8 Years After the Fintech Law, How Is the Mexican Fraud Landscape In 2026?
February 18, 2026
In 2018, Mexico was one of the first countries in the world to legislate the fintech industry with its “Law to Regulate Financial Technology Institutions.”
Mexico wanted to lead the world in the new wave of how consumers bank. And it worked. Since then, not only has Mexico’s fintech industry grown, but digital banking offerings and consumer trends have surged ahead of regional trends.
Although half of the country is estimated to be without a bank account, digital engagement has surged. 53% of Mexicans over the age of 15 now have a digital financial services account of some kind (up from 36% in 2017).
The rise of digital banking is a positive development, but it comes with a downside - a parallel rise in banking fraud.
In the first half of 2025, Mexican banks faced 2.48 million fraud-related claims, and digital fraud increased by 27% year over year.
Unsurprisingly, three out of every four complaints against banks are now about fraud.
These levels of fraud losses are unsustainable in the long term, but Mexican banks can dramatically reduce fraud by making consumer authentication invisible, unbreakable, and frictionless. Learn how IronVest’s ActionID prevents fraud.
With Ley Fintech 2.0 having passed both chambers of the Mexican Congress and expected to take effect in 2026, now is a critical moment for fraud teams to reassess the country’s financial crime landscape.
We explain the most prevalent fraud vectors driving this surge and what Mexican banks and fintechs can do to fight back in 2026.
4 Fraud Types Targeting Mexican Banks In 2026
While Mexican banks face all major forms of banking fraud, recent data from 2024 and 2025 reveal that some threats are disproportionately severe in the Mexican market.
Our analysts have identified four attack vectors that represent the most critical risks for Mexican financial institutions in 2026.
1. Identity Fraud
Identity fraud, in which criminals impersonate legitimate users to access their accounts and conduct fraudulent transactions, is Mexico's fastest-growing fraud category overall.
In 2024, there were over 36,400 formal fraud complaints related to identity impersonation alone.
CONDUSEF reports that losses from fraud involving identity theft surged 77% in 2024, reaching approximately 11.3 billion pesos in claimed losses.
This sharp increase coincides with a series of large-scale data breaches in Mexico. In October 2025, it was reported that cybercriminals were selling a database containing over eight million records of Mexican debtors, allegedly stolen from debt collection agencies.
The exposed data included full names, addresses, dates of birth, bank details, and CURP numbers (Mexico’s primary personal identification number) - information that makes identity fraud significantly easier to commit.
2. AI-Enabled Impersonation
AI-enabled impersonation fraud, where criminals use artificial intelligence to pose as trusted institutions or individuals, is surging across Mexico.
Criminals commonly exploit automated calls with cloned voices, as well as WhatsApp voice notes, posing as bank staff or even relatives in distress.
They also set up fake websites, social media profiles, and call centers that closely mimic real banks, allowing them to harvest credentials and personal data from unsuspecting customers.
Mexico’s financial ombudsman has reported a steady increase in bank impersonation schemes. In mid-2024, for example, CONDUSEF identified 49 legitimate financial institutions whose identities were being regularly cloned online.
Driving this rise is easy access to technology for creating advanced deepfakes.
Deepfake tools are available at accessible prices on the dark web for Mexican fraudsters, allowing criminal groups to replicate faces, voices, and other biometric identifiers at scale. By late 2024, Kaspersky Lab noted a 220% surge in deepfake-type fraud reports in Mexico, illustrating how quickly this threat is growing.
The problem is compounded by Mexico's own regulatory framework. As banks invest in N4 account-level (Nivel 4) physical identifiers requirements like facial recognition, they are inadvertently creating a new target for AI.
Deepfake tools can now copy the exact physical characteristics described in CNBV regulations. This turns a legal requirement into a vulnerability, and simple identity verification is no longer enough to stop impersonation.
The financial impact is already significant.
A late 2024 survey found that Mexican financial firms reported an average of $627,000 USD in losses per company due to deepfake-related scams, the highest of any country surveyed (ahead of Singapore at $577,000 and the US at $438,000).
Mexican consumers are worried about deepfakes, too. 9 out of 10 Mexican online users reported daily worry about being duped by a deepfake into surrendering sensitive data or money.
3. Synthetic Identity Fraud
Synthetic identity fraud occurs when fraudsters defraud banks or other financial institutions by combining real and fake personal information to create a false identity. By obtaining accounts or loans under false identities, they can then commit credit fraud, launder money, or steal funds.
Mexico is, unfortunately, leading the world when it comes to the growth in AI-powered synthetic identity fraud. The use of synthetic identity documents saw a 1,200% jump in 2025 compared to a global average of 195%.
4. Social Engineering As a Force Multiplier
Social engineering, including phishing and vishing (voice phishing), is a contributing factor in the majority of successful banking fraud attempts in Mexico.
Recent high-profile cases show that no one is safe.
Mexican comedian Sofía Niño de Rivera fell victim to a vishing scam that drained her bank account after she received a call from scammers posing as her bank.
The attackers were so convincing that Niño de Rivera followed their instructions to delete her banking app and disable facial recognition, allowing them to transfer her savings to 11 different accounts.
Mexican Consumers Want Better Fraud Protection from Banks
In the first half of 2025, claims against banks for potential fraud reached 2.48 million cases, with the total amount claimed by victims rising to MX$10.71 billion (US$580 million).
Every day, Mexican banking users face fraud attempts that happen over the phone, via email, and across every possible channel. In 2024, 59% of Mexicans reported suffering at least one scam attempt per month.
Unsurprisingly, this situation has led to a strong desire for better fraud protection. Consumers in Mexico are very concerned about fraud when choosing banking or financial services.
75% of banking users in Mexico say that having good fraud protection is one of their top three considerations when choosing a bank, and 38% consider fraud protection the single most important factor in their banking choice.
Fraud protection now outranks ease of use, value for money, and ethical practices as a choice for who to bank with. Learn why banking users love IronVest.
Is Traditional MFA Enough For Mexican Banking?
Short answer: No.
Although a layer of authentication beyond passwords is a legal requirement for Mexican banks, traditional MFA does not prevent fraud.
In June 2024, the National Banking and Securities Commission (CNBV) issued new regulations requiring banks to establish comprehensive fraud management plans.
These rules also mandate that customers be able to set their own transaction limits. Any transaction that exceeds those limits must now be protected with two-factor authentication. If a bank fails to enforce these controls, it can be held financially responsible for fraud losses.
However, traditional multi-factor authentication options like SMS codes, authenticator apps, and security questions create three critical vulnerabilities for Mexican banks and their customers:
They train users to expect interruptions, making legitimate security checks indistinguishable from scam attempts.
SMS and email codes can be intercepted or socially engineered.
When authentication is visible and predictable, fraudsters adapt their scripts to account for it.
But what about face recognition? And other biometric controls?
Under Mexico’s current regulatory framework, banks are focusing heavily on Category 4 Authentication Factors, such as fingerprints, iris patterns, and facial recognition, to verify users.
But these are not safe by default, either.
While physical characteristics provide a baseline for identity, the regulation treats them as a static 'check-the-box' step. Criminals are already exploiting this by using deepfakes to bypass facial recognition logins that lack robust liveness testing.
The growing legal risk for Mexican banks
Mexican banks also need a better evidence trail than most currently have.
In November 2025, Mexico's Supreme Court established new jurisprudence, shifting the burden of proof to banks in cases of unauthorized charges.
With the burden of proof firmly on banks and fraud rates soaring, authentication needs to evolve and blur into the background of the user experience, creating an unbreakable bond that consumers can rely on.
IronVest ActionID™: Invisible Security for Mexican Banks
IronVest ActionID™ is ready to help Mexican banks and fintechs prevent fraud and get ahead of new regulations.
IronVest ActionID™ continuously authenticates users across all channels without a single user interruption. There are no SMS codes to intercept, no predictable authentication moments for fraudsters to script around, and no friction for legitimate customers.
With IronVest ActionID™, Mexican banks and financial institutions can:
Stop social engineering at the source.
Get evidence of user intent for disputes that get denied.
Defeat deepfakes automatically.
Replace statistical fraud signals with continuous behavioral authentication.
Schedule an IronVest demo today to learn more.