Mexico City — Mexico’s new mandatory cellphone registration process has entered a new phase, requiring users to complete a “proof of life” verification in addition to presenting official identification. While the measure aims to curb crimes committed through anonymous lines, cybersecurity experts warn it could open the door to new phishing scams.
The proof-of-life mechanism is designed to confirm that the person registering the line is the actual owner. Although authorities have not yet detailed how it will be implemented, some companies already use facial recognition during in-person registration, comparing the photo on the official ID with the user’s face.
The Telecommunications Regulatory Commission (CRT) has set a deadline of December 31, 2026, for all prepaid lines to be linked. To avoid congestion, the process will be staggered based on the last digit of the phone number.
Users who fail to complete the registration by their assigned date will face temporary suspension of their line 72 hours after the deadline. During that period, they can only make calls to emergency numbers, citizen assistance lines, and their phone operator, and receive official alerts until they complete the process.
As part of the campaign, phone companies have begun sending SMS reminders with the registration deadline. One such message reads: “By official order, the deadline to link your line is until 15-09-2026. Link your line at telcel.com/vinculatulinea.”
Companies will send two messages per week for most of the registration period, and daily messages during the final week before each user’s deadline. While this aims to keep customers informed, cybersecurity experts say it also creates an opportunity for criminals.
Scammers often exploit official campaigns with phishing attacks, sending messages that closely resemble the real ones but contain fake links. A user might receive an SMS nearly identical to the official one, but with a slightly altered web address or a shortened link leading to a fraudulent site designed to steal personal data, passwords, or banking information.
The difference between a legitimate and a fraudulent site can be as subtle as a single character. For example:
- telcel.com/vinculatulinea (correct link)
- telceI.com/vinculatulinea (lowercase ‘l’ replaced with uppercase ‘I’)
- vinculatulinea-telcel.com
These techniques are common during government or banking campaigns because they create a sense of urgency.
So far, authorities have not reported any fraud campaigns related to phone registration, but experts recommend:
- Avoid opening links sent via SMS.
- Navigate directly to the company’s official website.
- Do not provide verification codes received by SMS.
- Be wary of messages threatening immediate service cancellation.
The new registration aims to strengthen user identification and reduce the use of phone lines in criminal activities. However, data protection organizations have noted that the challenge will be ensuring the security of the information collected by companies and preventing criminals from exploiting these processes through social engineering.

