Credential thefts are intensifying in Latin America: attack and defense strategies

The cybersecurity landscape in Latin America faces a persistent threat that has claimed victims for over a decade: the theft of digital access credentials. The situation worsens as banking, government, and corporate services become increasingly digitalized in the region. In 2025, SOCRadar documented over 2.6 million compromised credentials in Latin America alone, reflecting the acceleration of this issue. A stolen email credential is not just an inconvenience: it opens the door to subsequent access to bank accounts, corporate platforms, financial records, and medical histories, exponentially increasing the risk.

Three Methods Behind Credential Thefts

Cybercriminals employ different strategies to obtain access data. ESET, a cybersecurity company, classifies these attacks into three main categories that vary in sophistication and scope. Each represents a different risk vector requiring specific attention.

Phishing and Social Engineering: Manipulation as a Tool

Social engineering remains the most common mechanism. Phishing stands out as the attackers’ preferred tactic: they impersonate public institutions or established companies to reduce suspicion. Criminals send emails and messages that mimic urgent notifications (account issues, rejected payments, reservation problems) and include links to fraudulent sites that replicate legitimate interfaces. Users who fall for the deception enter their credentials without realizing the site is fake.

An equally dangerous variant involves sponsored ads in search engines directing users to fake portals. Attackers pay for visibility on Google or other search engines, placing counterfeit sites that imitate banks, email services, cloud platforms, or corporations. The visual impersonation is so meticulous that even experienced users can be fooled.

Malware-Based Theft: Silent Threats on Devices

The second attack vector involves distributing specialized malicious software that operates on already compromised devices. Victims often remain unaware that their equipment is being exploited. Programs like info stealers, keyloggers, and spyware run in the background, continuously collecting sensitive information: passwords stored in browsers, autocomplete data, credentials for active applications, and user sessions.

Within this malware ecosystem, banking Trojans pose a significant threat. In 2025, over 650,000 unique detections of this malware type were recorded; among them, the Guildma family stood out, responsible for 110,000 detections, establishing itself as one of the most active variants in the region.

Breaches and Organizational Failures: When Databases Are Exposed

The third source of theft comes from vulnerabilities in systems of organizations that store credentials. When a database is compromised due to security weaknesses or poor configurations, the impact can be massive. In critical scenarios, full credentials with passwords are leaked; in other cases, only emails and usernames are exposed, which are later used for credential stuffing attacks or brute-force attempts.

“Threats that systematically employ brute-force methods also exist,” notes Martina López, a cybersecurity researcher at ESET Latin America. This technique involves testing large numbers of username and password combinations until access is gained.

Prevention Strategies: Strengthening Defense Against Theft

To reduce risks from these attack methods, ESET recommends implementing comprehensive measures. The first is using unique, strong passwords for each service, avoiding reuse that facilitates cascading thefts. Enabling multi-factor authentication adds an extra layer of protection. Maintaining skepticism toward unexpected messages, using professional password managers, regularly updating systems and applications, and monitoring for unusual access or activity form a solid defensive approach.
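The monitoring recommendation can be made concrete for the credential stuffing and brute-force patterns described in the previous section. The following is an added example, not code from ESET or from the original article: it labels source IPs by the shape of their failed-login bursts. The event format, the thresholds and the 0.8 ratio are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # assumed burst window; tune per service
MIN_FAILURES = 6               # assumed threshold; tune per service

def build_sample():
    """Constructed login events, not real data: (time, source IP, account, result)."""
    t0, ev = datetime(2025, 3, 1, 10, 0, 0), []
    # One attempt each against 8 different accounts; the sixth attempt succeeds.
    for i in range(8):
        ev.append((t0 + timedelta(seconds=5 * i), "203.0.113.7",
                   f"user{i}@example.com", "OK" if i == 5 else "FAIL"))
    # Ten guesses against a single account.
    for i in range(10):
        ev.append((t0 + timedelta(seconds=3 * i), "198.51.100.9",
                   "admin@example.com", "FAIL"))
    # An ordinary user who mistypes once, then logs in.
    ev.append((t0, "192.0.2.4", "luis@example.com", "FAIL"))
    ev.append((t0 + timedelta(seconds=20), "192.0.2.4", "luis@example.com", "OK"))
    return ev

def classify_sources(events, window=WINDOW, min_failures=MIN_FAILURES):
    """Label each source IP whose failed logins form a burst inside one window."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in sorted(events):
        by_ip[ip].append((ts, user, result))
    findings = {}
    for ip, evs in by_ip.items():
        fails = [(ts, u) for ts, u, r in evs if r == "FAIL"]
        # Largest group of failures that fits in one window from any start point.
        burst = max(([f for f in fails if s <= f[0] < s + window] for s, _ in fails),
                    key=len, default=[])
        if len(burst) < min_failures:
            continue  # too few failures to stand out from normal typos
        users = {u for _, u in burst}
        if len(users) == 1:
            kind = "brute_force"          # many guesses, one account
        elif len(users) >= 0.8 * len(burst):
            kind = "credential_stuffing"  # about one try per account
        else:
            kind = "mixed"
        # Accounts that logged in from this source once the burst had started.
        hits = sorted({u for ts, u, r in evs if r == "OK" and ts >= burst[0][0]})
        findings[ip] = {"kind": kind, "failures": len(burst),
                        "accounts": len(users), "successful_logins": hits}
    return findings

if __name__ == "__main__":
    for ip, info in classify_sources(build_sample()).items():
        print(ip, info)
```

Any account listed under `successful_logins` for a flagged source should be treated as compromised and is a candidate for an immediate password change and session closure.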

Responding to Thefts That Have Already Occurred

If a credential has already been compromised, immediate action is essential. Steps include changing all reused passwords, remotely closing all active sessions, checking affected accounts for unauthorized changes, and installing security tools on potentially infected devices.

“Staying updated on the latest trends and tactics in cybersecurity is vital to anticipate these thefts,” emphasizes López. Continuous education and active vigilance are the best defenses against threats that constantly evolve in the region.
