Payment security is getting better. That seems like a positive storyline, but based on Visa’s Spring 2026 Biannual Threats Report, the truth may be more complicated.
Payment networks, merchants and technology providers are all improving core defenses. But, that’s not pushing bad actors out of business. Like the financial industry, they are adapting. Instead of relying as heavily on direct attacks against systems, stolen credentials or card-testing schemes, fraudsters are shifting toward something more difficult to secure: Human trust.
The report argues that fraud is moving from technical compromise toward behavioral manipulation, with artificial intelligence accelerating that transition.
“Criminals are increasingly targeting people rather than technology,” said Paul Fabara, Visa’s Chief Risk and Client Services Officer.
The points to a clear challenge facing the payments ecosystem, which is that the strongest network controls may not stop fraud when the victim has been persuaded to authorize the transaction personally.
From July through December 2025, Visa identified nearly $1 billion in scam-related activity, making scams the largest category of consumer payment fraud. Unlike traditional payment fraud, many modern scams do not require a criminal to compromise a device, steal a card number or bypass authentication. Instead, scammers impersonate trusted brands, financial institutions, government agencies or service providers, then create enough urgency and credibility to convince victims to move money themselves.
That is what makes this newer attack vector so difficult to address. From a transaction perspective, the payments look legitimate. The user is authenticated. The device may be trusted. The account holder may be acting voluntarily. But, the intent behind the transaction has been manipulated.
To be clear, the report doesn’t claim that existing defenses are failing. In fact, it points to measurable progress. Device-token fraud declined 9.6% year-over-year in the second half of 2025, while losses tied to enumeration attacks declined 16%. Visa also said its Risk Operations Center blocked a 13% increase in unique enumeration attacks at the network level.
Those figures show that investments in tokenization, authentication and network-level monitoring are producing results. At the same time, they also explain why fraud is migrating. When it becomes harder to break through the front door, attackers look for side doors. In the payments ecosystem, those side doors increasingly involve people, third-party dependencies, advertising channels, search results, social platforms and fragmented institutional handoffs.
That also changes the strategic question for the payment security industry. It is no longer enough to ask how much fraud occurred after the fact. Visa argues that organizations need to understand where fraud is moving, how quickly it is shifting across channels, and which ecosystem elements are becoming attractive to attackers.
AI is making that shift faster and more scalable. Fraudsters can use generative AI to produce more convincing messages, clone voices, personalize outreach, create synthetic media and test variations of scams at a scale that would have nearly impossible to achieve manually – at least without significant technical expertise and resources.
Visa’s Michael Jabbara, SVP of Payment Ecosystem Risk and Control, said bluntly, “What once required deep technical skill can now be executed with a prompt.”
For defenders, AI is also becoming essential. Defenders are using AI to detect anomalies earlier, improve detection precision and stop attacks before they reach consumers or merchants. The important shift is speed. Manual review processes and slow-moving fraud models are mismatched against attackers that can iterate campaigns, automate workflows and adapt tactics at machine speed.
That same speed dynamic is visible in ransomware. Global ransomware activity rose 26% from July through December 2025, compared to the same period in 2024. Yet, only 23% of victims paid ransoms – the lowest rate on record – while average payment amounts fell 66% from the third quarter of 2025, compared with the previous quarter.
The ransomware data suggests that prevention remains important, but resilience is becoming just as central. If organizations can restore systems quickly, contain the blast radius and maintain reliable backups, they reduce attackers’ leverage. From a business strategy perspective, that means recovery time objectives and backup integrity should be treated as board-level security metrics rather than back-office operational concerns.
Perhaps the most important idea to come from the report is that payment fraud is no longer a problem any single institution can solve alone. Scams often begin outside the financial system, move through communications channels or online platforms, touch a bank or payment provider, and then clear through a network. Each participant may see only part of the pattern and each may have different incentives, different data and different authority to intervene.
That makes ecosystem coordination critical. Scam defense depends on faster takedowns, better information sharing, stronger merchant onboarding, clearer trusted communication channels and verification methods that can withstand synthetic audio, video and highly personalized persuasion.
For consumers, the practical warning is simple, though perhaps uncomfortable: The most dangerous fraud may not look like fraud. It may look like a bank alert, a delivery notification, a government message or a call from a familiar voice. AI is making deception more polished, more personalized and more emotionally convincing.
For financial institutions, merchants and payment platforms, the message is that transaction-level fraud detection is still absolutely necessary, but it is no longer sufficient. The next phase of payment security will require organizations to detect manipulation, not just unauthorized access. The entire ecosystem will need to collaborate and treat customer communications as part of the security perimeter, and to coordinate across a digital ecosystem where criminals are actively exploiting gaps between trusted institutions.
So, while the payments network is becoming more secure, fraud is becoming more human. That means the next frontier of payment security will not be defined only by stronger authentication or better transaction scoring, but by how well the ecosystem can recognize deception before a legitimate user is convinced to make an illegitimate payment.
Edited by
Erik Linask
