Technical defences are holding, but Visa’s Spring 2026 threat report warns the payments industry is now fighting a behavioural war it wasn’t built to win
Visa has identified nearly $1bn in scam-related fraud activity across the second half of 2025, as the company warns improved network-level defences are pushing adversaries away from infrastructure and toward people.
The card giant’s Spring bi-annual Threat Report, covering July to December 2025, documents measurable progress on traditional fraud vectors – finding device-token fraud fell 9.6% year-on-year, while losses tied to enumeration attacks declined 16% over the same period.
Visa’s Risk Operations Centre blocked a 13% increase in unique enumeration attempts at the network level during the period.

But Chief Risk and Client Services Officer Paul Fabara cautioned headline improvements mask a change of direction in how fraudsters are carrying out their attacks.
“Over the last six months, Visa blocked a 13% increase in unique enumeration attacks at the network level while continuing to deliver measurable improvements in core security outcomes – clear evidence that network scale defenses are working,” he said.
“But while security initiatives are working, the nature of the threat is changing as fraudsters are moving their targets.”
From credential theft to behavioural manipulation
Scams have become what the report describes as the fastest growing category of consumer risk, with AI-generated content, voice impersonation and deepfake media enabling fraudsters to operate at scale, presenting a false sense of credibility previously unachievable.
Critically, because the victim authorises the transaction themselves, the fraud is largely invisible to conventional authentication controls.
“Fraud is increasingly a problem of behavioural manipulation, ecosystem fragmentation and accelerated attack cycles enabled by AI,” says Fabara.
For the industry this means a change in detection logic, moving away from identifying stolen credentials to identifying deception in progress.
The report notes scam prevention cannot be resolved at the authorisation layer alone, because when a user behaves legitimately from a transactional standpoint, defence requires identity verification, intent assessment and manipulation detection. These are not capabilities any single institution can deploy in isolation.
AI compresses the attack cycle on both sides
Attackers are using AI to generate personalised scams, automate workflows and iterate tactics at far greater speed. This is particularly true for ransomware, where AI tools have compressed attack timelines from days to minutes.
Defenders are deploying the same tools in reverse, by using AI to detect anomalies earlier, reduce false positives and automate the ‘detect-triage-response’ cycle. Visa describes this as a speed competition, and one where manual, siloed review models are structurally disadvantaged.
Visa reveals global ransomware activity rose 26% in the second half of 2025 compared to the same period in 2024 – yet only 23% of victims paid ransoms, the lowest rate on record, with average payments down 66% quarter-on-quarter. The report attributes declining payments to growing awareness paying ransoms has little reliable effect on whether data is leaked.
Visa’s findings tellingly show the most consequential security failures now occur at the boundaries between institutions – where incentives and visibility are misaligned – as opposed to within any single organisation’s perimeter.
“Staying ahead now requires more than incremental control improvements,” says Fabara. “It requires a shared, system-level approach to security across all points of the financial ecosystem: financial institutions, merchants, technology platforms, and policymakers.”