- Key insights: Visa reports AI is making it easier for crooks to attack banks.
- What's at stake: The threats come as financial institutions expand their use of new forms of AI.
- Expert quote: "We are gaining ground in payment security, but as we do so, we're forcing adversaries to change the game," —Michael Jabbara, Visa senior vice president
The
"AI has dramatically lowered the barrier to entry for fraud. [Bad] actors can now automate and scale attacks with far less technical expertise than was previously required," Michael Jabbara, senior vice president of Visa's Payment Ecosystem Risk and Control, told American Banker. "That has fundamentally changed the economics of cybercrime and expanded the number of participants capable of executing sophisticated fraud schemes." However, he added that AI is also providing banks with new tools to detect fraud, which Visa and others are employing.
Visa on Wednesday released its Spring 2026 Biannual Threats Report, with the card network contending security measures are working but the pace of attacks has accelerated significantly.
"Fraudsters can test, adapt and refine tactics in near real time. In some cases, ransomware attack timelines that once unfolded over days are now compressed into minutes," Jabarra said. "Traditional review models and static, rules-based systems are increasingly challenged by adversaries operating at machine speed."
Threat agents
The potential danger of new forms of AI has drawn attention at the highest levels of the banking industry.
"Fraudsters are deploying agentic AI offensively, and the operational advantage it confers is significant," Jim Mortensen, strategic advisor for fraud and the anti-money laundering practice group at Datos Insights, told American Banker.
Datos Insights research found that 89% of financial institutions identified deepfakes and generative AI as supercharging payment scams. Consumers are also not comfortable using AI for payments—
The CEOs of Bank of America, Citi, Goldman Sachs, Morgan Stanley and Wells Fargo recently met with Anthropic to
"The most dangerous fraud today is the one that looks completely legitimate, because the customer is the one authorizing it," Jabarra said. "And it's becoming a bigger concern because of the rapid rise of AI-enabled social engineering."
Crooks are using generative AI to create highly personalized phishing campaigns, voice impersonation scams and deepfake-enabled fraud at unprecedented scale. "Capabilities that once required significant technical sophistication and resources can now be deployed quickly and inexpensively," Jabarra said.
Agentic systems can now automate the full fraud lifecycle: generating synthetic identities, uploading fabricated documents in real time, learning from failed attempts, and continuously refining attacks without human intervention, according to Mortensen.
"Because agentic AI can autonomously execute transactions and perfectly mimic legitimate user sessions, distinguishing authorized agents from malicious automation has become extraordinarily difficult," Mortensen said. "The question for fraud teams has fundamentally shifted from 'Who is this customer?' to 'What AI capabilities are being employed in this interaction, and what are their intentions?'
Real-time payments compress the detection window to near zero, further complicating the fraud fight, according to Mortensen. Datos Insights research found that 58% of financial crime leaders cite inadequate institutional detection capabilities for instant payments as a significant issue.
"Criminals can now compress money-laundering layering schemes that once took weeks into hours, moving funds across institutions before legacy systems can respond," Mortensen said. "The core problem is that most institutions still lack unified platforms capable of aggregating threat intelligence from multiple sources in real time."
Traditional indicators of fraud, such as poor grammar or spelling errors, are rapidly disappearing as attackers use AI to produce polished, convincing communications across text, email, websites and messaging platforms, according to Lindsay Hooks, director at Cornerstone Advisors. "As a result, the line between authentic and fabricated interactions continues to blur," Hooks said.
The AI solution
At the same time, agentic and generative AI are probably the most promising tools for fraud fighters, particularly in operations, according to Mortensen. "It enables fraud analysts to spend the majority of their time on critical thinking, rather than data collection, with copilot and agentic tools handling triage, investigation workflows, and case management," he said.
Datos Insights research found that 93% of financial-crime executives expect these tools to assist or automate investigations and threat vetting within five years, and major vendors and financial institutions are already moving in that direction.
There has been a notable increase in the use of AI to create fictitious identities—spanning individuals, businesses, and organizations—as part of phishing and social engineering schemes, according to Cornerstone, with attack types including voice deepfakes and fully developed synthetic identities with humanlike digital footprints, making it difficult to distinguish legitimate entities from AI-generated deception.
To counter this shift, organizations must leverage AI defensively, Hooks argues. "Advanced, agentic AI can rapidly aggregate and analyze data to build a comprehensive view of behaviors, account history, and subtle anomalies, such as inconsistencies in activity patterns or time of existence. These capabilities are critical for identifying signals of manipulation and detecting scams that would otherwise evade traditional controls."
The data
Visa's biannual report drew on data from 1,000 risk and cybersecurity professionals across Visa's global network.
Fraud involving compromised authentication declined 9.6% from July 2025 to December 2025, compared to the same half year period in 2024, while ransomware increased 26% over that period. But only 23% of ransomware victims paid, which Visa attributed to improvements in resilience and recovery. Visa's report did not break out AI-related losses.
"We are gaining ground in payment security, but as we do so, we're forcing adversaries to change the game," Jabbara said, noting vulnerability probes declined 16%. "As technical defenses improve, threat actors are adapting. The challenge now is keeping up with where the fraudsters are moving next."
Visa's report dovetails with other research from Verizon Business released on Wednesday that found 65% of financial services breaches involve a human element, such as phishing victims, errors and social engineering. Verizon reports the attacks often combine ransomware, stolen credentials, and vulnerability exploitation in multi-stage campaigns, and 34% involve a third party, reflecting supply-chain and vendor risk. Internal data is compromised in 53% of breaches, personal data in 43%, and credentials in 26%, Verizon reports and ransomware was 48% of breaches in 2025, up from 44% in 2024.
Fraud today is less about breaking systems and more about influencing people, according to Jabarra. "With that, security is shifting from a technology problem to a human one."
The scale of scams is an indicative example of this trend: Between July and December 2025 alone, Visa identified nearly $1 billion in scam-related fraud attempts.
"Scams have now become one of the most significant drivers of consumer harm across the payments ecosystem, fueled in large part by AI-enabled impersonation, deepfake content and increasingly sophisticated social engineering tactics," Jabarra said.
