Fraud and Scam Initiators Are Adapting, Again, Visa Says
Perpetrators of fraud and scams are adapting again to changes in technology and consumer behavior, but so, too, are the organizations charged with preventing their misdeeds. In its “Spring 2026 Biannual Threats Report,” Visa Inc. points to four shifts in the second half of 2025 as fundamentally changing how criminals interact with consumers.
Released Thursday, the report shows that, on a global scale, controls are helping improve outcomes for those caught up in fraud and scams even as attack volume rises, Visa says. Other changes are that scams are the primary source of consumer harm and that artificial intelligence is speeding up both the attack and defense aspects. Fourth, ransomware is still prevalent, but its economics are changing.
Visa data shows that fraud at the device-token level decreased 9.6% in the latter half of 2025 compared to the second half of 2024, while enumeration—a reconnaissance stage for criminals to verify stolen data—dropped 16% in the same period.

The implication is that criminals are moving toward vectors like consumers and third-party dependencies, Visa says. “The most important question is no longer ‘how much fraud occurred,’ but ‘where is fraud migrating–and how quickly?’” Visa’s report says.
The second notable shift, the ascendancy of scams, cannot be solved solely with controls at the authorization layer, Visa says. To counter this, a multi-element response is needed, it says. Scams occur when criminals trick a consumer into willingly sending them money, providing them with payment details, or providing access to their accounts, as defined by Wells Fargo.
“When the user behaves ‘legitimately’ from a transaction perspective, scam defense becomes a combined challenge of identity verification, intent assessment, and manipulation detection—often requiring coordinated action beyond a single institution,” Visa says.
Just as AI is weaving itself into productive uses, it is being put to less-than-legal ones, too. Visa says AI is shortening the fraud cycle for both sides, the attackers and defenders.
Criminals are using AI to create more personalized and convincing attacks they can automate at scale, while organizations trying to halt that activity are able to use AI to spot anomalies sooner than they could without it, stop attacks before they reach consumers or merchants, and make their identification of attacks more precise, Visa says.
Thus, “Organizations that rely on manual, siloed review models are structurally disadvantaged. The advantage belongs to those that can act in real time, coordinate across partners quickly, and automate the detect-triage response lifecycle,” Visa says.
The fourth shift, more ransomware with changing economics, may be a result of organizations being more resilient when under threat and increasingly recognizing that paying the extortionist does not reliably prevent a data release, Visa says.
Ransomware is becoming more of a recovery issue, not just a prevention problem, it says. Visa says this suggests a shift in approach when dealing with ransomware: treating business continuity and recovery as primary security controls instead of afterthoughts.
