Follow ZDNET: Add us as a preferred source on Google.

ZDNET’s key takeaways

• New Visa research says AI-accelerated scams are the “fastest growing source of consumer harm.”
• Fraud is shifting from credential theft and account hijacking to social engineering tactics.
• Visa outlines what consumers and businesses need to do to meet these threats. 

While AI’s vast potential to improve security, ramp up productivity, and reduce operational costs is being explored by countless companies, the technology is also being weaponized by cybercrooks involved in fraud and financial crime.  

Also: 5 security tactics your business can’t get wrong in the age of AI – and why they’re critical

A new report from Visa says AI is reshaping both cyberattack and defense tactics and, specifically, is compressing the fraud cycle, making it easier to dupe consumers into authorizing malicious transactions. 

AI accelerates ClickFix-like fraud

Remember ClickFix? It’s a social engineering technique, popularized in recent years, that bypasses traditional phishing defenses by exploiting psychological vulnerabilities. 

In ClickFix attacks, victims are lured into performing a malicious action themselves by being presented with a problem to solve — a problem that has an easy solution. For example, you may come across a fake malware alert on a website that urges you to open up a command prompt, copy and paste a code, and submit it to fix a PC “issue” in only a few steps. 

In reality, this “solution” leads you to execute malicious commands yourself, resulting in malware deployment, data theft, and more. 

Also: OpenAI’s new image watermarks make it easier to spot AI fakes – here’s how

Standard digital defenses can’t prevent us from performing malicious or destructive actions ourselves, which makes this social engineering tactic far more effective than basic drive-by downloads or standard phishing campaigns.

Apply this to finance, and the problem is this: If you authorize a transaction (fraudulent or otherwise), the responsibility lies with you — and you will most likely bear the financial cost. 

According to Visa’s Spring 2026 Biannual Threats Report, AI-enabled social engineering is becoming a serious issue for fraud prevention. 

How these scams work

Payment fraud can cost you dearly. Now that financial institutions are well aware of the risks posed to consumers by online scams, phishing, and social engineering, they often implement stringent security controls for large financial transactions. 

You may have to authorize payments before a payment request is accepted, such as by verifying yourself through an app, providing a one-time passcode, or clicking confirm.  

As a consequence, fraudsters are adopting AI and social engineering to “manipulate people into authorizing payments themselves,” according to the report, which includes using AI-generated scam content, voice impersonation, and deepfake media, to “increase both the reach and perceived credibility of scams when exploited by actors with malicious intent.”

In other words, AI is being used to generate sophisticated content that appears to come from a legitimate, trustworthy source — such as your bank — which is convincing enough for you to pay up and authorize a fraudulent transaction, thereby stripping yourself of the ID theft and banking crime guarantees that you are normally protected with by your financial provider. 

Visa says this is forcing a shift from “detect stolen credentials” to “detect and disrupt deception” for financial institutions; for the rest of us, it’s a behavioral and awareness issue that must be tackled. 

The red flags to watch out for

From July to December 2025, Visa detected nearly $1 billion in scam-related activity, including impersonation of trusted brands and companies, scams and phishing campaigns laced with financial urgency, and deception that led unwitting victims to complete transactions that appeared legitimate on the surface, but actually resulted in financial loss. 

We at ZDNET have monitored scam trends for years, and whether or not AI is involved, these are some common patterns and practices to watch out for: 

1. Cold calls

Scammers often pretend to work for trusted companies, such as your bank or wireless provider. They may try to lure you with a discount or free service in return for verification codes or account details, or they may request payment to resolve an “unpaid” bill. If you’re being cold-called, hang up. If you believe the call may be legitimate, use an official communication channel — such as the organization’s website — to confirm before you hand over a single dollar.

2. ClickFix-like tactics

ClickFix attacks are successful because they appeal to people’s problem-solving tendencies. They outline an issue and promise a quick fix with just a few steps. This can apply to financial fraud, too. Imagine you receive an email from your bank demanding an overdue payment and a discount if you act quickly — the message outlines three steps, including a link to pay or a QR code to scan, and one of the steps requires you to authorize a transaction. It causes panic and seems simple to fix, but it’s fake. Take a step back before you make any payments, think rationally, and verify through an official channel, such as your bank’s customer service line or support desk. 

Also: This cyberattack tricks you into hacking yourself. Here’s how to spot it

3. Romance scams

Financial fraud often tries to make you feel panic so you make irrational decisions, and, unfortunately, may also abuse you by engaging your emotions over the long-term. Romance scams often lead to investment and financial fraud. If someone you’ve never met asks you for money, simply say no.  

4. Nearly genuine appearance

One issue surrounding the AI is the sheer volume of AI-generated content, much of which is difficult to distinguish from real, legitimate content, including emails, images, audio, and video. If we can create images, photos, or even a more professional-sounding email using an AI assistant, remember that cybercriminals have the same tools at hand. 

Also: 5 ways to fortify your network against the new speed of AI attacks

Ever see a strange news report on social media and question its legitimacy, or suspect it might be “AI slop“? Apply that same skepticism. Even when an email looks genuine, if any financial change or payment is requested, go through an official channel to confirm it is what it appears to be.

The solution for organizations is speed

As Visa notes in its report, building advanced scam detection networks and adopting AI-backed solutions to detect and flag impersonation, social engineering, or unusual transactions can all boost fraud prevention, but speed is the key ingredient. 

Now that AI is being used for everything from social engineering to vulnerability discovery, reconnaissance, and network intrusion at a pace faster than we can defend against, businesses can’t rely on time-consuming, manual processes to handle their cybersecurity requirements or protect consumers. (Mandiant has also provided technical guidance on this topic recently.)

Also: Why AI-powered security tools are your secret weapon against tomorrow’s attacks

If AI is being weaponized, using automation — and potentially AI assistants, too — is the required shift to keep up. Automation can also take over time-consuming tasks, such as triage, freeing cybersecurity professionals to detect and respond to cyberattacks more effectively. Large language models and automated tools can complete tasks far more rapidly than humans can; as long as these tools are properly supervised, defenders can be better equipped to combat modern threats. 

“The rapid adoption of AI has fundamentally changed the economics of fraud,” says Michael Jabbara, SVP, Payment Ecosystem Risk and Control at Visa. “What once required deep technical skill can now be executed with a prompt. That reality makes intelligence-driven defenses and coordinated action across the ecosystem more critical than ever.” 

Acting quickly can help protect consumers from being scammed and may also give them the time they need to step back and consider whether they should OK that payment after all.