Artificial intelligence is changing the economics of cybercrime, giving scammers and fraudsters a faster way to scale attacks that companies already struggle to stop.
That is one of the central findings in Verizon’s 2026 Data Breach Investigations Report, which analyzed more than 31,000 real-world security incidents, including more than 22,000 confirmed data breaches across 145 countries. The report found that threat actors are using generative AI across different stages of attacks, including targeting, initial access, vulnerability research, malware development and other tooling.
The finding does not mean every scam is suddenly new. Verizon’s report argues that AI is, for now, mostly making familiar attacks faster, cheaper and more scalable. In the median case, threat actors researched or used AI assistance in 15 documented techniques, while some used it across 40 or 50 techniques. Most AI-assisted malware and tooling was tied to already known attack methods, while less than 2.5% involved less common techniques.
That makes the threat practical for banks, payments companies and digital commerce firms. AI can help a less sophisticated criminal write better phishing messages, automate parts of reconnaissance, test targets faster or impersonate trusted contacts more convincingly. Verizon also found that the human element was present in 62% of breaches, while social engineering represented 16% of all breaches. Phone-centric tactics, including voice and text-message attacks, are becoming more effective, with simulated mobile-centric attacks producing median click rates 40% higher than email.
The broader fraud picture is not limited to AI. Exploitation of vulnerabilities became the most common initial access vector for breaches, rising to 31%, while credential abuse fell to 13%. Ransomware appeared in 48% of breaches, up from 44% the prior year, although 69% of ransomware victims did not pay. Third-party involvement also rose sharply, reaching 48% of total breaches.
The implication is that companies do not need to throw out their security playbooks, but they do need to speed them up. Verizon put it this way: “AI’s primary impact is currently operational: automating and scaling techniques defenders already know how to detect, not yet unlocking these novel or rare attack surfaces.”
Advertisement: Scroll to Continue
For financial services firms, that means the AI fraud challenge is not only about exotic deepfakes or autonomous hackers. It is about more-convincing scams, more pressure on help desks, more attacks against mobile channels and more criminals using automation to find weak spots before defenders close them.
