The Visa Biannual Threats Report (July–December 2024) details rising payments ecosystem threats (enumeration, provisioning fraud, malicious mobile apps, NFC relay attacks, digital skimming, ransomware, and consumer-targeted scams) while describing Visa PERC’s detection, disruption, and mitigation capabilities. Key metrics include a 22% increase in enumeration transactions, about US$1.1B in follow-on fraud from enumeration over a year, US$357M in scam-related fraud detected in 12 months, a 51% rise in ransomware/data-breach incidents, and over 20,000 fraudulent eCommerce domains identified.
Key points
- Typical report structure: Executive Summary (high-level findings and scope), Payments Threat Landscape (major vectors and trending tactics), Exploitation of System Misconfigurations (ransomware/data breaches and impacts), Scams and Consumer Threats (scam types, investigations, and disruption efforts), Threat Actor Disruption (investigations, arrests, and takedowns), How Visa Helps (capabilities, operations, and recommendations), followed by acknowledgements and a disclaimer.
- Executive Summary content: a concise appraisal of the six-month window, notable increases in threat activity, major incidents, Visa PERC’s mitigation outcomes, and high-level statistics that set the agenda for the detailed sections.
- Payments Threat Landscape section typically breaks down specific vectors (enumeration, digital skimming, provisioning, NFC/relay attacks, malicious mobile apps, POS vulnerabilities) and shows regional and temporal trends, detection methods, and mitigation approaches such as VAAI and eTD.
- Exploitation of System Misconfigurations section focuses on third-party/service-provider breaches, ransomware and data-exfiltration campaigns, sectoral and regional targeting, and the operational impact of misconfiguration-driven compromises.
- Scams section explains consumer-focused fraud types (marketing scams, debt-consolidation scams, fake eCommerce stores, task-based scams), describes Scam Disruption capabilities, and highlights investigative outcomes and consumer guidance.
- Threat Actor Disruption section documents coordinated law enforcement actions supported by Visa PERC, including major indictments, arrests, and infrastructure seizures that undercut large-scale carding and processing fraud operations.
- Detection and protection capabilities emphasized: Visa tools and teams—VAAI (enumeration detection), eTD (web skimmer scanning), VPTL/VPTI (technical and threat intelligence), 24×7 ROC, and Scam Disruption—form the backbone of proactive detection, notification, and surgical blocking.
- Enumeration findings: enumeration remains a top ecosystem threat—global enumerated transactions rose 22% in the six-month period, enumerated PANs rose 8%, and programmatic enumeration contributed to about US$1.1B in follow-on fraud over a one-year period.
- Digital skimming and web compromise: eTD identified a 7% increase in infected websites over the past year; North America accounted for 51% of skimmer detections in the six-month window, with Europe second.
- Provisioning and delayed cashout trend: provisioning fraud persists, but threat actors increasingly delay monetization. Visa observed a 29% decrease in provisioning-related fraud within the first seven days post-token activation compared to the prior year, indicating longer lag times before cashout.
- Malicious mobile apps and POS/ATM exploitation: schemes included fraudulent provisioning into malicious apps that trigger offline authorizations to obtain in-store approvals and ATM cashouts; these attacks exploit POS configuration weaknesses and offline auth flows.
- NFC relay attacks: relay fraud leveraging malicious apps and the open-source NFCGate project continues to allow real-time capture/forwarding of NFC data, enabling remote cashout in different physical locations via social engineering lures.
- Scam statistics and campaigns: in the last 12 months Visa PERC detected US$357M in scam-associated fraud and identified over 20,000 merchants/domains tied to fake eCommerce campaigns; the FTC reported a 300% increase in task-based scams, with ~20,000 victims and US$41M in losses.
- Ransomware and data breaches: Visa PERC tracked several thousand ransomware/data-breach incidents in the six-month period (a 51% increase from the prior six months), with North America the most targeted region for these attacks.
- Notable disruption outcomes: recovery of 250M at-risk accounts from a ticketing service provider breach affecting 165 companies; arrests and indictments tied to US$150M in fraud processed via Allied Wallet; the indictment of Joker’s Stash administrators; and the Cryptex seizure of US$1.15B in laundered proceeds.
- Operational mitigation impact: Visa PERC coordinated pre-emptive targeted blocks for approximately 76% of incidents from July–December 2024, resulting in more than 134.3M declined transactions; Visa’s AI/ML blocked nearly 85% more suspected fraud during the 2024 holiday period versus the prior year, despite a 200% spike in suspected fraud around Black Friday/Cyber Monday.
- AI-driven threats and scaling: threat actors are adopting AI to scale and refine attacks—voice cloning/deepfakes for social engineering, AI-crafted personalized phishing, automated credential attacks, synthetic identity creation, and mass generation of fake stores/reviews to enable large-scale fraud.
- Regional and ecosystem shifts: North America consistently shows high targeting for skimming, ransomware, and scam activity; threat actors increasingly exploit global hosting/template services to spin up thousands of fraudulent eCommerce sites originating from EU and AP infrastructures.
- Recurring themes and takeaways: fraudsters blend social engineering with technical automation and AI to scale attacks, shift cashout timing to evade heuristics, and exploit misconfigurations and third-party supply-chain weaknesses—making rapid detection, shared intelligence, targeted blocking, and cross-industry collaboration essential.
- Actionable recommendations reiterated: keep software and POS systems patched, conduct regular security audits, provide employee anti-phishing training, enforce strong MFA/biometrics and token controls (including considering token age), share intelligence with partners and law enforcement, and proactively educate customers to reduce scam exposure.
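The delayed-cashout trend and the "consider token age" recommendation above, as an added example that is not from the Visa report and is not Visa's detection logic: it compares a rule that only watches the first seven days after token activation with one that scores a token's first use at any age. The token IDs, timestamps, the HIGH_VALUE threshold and the first-use heuristic are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Assumed policy values for illustration only; tune against real portfolio data.
EARLY_WINDOW = timedelta(days=7)   # the "first seven days" window cited above
HIGH_VALUE = 500.00                # constructed threshold

# Constructed sample data: token activation times and later transactions.
ACTIVATED = {
    "tok_A": datetime(2024, 9, 1, 10, 0),   # cashed out within hours
    "tok_B": datetime(2024, 9, 1, 11, 0),   # dormant ~3 weeks, then cashout
    "tok_C": datetime(2024, 9, 1, 12, 0),   # ordinary cardholder usage
}
TRANSACTIONS = [  # (token, timestamp, amount)
    ("tok_A", datetime(2024, 9, 1, 14, 0), 900.00),
    ("tok_C", datetime(2024, 9, 2, 9, 0), 12.50),
    ("tok_C", datetime(2024, 9, 20, 18, 0), 640.00),
    ("tok_B", datetime(2024, 9, 22, 8, 0), 950.00),
    ("tok_B", datetime(2024, 9, 22, 8, 5), 980.00),
]

def fixed_window_rule(activated, txns):
    """Flag high-value spend only while the token is at most seven days old."""
    return [
        (tok, ts) for tok, ts, amt in txns
        if amt >= HIGH_VALUE and ts - activated[tok] <= EARLY_WINDOW
    ]

def token_age_aware_rule(activated, txns):
    """Flag a high-value transaction when it is the token's first use,
    however old the token is, and report the token age in days."""
    seen, flagged = set(), []
    for tok, ts, amt in sorted(txns, key=lambda t: t[1]):
        first_use = tok not in seen
        seen.add(tok)
        if first_use and amt >= HIGH_VALUE:
            flagged.append((tok, ts, (ts - activated[tok]).days))
    return flagged

if __name__ == "__main__":
    print("fixed window :", fixed_window_rule(ACTIVATED, TRANSACTIONS))
    print("token-age    :", token_age_aware_rule(ACTIVATED, TRANSACTIONS))
```

The fixed window misses tok_B, whose first transaction arrives 20 days after activation, while the established token tok_C is not flagged for its later high-value purchase.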
Source: Awesome Annual Security Reports - The reports in this collection are limited to content which does not require a paid subscription, membership, or service contract. (https://github.com/jacobdjwilson/awesome-annual-security-reports/)