2026 Cyber Threat Report: Key Findings
New analysis details how digital fraud escalated worldwide, with automated tools and synthetic identity tactics reshaping the threat landscape and exposing shifting targets across regions.
Briefing: Global Cyber Fraud Snapshot
| Region | Fraud Rate (%) | Notable Trends | Most Targeted Sectors and Why |
|---|---|---|---|
| Global | 1.6 | Across more than 100 billion transactions last year, fraud rose alongside a 19% jump in bot-driven and synthetic identity attacks, according to a March report from LexisNexis Risk Solutions. | Gaming and gambling (high-velocity activity that masks abuse). E-commerce (account takeover, promo abuse, and rapid resale incentives). Other sectors face lower overall exposure but rising spillover as attackers reuse tested playbooks. |
| North America | 2.2 | The overall rate held near 2.2%, yet the region saw a pronounced rise in desktop-focused attacks, the 2026 Cybercrime Report noted. | Desktop-browser sessions tied to high-value consumer and business workflows (attackers exploit familiar browser paths, stolen credentials, and inconsistent step-up checks). |

The report warned that increasingly sophisticated schemes relentlessly probe defenses to exploit lapses, targeting the vulnerable, the uninformed, or anyone momentarily distracted. Common examples include credential-stuffing and account-takeover campaigns, payment and refund manipulation, SIM-swap and help-desk social engineering, and stealthy bot traffic designed to mimic human behavior. These approaches often succeed by chaining small weaknesses such as reused passwords, weak or bypassable verification, misconfigured authentication flows, and delayed detection of anomalous session behavior.
Insights: Regional Patterns and Defensive Shifts
The Atlanta-based firm examined 116 billion digital events worldwide to calculate regional fraud rates, tracking payments, logins, and new-account openings through its identity network—a 12% increase in monitored volume year over year.
Generational behavior diverged: Younger users leaned into mobile apps for transactions, while older cohorts favored desktop and browser-based activity.
After a flat 2024, the global rate ticked up last year. A feared AI-fueled “fraud storm” did not fully materialize in 2025, but the data shows tactics are evolving and attack patterns are shifting.
AI is already changing both offense and defense. On the criminal side, operators use AI to draft convincing phishing lures at scale, generate realistic voice or video deepfakes for social-engineering and verification bypass, and automate reconnaissance such as scanning for exposed services or quickly iterating on exploit attempts. On the defensive side, AI is increasingly applied to anomaly detection across logins and payments, alert triage and correlation, faster identification of bot-like behavior, and semi-automated containment steps that reduce response time when attacks move too quickly for manual workflows.
Across 2026, many organizations expect pressure from familiar threat types that continue to mutate: ransomware that combines disruption with data theft, phishing and business email compromise that target payment processes, supply chain intrusions that leverage vendors and software dependencies, insider-driven misuse of access, and DDoS or other availability attacks used to distract teams or force concessions.
Risk remains uneven by sector. Healthcare, finance, government, critical infrastructure, and education are frequently treated as high-value targets because they hold sensitive personal data, rely on always-on operations, run complex third-party ecosystems, and often face constraints that complicate rapid patching and modernization.
Ransomware tactics are expected to keep evolving toward “double extortion” and beyond, with greater emphasis on data exfiltration, pressure campaigns that target customers or partners, attacks that seek out backups and recovery tooling, and broader use of ransomware-as-a-service models that let affiliates scale operations quickly while specializing roles across an underground supply chain.
Geopolitical tension remains a force multiplier. State-aligned actors and proxy groups blend espionage, disruptive operations, and influence objectives, while hacktivist campaigns can surge around elections, conflicts, and sanctions—creating a threat mix where the same incident can serve political aims and criminal monetization at once.
Human-led incidents grew a modest 8% versus 2024, while bot-triggered attempts surged 59%, underscoring the expanding role of automation in cyber operations.
In North America, adversaries increasingly target desktop sessions. Browser-based attacks on desktop more than doubled, while attempts against mobile apps fell 77% in the region.
As a result, North America exceeded the global average for desktop-browser attack rates and aligned with the worldwide average on mobile-app risk.
The report highlighted a sharp swing away from app-based targeting and toward browser exploitation during 2025.
Mobile app attack volume halved in 2025 across most regions except EMEA, while browser-based threats spiked. The downturn likely reflects organizations hardening app defenses after long treating that channel as relatively safe.
Zimperium, a Dallas-based provider of mobile security software for financial institutions and enterprises, reports that threat actors increasingly seed malware by enticing users to install free utilities—such as gaming titles or mortgage calculators—to compromise devices.
Once attackers gain persistence via malicious apps, they quietly execute small, repeated transactions to siphon funds and avoid detection.
Fraudsters can wake a device, open a banking app, sign in, and move money while the user is unaware. Their ability to persist and remain hidden enables these covert transfers, said Krishna Vishnubhotla, the company’s vice president of product strategy.
Zimperium, acquired by Liberty Strategic Capital for $525 million in 2022, deploys on-device tooling that guides users away from risky behaviors and alerts security teams when threats are detected.
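One way a fraud team could flag the small, repeated transfers described above, shown as an added example that is not from the report or from Zimperium. The event fields, account and payee names, and all threshold values are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (timestamp, account, payee, amount). Not real data.
SAMPLE_EVENTS = [
    ("2026-01-10T02:05:00", "acct-1001", "payee-77", 19.99),
    ("2026-01-10T02:40:00", "acct-1001", "payee-77", 24.50),
    ("2026-01-10T03:15:00", "acct-1001", "payee-77", 18.75),
    ("2026-01-10T04:02:00", "acct-1001", "payee-77", 22.00),
    ("2026-01-10T05:30:00", "acct-1001", "payee-77", 21.25),
    ("2026-01-10T11:00:00", "acct-1001", "payee-90", 10.00),
    ("2026-01-10T09:00:00", "acct-2002", "payee-12", 12.00),  # one per day:
    ("2026-01-11T09:30:00", "acct-2002", "payee-12", 15.00),  # never four
    ("2026-01-12T10:00:00", "acct-2002", "payee-12", 9.00),   # inside one
    ("2026-01-13T08:45:00", "acct-2002", "payee-12", 14.00),  # 24h window
    ("2026-01-10T12:00:00", "acct-3003", "payee-55", 950.00),
    ("2026-01-10T12:05:00", "acct-3003", "payee-55", 5.00),
]

# Assumed tuning values; the report gives no thresholds.
SMALL_AMOUNT = 50.00
WINDOW = timedelta(hours=24)
MIN_COUNT = 4

def find_drip_transfers(events, small=SMALL_AMOUNT, window=WINDOW, min_count=MIN_COUNT):
    """Alert on (account, payee) pairs with >= min_count sub-threshold transfers in one window."""
    recent = defaultdict(deque)  # (account, payee) -> (timestamp, amount) pairs still in window
    alerts = {}
    for ts_raw, account, payee, amount in sorted(events):
        if amount >= small:
            continue  # larger transfers are left to ordinary per-transaction rules
        ts = datetime.fromisoformat(ts_raw)
        key = (account, payee)
        q = recent[key]
        q.append((ts, amount))
        while ts - q[0][0] > window:  # drop transfers that aged out of the window
            q.popleft()
        if len(q) >= min_count:
            total = round(sum(a for _, a in q), 2)
            if key not in alerts or total > alerts[key]["total"]:
                alerts[key] = {"account": account, "payee": payee, "count": len(q),
                               "total": total, "first": q[0][0].isoformat(),
                               "last": ts.isoformat()}
    return sorted(alerts.values(), key=lambda a: (a["account"], a["payee"]))

if __name__ == "__main__":
    for alert in find_drip_transfers(SAMPLE_EVENTS):
        print(alert)
```

Each transfer here would pass a per-transaction amount check on its own; only the count and cumulative total per payee inside the window expose the pattern.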
For many organizations, improving cybersecurity hygiene still comes down to execution: enforce phishing-resistant multi-factor authentication where feasible, patch internet-facing systems quickly, harden identity and recovery paths, segment networks, protect and routinely test backups, monitor for anomalous access and data movement, train staff on social-engineering patterns, and rehearse incident-response decisions before a crisis compresses timelines.
Investigating and prosecuting cybercrime remains difficult. Cross-border jurisdictional friction, rapid infrastructure churn, encrypted communications, the use of intermediaries, and anonymizing payment rails can slow attribution and evidence collection, while many teams face resource constraints that make sustained pursuit of large, distributed operations hard to maintain.
A shortage of cybersecurity professionals compounds these pressures. Understaffed teams can struggle to keep up with patch cycles, alert volume, vendor risk reviews, and incident-response readiness, which can lengthen dwell time for attackers and increase the odds that smaller signals are missed until damage is already underway.
Recent large-scale breach disclosures have included:
- Change Healthcare: A ransomware-linked disruption that exposed the downstream risk of third-party concentration in healthcare operations and raised concerns about the potential theft of sensitive personal and health-related data.
- AT&T: Reported exposure of customer information that renewed attention on long-lived identifiers and the lasting fraud risk that follows large credential or account-data leaks.
- Ticketmaster: Reported theft and attempted sale of customer data, illustrating how consumer platforms can become attractive targets for monetization and follow-on phishing.
- Snowflake-related customer incidents: A wave of reported data theft tied to compromised credentials and insufficient account protections, highlighting how identity controls can be a decisive factor even when core infrastructure remains intact.

LexisNexis Risk Solutions attributed recent gains in fraud prevention to:
- Advances in defense technology.
- Refreshed regulatory frameworks.
- Deeper collaboration among institutions.

Even so, threat actors are refining operations and scaling their campaigns.
Cybercrime has become an industrialized business, with specialists handling access, social engineering, laundering, and monetization in parallel to speed up attacks and reduce friction.
Despite widely publicized raids, scam centers continue to expand globally. The sheer volume of people involved in this mature, industrialized enterprise strains fraud prevention teams worldwide, the report said.