For Visa and rival Mastercard, fighting the explosion of fraud attempts is both a big expense–and an opportunity for profit.
Visa’s Cyber Fusion Center in Ashburn, Virginia is so secure that Michael Jabbara, the San Francisco-based global head of fraud services for the credit card network, has trouble getting through its double set of doors. With a Forbes reporter in tow, he scans his badge to get through the first door, a sensor beeps, but it doesn’t unlock. Finally, with the help of the on-site security team, we get through both sets (the second requiring a fingerprint as well as an ID badge) and enter the Cyber Fusion Center, which sits at the heart of a secure 42-acre campus. Drive into this Visa complex without clearance from the security personnel manning the gate and you could end up in a drainage pond—a modern day protective moat.
Inside the Fusion Center, analysts monitor a large screen displaying a variety of data reflecting how smoothly Visa’s deluge of transactions–some 310 billion worth $15.9 trillion in 2024–are being processed worldwide, and where suspicious activity is high. “A lot of the suspicious attacks are handled in an automated fashion, but there are certain incidents that generate human intervention and then they get worked through a consistent playbook,’’ Jabbara explains.
His ID badge now working, Jabbara leads the way through yet another set of secure doors to the Situation Room, where a big screen displays more charts and lists, plus a news feed. In this room, employees are watching threats against Visa’s clients–the 14,500 financial institutions in more than 200 countries who are part of the world’s largest credit card network. Jabbara points to a chart that shows an ongoing brute force attack in which fraudsters are bombarding vendors with thousands of attempts to come up with an account number, expiration date and three-digit. CVV code that will work together. “Our aim is to make sure that we are detecting large-scale attacks that could result in catastrophic losses or loss to consumer confidence,” he says.
Within the Situation Room area is another smaller conference room that contains yet another Visa unit; the workers in this one monitor the cybersecurity of Visa’s own network operations. “One of the things that we’ve really benefitted from is having this close collaboration between cyber and fraud, because the threats are common, the actors are common,’’ says Jabbara. That’s particularly true, he says, as fraud rings have become more sophisticated and nation-states more involved in fraud as well as cyber attacks.
It’s late morning in Virginia, but as it turns to night, this center will empty out and Visa’s security centers in London, Bangalore and Singapore will handle more of the activity. In all, Visa now has more than 1,000 employees worldwide dedicated to risk and security and says it has invested $11 billion in anti-fraud technology in the past five years. At the same time, it’s been building a side business selling the fraud-fighting expertise it’s had to develop–some $1.5 billion of Visa’s $35.9 billion in 2024 revenue came from its sale of risk and security services.
Both fraud and fighting fraud are big businesses, with artificial intelligence increasingly driving growth on both sides. During Cyber Monday last November, Visa reported an 85% year-over-year increase in fraud attempts, and a stunning 200% increase for the first official weekend of holiday shopping –increases it attributes in large part to AI.
That word “attempts” is key, since most are thwarted, points out Steve Yin, global head of fraud at TransUnion. (The big credit bureau got 7% of its $4.4 billion in 2024 revenue selling fraud prevention software.) TransUnion estimates that 5.2% of all attempted digital transactions in the first half of 2024 involved suspected fraud, with the vast majority of those blocked.
Still, the cost of successful fraud is growing, albeit at a much slower pace than attempts. Juniper Research estimates that e-commerce fraudsters worldwide grabbed $44 billion in 2024 and will siphon off $107 billion by 2029–for a 19.5% compound annual growth rate. “It is a constant arms race,” observes Nick Maynard, vice president of fintech market research for Juniper.
On the fraudsters’ side, AI helps them launch more, and more sophisticated attacks, in a variety of ways. Among other things, they can impersonate people through deep fakes; launch mass attacks to find vulnerabilities in systems; use bots to navigate websites and extract information; and generate more believable emails that lead people to give up sensitive information.
The protectors are equally dependent on AI. Visa now uses 115 different cybersecurity tools that collect and analyze intelligence from more than 300 resources, reports Visa Chief Information Security Officer Subra Kumaraswarmy. The company has built some of those tools, including a behavior analytics platform and its threat intelligence fusion platform. It also works with cybersecurity tool vendors including Microsoft, Thales, IBM, Zscaler, Cloudflare, Checkpoint and Palo Alto Networks.
Because companies use so many different anti-fraud tools simultaneously, and because there are always new variants to fight, the anti-fraud business is also fertile ground for fintech startups. It’s notable that five companies on the Forbes 2025 Fintech 50 list–Alloy, DataVisor, Persona, SentiLink and Zip– help businesses prevent financial fraud, with each having its own specialty. DataVisor, for example, uses what’s known as “unsupervised” machine learning to find correlations in seemingly unrelated events that could represent previously undiscovered fraud rings or methods. Sentilink, which first made its mark fighting synthetic identify fraud (where scammers combine real Social Security numbers and fake names), recently developed a tool to catch assumed identity abuse, a new variant where fraudsters exploit real identities for people who entered the U.S. on temporary visas and have since left. (Synthetic and other fake identities are used, among other things, to acquire credit cards, take out car and personal loans and open bank accounts used in fraudulent schemes.)
Visa isn’t the only big credit card network treating fraud as not only a threat, but a business opportunity. In December, Mastercard, the #2 network, finalized the $2.65 billion acquisition of Recorded Future, an AI-heavy cybersecurity company with 1,900 clients in 50 countries and $300 million in annual revenues. Last year, before that deal was announced, Mastercard launched a service with Recorded Future that aims to alert banks more quickly when a credit card is likely to have been compromised. The partnership, it says, has doubled the number of potentially compromised cards identified. (Mastercard doesn’t disclose how much of its $28 billion in 2024 revenues came from selling security services.)
Within its own network, Mastercard has been using AI to stop fraud for more than a decade, notes Ranjita Iyer, executive vice president for cyber and intelligence solutions. Like Visa, it monitors transactions across its entire network, using AI to detect suspicious activity. Recently, she says, it has started using generative AI to predict what an individual merchant’s business at a certain time should look like. That allows it to alert merchants if actual patterns diverge from what’s projected, a possible warning flag of fraud.
Last year Mastercard also began selling banks an upgraded Decision Intelligence Pro system that uses AI to analyze and produce a risk score for each individual transaction in real time (less than 50 milliseconds), based on the purchase, the merchant, the cardholder, and other factors. The pitch is that it will not only detect more fraud, but produce fewer false positives, so fewer legitimate transactions will be blocked.
For all the AI-based systems fighting fraud, human behavior still plays a key role in enabling and stopping scams. “If you’re securing the data, if you’re securing the infrastructure, what’s the weakest link? It’s the consumer,” says Visa’s Jabbara. “There’s no patch that we can send out to consumers to make them be more security conscious. That’s why you’ve seen this massive proliferation of social engineering attacks, phishing scams, phishing, all of that.” In a TransUnion survey of adults in 18 countries, 49% said they were targeted by email, online, phone call or text messages during the second quarter of 2024.
One phishing scheme on the rise: fake cancellation messages, meaning texts or emails telling users that something they have bought or booked will be cancelled unless they log in using an included link. Of course if they do, their log-in credentials are stolen.
Earlier this month, when Visa announced a new “scam disruption practice” (a team that includes former law enforcement professionals as well AI developers and data visualization experts), Jabbara offered an intriguing example of the sort of scam that the team is targeting. Fraudsters were sending a phishing link from a dating website that looked like it was an identity verification page. But those who clicked were involuntarily enrolled in a monthly billing plan they never meant to sign up for. The team used the data from cracking that scam to look for others operating in a similarly deceptive fashion and turned up 12,000 “merchants” engaged in the ploy.
The rapid spread of that variant is evidence of another vexing development: fraud as a service. Just as companies like Visa and Mastercard are selling their antifraud expertise to others, so too are fraudsters selling their new schemes to other fraudsters. “These are very smart individuals and they’re very creative individuals,’’ Yin observes.
“It’s an ongoing battle,” says Yin, who expresses faith in the ability of the fraud deterrence industry to come up with approaches to keep the bad guys in check. One area TransUnion is working with clients on now is introducing more friction to today’s instant transactions—extra steps that won’t annoy a legitimate customer so much as to scare them off, but can deter fraudsters. Consumers, he says optimistically, “will embrace friction if they have a belief and an understanding that it’s actually helping them reduce the likelihood that they’re going to be a victim of fraud.”