U.S. payment fraud in 2026 looks different than it did three years ago, and the underlying defense stack has changed even more. Card-not-present fraud is still the loudest threat, but it is no longer the fastest-growing one. Authorized push payment fraud, the category in which a real customer is tricked into sending money to a scammer, has tripled in reported losses since 2022 according to FTC and Federal Reserve data. At the same time, AI-based real-time risk scoring has reduced traditional card fraud rates at major U.S. issuers to historical lows. The result is a payments security picture that is, for the first time, defined more by social engineering than by stolen card numbers.
This piece looks at what changed, what is working, where the defense is still losing ground, and which technology and regulatory shifts will define the next two years for U.S. issuers, acquirers, fintechs and consumers.
The fraud picture in the US payments stack right now
The headline numbers from the Federal Reserve Payments Study and Nilson Report together show U.S. card fraud losses sitting around $14 billion annually in 2025, a figure that has been roughly flat for three years even as transaction volume has grown by double digits. Behind that flat line is a real improvement in fraud rates. Per dollar transacted, card fraud is now lower than at any point this decade, and chargeback rates at the largest issuers have come down by 18 to 24% since 2022.
The category that has gone the other way is authorized push payment fraud. FTC data for 2024 shows nearly $3 billion in imposter scam losses (up from $2.7 billion in 2023), up from roughly $850 million in 2022. The dominant vectors are romance scams, business email compromise, fake bank impersonation, and crypto investment fraud, often combining several techniques in a single attack. Real-time payments rails, which by design cannot be reversed once a payment leaves the sending account, have made the consequences sharper.
AI risk scoring has taken over the first line of defense
Real-time risk scoring is now the default at every major U.S. issuer and at most acquirers handling more than a few hundred million dollars of volume. Visa Advanced Authorization, Mastercard Decision Intelligence, and the proprietary models at Capital One, JPMorgan and Discover collectively score the majority of U.S. card transactions in under 100 milliseconds. The technology stack underneath has shifted from rules engines to gradient boosting models to, in the past two years, transformer-based sequence models that consume the customer’s full transaction history rather than features extracted from it.
U.S. payment fraud loss categories, 2022 vs. 2025. Authorized push payment fraud is the fastest-growing category.The acquiring side has consolidated around a handful of specialists. Stripe Radar, Adyen RevenueProtect, Forter, Sift, Riskified and Signifyd compete on hosted fraud scoring for U.S. merchants. The differentiator at this point is data network depth rather than model architecture. The more merchants a vendor protects, the better the signal on cross-merchant device reputation, IP behavior and bot patterns.
The flip side is friction. False positives, where a legitimate customer is declined or step-up-challenged, still cost U.S. merchants more than fraud itself in lost revenue and abandonment. The 2024 LexisNexis True Cost of Fraud Study estimated that for every dollar of fraud loss, a U.S. merchant absorbs about $3.80 in associated costs once mitigation, manual review and lost-good-customer revenue are counted. AI risk scoring has improved this ratio, but it has not eliminated it.
Authorized push payment fraud is the bigger problem
The reason authorized push payment fraud is harder to defend against is structural. The fraudster does not breach a bank, an issuer or a card network. The fraudster talks the customer into sending money. By the time the bank sees the transaction, all the conventional fraud signals look normal. The customer is logged in. The device is recognized. The geographic location matches. The amount is consistent with prior behavior. The transaction is approved because it should be.
U.S. banks have responded with two main approaches. The first is friction at the moment of payment. Chase, Bank of America, Wells Fargo and most regional banks now run dynamic warning screens when a Zelle or RTP payment matches scam patterns. Second-look prompts, mandatory cooling-off periods on large first-time recipients, and required selection of payment purpose categories have become standard. Internal Bank of America data shared at a Federal Reserve roundtable in 2025 suggested these screens prevent meaningful single-digit billions of dollars of attempted fraud per year.
The second approach is reimbursement reform. The U.K.’s mandatory reimbursement model for authorized push payment fraud, in effect since October 2024, has been studied closely by U.S. regulators. The CFPB’s December 2024 proposed rule on EFTA liability for fraud-induced payments is widely expected to land somewhere between the U.K. model and the current U.S. approach, where banks are not generally liable for tricked-but-authorized transfers. The final rule, if issued in 2026, will reshape liability allocation across the U.S. banking sector.
Step-up authentication and what is actually changing for cardholders
3D Secure 2.x is now the default authentication path for U.S. card-not-present transactions of meaningful size. The friction has dropped substantially compared with the original 3DS, and the data exchange between issuer and merchant is rich enough that step-up challenges happen only when the model considers them necessary. Visa and Mastercard both report that the share of CNP transactions requiring a visible step-up has fallen below 8% at large U.S. merchants, down from 18% in 2022.
Passkeys are the most consequential newer authentication technology. By early 2026, most major U.S. issuers and several large merchants accept passkey-based authentication for high-value or risk-flagged transactions. The user experience is a fingerprint or face scan on the device the user already trusts. The fraud impact is significant because phishing the credential becomes an order of magnitude harder. The IBM 2025 Cost of a Data Breach report estimated that passkey adoption reduced credential theft losses at participating financial institutions by 36% in the first year of deployment.
For card-present transactions, contactless and tokenized cards now account for over 65% of in-person U.S. card volume. The remaining magnetic stripe share has dropped below 4%, mostly in cash-heavy verticals and small independent merchants. The fraud rate on contactless is meaningfully lower than on magnetic stripe, which is why issuers and networks continue to push deployment.
What US payment security looks like by 2027
Three forces will define U.S. payment security through 2027. The first is the rollout of consumer-facing protective tools by the major banks. Chase, Citi and several large credit unions have begun offering virtual card numbers and merchant-specific cards inside their primary banking apps. These act as fraud-circuit-breakers because a leaked virtual number is useless beyond the merchant it was issued for. Adoption is still under 20% of eligible customers, but the trajectory is steep.
The second force is the convergence of identity verification and payment authentication. Plaid, Persona, Alloy and the major bureau-backed services are building bundled offerings that combine document checks, behavioral biometrics, device intelligence and live data signals into a single decision API. Issuers using these bundles in their onboarding flows are reporting application fraud rates well under historical averages, often by half or more.
The third force is regulatory. The CFPB’s authorized-push-payment liability rulemaking, the OCC’s interpretive letters on AI risk model governance, and the FFIEC’s expected 2026 update to its authentication guidance will collectively rewrite what U.S. financial institutions must do at the boundary of fraud prevention. The institutions that have invested in real-time risk scoring, modern authentication and customer-facing protective tools enter that period in a strong position. Those that have not will find 2026 expensive.
The summary is that U.S. payment security has quietly become one of the most data-rich, AI-heavy operational functions in financial services, while at the same time the fraud problem has migrated to a category that is harder for traditional controls to stop. The next two years will be defined by whether the industry can extend the same level of investment that worked on card fraud into the authorized-payment problem, and by whether U.S. regulators can write a rulebook that holds banks, scheme operators and consumers accountable in proportion to their actual leverage over the outcome.
