March 2026 Fraud Update: AIT Tactics, Weaponized Trust, and a New Fraud Response Guide

March 2026 Fraud Update: AIT Tactics, Weaponized Trust, and a New Fraud Response Guide

Hey, builders! We’re back with a quick look at the fraud trends we’ve been tracking throughout Q1 2026. We’ll cover how artificially inflated traffic (AIT) patterns have evolved, as well as tactics we have seen that exploit customers with weak Know Your Customer (KYC) practices. We also break down the latest in phishing campaign evolution and their use of marketing templates.

This quarter, we’re also excited to share that Twilio has released a new step-by-step guide to help your organization navigate every phase of response, from verification to containment to remediation. Read on to learn more.

Fraud patterns we’re tracking in 2026

Emerging patterns in AIT

Fraudsters aren’t standing still. AIT tactics have evolved in Q1 2026 in ways that make traditional detection and prevention mechanisms harder to rely on. We’re also seeing a significant shift in both the sophistication and scope of AIT attacks:

• AIT with full workflow completion and OTP conversion: Fraudsters are increasingly using advanced automation tools and scripts that can fully mimic legitimate user behavior, including completing entire verification workflows and successfully converting one-time passwords (OTPs). Traditional defenses that rely on detecting incomplete workflows or failed OTP entries are becoming less effective as attackers now ensure OTPs are entered and the process is completed, making fraudulent traffic appear legitimate. Because this activity closely mirrors genuine user actions, you’ll need more advanced behavioral analytics and anomaly detection to identify AIT.
• Randomization of target numbers across multiple phone families: Historically, AIT attacks often targeted a series of numbers (e.g., +1234567890, +1234567891, etc.), making them easier to detect through pattern analysis. Fraudsters now randomize target numbers across various phone number families, including different carriers, regions, and number types (mobile, landline, and VoIP). This randomization reduces the effectiveness of simple pattern-based detection and increases the attack surface, making it harder to distinguish AIT from “organic” traffic.
• Geographic shifts in attacked countries: Attackers are shifting their focus to new geographies, often targeting countries with more stringent telecom regulations and lower SMS termination rates. We’re observing a rise in AIT activity across EU nations that have historically been considered low-risk zones. Fraudsters monitor and adapt to changes in local regulations, carrier filtering, and fraud prevention measures quickly, moving to new markets as old ones become less profitable.
• Expansion beyond 2FA traffic: AIT is no longer limited to 2FA or OTP workflows. We’ve seen an increase in attackers inflating traffic for other use cases. These cases include repeatedly requesting for app download links or surveys to artificially boost engagement metrics, as well as generating promo codes to exploit promotional campaigns. Generating these requests skews engagement analytics and increases the risk of financial loss.

We recommend customers adopt a multi-layered fraud prevention strategy that includes incorporating advanced analytics from SMS Pumping Protection and Verify Fraud Guard, rate limiting, real-time monitoring, and configuring SMS and voice geo permissions to block countries where there’s no business interest across all products.

Bad actors abusing free-text forms

Building on our 2025 analysis, threat actors are still systematically targeting Independent Software Vendors (ISVs) with weak KYC protocols. But this quarter, something more concerning is happening: bad actors are exploiting unstructured free-text fields within legitimate communication platforms.

In these campaigns, bad actors exploit established communication channels. Sometimes, they intentionally omit malicious URLs or flagged keywords to bypass standard automated content filters. Their strategies include nudging the victim to unmonitored or encrypted environments, such as another app, or contacting a victim via email or phone, where the scam can be completed without oversight. ISVs can unknowingly become a delivery channel for this traffic if their web forms lack proper safeguards or if their end users’ forms are unsecured.

The most effective defense strategy is multi-layered, starting with strong KYC checks and controls at every point where unstructured input enters your system.

Email marketing template abuse

Phishing attacks became more targeted this quarter. Bad actors are now sending phishing emails using marketing templates. Phishing volume for these specific templates nearly doubled in Q1 2026 alone. While these emails look professional, always verify that the "From" address matches the official company domain since fraudsters often hide behind legitimate-looking templates. Also, hover over buttons to inspect the destination URL for suspicious redirects or unfamiliar domains before clicking any call-to-action button or link. In general, it’s also good practice to not accept unexpected invites and call-to-action requests.

Introducing the Twilio Fraud and Abuse Response Guide

The best defense against fraud is preparation before the first suspicious packet even hits your Twilio service. But even with the strongest prevention in place, Twilio wants to ensure that if fraud were to occur to your accounts or applications, you have all of the resources at your disposal to respond immediately. That’s why we’re excited to release a mission-critical resource for operating production applications with Twilio safely: the Twilio Fraud and Abuse Response Guide.

Why this guide?

Think of this guide as your "In Case of Emergency, Break Glass" manual. While Twilio provides tools like MFA, Verify Fraud Guard, and SMS Geo Permissions to stop bad actors at the front door, this guide is designed to help you navigate the entire lifecycle of an incident. Twilio may have reached out and may have even taken proactive measures to suspend your account due to detected fraud on our end. Or, your own organization may have observed suspicious billing or usage activity. In either case, this guide will help you get back on your feet and ensure the threat is contained and prevented in the future. Stop fraud in its tracks by understanding how to verify threats, contain bad actors, and fix the root cause for good.

Until next quarter, stay alert and we hope these additional resources help you keep your customers safe. Cheers from Twilio!