Fraud trends in 2026: from simple attacks to complex schemes

April 8, 2026, 11:51, Society

Analysts from MegaFon, Mail, and Kaspersky Lab jointly studied data for the first quarter of 2026 and identified key trends in digital fraud. Attackers are actively adapting to user behavior, using both traditional scenarios and new approaches and covering several communication channels at once: SMS and voice calls, email, and messengers.

According to MegaFon, cybercriminals are increasing their activity across all channels. In the first quarter of 2026, over 107 million calls were blocked due to suspected fraud, an 18% increase compared to the first quarter of 2025. A similar trend is observed with SMS: nearly half a billion messages were blocked due to suspected fraud and spam, which is 15% higher than last year's figures. At the same time, the number of complaints from subscribers about fraud has decreased, meaning that a large portion of threats was neutralized before users encountered them.

Attackers are increasingly combining channels: a phishing email leads to a fake website, and after entering data, the subscriber receives a call from a "specialist" who offers to install "protection", which is actually a malicious application. Because attacks are becoming multichannel, protection is built at different levels: operator filters block dangerous traffic, antivirus software tracks malicious applications, and the mail service filters phishing emails.

"Phishing and fraudulent messages are becoming the main way for malware to penetrate phones. We recorded a surge in smartphone infections last year, and this trend is intensifying: in the first quarter of 2026, MegaFon identified 124% more infected devices compared to the same period last year," said Sergey Khrenov, director of the fraud prevention and revenue loss department at MegaFon.

In the first quarter of 2026, the number of malicious emails blocked by Mail decreased by 5.6% to 6.7 billion compared to 2025. Current trends include emails disguised as notifications from government services threatening fines, and messages about debts. In March, emails about deliveries offering to accept flowers or gifts for a gender holiday were particularly popular. These emails look like friendly congratulations but lead to resources where attackers obtain personal data and access to users' finances. Smart systems blocked 81.7 million unwanted emails daily, which is 3.6% more than in the same period last year. Despite the increase in spam blocking, the overall share of such emails decreased by 34% compared to the first quarter of 2025.

"We are actively developing anti-spam technologies and retraining ML models: this allows us to block threats effectively and in a timely manner. AI anonymously checks content for vulnerabilities and blocks them, separately marking messages from genuine senders with a green shield icon," comments Dmitry Moryakov, head of the spam analysis group at Mail.

Analysts at Mail note that besides "gift" and tax service spam, classic formats of spam and phishing remain. The most popular in this category were fake investments, with a share of 47%. Spam related to casinos (gambling) and fake info products was also common, accounting for 31% and 22%, respectively.

Kaspersky Lab notes that in the first quarter, attackers continued to use scenarios from the previous year while simultaneously testing new approaches. Overall, there is a noticeable trend towards more complex attacks: multi-stage schemes with sequential interaction with the victim and the use of various communication channels are applied increasingly often.

"At the end of 2025, we recorded a wave of targeted attacks on medical institutions in Russia: malicious emails were sent on behalf of insurance companies and hospitals and were related, for example, to patient complaints within the framework of compulsory medical insurance.
By February 2026, similar approaches began to be used against industrial enterprises: emails imitated notifications about supposedly identified violations, and inside archives, as before, a backdoor called BrockenDoor was hidden, allowing remote access to devices and data theft. In January 2026, a large-scale campaign by the Silver Fox group was also recorded: organizations received emails disguised as notifications from tax authorities. In total, over 1,600 such messages were discovered in a month; previously unknown loaders and the Python backdoor ABCDoor were used in the attacks," comments Andrey Kovtun, head of the mail threat protection group at Kaspersky Lab.

Copyright © 1999—2025 NIA "Nizhny Novgorod".

News of Nizhny Novgorod