
Payments Security Enters a New Era: Agents, Identities, and Quantum Threats

Discover 2026's top payment security trends: Agentic Commerce, deepfake identity fraud, and Post-Quantum Cryptography. Learn how to build a resilience-first defense.

 

The opening weeks of 2026 signal a fundamental paradigm shift in the payment security landscape. A dominant trend is the institutionalization of “Agentic Commerce,” which moves the primary merchant challenge from blocking bots to authenticating authorized AI agents. Concurrently, fraud vectors are migrating “upstream,” transitioning from transaction-level theft to total identity-level compromise via deepfake-enabled scams. This blog details the emergence of three key trends shaping payment fraud: physical infrastructure threats like SMS Blasters, AI-driven identity fraud, and the critical multi-year migration to Post-Quantum Cryptography (PQC). To maintain parity with high-velocity threats, financial institutions must move beyond static defenses toward real-time, cryptographic, and behavioral trust frameworks.

1. Agentic Commerce & The “Cryptographic Handshake”

The Identity Crisis: Legitimate Agents vs Malicious Bots 

By early 2026, AI software agents capable of executing autonomous purchases have entered the mainstream. However, these agents often trigger legacy fraud filters by mimicking the high-velocity behaviors typically associated with credential stuffing or Account Takeover (ATO). Commonly used patterns and protocols include Trusted Agent Protocol (TAP), Agent Pay Acceptance, and Agentic Commerce Protocol (ACP). Malicious actors are already attempting to “spoof” agent headers to bypass CDN-layer bot mitigation. Furthermore, the legal liability for “unintended” agent purchases remains a significant gray area between platforms and merchants.
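The following is an added example, not code from SISA or from any of the agent protocols named above. It shows why a request that merely copies an agent's headers fails where a signed one passes, using the RFC 9421 HTTP Message Signatures that this post recommends to merchants. It assumes the `hmac-sha256` algorithm from RFC 9421 so that it runs on the standard library alone; the key registry, key id, host and agent name are constructed, and the parser accepts only the single label `sig1`.

```python
import base64, hashlib, hmac, re

# Constructed demo registry (keyid -> shared secret); all names here are assumptions.
AGENT_KEYS = {"demo-agent-key": b"constructed-demo-secret"}
MAX_AGE = 300  # assumed policy: accept signatures created within 5 minutes
REQUIRED = {"@method", "@authority", "@path"}  # components a signature must cover

def demo_request():
    """Constructed sample request an agent might send to a merchant."""
    return {"method": "POST", "path": "/checkout",
            "headers": {"host": "shop.example", "user-agent": "DemoShoppingAgent/1.0"}}

def signature_base(req, covered, params):
    """Build the RFC 9421 signature base: one line per covered component."""
    derived = {"@method": req["method"].upper(),
               "@authority": req["headers"]["host"].lower(), "@path": req["path"]}
    lines = [f'"{c}": {derived[c] if c.startswith("@") else req["headers"][c].strip()}'
             for c in covered]
    return "\n".join(lines + [f'"@signature-params": {params}']).encode()

def sign(req, key, keyid, created):
    """Agent side: attach Signature-Input and Signature headers."""
    covered = ["@method", "@authority", "@path", "user-agent"]
    params = '(%s);created=%d;keyid="%s";alg="hmac-sha256"' % (
        " ".join(f'"{c}"' for c in covered), created, keyid)
    mac = hmac.new(key, signature_base(req, covered, params), hashlib.sha256).digest()
    req["headers"]["signature-input"] = "sig1=" + params
    req["headers"]["signature"] = "sig1=:%s:" % base64.b64encode(mac).decode()
    return req

def verify(req, now):
    """Merchant side: True only for a fresh signature from a registered key."""
    h = req["headers"]
    # Simplified parser: one label (sig1), parameters in the order sign() emits.
    m = re.fullmatch(r'sig1=(\(([^)]*)\);created=(\d+);keyid="([^"]+)";alg="hmac-sha256")',
                     h.get("signature-input", ""))
    s = re.fullmatch(r"sig1=:([A-Za-z0-9+/=]+):", h.get("signature", ""))
    if not m or not s:
        return False  # agent-looking headers alone prove nothing
    params, inner, created, keyid = m.groups()
    covered = re.findall(r'"([^"]+)"', inner)
    key = AGENT_KEYS.get(keyid)
    if key is None or not REQUIRED <= set(covered) or abs(now - int(created)) > MAX_AGE:
        return False
    try:
        expected = hmac.new(key, signature_base(req, covered, params), hashlib.sha256).digest()
        return hmac.compare_digest(expected, base64.b64decode(s.group(1)))
    except (KeyError, ValueError):
        return False  # covered component missing, or malformed base64
```

RFC 9421 also defines asymmetric algorithms such as `ed25519`, which let a merchant verify an agent without holding a secret that could be used to sign on the agent's behalf.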

2. The AI-Driven Identity Battle: Upstream Fraud

2.1 The “Phantom Hacker” 3-Step Chain 

Generative AI has industrialized “Phantom Hacker” scams (where criminals impersonate tech support, bank representatives, or government officials to trick victims into believing their assets are compromised), moving fraud from the point of sale to the point of identity. The three-phase scam takes a structured approach that involves: 

  1. The Lure: AI-authored alerts notify users of a fabricated security breach. 
  2. The Hook: Hyper-realistic deepfake voice or video calls convince victims to move funds to “protected” accounts. 
  3. The Drain: Once “upstream” access to the banking identity is secured, attackers execute Authorized Push Payments (APP) or Account-to-Account (A2A) transfers. 

2.2 Identity vs. Transactional Compromise 

Fraud is no longer about stealing a card number; it is about owning the profile. When an attacker compromises an identity via synthetic IDs or deep impersonation, transaction-level rules (e.g., spending limits) become ineffective because the attacker possesses the “authority” to override them.

3. Infrastructure & Network Threats

3.1 SMS Blasters: Bypassing the Carrier 

Criminal organizations are increasingly deploying “SMS Blasters” (localized IMSI catchers). These devices mimic legitimate cell towers to force nearby mobile devices to connect. The impact is that messages bypass carrier-level security filters, delivering smishing lures directly to devices with high-trust signals. Users may experience a brief “No Service” state followed by immediate receipt of high-fidelity, urgent retail or tax alerts. 

3.2 Post-Quantum Cryptography (PQC) Migration 

Following the finalization of NIST’s FIPS standards (203, 204, and 205), the migration to quantum-resistant algorithms has begun. Two key developments are underway and are expected to gather momentum as PQC adoption accelerates.

  • The “Harvest Now, Decrypt Later” Threat: Attackers are harvesting encrypted payment data today, intending to decrypt it once quantum computing matures.
  • Operational Impact: PQC algorithms like ML-KEM require larger keys and signatures, increasing secure connection bandwidth by 15-20%.

Conclusion 

As we navigate 2026, cybersecurity is no longer a peripheral technical concern; it is the foundational pillar of global commerce. The convergence of Agentic Commerce, SMS Blaster technology, and Quantum-readiness demands a “resilience-first” mindset. Success in this new era requires moving beyond static prevention toward a dynamic, cryptographic trust model that can authenticate intent and identity in real-time, across every layer of the payment ecosystem. SISA recommends that organizations take proactive, security-first measures to strengthen their defenses, including the key steps outlined below:

For Infrastructure Providers: Inventory all RSA/ECC dependencies and begin firmware updates to support ML-KEM and ML-DSA for long-term data protection.  

For Merchants: Adopt RFC 9421 HTTP signatures to distinguish between “trusted” AI agents and malicious bots.  

For Compliance Officers: Implement “Know Your Agent” (KYA) procedures. Update due diligence to focus on the authorization chain between the human user and their software agent.

For more insights into emerging payment threats, download the latest Payment Intelligence Report or read the Weekly Threat Watch. 

 
