Quick answer: why does the protection gap matter for internet service providers (ISPs)?
Most internet service provider (ISP) security offerings are built around antivirus, which detects malicious files. The majority of consumer financial losses today come from social engineering attacks (fake websites, SMS scam links, phishing messages) that don't involve malicious files and don't trigger antivirus detection. ISPs and mobile virtual network operators (MVNOs) can close this gap by offering scam protection as a cyber security value-added service through F‑Secure Horizon, with no custom development required and pricing from EUR 99 per month.
52% of scam victims lost money last year. That figure has more than doubled since 2025 (F-Secure Scam Intelligence and Impacts Report 2026).
What changed is not the volume of attempts. It's the method. The fraud doing the most financial damage today doesn't arrive as a malicious file. It arrives as a text message pretending to be a parcel delivery service, a fake banking login page that looks identical to the real one, or an AI-generated message using the name and photo of a real financial adviser. None of these trigger antivirus detection. They don't need to.
80% of consumers expect their provider to help keep them safe online. 93% say it matters that their telco offers cyber security (F-Secure Digital Trust Report 2026). When a subscriber loses money to a fraud type that an ISP's security offering wasn't built to catch, the trust damage lands on the provider.
This piece covers what the protection gap actually looks like, why it's a commercial problem as much as a security one, and how ISPs and MVNOs can close it by adding scam protection as a cyber security value-added service.
What this article covers
How the dominant consumer threat shifted from malicious files to social engineering.
Where antivirus stops and where scam protection starts.
Why the gap is a commercial and retention problem as much as a security one.
How ISPs and MVNOs can add scam protection as a value‑added service through F‑Secure Horizon in days.
How the threat has changed
For most of the history of consumer cyber security, attacks came through files. Criminals embedded malicious code in downloads and found ways to get it onto devices. Antivirus was built for exactly that, and it still works well against file-based threats.
The problem is that file-based threats are no longer where most consumer financial harm happens.
Today's dominant attacks are social engineering. A subscriber taps a link in a fake parcel text. A website opens that looks exactly like their bank. They enter their card details. The site captures them. No malicious file was downloaded. No executable ran. The antivirus had nothing to scan.
89% of scammers' AI use now focuses on improving the quality of their bait.
84% of consumers worry AI will make it impossible to tell what is real online.
AI‑written phishing attacks carry a 54% click-through rate vs 12% for standard attempts.
Source: F‑Secure Scam Intelligence and Impacts Report 2026; Global Anti‑Scam Alliance
Consumer education still matters. But when the message and the website look real, awareness alone isn't enough. Active technical protection at the interaction layer is what's missing.
F‑Secure Total is built to address the fraud types responsible for the majority of actual consumer financial harm today: SMS scam links, phishing websites, fake online stores, and social engineering attacks arriving through the channels subscribers use daily for banking and commerce.
What antivirus covers and where the gap opens
Antivirus is still a relevant product. Many scams use malware to steal money and information from devices. But malware is no longer the dominant threat model for consumers.
Antivirus operates at the device file system level, identifying and neutralizing malicious code before it can execute. It remains essential for the threats it was designed to address: malware, ransomware, trojans, and infostealers. Any credible consumer security offering needs endpoint protection as part of it.
The gap opens when the attack doesn't touch the file system at all.
Consider a fake delivery text. The subscriber taps the link. A realistic website opens. They enter payment details. The site captures them. At no point was antivirus given anything to detect. The attack succeeded not by defeating the protection, but by operating in a channel the protection was never designed to cover.
The same gap applies to investment scams arriving through social media, fake banking sites, AI‑generated messages impersonating known contacts, and SMS scams mimicking trusted services. These are the fraud types responsible for the majority of consumer financial losses in 2026, and they share one characteristic: they target human judgment, not device architecture.
52% of scam victims lost money in 2026, more than double the 2025 rate.
The most common scam types: fake invoice (20%), investment fraud (19%), banking and payment scams (11%).
Source: F‑Secure Scam Intelligence and Impacts Report 2026
A subscriber who loses money to any of these wasn't let down by their antivirus. They were let down by a security offering that didn't extend to where the attack happened.
Two complementary protection layers: device security and scam protection
Both layers are necessary. Neither replaces the other.
| Dimension | Device security (antivirus) | Scam protection |
|---|---|---|
| Primary threat addressed | File-based malware: viruses, trojans, ransomware | Social engineering: SMS scams, fake websites, phishing links, investment fraud |
| Detection method | Signature-based and heuristic file scanning | AI‑powered behavioral pattern recognition |
| Channel coverage | Device file system | Browsing, SMS, transactions, links, online stores |
| Consumer experience | Background scanning | Real-time warnings at the moment of risky interaction |
| What it doesn't cover | SMS links, fake websites, AI‑generated scam messages | File-based malware (needs antivirus alongside it) |
| 2026 relevance | Essential but insufficient alone | Closes the gap device security leaves open |
The question for ISPs and MVNOs is not whether to offer antivirus or scam protection. It's whether the current offering covers both. For most providers running a legacy security service built around antivirus, every subscriber who has ever tapped a link in a text message is in the gap.
The commercial case for acting now
The protection gap isn't only a security problem. For ISPs and MVNOs, it's a revenue problem, a retention problem, and a competitive positioning problem.
Retention
F‑Secure service provider partners report a 30–60% reduction in core service churn when security is offered as a value-added service alongside connectivity; these figures are market and partner dependent. 69% of consumers say they'd consider switching provider based on the strength of a security offering (F-Secure Digital Trust Report 2026). The subscriber who switches for security doesn't come back only for a lower price.
Revenue
Partners typically achieve 40–60% margin on consumer cyber security services, depending on pricing and market positioning. 51% of consumers say they'd pay for scam protection. That's more than one in two subscribers in an existing base representing an addressable revenue opportunity with no new customer acquisition needed (F-Secure Scam Intelligence and Impacts Report 2026).
Differentiation
Providers who move now are building an advantage that competitors who wait will find increasingly difficult to close. The subscriber who loses money to a scam the security offering didn't catch isn't just a support ticket. They're a churn risk and a trust deficit that takes time to recover from.
93% of consumers say it's important their telco offers cyber security.
80% expect their provider to help keep them safe online.
69% would consider switching provider based on the strength of a security offering.
Source: F‑Secure Digital Trust Report 2026
The regulatory context
The commercial case stands on its own. The regulatory direction adds further weight.
NIS2 across EU markets
The Network and Information Security Directive 2, formally Directive (EU) 2022/2555, came into force across EU member states in October 2024. It explicitly includes telecoms operators and digital infrastructure providers within its cyber security framework. NIS2 doesn't mandate consumer-facing scam protection specifically. What it does is raise the baseline expectation placed on digital service providers around risk management and the security of services delivered to end users. Providers already investing in consumer protection are ahead of that direction. This is not a compliance claim, and this article does not constitute legal or regulatory advice. Partners should confirm their specific obligations with their legal teams.
The UK Online Safety Act
The UK Online Safety Act 2023, in force from 2024, places duties on regulated services to protect users from illegal content including financial fraud. Its primary obligations fall on platforms rather than connectivity providers, but it has materially raised the regulatory conversation about provider accountability for consumer safety online. The National Cyber Security Centre has published guidance addressing telecoms provider responsibilities in this area.
Neither framework requires a specific product response. Both signal that the direction of regulatory expectation is upward, not stable.
How ISPs and MVNOs can close the gap
Through F‑Secure Horizon, adding scam protection as a cyber security value-added service doesn't require a security engineering team or months of development. Most partners go from sign-up to live service within 3–5 business days.
F‑Secure Total Core, the consumer product partners offer through F‑Secure Horizon, combines device security with AI‑powered SMS Scam Protection, browsing and phishing protection, banking protection, and fake website detection. F‑Secure Total Complete adds ID Monitoring, a Password Vault, and VPN.
The partner creates subscriptions through the F‑Secure Horizon console. F‑Secure manages the consumer-facing experience: the welcome email, installation reminders, product updates, and 24/7 end-customer support. The partner tracks activation rates, usage, and commercial performance through the Grow module.
F‑Secure Horizon starts at EUR 99 per month with no setup fee and no long-term contract. Full pricing details and a revenue calculator are at f-secure.com/en/partners/solutions-and-services/horizon/pricing.
Partners can go from sign-up to live service within 3–5 business days. No custom development required.
Key takeaways
For ISP product directors, MVNO commercial leads, and telco partnership teams:
The fraud your subscribers face has shifted from infected files to AI‑powered deception.
Antivirus remains a necessary part of the protection stack, but it wasn't built for the social engineering attacks responsible for most consumer financial losses today.
Adding scam protection through F‑Secure Horizon closes that gap without custom development or a security engineering team.
Consumer demand is established, and the commercial case is documented. Most partners are live in days.
Frequently asked questions
Fake delivery texts are social engineering attacks, not file-based malware. Traditional antivirus operates at the device file system level and has nothing to detect when a subscriber taps a fraudulent link: no malicious file is downloaded, so no signature fires. F‑Secure Total's AI-powered SMS Scam Protection operates at the interaction layer, helping identify suspicious links before the subscriber engages with them. The F‑Secure Scam Intelligence and Impacts Report 2026 identifies SMS as the second most common scam delivery channel globally.
No. Antivirus remains relevant and should stay in the stack. File-based threats (malware, ransomware, trojans) haven't disappeared, and antivirus is still the right tool for addressing them. F‑Secure Total Core combines device security and AI‑powered scam protection in a single product, so subscribers get both layers of coverage without needing separate tools.
Most partners are live within 3–5 business days of signing up to F‑Secure Horizon. No custom development is required to start. Partners can begin with manual subscription management and introduce API-based automation as volumes scale. F‑Secure Horizon handles marketing materials, subscription management, analytics, and end-customer support. F‑Secure Horizon starts at EUR 99 per month with no setup fee.
Partners typically achieve 40–60% margin on consumer cyber security services, depending on pricing and market positioning. F‑Secure service provider partners report a 30–60% reduction in core service churn when security is offered alongside connectivity; these figures are market and partner dependent. 51% of consumers say they'd pay for scam protection (F-Secure Scam Intelligence and Impacts Report 2026). These are directional figures, not guaranteed outcomes for every partner.
Adding a consumer cyber security service through F‑Secure Horizon does not in itself create new compliance obligations. F‑Secure Horizon is ISO/IEC 27001 certified. Partners should confirm with their legal and compliance teams how existing data processing agreements reflect the addition of a new service. In the context of NIS2, proactively investing in consumer security is aligned with the direction of EU regulatory expectations. This is not a compliance claim.
The gap is commercial, not just technical
The fraud your subscribers face has shifted from infected files to AI‑powered deception. Antivirus remains a necessary part of the protection stack, but it wasn't built for the social engineering attacks responsible for most consumer financial losses today.
Providers who recognize that gap and act on it are building subscriber trust, reducing churn, and generating recurring margin from a service their customers already want and expect. Consumer demand is established. The commercial case is documented. The platform to deliver it is ready in days.
About the author
F‑Secure Partner Content Team
Cyber Security Content Specialists, F‑Secure
This article is produced by the F‑Secure Partner Content Team using insights from the F‑Secure Scam Intelligence and Impacts Report 2026, the F-Secure Digital Trust Report 2026, the Global Anti-Scam Alliance (GASA) Global State of Scams Report 2025, and partner program data. F‑Secure has more than 37 years of experience in cyber security research and partner services. F‑Secure Horizon is ISO/IEC 27001 certified.
Last updated: June 2026
