On this page · 9 sections
Summary. Apple introduced Trust Insights at WWDC 2026 on June 9, a new iOS 27 framework that helps an app detect, in real time, when its user is being coached through a scam. It runs mostly on-device, assigns a medium or high risk level from behavioural signals, and lets the app add a warning, a delay, or an extra verification step before money moves. The timing is not academic: United States consumers reported $15.9 billion in fraud losses across 3 million reports in 2025, per the FTC, and TransUnion found 7.1% of Indian transactions were suspected fraud in 2025, nearly double the global rate of 3.8%. Trust Insights covers five operation categories, from .payment to .account, and never inspects the contents of Photos, Messages, or Mail. For a retail, D2C, or fintech brand, it is a new control point in the exact moment a customer is most at risk.
Social engineering is the fraud that firewalls miss. The user is not hacked; they are frightened or persuaded into sending the money themselves. That is why an on-device signal that fires mid-interaction matters more than another rule in your backend, and why trust-and-safety teams should be reading the Trust Insights documentation now, not after the September launch.
Why Apple built Trust Insights
The scam economy is large and growing. The FTC's Consumer Sentinel data recorded $15.9 billion in reported fraud losses in 2025, up from more than $12 billion the year before, across about 3 million reports, per the agency's testimony to the Joint Economic Committee. Imposter scams alone caused $3.5 billion in losses, as the FTC reported separately. Christopher Mufarrige, director of the FTC's Bureau of Consumer Protection, put the stakes plainly: "Consumers derive enormous benefits from competitive markets built on truthful information. But fraud undermines that foundation, impeding the market process and preventing markets from operating efficiently."
The common thread in modern fraud is coercion. A caller poses as a bank, a tax officer, or a delivery agent, and talks the victim through the steps of moving their own money. Traditional defences see a logged-in user performing an authorised action, so they wave it through. Trust Insights targets exactly this gap, described by Apple's WWDC26 session as one of the hardest fraud scenarios to stop, because the user is pressured into performing the risky action themselves rather than being hacked.
How Trust Insights works
Trust Insights combines device and cloud infrastructure, but your integration is entirely client-side through a Swift API, per 9to5Mac's report. The framework runs mostly on-device and analyses interaction patterns, timing, context, and basic sensor data. Crucially, it does not inspect the contents of Photos, Messages, or Mail; it reads behavioural signals and immediately discards the underlying data, and those device-derived signals are not shared with Apple or third parties.
When it sees signs of manipulation, it assigns a medium or high risk level, and your app decides what to do with that: show a warning, add a delay, or require a stronger verification step. The user stays in control. Trust Insights can be turned off per app in Settings, but Apple adds a cooldown period before the change takes effect, specifically to protect a user who has been coached by a scammer into disabling it.
The framework organises everything around five operation categories, so the model logic matches the action your app is about to take.
| Operation category | What it covers | Example in a consumer app |
|---|---|---|
| .payment | Any exchange of money, assets, or content | A wallet transfer or in-app purchase |
| .account | Updating account details or security info | Changing a payout bank account |
| .resourceUse | Costly or constrained infrastructure | Triggering expensive AI inference |
| .communication | Sending messages, forms, or signed documents | Submitting a KYC form |
| .other | A fallback for anything else | A one-off sensitive action |
What it means for consumer and fintech brands
For a trust-and-safety team, Trust Insights is a new signal to fold into an existing risk decision, not a replacement for it. The value is timing. Your backend fraud checks run before or after a transaction; Trust Insights fires during the interaction, when the customer is on the phone with the person coaching them. That lets you insert a well-designed pause at the one moment it can change the outcome.
The design work is where brands will differ. A blunt "this may be a scam" banner trains users to dismiss it. A high-risk .payment signal on a first-time payout to a new account might instead trigger a 60-second hold and a plain question about who asked for the transfer. The framework gives you the risk level; your product team owns the intervention. For fintech and payments apps, this is a direct lever on authorised push payment fraud, the category regulators increasingly expect firms to address.
There is also a measurement upside. Because Trust Insights requires feedback, integrating it forces a discipline many teams lack: closing the loop between a risk flag and the real outcome of the transaction.
How to integrate it
Integration is a defined sequence rather than a black box. You declare the Trust Insights entitlement through Xcode, build a parameter pack of the insights you want, and call the InsightEvaluator with the operation category that fits the action, as the developer write-ups describe. The evaluation returns a risk level your code acts on.
Two feedback types keep the model accurate, and both are required. Real-time consumption feedback reports how your app responded to a given insight, and offline feedback reports transactions that later proved fraudulent. This is not optional telemetry; it is how the system learns which of your interventions worked. Plan for it in your data pipeline from the start, and treat the feedback path as part of the feature, not an afterthought.
| Risk level | What it signals | A sensible app response |
|---|---|---|
| No elevated risk | Normal interaction | Proceed as usual |
| Medium | Some signs of possible manipulation | Add friction: a confirmation or short delay |
| High | Strong signs the user is being coached | Hold the action; require stronger verification |
India-specific considerations
India is one of the most important markets for a feature like this. TransUnion's H1 2026 report, released on June 16, found that 7.1% of Indian transactions were suspected digital fraud in 2025, nearly double the global average of 3.8%, per Outlook Business. Fraud risk in India concentrates at account login (3.9%) and account creation (3.1%), and Business Standard reported logistics, telecom, and insurance as the highest-risk sectors, at 16.3%, 14.7%, and 11.5% respectively.
Two India factors shape how you use Trust Insights. First, it maps neatly onto local scam patterns: the "digital arrest" and fake-bank-caller scams that plague Indian users are textbook coercion, exactly what a mid-interaction signal is built to catch. Second, the Digital Personal Data Protection Act, 2023 (DPDP) governs how you handle the personal data around these flows. Trust Insights helps here because it reads behavioural signals on-device and discards the raw data, so adopting it does not add a new pool of sensitive content for you to protect. For a broader view of secure product design, see our note on enterprise AI and security strategy.
| Fraud signal | United States (2025) | India (2025) |
|---|---|---|
| Overall scale | $15.9 billion reported losses (FTC) | 7.1% of transactions suspected fraud |
| Benchmark | 3 million fraud reports filed | Nearly 2x the 3.8% global average |
| Concentration | Imposter scams: $3.5 billion | Logistics sector: 16.3% fraud rate |
A trust-and-safety playbook for the beta window
You do not need to wait for the September release to prepare. The public beta from mid-July gives trust-and-safety and product teams roughly two months to design and test interventions on the real framework. Use the window in four steps.
Start by mapping your riskiest flows to the five operation categories. A first-time payout to a new bank account is an .account and .payment moment; a KYC submission is .communication. List the three or four flows where a coached user could do the most damage, because those are where a Trust Insights signal earns its place.
Next, design the intervention, not just the alert. Decide what a medium risk and a high risk should each do in each flow. Medium might add a confirmation screen with a plain-language question; high might hold the action and route it to step-up verification. Write these as product rules your team agrees on, so the response is consistent rather than improvised per screen.
Then wire the feedback path early. Because Trust Insights requires both real-time and offline feedback, build the plumbing that reports how your app responded and which transactions later proved fraudulent. Teams that treat this as core rather than an afterthought get a model that improves and a fraud view that finally ties flags to outcomes.
Finally, measure the trade-off. Every added step of friction costs some conversion, so instrument both sides: fraud prevented and legitimate transactions delayed or abandoned. The goal is a targeted intervention that fires on genuine coercion signals and stays invisible the rest of the time. A blunt banner on every payment trains users to ignore it and erodes trust in your own product.
Treat the beta as a design exercise. By the time iOS 27 reaches the wider fleet in September, you want interventions tested against real signals, tuned to your fraud data, and owned by a named team, not a rushed banner bolted on at launch.
FAQ
How eCorpIT can help
eCorpIT is a Gurugram-based technology organisation with senior-led engineering teams that build fraud and trust-and-safety systems for consumer, retail, and fintech brands. We can integrate Trust Insights into your iOS app, design interventions that reduce authorised-payment fraud without harming conversion, and wire the required feedback loops into your risk pipeline in line with the DPDP Act. If you want a scam-detection plan ready for the iOS 27 launch, contact us. You can also browse the eCorpIT blog or read about our team.
References
_Last updated: July 5, 2026._