It has been a long time since there was a revolutionary upheaval in the world of fraud. Fraudsters never stay still; by their nature, every month, if not every week, brings a new tweak on an old trick. Threats naturally shift around in emphasis and sophistication. Agentic AI, however, represents something different. It’s a meaningful shift in the “how,” the “what,” and the “who.”
Bots were once the domain of cheating actors, primarily fraudsters, with some resellers also involved. With the advent of agentic AI, that’s all changed. Now, legitimate customers can utilize agents to streamline and support their purchasing process. That has the potential to be great for consumers, but it presents a serious challenge to merchants in terms of fraud.
How Agentic AI Makes Fraud Harder to Detect
Speaking as a fraud fighter, agentic AI is another way of saying that nowadays, regular consumers use bots. Agentic AI represents a significant shift in how people use AI on a day-to-day basis. Rather than the use case of leveraging AI for information (ChatGPT), with agentic AI, we delegate our authority to the agent, allowing it to perform tasks on our behalf.
For a consumer, that’s good news, because the agent can do things we find tedious, saving us time and effort. For your site’s fraud prevention systems, though, that means that bots might not be bad guys. For the fraudster, it’s ideal because it means it’s much harder to distinguish their malicious bot from a legitimate agent.
Scale, Speed, and No Need to Sleep: Bot Risk in the Age of AI
Bots are popular with fraudsters because they enable operations at scale. Why test one card when you can test a thousand? And why try to break into five accounts when you can attack hundreds?
They also enable criminal efficiency. Yes, fraudsters want to optimize for efficiency, because it ups their payoff. Bots work tirelessly performing the same operation, they don’t get tired, don’t make mistakes, and don’t need sleep.
That’s why many merchants have invested in bot prevention in recent years. But now, with the agent-bot nuance in play, companies are between a rock and a hard place.
They can block all bot traffic — good and bad — and many are doing exactly that, often without realizing it. Forter’s data shows that over 40% of travel sites, for example, have taken this path. But this blanket approach comes with serious risks, especially if competitors are embracing agentic activity to gain an edge.
The other option? Let everything through. But that opens the gates to fraudsters, who can easily hide in a sea of bot traffic, making them harder to detect and stop.
Further “Democratization” of Fraud
Creating scripts to run attacks at scale has been a standard tool in the fraudster’s box for a long time, but it required a certain level of skill and knowledge to write them. Buying them has always been an option, but that required a decision and a certain level of commitment.
Now, a fraudster can run a specific type of fraud attack, such as a card testing account or returns abuse, without the need to write a single line of code.
The size of the online criminal ecosystem received a boost from the coronavirus pandemic, as new amateur fraudsters emerged online. Many of them stayed in the game, becoming more expert. Now, things are even easier. It’s never been simpler to become a fraudster.
Why Ignoring Agentic AI Fraud is a Serious Mistake
Agentic AI is currently in its infancy, and it’s tempting to think that this is a problem that can wait a year or two until it becomes pressing. I think that’s a serious mistake, for a few reasons:
- Turning away new adopters of new technology isn’t a good business idea, as it risks alienating shoppers who are open to trying new things. Moreover, since agentic AI is great for regular purchases, turning it away can be costly in the long run.
- Fraudsters take advantage of every loophole they find. If you’re behind on agentic AI, they’ll read the signal that there might be vulnerabilities.
- This isn’t as big a challenge as you think. It requires a mindset shift from a technical to an identity-based approach, but that’s something that will ultimately benefit your business in the long run.
Agentic AI means that there’s another layer between the customer and you. But the key question remains the same: who is making the purchase, and should you let them do that? It’s the question you want to answer anyway. Investing in getting it right now, so that you’re ready when agentic AI takes off, is an investment in your company’s future and success.
