A technical taxonomy of autonomous identity attacks. AI agents now execute the full fraud workflow: observe, adapt, and retry, without human involvement at each step.
Identity fraud has a new execution model. Attacks that were once driven by human operators submitting fake documents, or by scripted bots replaying credentials, are now being run by autonomous AI agents that execute the full fraud workflow without human involvement at each step.
This document is a technical taxonomy of that threat class. It defines the framework, describes two distinct attack surfaces that require separate defenses, and catalogs ten techniques observed in production environments, each with a technical description, an observed scenario, and detection signals.
01 Definition
What is agentic fraud?
Agentic fraud is a category of identity fraud in which the attack is executed by an autonomous software agent rather than a human operator. The agent finds targets, generates the synthetic media or documents required, submits them to verification systems, reads the outcome, and retries with adjusted parameters. The distinction from prior fraud automation is the feedback loop: the system observes what fails and updates its approach without requiring human involvement at each step.
Voice cloning, face synthesis, and document generation have each been commercially accessible since at least 2022. The shift is in how they are now combined: a single agent chains all three, runs the full sequence without human involvement, and does so across hundreds of parallel sessions at once. Earlier AI-assisted fraud required a person to direct each tool. The cost per attempt in agentic fraud falls to the cost of compute.
Each of those capabilities reached mainstream use within months of public release, and fraud operations adapted to each one. The timeline below traces six milestones from 2022 to today, pairing each public capability shift with the fraud applications that followed.
Timeline: AI ships in public, fraud puts it to work
Nov 2022 · ChatGPT · You can't trust a message
Jan 2023 · ElevenLabs · You can't trust a voice
Mar 2023 · Midjourney v5 · You can't trust a photo
Aug 2024 · Face-swap tools · You can't trust a live call
Sep 2025 · OpenAI Sora 2 · You can't trust any video
Early 2026 (we are here) · Agentic AI · You can't trust there's a human at all
What the public did with it: agents that act on their own. Autonomous AI agents that plan, browse, message, and transact end-to-end, with no human at each step.
What fraud did with it: fraud that runs itself. Agents execute the full fraud workflow 24/7: finding targets, generating synthetic media, submitting, adapting, retrying.
Each node marks a public AI capability milestone. Above the line: mainstream adoption. Below the line: how fraud operations adapted within months.
$20.9B
Reported US fraud losses, 2025
FBI IC3 Annual Report, 2025 — reported figures represent an estimated ~7% of actual losses (GASA / Feedzai)
4.5×
AI phishing click-through vs. human-written
Microsoft Security, 2025 — 54% vs. 12% click-through rate in controlled comparison
+1,900%
CAGR in payments to AI scam-service vendors
Chainalysis, 2024 — cryptocurrency flows to AI fraud infrastructure, 2021–2024
Definition
Agentic fraud is a class of identity fraud in which autonomous software agents execute the attack workflow end-to-end: sourcing target data, generating synthetic media or documents, submitting to verification systems, interpreting system responses, and retrying with adjusted parameters. The defining characteristic is a closed feedback loop — the system observes what fails and updates its approach without requiring a human operator at each iteration. This distinguishes agentic fraud from scripted automation, which executes a fixed sequence, and from earlier AI-assisted fraud, where humans directed individual AI tools. In agentic fraud, the agent directs itself.
02 Framework
Significant change in the IDV fraud execution model
Fraud analysis has historically organized attacks by artifact (what was faked) or by vector (how it entered the system). Both dimensions remain relevant. What AI has changed is the execution model, replacing human intervention with autonomous agents that observe, adapt, and retry.
An agentic attack is one where an autonomous software agent, not a human operator, executes the fraud loop. The agent observes system responses, updates its internal model, selects the next action, and retries. This cycle runs continuously, at scale, without human involvement in each iteration.
Manual fraud requires human effort and trial-and-error — slow, costly, less scalable. Agentic fraud generates, tests, adapts, and retries automatically; a continuous feedback loop drives improvement. Source: Incode — AIMS Workshop, CVPR 2026.
Three dimensions of any identity fraud attempt
A useful framework for classifying any identity fraud attempt uses three independent dimensions. Understanding each separately clarifies why agentic fraud requires a different defensive response than prior attack classes — a change in the execution model demands a change in the detection model.
Physical camera presentation, virtual camera feed, direct API upload, credential replay
Execution model
What drives the attempt
Human operator → scripted automation → adaptive AI agent with feedback loop
Why this matters for defense design
A human operator submitting a deepfake is bounded by their time and attention. An autonomous agent submitting the same deepfake, iterating across thousands of variants, learning which generation parameters pass the classifier, and running hundreds of parallel sessions, is a categorically different threat. Defenses designed for the human execution model will be systematically defeated by the agentic one.
Defensive implication
Systems should return the minimum amount of information in rejection responses. Every differentiating signal — error type, response latency, retry thresholds — becomes training data for the agent's model of the approval boundary.
A mature agentic operation typically starts with real media, making small incremental changes to probe system defenses and map which parameters trigger rejection. Once a vulnerability is identified, the operation scales: the validated attack pattern is deployed across hundreds of parallel sessions. By the time the financial loss event occurs, the attacker is operating on a valid credential issued to a fraudulent identity, often with no synthetic media involved in the triggering transaction.
32→50%
Share of fraud that is AI-assisted — now and projected by year-end
Incode Q1 2026 Fraud Intelligence Report
+55%
Year-over-year growth in digital injection attacks
Incode data, 2025–2026
20,000
Fake IDs a single service could generate per day
OnlyFake, 2024 — $15 per document at volume
03 Attack surfaces
Two distinct attack surfaces
Agentic fraud reaches identity verification systems through two fundamentally different paths. Each requires a distinct class of defense. The failure to distinguish them is one of the most common architectural gaps in current fraud programs.
Surface 01 · Pre-agentic baseline
Classical presentation attacks (PAD)
Physical artifact → real camera → verification system
Traditional liveness detection was built to stop presentation attacks: 2D artifacts (printed photos, screens), 3D artifacts (silicone or paper masks), and video replay attacks. These require a human physically present at a device. They cannot be fully automated at scale.
This is the pre-agentic threat model. It is documented here because PAD is the defense layer that agentic injection attacks are engineered to bypass entirely.
Required defense
Media authenticity detection: liveness analysis (PAD), deepfake classification, anti-spoofing
A typical IDV capture: single face, frontal, neutral expression, 720×1280. PAD defenses were designed for this capture path; injection attacks bypass it entirely. Source: CVPR 2026 / Incode Mirage.
Surface 02 · Primary agentic surface
Injection attacks
Media → bypasses capture path → injected directly into data stream
Agentic fraud simulates the entire capture environment through three primary methods:
01 Virtual camera drivers routing synthetic video directly into the data stream, bypassing the physical camera entirely
02 Man-in-the-middle interception capturing and modifying payloads between the SDK and the verification server before they reach analysis
03 Emulated device environments running at scale on device farms, each mimicking a distinct real device fingerprint, sensor profile, and behavioral signature
These are separate attack surfaces requiring separate defenses. A strong liveness detector stops classical presentation attacks (PAD) and provides no protection against injection attacks. A capture path integrity check stops injection attacks and provides no protection against sophisticated deepfakes delivered through real hardware. Both defenses are necessary. A fraud program that deploys only one has left exactly half its attack surface undefended, and an agentic attacker's feedback loop will locate that half efficiently.
04 Technique taxonomy
Ten documented attack techniques
The following techniques represent the current generation of agentic identity fraud as observed in production environments. They are not mutually exclusive: a single fraud operation typically combines multiple techniques across different stages of the attack chain.
A/B test against live systems. Map the approval boundary. Stay below rate-limit thresholds.
AFT-05 · AFT-07 · AFT-08
Stage 4 — Scale
Deploy across many institutions. Regenerate whatever gets blocked. Parallel sessions, mule activation.
AFT-05 · AFT-07 · AFT-10
Four-stage execution model observed in production agentic fraud operations. Each stage corresponds to a cluster of techniques in the taxonomy below. Source: Incode threat intelligence / Agentic Fraud Technical Taxonomy.
Synthetic generation in practice
Base SDXL — generic "selfie" prompts. Outdoor backgrounds, studio lighting, high-end rendering. Caught by IDV detectors trained on KYC distributions.
IDV-domain fine-tuned — same prompts, generator fine-tuned on KYC capture data. Mobile camera quality, indoor lighting, realistic imperfections. APCER rises from 0.0000 to 0.905 against production detectors.
AFT-01 — Synthetic media generation
DFaaS rings operate fine-tuned generators — not commodity models. The gap between these two outputs is why IDV-domain fine-tuning breaks detectors trained on public benchmarks.
Three generations of the same document. The base is a real credential. Each iteration modifies one field — name, date of birth, ID number — while preserving fonts, barcode encoding, holographic overlay placement, and machine-readable zone formatting. The result passes optical document verification because the structural signals are authentic.
The fraud operation does not forge from scratch. It edits real documents, one parameter at a time, to produce variants that survive cross-reference checks against public records. At $15 per document, a single service can produce 20,000 of these per day.
Source: Incode threat intelligence.
01 · Synthetic Media · Deepfake-as-a-Service rings: Industrialized generation farms tracked across markets
02 · Identity Fabrication · Agentic document forgeries: Synthetic IDs that pass legacy OCR cleanly
03 · Synthetic Media · Video-injection attacks: Pre-recorded loops piped into the camera stream
04 · Synthetic Media · Virtual-camera deepfakes: Real-time face synthesis replacing the device camera
05 · Automation & Bypass · Agentic farming attacks: Coordinated agents scripting onboarding at scale
06 · Identity Fabrication · Synthetic identity rings: Composed identities: real fragments, fake totals
07 · Coordinated Operations · Impersonation chains: Same operator cycling identities across institutions
08 · Automation & Bypass · KYC-bypass scripts: Automation defeating behavioral timing and flow checks
09 · Automation & Bypass · Biometric-replay: Captured biometrics replayed directly at the API
10 · Coordinated Operations · Coordinated mule networks: Money-flow rings only visible across institutions
05 Attack operations
How techniques combine into operations
Individual techniques rarely operate in isolation. A mature agentic fraud operation runs multiple techniques in parallel, organized into functional roles. The Collect–Create–Test–Scale model describes how these roles interact.
Automated agents query breach databases, darknet markets, and public data sources for leaked PII: names, SSNs, dates of birth, addresses, passwords, and security question answers.
The output is a ranked target list sorted by which identity fragments are most likely to pass which financial products, produced overnight at a cost measured in dollars, not hours of manual labor.
Corresponds to AFT-01 (DFaaS sourcing), AFT-06 (SSN harvesting for synthetic ring construction), and AFT-09 (biometric data scraping from social media).
Generates complete synthetic identity packages: name, address history, employment record, supporting documents. All components are internally consistent and capable of withstanding cross-reference checks.
Produces deepfake video responding to liveness prompts, clones voices for support-line impersonation, and fabricates documents with accurate fonts, barcodes, and machine-readable zones.
Corresponds to AFT-02 (document forgery), AFT-03 and AFT-04 (deepfake video production), AFT-06 (synthetic identity assembly).
Capture pipeline injection
The Create role doesn't only generate media. It also sets up the injection infrastructure: virtual camera drivers, tampered SDK builds, and emulated device environments are configured here, before the Test role validates them against live targets. See AFT-03 and AFT-04.
Runs systematic A/B testing against live targets, holding all variables constant except one per run: same identity with a different photo crop; same application flow with a different device fingerprint.
Operates within normal traffic volumes so no rate limit or anomaly alert fires. Each attempt appears as a distinct, unrelated user session.
Calibrates keystroke cadence, mouse movement curves, and form interaction patterns to match behavioral profiles that monitoring systems associate with real human sessions.
Corresponds to AFT-05 (farming orchestration), AFT-08 (KYC timing analysis), and the Test stage of AFT-07 (per-institution profiling).
Deploys validated patterns simultaneously across targets, platforms, and channels. When a pattern is blocked, the system automatically regenerates identity packages and adapts parameters.
Specialized sub-agents run in parallel: one handles document submissions, one manages liveness sessions, one handles support-line calls, one routes fund transfers.
Corresponds to AFT-05 (parallel farming), AFT-07 (multi-institution rotation), AFT-10 (mule network activation and fund routing).
The cheapest-path principle
The agentic attacker is not attempting to defeat the strongest control in the system. It is finding the weakest stage. If account opening is well-defended but account recovery is not, the operation migrates to recovery. If the liveness check is robust but transaction monitoring is permissive, the operation opens legitimate-looking accounts and exploits them post-enrollment. The feedback loop finds the minimum-cost path through the system as a whole, not through any individual control.
↳ The adaptive loop
Why the feedback loop defeats static detection
The mechanism enabling cost-per-attempt reduction is a continuous feedback loop. Each cycle produces information that improves subsequent attempts. Understanding the loop structure is prerequisite to understanding why static threshold-based detection fails against it.
1 Estimate → 2 Choose → 3 Submit → 4 Observe → 5 Update
Information leakage
Error message: "document not accepted" ≠ "face match failed". Rejection latency: 180ms ≠ 3,200ms. Retry boundary: attempt 3 triggers additional verification, attempt 2 does not. Every differentiating signal in a system response is training data for the attacker's estimate model. The loop converges toward a complete map of the approval boundary without triggering rate limits, because each attempt appears as a distinct user session.
06 Detection model
Three questions fraud systems must keep separate
Most identity verification systems were designed around a single question: is this person who they say they are? Agentic fraud exploits the conflation of three distinct trust questions, each of which can be answered independently and each of which has different failure modes when systems treat them as one.
How agentic fraud maps your defenses
During the Test phase, agentic operations statistically map each defense control, identifying which are deterministic (binary pass/fail — a fixed rule that always produces the same outcome) versus probabilistic (threshold-based models that vary by input). Deterministic controls are reverse-engineered quickly. Probabilistic controls require more attempts but can still be mapped through variance analysis across sessions. An attacker who knows which controls are which can allocate probing effort efficiently and route attacks to exploit probabilistic controls where confidence thresholds can be gamed.
Deterministic
Is this actor authorized to take this action?
A permissions question, not an identity question. The credential is either valid for this action or it is not. Answerable with cryptographic certainty. Failure mode: credential theft, session hijacking, forged authorization tokens.
Probabilistic
Was the evidence used to establish this identity trustworthy?
A question about verification quality at enrollment or last re-verification. Answerable only probabilistically, to a confidence level appropriate to the transaction risk. Failure mode: synthetic identity, deepfake at enrollment, injection attack during KYC.
Probabilistic
Does this action make sense given the full behavioral context?
A behavioral and graph question. Even valid credentials issued against genuine identity evidence can be associated with anomalous activity patterns. Requires session history, cross-account graph analysis, and transaction context. Failure mode: account takeover of legitimately-verified identity, mule network activity.
The conflation exploit
A passed liveness check answers a narrow sub-question of Question 2: a live person was likely present through an acceptable capture path at this moment. It does not establish that the person is who they claim to be, that their documents are genuine, that any agent acting on their behalf is authorized, or that the transaction is consistent with their behavioral baseline. Treating a passed liveness check as the answer to all three questions creates the exploitable gap that AFT-03, AFT-04, AFT-09, and coordinated mule operations use as their entry point.
Mitigation principles by question
Questions 1 + 2 — Capture and verification layer
Separate capture path integrity from media authenticity. Deploy both independently. A system that only checks media quality will fail against AFT-03 and AFT-04. A system that only checks device attestation will fail against AFT-01 and AFT-02.
Minimize information leakage in system responses. Every differentiating signal in an error message or response time is a training signal for the attacker's estimate model. Responses to external requestors should contain the minimum detail necessary for legitimate use.
Re-verify at material risk events. Not every action requires equal assurance. Tier re-verification to events where the risk profile changes: new payee, elevated transaction amount, account recovery, new device, irreversible action.
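The information-leakage principle above, applied to the two signals the page quantifies (error type and rejection latency), as an added example that is not code from this taxonomy or from Incode. The class name, the `verification_incomplete` code, the 4-second bucket, and the injected clock are assumptions for illustration; the retry-boundary signal is not covered here.

```python
import math
import secrets
from dataclasses import dataclass

# Assumed value: one bucket longer than the slowest normal rejection path.
BUCKET_S = 4.0


@dataclass(frozen=True)
class ExternalResponse:
    status: str
    code: str
    reference: str  # opaque support handle; encodes nothing about the reason


class RejectionNormalizer:
    """Collapse every rejection to one external shape and one latency bucket."""

    def __init__(self, clock, sleep, audit_log):
        self.clock, self.sleep, self.audit_log = clock, sleep, audit_log

    def reject(self, session_id, internal_reason, started_at):
        reference = secrets.token_hex(8)
        # The real reason stays server-side, keyed by the opaque reference.
        self.audit_log.append(
            {"reference": reference, "session": session_id, "reason": internal_reason}
        )
        elapsed = self.clock() - started_at
        # Pad to the next bucket boundary so a fast document check and a slow
        # face match are indistinguishable by response time.
        target = max(1, math.ceil(elapsed / BUCKET_S)) * BUCKET_S
        self.sleep(target - elapsed)
        return ExternalResponse("rejected", "verification_incomplete", reference)


class FakeClock:
    """Deterministic clock so the example runs instantly and offline."""
    def __init__(self):
        self.now = 0.0
    def time(self):
        return self.now
    def sleep(self, seconds):
        self.now += max(0.0, seconds)


def demo():
    """Two constructed rejections using the latencies quoted above."""
    results = []
    for reason, processing_s in [("document_not_accepted", 0.18),
                                 ("face_match_failed", 3.2)]:
        clock, audit = FakeClock(), []
        normalizer = RejectionNormalizer(clock.time, clock.sleep, audit)
        started = clock.time()
        clock.sleep(processing_s)  # stand-in for the verification pipeline
        response = normalizer.reject("sess-constructed", reason, started)
        results.append((response, clock.time() - started, audit[0]["reason"]))
    return results


if __name__ == "__main__":
    for response, total_s, reason in demo():
        print(response.status, response.code, round(total_s, 3), "| internal:", reason)
```

In production the clock and sleep would be `time.monotonic` and `time.sleep` (or their async equivalents), and the audit log would be the internal fraud-analytics store.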
Question 3 — Behavioral and graph layer
Correlate signals across sessions and accounts. Device fingerprint reuse, velocity patterns inconsistent with plausible human behavior, account recovery clustering around high-value transactions: these are invisible to point-in-time checks. Graph analysis surfaces AFT-07 (impersonation chains) and AFT-10 (mule networks) that individual-account analysis cannot.
Measure defense as a system, not as individual controls. A step-up verification that stops fraud at account opening and drives it to account recovery has not reduced fraud loss. Evaluation should track attacker cost across the full operation chain: attempts to first success, information leaked per rejection, which stage becomes the path of least resistance after each defensive improvement.
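One way to correlate sessions for the Test-role pattern described earlier (all variables held constant except one per run), as an added detection example that is not code from this taxonomy. The session fields, the sample records, and the `min_size` threshold are constructed assumptions.

```python
from collections import defaultdict

# Assumed per-session attributes (hashes or IDs already computed upstream).
FIELDS = ("identity", "document", "selfie", "device_fp", "flow")

# Constructed sample: s1-s3 change one attribute per run; s4 and s5 are unrelated.
SESSIONS = [
    {"id": "s1", "identity": "A", "document": "D1", "selfie": "S1", "device_fp": "F1", "flow": "onboarding"},
    {"id": "s2", "identity": "A", "document": "D1", "selfie": "S2", "device_fp": "F1", "flow": "onboarding"},
    {"id": "s3", "identity": "A", "document": "D1", "selfie": "S2", "device_fp": "F2", "flow": "onboarding"},
    {"id": "s4", "identity": "B", "document": "D9", "selfie": "S9", "device_fp": "F9", "flow": "onboarding"},
    {"id": "s5", "identity": "C", "document": "D8", "selfie": "S8", "device_fp": "F8", "flow": "recovery"},
]


def find_probe_clusters(sessions, min_size=3):
    """Group sessions linked by single-attribute changes (one-variable probing)."""
    parent = {s["id"]: s["id"] for s in sessions}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    varied = defaultdict(set)  # session id -> attributes it was varied on
    for masked in FIELDS:
        # Bucket by every attribute except one; sessions sharing a bucket are
        # identical apart from the masked attribute.
        buckets = defaultdict(list)
        for s in sessions:
            buckets[tuple(s[f] for f in FIELDS if f != masked)].append(s)
        for group in buckets.values():
            if len({s[masked] for s in group}) < 2:
                continue  # singleton or exact duplicate, not a one-variable change
            for s in group:
                varied[s["id"]].add(masked)
                parent[find(s["id"])] = find(group[0]["id"])

    clusters = defaultdict(list)
    for s in sessions:
        if s["id"] in varied:
            clusters[find(s["id"])].append(s["id"])

    # min_size=3 keeps a single honest retry (one new selfie) from alerting.
    flagged = [
        {"sessions": sorted(ids),
         "varied_fields": sorted(set().union(*(varied[i] for i in ids)))}
        for ids in clusters.values() if len(ids) >= min_size
    ]
    return sorted(flagged, key=lambda c: c["sessions"])


if __name__ == "__main__":
    for cluster in find_probe_clusters(SESSIONS):
        print(cluster)
```

Because linkage is transitive, s1 and s3 end up in the same cluster even though they differ in two attributes, which is what makes a chain of individually unremarkable sessions visible.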
On adaptive defense
Static classifiers evaluated against historical attack samples produce a bounded defense. An agentic attacker's feedback loop will, over sufficient iterations, identify and exploit the gap between the training distribution and the current attack space. The analog to the attacker's Test role is internal adversarial testing: deliberately generating new attack variants against your own systems in controlled conditions, before those variants appear in production fraud. This is the principle behind spoof bounty programs for liveness detection. It applies to the full identity verification chain.
Detector embedding space
UMAP projection: real images, diffusion-based synthetic, GAN-based synthetic, face animations, and face swaps occupy distinct regions. A new unseen tool (Nanobanana Pro, red) lands in a separate region the detector had not encountered in training.
Adapting to cover a new cluster requires 20–30 labeled samples — not thousands.
Source: CVPR 2026 / Incode, Efim Boieru et al.
About
About this taxonomy
This site documents agentic fraud as an emerging threat category in identity verification. The framework and technique taxonomy draw on production fraud analysis, formal trust modeling and deepfake detection research from Efim Boieru, narrative structure and fraud factory framework from Jovan Jovanovic, and AI agent deployment taxonomy from Jorge Braniff.
This resource is intended to give security engineering, fraud, and identity teams a shared technical vocabulary for a threat class that is underspecified in current vendor literature and industry standards.