How can organisations measure whether their fraud controls are catching relationship-based attacks?

Measure how often suspicious requests are flagged before any payment, shipment, or account change occurs, and whether those flags were based on identity, domain, or conversation anomalies. A useful signal is the percentage of escalations that come from first-time counterparties or newly registered domains.

Why This Matters for Security Teams

Relationship-based fraud rarely looks suspicious at the first step. It often begins with a known vendor, a convincing domain, or a conversation that appears routine until a payment, shipment, or account change is requested. That makes traditional checks, which focus on single events or isolated identities, too narrow for modern abuse patterns. Security teams need measures that capture the full sequence of trust-building, not just the final transaction.

Current guidance suggests measuring the fraction of escalations that were stopped before money or operational change occurred, then breaking those stops down by identity, domain, and conversation signals. This is where fraud telemetry and NHI visibility overlap, because compromised service accounts, poisoned inboxes, and fraudulent domains can all shape the same attack path. NHI Management Group’s Ultimate Guide to NHIs — Key Challenges and Risks notes that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, which is a reminder that relationship abuse often rides on machine trust as much as human trust.

In practice, many security teams discover relationship-based fraud only after a legitimate counterparty has already been impersonated inside an otherwise trusted workflow.

How It Works in Practice

Effective measurement starts by defining the attack path, not just the alert. A useful control set watches for first-time counterparties, newly registered domains, abnormal reply chains, and requests that deviate from prior commercial context. Those signals should be scored at the conversation level and carried forward into payment, shipping, and account-change workflows so analysts can see whether a fraud rule fired early enough to matter.

Teams should measure three layers of outcome:

  • Detection timing: did the control flag the request before authorisation, fulfilment, or profile modification?
  • Signal quality: was the flag driven by identity, domain age, mail routing, device, or conversation anomalies?
  • Business relevance: did the intervention stop a genuine loss path, or merely add friction after the risk had already shifted elsewhere?

This is where NHI and fraud governance overlap with broader threat intelligence. The 52 NHI Breaches Analysis shows how identity compromise often becomes a multi-step business process intrusion, not a single login event. External advisories such as CISA cyber threat advisories can help teams map the same adversary patterns across email, infrastructure, and downstream workflows.

Operationally, the best metric is a ratio, not a raw count: the percentage of blocked or escalated cases that originate from first-time counterparties or newly registered domains, paired with the percentage of those cases stopped before any irreversible business action. That combination shows whether controls are catching relationship-based abuse at the trust-building stage rather than after the attacker has already earned credibility. These controls tend to break down in highly automated procurement and customer-service environments because trusted pathways are reused so often that weak anomalies are treated as normal.
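The ratio and the three outcome layers described above, as an added worked example rather than the Journal's own code: it takes a constructed set of escalation records and computes the share that are relationship-based (first-time counterparty or newly registered domain), the share of those stopped before any irreversible action, the breakdown of which signal types drove the flags, and the share that stopped a genuine loss path. The record fields, the 30-day domain-age threshold and the sample cases are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List

NEW_DOMAIN_DAYS = 30  # assumed threshold for "newly registered domain"

@dataclass
class Escalation:
    case_id: str
    first_time_counterparty: bool
    domain_age_days: int      # sender domain age when the request arrived
    signals: List[str]        # what drove the flag: identity, domain, routing, device, conversation
    stage_reached: str        # furthest stage completed before the flag fired:
                              # none, authorisation, fulfilment, profile_change
    genuine_loss_path: bool   # analyst outcome: did the intervention stop a real loss?

def is_relationship_case(c: Escalation) -> bool:
    """Case originates from a first-time counterparty or a newly registered domain."""
    return c.first_time_counterparty or c.domain_age_days < NEW_DOMAIN_DAYS

def relationship_ratio(cases: List[Escalation]) -> float:
    """Share of all escalations that are relationship-based (the first half of the ratio)."""
    return sum(map(is_relationship_case, cases)) / len(cases) if cases else 0.0

def stopped_early_ratio(cases: List[Escalation]) -> float:
    """Of the relationship-based cases, share flagged before any irreversible action (detection timing)."""
    rel = [c for c in cases if is_relationship_case(c)]
    return sum(c.stage_reached == "none" for c in rel) / len(rel) if rel else 0.0

def signal_breakdown(cases: List[Escalation]) -> Dict[str, int]:
    """How often each anomaly type contributed to a flag (signal quality)."""
    counts: Dict[str, int] = {}
    for c in cases:
        for s in c.signals:
            counts[s] = counts.get(s, 0) + 1
    return counts

def business_relevance(cases: List[Escalation]) -> float:
    """Share of interventions that stopped a genuine loss path rather than only adding friction."""
    return sum(c.genuine_loss_path for c in cases) / len(cases) if cases else 0.0

# Constructed sample escalations for the example (not real data).
SAMPLE = [
    Escalation("C1", True, 12, ["domain", "identity"], "none", True),
    Escalation("C2", False, 900, ["conversation"], "authorisation", True),
    Escalation("C3", True, 400, ["identity", "conversation"], "none", True),
    Escalation("C4", False, 5, ["domain", "routing"], "fulfilment", False),
    Escalation("C5", False, 1500, ["device"], "none", False),
]
```

On the sample, 60% of escalations are relationship-based, two of those three were stopped before any irreversible action, and 60% of all interventions blocked a genuine loss path.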

Common Variations and Edge Cases

Tighter relationship screening often increases review load and can slow legitimate vendors, so organisations need to balance fraud reduction against customer and supplier friction. Best practice is evolving here: there is no universal standard for how much domain or conversation anomaly should trigger escalation, especially in industries with frequent reseller activity or rapid supplier onboarding.

Some environments need special handling. Shared mailboxes, delegated approvals, and outsourced operations can make first-time counterparties look ordinary. In those cases, the better measure is not “was it new?” but “was the request consistent with the established relationship graph?” For example, a familiar supplier sending a new bank account instruction from a newly registered domain should score differently from a long-standing address used through an approved portal.
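The relationship-graph check described above, as an added example and not the Journal's own code: each request is scored on its consistency with what is already established for the supplier, so a familiar supplier's bank-change instruction arriving from a newly registered domain scores high while the same instruction through an approved portal scores low, and a first-time counterparty is not automatically escalated unless the request itself is inconsistent. The supplier records, point weights and escalation threshold are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed relationship graph: what is already established for each supplier.
# Supplier names, domains and channels are assumptions for this example, not real records.
RELATIONSHIPS: Dict[str, Dict[str, Set[str]]] = {
    "acme-parts": {"domains": {"acme-parts.example"}, "channels": {"portal", "email"},
                   "bank_change_channels": {"portal"}},
    "northwind": {"domains": {"northwind.example"}, "channels": {"email"},
                  "bank_change_channels": set()},
}
NEW_DOMAIN_DAYS = 30  # assumed "newly registered" threshold
ESCALATE_AT = 50      # assumed score at which a request goes to human review

@dataclass
class Request:
    supplier: str
    sender_domain: str
    domain_age_days: int
    channel: str       # "portal" or "email"
    instruction: str   # e.g. "invoice" or "bank_account_change"

def score_request(req: Request) -> Tuple[int, List[str]]:
    """Score consistency with the established relationship, not merely whether it is new."""
    rel = RELATIONSHIPS.get(req.supplier)
    known_domains = rel["domains"] if rel else set()
    known_channels = rel["channels"] if rel else set()
    bank_ok = rel["bank_change_channels"] if rel else set()
    bank_change = req.instruction == "bank_account_change"
    rules = [  # (condition, points, reason); points are illustrative weights
        (rel is None, 30, "first-time counterparty"),
        (rel is not None and req.sender_domain not in known_domains, 25, "domain not in established relationship"),
        (rel is not None and req.channel not in known_channels, 15, "channel never used by this supplier"),
        (req.domain_age_days < NEW_DOMAIN_DAYS, 20, "newly registered domain"),
        (bank_change and req.channel in bank_ok, 5, "bank change via approved channel"),
        (bank_change and req.channel not in bank_ok, 30, "bank change outside approved channel"),
    ]
    hits = [(pts, why) for cond, pts, why in rules if cond]
    return sum(pts for pts, _ in hits), [why for _, why in hits]

def should_escalate(req: Request) -> bool:
    return score_request(req)[0] >= ESCALATE_AT

# Constructed requests matching the two cases in the text above.
NEW_DOMAIN_BANK_CHANGE = Request("acme-parts", "acme-parts-billing.example", 7, "email", "bank_account_change")
PORTAL_BANK_CHANGE = Request("acme-parts", "acme-parts.example", 2000, "portal", "bank_account_change")

if __name__ == "__main__":
    for r in (NEW_DOMAIN_BANK_CHANGE, PORTAL_BANK_CHANGE):
        print(r.sender_domain, r.channel, score_request(r), "escalate" if should_escalate(r) else "ok")
```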

Teams can also use threat research to refine thresholds. The Top 10 NHI Issues and Anthropic — first AI-orchestrated cyber espionage campaign report both reinforce a practical point: adversaries increasingly combine identity abuse with persuasive, adaptive messaging. Fraud controls therefore need periodic tuning, because static indicators age quickly while relationship-based attacks adapt to the workflow they are targeting.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework, control or reference, and relevance:

  • OWASP Non-Human Identity Top 10, NHI-03: covers credential rotation and exposure, which often underpin relationship-based fraud.
  • NIST CSF 2.0, DE.CM-1: monitoring anomalies in counterparties and domains aligns to continuous detection.
  • NIST AI RMF: measures of trust, harm, and monitoring fit AI risk governance for adaptive fraud patterns.

Track exposed or stale machine credentials and revoke them before they can support fraudulent workflows.