Subscribe to the Non-Human & AI Identity Journal

Why do trusted accounts create more fraud loss than obvious new attacks?

Trusted accounts already carry behavioural history, payment permissions, and user confidence, so malicious actions blend in more easily. That makes them better vehicles for monetisation than noisy attack attempts. The result is higher downstream loss even when overall fraud volume appears to be falling.

Why This Matters for Security Teams

Trusted accounts are high-value because they already look legitimate to payment systems, fraud models, help desks, and other users. Once an attacker operates through a known account, the activity benefits from prior history, normal approval paths, and existing trust relationships, which reduces the chance of immediate challenge. That is why the damage is often driven by account credibility, not just attack volume.

This is especially relevant for service accounts, API keys, and delegated access, where the identity itself may never “log in” in a human sense. NHIMG’s research shows that Ultimate Guide to NHIs — Why NHI Security Matters Now and The 52 NHI breaches Report both point to how compromise of trusted identities turns into downstream loss through quiet misuse, not noisy intrusion. NIST’s Security and Privacy Controls emphasise that access control, auditing, and anomaly detection must be applied to the identity after it is trusted, not only at the moment it is created.

In practice, many security teams encounter fraud escalation only after a trusted account has already been used to move money, change payee details, or approve transactions, rather than through intentional monitoring of the account itself.

How It Works in Practice

Fraud losses rise when an attacker inherits the account’s built-in legitimacy. A new attack often triggers sign-up friction, velocity checks, or obvious behavioural anomalies. A trusted account, by contrast, arrives with login history, device familiarity, transaction patterns, and sometimes delegated authority. That context can suppress alerts unless controls are tuned to look for abuse of privilege rather than only novelty.

Operationally, the key question is whether the account is allowed to do something meaningful: approve payments, reset credentials, access customer data, or issue tokens. If the answer is yes, the attacker does not need to break the system open. They only need to stay inside the normal path long enough to monetise it. The LLMjacking: How Attackers Hijack AI Using Compromised NHIs research is a good example of how quickly exposed credentials can be abused once they are trusted by systems and workflows.

  • Apply step-up verification when a trusted account changes payout details, recovery settings, or tool access.
  • Use behavioural baselines to detect impossible travel, unusual sequencing, and atypical transaction timing.
  • Treat service accounts and API keys as fraud-relevant identities, not just technical artifacts.
  • Correlate identity events with payment, CRM, and help-desk actions so misuse is visible across systems.

For attack-pattern context, the MITRE ATT&CK Enterprise Matrix helps teams map credential abuse, valid accounts, and persistence behaviours, while the CISA cyber threat advisories show how trusted access is routinely reused across sectors for monetisation and lateral movement. These controls tend to break down in highly automated environments where service accounts are shared across workflows and no single team owns the end-to-end identity lifecycle.

Common Variations and Edge Cases

Tighter fraud controls often increase friction for legitimate users, requiring organisations to balance loss prevention against customer experience and operational overhead. That tradeoff is real, especially when the same account is used for both routine activity and high-risk actions. Current guidance suggests using risk-based step-up controls rather than blanket lockouts, but there is no universal standard for threshold design yet.

Edge cases matter. A trusted account may be compromised without changing its routine pattern, which makes pure anomaly detection weaker. Conversely, an account with sparse history can look suspicious even when it is legitimate, so new-but-valid accounts need different thresholds from long-lived ones. The hardest cases are delegated or shared accounts, where the user and the credential do not map cleanly to one person or one device.

Where AI is involved, fraud can also be amplified by automated decisioning. The MITRE ATLAS adversarial AI threat matrix highlights how attackers can exploit model outputs, scoring workflows, or tool access when a trusted identity is already accepted by the system. That is why identity governance and fraud monitoring should be linked to access revocation, secret rotation, and approval-chain review. NHIMG’s Top 10 NHI Issues is useful here because it frames excessive privilege, poor visibility, and weak offboarding as practical fraud enablers rather than abstract hygiene issues.

In short, trusted accounts create more loss when controls assume legitimacy is permanent. The real challenge is not spotting a strange login once, but detecting when an ordinary identity is being used for an extraordinary outcome.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

MITRE ATT&CK and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 PR.AC-4 Trusted-account fraud is often enabled by excessive or stale access rights.
MITRE ATT&CK T1078 Valid accounts are a common way attackers hide behind legitimate access.
OWASP Non-Human Identity Top 10 Trusted machine identities can directly drive fraud through API and workflow abuse.

Govern service accounts, API keys, and tokens as fraud-relevant identities with lifecycle controls.