Subscribe to the Non-Human & AI Identity Journal

Conversation-Based Fraud

Conversation-based fraud is a scam pattern where the attacker’s goal is to begin a believable thread and gradually steer the victim toward a fraudulent action. It is effective because the risk emerges after trust is established, not at the first message, which makes simple content filters insufficient.

Expanded Definition

Conversation-based fraud is not a single scam template but a social engineering method that evolves across multiple exchanges. The attacker starts with low-friction, believable messages, then adapts tone, timing, and context until the victim is persuaded to share secrets, approve a payment, or disclose personal data. In cybersecurity terms, the danger is cumulative: each reply can increase trust and reduce suspicion, which is why point-in-time screening rarely catches it.

This pattern often overlaps with phishing, business email compromise, account takeover, and romance or impersonation scams, but it is broader than any one channel. The attacker may use email, messaging apps, social media, voice calls, or a mix of channels to sustain the narrative. The security challenge is behavioural, not just technical, because the fraud depends on interaction and persistence rather than one malicious payload. NIST guidance on control families such as awareness and training, access control, and incident response is relevant here, including the NIST SP 800-53 Rev 5 Security and Privacy Controls.

The most common misapplication is treating conversation-based fraud as a message-filtering problem, which occurs when organisations rely on spam controls alone and ignore the social engineering sequence that unfolds after the first contact.

Examples and Use Cases

Implementing detection and response for conversation-based fraud rigorously often introduces user friction and review overhead, requiring organisations to weigh faster communication against stronger verification.

  • A finance manager receives a polite email thread that appears to continue an earlier supplier discussion, then is asked to change bank details for an upcoming payment.
  • A help desk agent is gradually led through a believable identity story and convinced to reset access for an account the attacker does not own, a scenario that aligns with control weaknesses described in NIST SP 800-53 Rev 5 Security and Privacy Controls.
  • An employee is moved from casual chat to document-sharing in a messaging app, then pressured to send a one-time code or approve a login request.
  • A procurement contact is drawn into a long-running conversation that uses real project details, then redirected to a fraudulent invoice or revised payment destination.
  • A victim is kept in an emotionally charged back-and-forth over days or weeks until they accept an urgent transfer or reveal recovery information.

These examples show why the term is used across email, chat, phone, and identity-support workflows rather than being limited to one channel or one scam genre. Where organisations already publish user awareness content, CISA social engineering guidance is a practical reference point for recognising progressive manipulation and verifying requests out of band.

Why It Matters for Security Teams

Conversation-based fraud matters because it bypasses controls that only inspect a single message or transaction. Security teams must assume that trust can be manufactured over time and that the attack surface includes people, processes, and delegated decision-making. This has direct implications for identity security: once a conversation convinces a user or service desk to approve a reset, a login, or a payment change, the fraud can become indistinguishable from a legitimate workflow.

For that reason, defenders need layered controls: verification steps for high-risk requests, clear callback procedures, strong access governance, and logging that preserves the full interaction context. Guidance from NIST SP 800-63 Digital Identity Guidelines is relevant where identity proofing or authenticators are being socially engineered, while CISA impersonation scam advice reinforces the need for independent verification. Organisations typically encounter the true cost only after a fraudulent request has already been approved, at which point conversation-based fraud becomes operationally unavoidable to investigate and contain.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST SP 800-63 set the technical controls, while ISO/IEC 27001:2022 and DORA define the regulatory obligations.

Framework Control / Reference Relevance
NIST CSF 2.0 PR.AT Awareness and training address social engineering patterns central to this term.
NIST SP 800-53 Rev 5 AT-2 Security awareness training is directly relevant to progressive fraud attempts.
NIST SP 800-63 IAL/AAL Identity proofing and authenticator assurance are often targeted by this fraud pattern.
ISO/IEC 27001:2022 A.6.3 Awareness, education, and training support defenses against deceptive conversations.
DORA Operational resilience expectations apply when fraud disrupts financial workflows.

Provide role-based training that covers multi-turn manipulation and verification steps.