TL;DR: Arkose Labs’ 2024 threat forecast is headlined by a 121% increase in cyberattacks in Q2 over Q1 2023 and a warning that adversary-in-the-middle phishing, SMS toll fraud, and normalised cybercrime-as-a-service will intensify enterprise fraud and account takeover risk. The practical issue is not just more volume, but a more industrial attack model that outpaces awareness-only defences.
At a glance
What this is: Arkose Labs’ forecast says phishing, SMS toll fraud, and cybercrime-as-a-service are set to intensify, alongside a 121% quarter-over-quarter rise in cyberattacks cited for Q2 2023.
Why it matters: IAM and fraud teams need to treat identity interception, OTP abuse, and bot-driven abuse as programme-level risks because these threats undermine human login controls, customer authentication, and delegated access patterns.
By the numbers:
- With a 121% increase in total cyberattacks in Q2 over Q1 2023, attackers are moving faster and at greater scale.
- SMS toll fraud increased 141% in Q3 2023, underscoring how quickly abuse can become industrialised.
- Cybercrime-as-a-service is projected to grow 20-fold in 2024.
Context
Enterprise identity programmes are being stressed by attack models that intercept logins, abuse one-time codes, and industrialise fraud at scale. In practice, that means human authentication controls are now inseparable from fraud prevention and bot detection, especially where adversary-in-the-middle phishing and SMS pumping can bypass traditional user awareness.
The article frames 2024 as a year in which criminals will use more structured services, more automation, and more deceptive delivery chains. That matters to IAM leads because the weak point is no longer only password hygiene or MFA rollout, but the entire trust path from user intent to successful authentication.
Key questions
Q: How should security teams reduce the risk of adversary-in-the-middle phishing?
A: Security teams should move high-risk accounts to phishing-resistant authentication, bind sessions more tightly to device or risk signals, and reduce reliance on reusable OTPs. User training still matters, but the core defence is removing the attacker’s ability to relay a live session and reuse it outside the original authentication context.
Q: Why does SMS toll fraud create IAM risk as well as financial risk?
A: SMS toll fraud turns an identity control channel into a monetisation channel. If login, recovery, or verification relies too heavily on SMS, attackers can abuse that path to drive costs, weaken trust, or redirect users. That makes SMS dependency a governance issue, not just a telecom or billing issue.
Q: What do teams get wrong about cybercrime-as-a-service?
A: Teams often treat cybercrime-as-a-service as a backend market for advanced actors, but it is really an access multiplier. It lowers the skill needed to run phishing, bot abuse, and fraud at scale, which means defenders must assume more frequent, more repeatable attacks with faster operational turnover.
Q: How should organisations connect fraud detection with identity governance?
A: Organisations should share signals across IAM, fraud, and support workflows so suspicious login patterns, recovery attempts, and transactional abuse are evaluated together. The goal is to stop treating authentication, session handling, and fraud response as separate programmes when attackers combine them in one chain.
Technical breakdown
Adversary-in-the-middle phishing and reverse proxy interception
Adversary-in-the-middle phishing sits between the user and the legitimate site, often using redirects and reverse proxies to capture credentials, session cookies, or MFA tokens in real time. The attack is effective because the victim can believe they are interacting with the real service while the attacker relays the session behind the scenes. This differs from basic credential theft because the attacker may never need to crack a password if they can harvest a live authenticated session. It is a human identity problem, but the downstream impact reaches delegated access, financial controls, and account recovery paths.
Practical implication: strengthen phishing-resistant authentication and session binding, not just password policies.
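The reason a reverse proxy cannot relay a phishing-resistant login is that the authenticator signs over the origin the browser actually talked to, and the relying party rejects any origin other than its own. The following added example (not code from the original post or from Arkose Labs) shows the origin and challenge checks a relying party applies to a WebAuthn `clientDataJSON` before it looks at the signature; `EXPECTED_ORIGIN`, the helper names, and the sample proxy domain are assumptions for illustration.

```python
import base64
import hmac
import json

# Origin the credential was registered for (assumed value for the example).
EXPECTED_ORIGIN = "https://login.example.com"


def b64url_decode(data: str) -> bytes:
    """Decode unpadded base64url, the encoding WebAuthn uses on the wire."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def make_client_data(origin: str, challenge: bytes) -> str:
    """Build the clientDataJSON a browser would produce (constructed sample)."""
    payload = {
        "type": "webauthn.get",
        "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode(),
        "origin": origin,
        "crossOrigin": False,
    }
    return base64.urlsafe_b64encode(json.dumps(payload).encode()).rstrip(b"=").decode()


def verify_assertion_origin(client_data_b64: str, expected_challenge: bytes) -> tuple:
    """Return (ok, reason) for the type, challenge and origin checks a relying
    party performs before signature verification. A session relayed through a
    look-alike proxy domain fails the origin check even if the user did log in."""
    try:
        client_data = json.loads(b64url_decode(client_data_b64))
    except ValueError:
        return False, "clientDataJSON is not valid base64url JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    # Constant-time compare so challenge mismatch timing leaks nothing.
    if not hmac.compare_digest(b64url_decode(client_data.get("challenge", "")), expected_challenge):
        return False, "challenge mismatch (stale or replayed assertion)"
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin {client_data.get('origin')!r} is not the relying party"
    return True, "ok"
```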
SMS toll fraud as a telecom and identity abuse pattern
SMS toll fraud, also called SMS pumping, abuses verification and messaging workflows to generate fraudulent message traffic and cost. The attack is attractive because it blends into legitimate OTP and notification flows, which makes it harder to detect with ordinary security tooling. The relevant control problem is not only fraud loss but also whether identity workflows depend too heavily on SMS as a trust channel. When SMS is overused for verification, attackers can monetise the authentication path itself rather than the account after compromise.
Practical implication: measure which user journeys still depend on SMS and prioritise alternatives where abuse economics are worst.
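One measurable signal of SMS pumping is a burst of OTP sends from one client to many distinct numbers in the same number range, almost none of which are ever verified. The following added example (not code from the original post or from Arkose Labs) runs that velocity-and-verification-ratio check over constructed OTP gateway events; the log format, thresholds, IP addresses, and phone numbers are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of OTP gateway events: timestamp, client IP, destination, event.
# IPs come from documentation ranges and the numbers are fictional.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 198.51.100.7 +15557770001 otp_sent
2024-03-01T10:00:09Z 198.51.100.7 +15557770001 otp_verified
2024-03-01T10:00:10Z 203.0.113.5 +15551234001 otp_sent
2024-03-01T10:00:11Z 203.0.113.5 +15551234002 otp_sent
2024-03-01T10:00:12Z 203.0.113.5 +15551234003 otp_sent
2024-03-01T10:00:13Z 203.0.113.5 +15551234004 otp_sent
2024-03-01T10:00:14Z 203.0.113.5 +15551234005 otp_sent
2024-03-01T10:00:15Z 203.0.113.5 +15551234006 otp_sent
"""


def parse_log(text):
    """Parse whitespace-separated event lines into (ts, ip, number, event)."""
    events = []
    for line in text.strip().splitlines():
        ts, ip, number, event = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, number, event))
    return events


def detect_sms_pumping(events, window=timedelta(minutes=5), min_numbers=5,
                       prefix_len=8, max_verify_ratio=0.2):
    """Flag (ip, number-prefix) pairs that send OTPs to many distinct numbers in
    one range within `window` while almost none of them are ever verified."""
    sends = defaultdict(list)   # (ip, prefix) -> [(ts, number), ...]
    verified = set()            # numbers whose OTP was actually entered
    for ts, ip, number, event in events:
        if event == "otp_sent":
            sends[(ip, number[:prefix_len])].append((ts, number))
        elif event == "otp_verified":
            verified.add(number)
    alerts = []
    for (ip, prefix), items in sends.items():
        items.sort()
        flagged, start = None, 0
        for end in range(len(items)):          # sliding time window over sends
            while items[end][0] - items[start][0] > window:
                start += 1
            numbers = {n for _, n in items[start:end + 1]}
            if len(numbers) < min_numbers:
                continue
            ratio = len(numbers & verified) / len(numbers)
            if ratio <= max_verify_ratio and (flagged is None or len(numbers) > flagged["numbers"]):
                flagged = {"ip": ip, "prefix": prefix, "numbers": len(numbers), "verify_ratio": ratio}
        if flagged:
            alerts.append(flagged)
    return alerts
```

Feeding the alert into a rate limit or step-up challenge on the send path stops the cost before the gateway bills it, which is the control the passage above asks teams to prioritise.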
Cybercrime-as-a-service and the bot economy
Cybercrime-as-a-service turns abuse into a subscription model, where attackers can buy bots, training, support, and operational playbooks. That changes the threat landscape because scale no longer depends on a skilled operator building tooling from scratch. The article’s warning is that fraud, credential attacks, and synthetic activity become easier to operationalise and harder to distinguish from normal traffic. For identity teams, that means bot detection and behavioural risk controls are now part of access governance, not just application security.
Practical implication: connect fraud telemetry, identity signals, and bot mitigation so abuse patterns are visible before account compromise spreads.
Threat narrative
Attacker objective: The attacker wants to monetise trusted identity and messaging channels by stealing sessions, draining funds, and turning authentication workflows into fraud infrastructure.
- Entry begins with adversary-in-the-middle phishing, where victims are redirected through reverse proxies that capture live credentials and session artefacts.
- Escalation occurs when attackers use the stolen session or abused verification channel to bypass normal authentication checks and move into account control or fraudulent messaging flows.
- Impact follows as attackers drain accounts, steal card data, inflate SMS costs, or scale abuse through commoditised cybercrime services.
Breaches seen in the wild
- Schneider Electric credentials breach — exposed credentials gave attackers access to Schneider Electric Jira, exfiltrating 40GB.
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Phishing has moved from credential capture to session interception. The key shift in adversary-in-the-middle attacks is that the attacker does not need to own the password long enough to reuse it later. They only need to sit in the middle long enough to steal a live session or verification artefact. That makes traditional awareness and static MFA programmes insufficient on their own. Practitioners should treat session integrity and phishing resistance as the real control objective.
SMS-based verification has become an abuse surface, not just an authentication channel. Once attackers can monetise message volume or intercept OTP flows, the identity journey itself becomes the product they are attacking. This is why SMS toll fraud belongs in the same governance conversation as customer authentication and fraud controls. The implication is that identity teams should stop treating SMS as a default trust primitive.
Cybercrime-as-a-service is the industrialisation of identity abuse. A 20-fold projected rise in CaaS means more actors can run high-volume fraud with low technical skill, which shifts the burden to defenders. The model normalises repeatable playbooks, support, and scale, so security programmes must assume adversaries can operationalise quickly. Practitioner conclusion: identity telemetry and fraud controls need to be designed for abuse marketplaces, not isolated attackers.
Identity security and fraud prevention are converging into one operating model. The article’s threat mix shows that human authentication, bot mitigation, and financial abuse are no longer separable disciplines. When phishing, SMS fraud, and CaaS reinforce one another, the enterprise is facing a combined identity and fraud attack surface. Practitioner conclusion: governance must span login, session, and transaction controls together.
From our research:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, which helps explain why abuse-friendly identity workflows persist, according to The State of Secrets in AppSec.
- For a broader NHI control baseline, see Top 10 NHI Issues for the governance patterns that matter when identity channels are being abused at scale.
What this signals
Identity abuse is increasingly an economics problem. When attackers can industrialise phishing, OTP abuse, and fraud through service models, the programme challenge becomes reducing attacker return on effort. Teams should expect more automated abuse, shorter dwell times, and higher pressure on support and recovery workflows, especially where SMS and session replay remain in play.
Trust boundaries are shifting from the login page to the full user journey. The practical response is to instrument the path between initial challenge, token issuance, and transaction approval so that abuse can be interrupted before money or account control changes hands. That creates a single risk view across IAM, fraud, and customer operations.
With 75% of organisations expressing strong confidence in their secrets management capabilities while the average time to remediate a leaked secret is still 27 days, the broader lesson is that confidence often outpaces control. For identity and fraud leaders, this is a reminder to validate real-world abuse resistance, not policy intent alone.
For practitioners
- Harden phishing-resistant authentication: Prioritise passkeys, FIDO2, or other phishing-resistant methods for high-value user journeys so reverse proxy attacks cannot reuse captured credentials and sessions. Reduce reliance on SMS and consider step-up checks only where the risk model justifies them.
- Map SMS dependence across critical journeys: Inventory where SMS still supports login, recovery, or verification flows, then rank those paths by abuse economics and business impact. If the path can be monetised through toll fraud, design out SMS or constrain it to lower-risk use cases.
- Combine bot signals with identity telemetry: Correlate device, behavioural, and session signals with identity events so fraud teams can spot synthetic activity before it becomes account compromise. Tie this to bot management rules and escalation workflows that can block or challenge suspicious flows.
- Treat fraud and IAM as one control plane: Align IAM, fraud, and customer support teams around shared playbooks for phishing, OTP abuse, and account takeover. Make sure recovery, lockout, and transaction challenge decisions use the same risk inputs rather than separate team-specific thresholds.
Key takeaways
- The article describes a fraud-driven threat mix where phishing, SMS abuse, and cybercrime services reinforce one another to bypass human identity controls.
- The cited numbers suggest rapid scaling, with a 121% cyberattack increase in one quarter, a 141% rise in SMS toll fraud, and a projected 20-fold expansion in cybercrime-as-a-service.
- Practitioners should shift from awareness-only defences to phishing-resistant authentication, reduced SMS dependence, and shared IAM-fraud telemetry.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST SP 800-63, NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST SP 800-63 | AAL | The article focuses on human authentication and phishing-resistant login flows. |
| NIST CSF 2.0 | PR.AA-1 | Identity proofing and authentication are central to the phishing and OTP abuse risks discussed. |
| NIST Zero Trust (SP 800-207) | PR.AC-7 | Continuous verification is relevant where live sessions and token replay are abused. |
Raise authentication assurance for high-risk journeys and reduce dependence on reusable OTPs.
Key terms
- Adversary-in-the-middle phishing: A phishing method where the attacker places themselves between the user and the real service to relay traffic and capture credentials or session tokens. It is especially dangerous because the victim may complete a real login while the attacker quietly takes over the authenticated session.
- SMS pumping: Fraud that exploits SMS delivery or verification flows to generate artificial message volume and cost. In identity programmes, the issue is not only billing abuse but also the overreliance on SMS as a trust channel for login, recovery, or step-up verification.
- Cybercrime-as-a-service: A criminal operating model that packages fraud tooling, bots, support, and playbooks into purchasable services. It lowers the barrier to entry for attackers and turns identity abuse into a repeatable business process rather than a one-off technical exploit.
- Session integrity: The assurance that an authenticated session still belongs to the legitimate user and has not been intercepted, replayed, or substituted. For human identity and fraud use cases, session integrity is often more important than password strength because many attacks succeed after login.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Arkose Labs: Foreseeing the Future Threatscape: 2024’s Bad Actor Forecast. Read the original.
Published by the NHIMG editorial team on 2026-05-11.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org