TL;DR: Across 3,000 years of fraud, the tactics change from counterfeit coins and false weights to deepfakes and fraud-as-a-service, but the psychological levers stay the same: trust, fear, greed, urgency, and authority, according to Sumsub. The history matters because modern deception now scales faster than human verification cycles can keep up.
At a glance
What this is: A historical analysis of fraud's evolution, showing that the mechanisms of deception change with technology while the psychological triggers remain constant.
Why it matters: For IAM and security practitioners, identity controls, verification workflows, and user education all fail when attackers can impersonate trust itself at scale.
Context
Fraud is not defined by the medium it uses. Whether the attacker is altering coins, forging documents, or using deepfakes, the pattern is the same: create a believable story, compress the victim’s decision time, and exploit a trust relationship before verification can happen.
For identity and access teams, the important lesson is that fraud is increasingly an identity problem as much as a financial one. The controls that matter are the ones that slow down impersonation, surface anomalies early, and reduce the chance that a trusted channel can be turned into an attack path.
This makes the article relevant beyond anti-fraud teams. Human identity controls, privileged workflows, and even non-human identity governance all depend on the same assumption that the caller is legitimate, and that assumption is exactly what modern fraud targets.
Key questions
Q: How should security teams reduce fraud risk when attackers can imitate trusted people and processes?
A: They should add independent verification for high-impact actions, reduce reliance on a single channel, and design workflows so urgency does not bypass scrutiny. The strongest control is not only detection. It is forcing a request to prove legitimacy through a separate, harder-to-spoof path before money, access, or authority changes hands.
Q: Why do AI deepfakes and voice cloning make fraud harder to stop?
A: Because they lower the cost of producing convincing impersonation at scale. The attacker no longer needs perfect realism, only enough realism to get past a rushed human decision. That means organisations must assume synthetic media is normal and move sensitive approvals onto out-of-band checks and stronger identity validation.
Q: What do organisations get wrong about fraud prevention?
A: They often focus on blocking known scam patterns instead of reducing the conditions that make scams work. Fraud succeeds through urgency, authority, trust, and social proof. If those conditions are not addressed in process design, employees and systems can still be manipulated even when technical controls appear strong.
Q: Who is accountable when a fraudulent request is approved through a trusted channel?
A: Accountability should be shared across process owners, control owners, and the approving function, because the failure usually sits in the workflow design rather than one bad decision. Organisations should map where trust is assumed, where review can be rushed, and where approval can be impersonated without a separate challenge step.
Technical breakdown
Why fraud scales when verification lags behind communication
Fraud becomes more powerful whenever communication is faster than validation. In ancient markets that meant a buyer could not inspect weights or coin purity at the same speed as the seller could present them. In digital environments, the same gap appears when attackers can send millions of messages, spin up believable personas, or use synthetic media before a human review loop catches up. The core technical issue is not sophistication alone. It is the mismatch between how quickly trust can be simulated and how slowly organisations can verify authenticity across channels, identities, and transactions.
Practical implication: shorten verification paths and add independent checks before trust can be converted into action.
How narrative-driven fraud defeats human and identity controls
Narrative-driven fraud works because people often accept a coherent story before they test the facts. The medieval relic trade, the South Sea Bubble, and modern advance-fee scams all used the same pattern: a plausible promise, social proof, and pressure to act now. Technically, that means the defence is not only blocking known indicators. It also requires detecting when a claim is designed to bypass scrutiny by borrowing authority, urgency, or familiarity. Identity systems that rely on a single trusted channel are especially exposed when the attacker can convincingly imitate the expected context.
Practical implication: require independent verification for high-friction actions, especially when the request is urgent or emotionally charged.
Why AI-powered fraud changes the cost curve, not the psychology
AI does not invent new fraud psychology, but it collapses the cost of generating convincing deception. Deepfakes, voice cloning, and automated phishing let attackers produce personalised content at industrial scale, while fraud-as-a-service packages the trade for less-capable actors. That changes the economics of abuse: more attempts, more variation, and faster adaptation. The technical risk for identity teams is that the signal quality of human interaction drops, so behavioural trust indicators that once felt reliable become easier to spoof. The result is not a new fraud model, but a much cheaper one.
Practical implication: treat AI-generated impersonation as a baseline threat and strengthen out-of-band verification for sensitive requests.
NHI Mgmt Group analysis
Fraud is now an identity security problem because trust itself has become the attack surface. The article shows that every era of fraud succeeds by manipulating who or what someone believes they are interacting with. For identity teams, that means authentication, authorisation, and verification cannot be treated as separate concerns when the attacker is trying to simulate legitimacy across multiple channels. The practical conclusion is that identity programmes must assume trust can be forged before access is ever granted.
Urgency is the oldest and most durable control bypass in fraud. The article repeatedly shows that scams work when the victim is pressured to act before they can verify. That matters for IAM, PAM, and approval workflows because human-paced review cycles are easy to outrun when the attacker controls the tempo of the interaction. The implication is that any process depending on delayed human confirmation is vulnerable if urgency can be manufactured convincingly.
AI-powered fraud does not change the scam pattern, but it collapses the cost of producing believable deception. Deepfakes, voice cloning, and fraud-as-a-service lower the barrier to entry and raise the volume of attempts, which means traditional trust signals become noisier and less discriminating. This is a governance problem because programmes built around static trust cues will see more false positives and more successful impersonation. Practitioners should treat synthetic identity pressure as a structural condition, not an edge case.
Human identity controls and non-human identity controls are converging on the same failure mode: assumed legitimacy. A person spoofed by a deepfake and a workload abused through a trusted channel both fail when the organisation relies on identity labels without validating context. That is why fraud analysis belongs in broader identity governance conversations, not only in anti-fraud teams. The implication is that identity programmes need one consistent model for proving legitimacy across human, machine, and emerging AI-mediated interactions.
From our research:
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap, according to The State of Secrets in AppSec.
- Companies are dedicating an average of 32.4% of their security budgets to secrets management and code security, with US organisations leading at 40.8%.
- For a broader identity context, see Top 10 NHI Issues for the governance problems that emerge when trust and access are not tightly controlled.
What this signals
Fraud prevention is becoming an identity assurance discipline. Teams that still treat fraud as a pure detection problem will miss the point of deepfake-enabled impersonation and synthetic social engineering. The practical shift is to strengthen challenge-response steps, tighten approval paths, and make legitimacy harder to counterfeit across human and machine interactions.
The warning sign is not only more fraud attempts. It is more requests that feel believable enough to reach a human decision point. That is where process design, not only monitoring, has to absorb the pressure, especially around privileged actions and sensitive financial approvals.
As identity systems expand into agentic and machine-mediated workflows, the same lesson applies: if legitimacy is assumed rather than proven, deception will scale faster than review cycles can adapt.
For practitioners
- Add independent verification steps to high-risk requests: Require a second, separate channel for approving payments, credential resets, vendor onboarding, and other high-impact actions. Do not let the same channel that carries the request also carry the approval.
- Harden identity proofing against synthetic impersonation: Review whether your current identity checks can distinguish a real person from a voice clone, deepfake, or scripted social engineering flow. Where the answer is unclear, raise verification depth rather than relying on familiarity.
- Train staff to treat urgency as a risk signal: Update awareness programmes so employees recognise compressed decision time, emotional pressure, and authority cues as indicators to pause and verify. Fraud succeeds when people feel they must act before thinking.
- Review privileged workflows for impersonation exposure: Map the requests that can change financial, identity, or access state and identify where a look-alike request could pass as trusted and bypass normal review. Add challenge steps for those paths.
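The channel-separation and urgency items above, expressed as an approval gate; this is an added example, not code from Sumsub or NHI Mgmt Group. The action names, channel labels, the `contact_source` field and the rule that urgency adds one required channel are assumptions made for the example.

```python
from dataclasses import dataclass

# Actions the page lists as high-impact; treating them as a fixed set is an assumption.
HIGH_IMPACT = {"payment", "credential_reset", "vendor_onboarding"}

@dataclass(frozen=True)
class Request:
    action: str
    requester: str
    channel: str           # channel the request arrived on
    urgent: bool = False   # requester is pressing for immediate action

@dataclass(frozen=True)
class Confirmation:
    confirmer: str
    channel: str           # channel the confirmation was obtained on
    contact_source: str    # "directory" (system of record) or "request" (supplied by the requester)

def is_independent(req, conf):
    """A confirmation counts only if it did not travel the request's own path."""
    return (conf.channel != req.channel
            and conf.confirmer != req.requester
            and conf.contact_source == "directory")

def required_channels(req):
    """Urgency raises the bar by one channel; it never lowers it."""
    base = 1 if req.action in HIGH_IMPACT else 0
    return base + 1 if req.urgent else base

def evaluate(req, confirmations):
    """Return ("approve" | "hold", reasons)."""
    valid = [c for c in confirmations if is_independent(req, c)]
    reasons = [f"ignored {c.channel} confirmation: not independent of the request"
               for c in confirmations if c not in valid]
    # Count distinct channels so one compromised channel cannot confirm twice.
    have, need = len({c.channel for c in valid}), required_channels(req)
    if have < need:
        reasons.append(f"{have} of {need} independent channels confirmed")
        return "hold", reasons
    return "approve", reasons

# Constructed sample: an urgent payment request arriving by video call.
urgent_payment = Request("payment", "ceo", "video_call", urgent=True)
same_path = [Confirmation("ceo", "video_call", "request")]
callback = [Confirmation("finance_controller", "phone", "directory")]
two_paths = callback + [Confirmation("treasury_lead", "ticketing", "directory")]

if __name__ == "__main__":
    for label, confs in [("same path", same_path), ("callback", callback), ("two paths", two_paths)]:
        print(label, evaluate(urgent_payment, confs))
```

A confirmation reached through contact details supplied in the request is discarded even when it arrives on a different channel, because the requester controls that path too.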
Key takeaways
- Fraud keeps changing form, but it still works by turning trust, urgency, and authority into leverage.
- AI lowers the cost of convincing deception, which means organisations face more attempts and fewer obvious warning signs.
- The right response is stronger independent verification, not just better detection after the fact.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Fraud exploits weak identity assurance and trusted-channel abuse. |
| NIST SP 800-63 | | Identity verification must resist impersonation and synthetic media pressure. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Zero Trust assumes continuous verification, not assumed legitimacy. |
Use stronger identity proofing and phishing-resistant verification for sensitive interactions.
Key terms
- Fraud-as-a-Service: A criminal service model where ready-made fraud tools, infrastructure, or playbooks are sold to others. It lowers the barrier to entry for social engineering, phishing, and impersonation by packaging the operational parts of fraud into a subscription or marketplace offering.
- Synthetic impersonation: The use of generated voice, video, text, or profile content to appear like a real person or trusted organisation. In practice, it weakens the reliability of familiar identity cues and forces teams to rely more on independent validation than on appearance alone.
- Trust signal: Any cue that makes a person or system seem legitimate, such as a familiar name, known channel, authority marker, or expected behaviour. Fraud targets these signals directly, so security programmes must distinguish between recognition and proof.
- Identity assurance: The degree of confidence that an identity really is who or what it claims to be at the moment of interaction. It depends on proofing, authentication, context, and review, and it must be stronger when the action carries higher financial or access impact.
This post draws on content published by Sumsub: From Alchemy to Algorithms: A History of Fraud. Read the original.
Published by the NHIMG editorial team on 2026-06-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org