By NHI Mgmt Group Editorial Team | Published 2026-06-08 | Domain: Governance & Risk | Source: SumSub

TL;DR: Fraud is shifting from convincing people to manipulating systems, with attackers using camera injection, emulator farms, AI-driven tactics, and reverse-engineered onboarding flows to evade layered defences, according to SumSub. Traditional controls are increasingly brittle when the adversary studies workflows, not just users.


At a glance

What this is: A SumSub episode about fraud shifting from human deception to system manipulation, with attackers targeting onboarding and detection workflows instead of only people.

Why it matters: IAM, fraud, and identity teams now have to defend the control plane, not just the login step, across human, NHI, and emerging autonomous attack paths.



Context

Fraud detection now has to account for attackers who manipulate the systems around identity proofing, not just the identities themselves. That means onboarding flows, device checks, and liveness controls become part of the identity security surface, especially when adversaries use automation to probe for weak links.

The article frames a shift from manual deception to machine-paced abuse. For IAM and fraud teams, the central issue is no longer whether a user looks real at the point of entry, but whether the workflow can be reverse engineered, replayed, or scaled faster than the defence can adapt.


Key questions

Q: How should security teams stop fraud rings from reverse engineering onboarding flows?

A: Security teams should treat onboarding as an attack surface and minimise predictable decision paths. Simplify exception handling, vary challenge points where possible, and monitor for repeated testing of the same branches. If the workflow can be mapped easily, it can usually be abused at scale, so the control goal is to reduce replayability, not just add more checks.

Q: Why do camera injection attacks matter for identity assurance?

A: Camera injection attacks matter because they compromise the signal source, not just the person being verified. If liveness or proofing controls accept synthetic or replayed inputs, the downstream identity decision becomes unreliable. The practical issue is assurance integrity: a control that appears to work may still be trusting fabricated evidence.

Q: How can teams tell whether AI-driven fraud controls are keeping up?

A: Teams should measure how quickly fraud patterns are detected, validated, and pushed into controls compared with how fast attackers adapt. If rule updates lag behind observed attack variants, the programme is falling behind. Useful signals include repeated failures at the same workflow step, rising exception usage, and suspicious consistency across many supposedly different sessions.

Q: What should organisations do when fraud moves faster than manual review?

A: Organisations should move high-risk decisions toward real-time, risk-based evaluation and reserve manual review for escalation rather than first-line gating. Manual queues cannot be the primary defence when attackers operate at machine speed. The right response is to automate detection, shorten feedback loops, and route only the ambiguous cases to humans.


Technical breakdown

Reverse-engineered onboarding flows

Onboarding workflows are attractive to attackers because they encode the order of checks, decision points, and fallback paths. If a fraud ring can map the steps, it can target the weakest stage with synthetic identities, stolen documents, or tampered sessions. Reverse engineering is not always about breaking a single control. It is often about finding where signals are evaluated too late, where exceptions are too generous, or where the workflow trusts prior steps too much. In identity terms, the process becomes the attack surface, not just the credentials.

Practical implication: map your onboarding decision tree and remove predictable fallbacks that attackers can rehearse against.
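One way to carry out that mapping, as an added example that is not from SumSub or the original post: the onboarding flow is modelled as a graph and every route to approval is checked for required checks that a fallback lets a session skip. The step names, outcomes and the REQUIRED set are constructed assumptions.

```python
# Constructed onboarding workflow (hypothetical step names): node -> {outcome: next node}.
WORKFLOW = {
    "document": {"pass": "liveness", "fail": "reject", "unreadable": "manual_upload"},
    "manual_upload": {"pass": "device_check", "fail": "reject"},
    "liveness": {"pass": "device_check", "fail": "reject", "camera_error": "selfie_upload"},
    "selfie_upload": {"pass": "device_check", "fail": "reject"},
    "device_check": {"pass": "approve", "fail": "reject"},
}
# Checks that every approval is assumed to require (an assumption of this example).
REQUIRED = {"document", "liveness", "device_check"}


def approval_paths(workflow, start="document", goal="approve"):
    """Return every path of (step, outcome) pairs that leads from start to goal."""
    paths, stack = [], [(start, [])]
    while stack:
        node, path = stack.pop()
        if node == goal:
            paths.append(path)
            continue
        if node in {step for step, _ in path}:
            continue  # loop guard: never revisit a step on the same path
        for outcome, nxt in workflow.get(node, {}).items():
            stack.append((nxt, path + [(node, outcome)]))
    return paths


def weak_paths(workflow, required=REQUIRED):
    """Return approval paths on which a required check was never passed."""
    findings = []
    for path in approval_paths(workflow):
        passed = {step for step, outcome in path if outcome == "pass"}
        missing = sorted(required - passed)
        if missing:
            route = " -> ".join(f"{step}[{outcome}]" for step, outcome in path)
            findings.append((route, missing))
    return sorted(findings)


if __name__ == "__main__":
    for route, missing in weak_paths(WORKFLOW):
        print(f"approve reachable without {missing}: {route}")
```

Each finding is a fallback branch to tighten or remove, for example by routing a camera error back into a fresh liveness attempt instead of a static upload.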

Camera injection attacks and emulator farms

Camera injection attacks bypass live capture assumptions by feeding pre-recorded or synthetic video into liveness checks, while emulator farms make automated fraud look like distributed legitimate device activity. Both tactics exploit the gap between what a control thinks it is observing and what it is actually receiving. The control may be technically functioning, but the trust model is wrong. This is a classic identity assurance problem: if the signal source can be spoofed at scale, the downstream decision inherits the spoof.

Practical implication: test liveness and device assurance controls against spoofed capture paths and large-scale emulation.

AI-driven fraud at machine speed

AI changes fraud economics by shrinking the cost of experimentation. Attackers can generate variants, tune payloads, and adapt to defences quickly enough that static rules age out before they are useful. That does not make AI the root cause. It makes feedback loops faster, which punishes slow review cycles and brittle policy logic. In practice, machine-speed fraud forces a shift from one-time verification to continuous risk assessment across the session and the workflow.

Practical implication: replace static, threshold-only decisions with continuously updated fraud signals tied to session behaviour and device trust.
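The signals named under "Key questions" (repeated failures at the same workflow step, suspicious consistency across supposedly different sessions) can be checked together with device attributes, as in this added example, which is not code from SumSub or the original post. The session fields, the 500 ms timing bucket and the three-account threshold are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed session records (hypothetical fields): account, device attributes,
# time spent on each onboarding step in ms, and the step that failed (or None).
SESSIONS = [
    {"account": "f1", "device": ("Pixel 6", "1080x2400", "en-US"), "steps_ms": [2010, 3020, 5030], "failed_at": "liveness"},
    {"account": "f2", "device": ("Pixel 6", "1080x2400", "en-US"), "steps_ms": [2040, 3050, 5010], "failed_at": "liveness"},
    {"account": "f3", "device": ("Pixel 6", "1080x2400", "en-US"), "steps_ms": [1990, 3000, 4980], "failed_at": None},
    {"account": "f4", "device": ("Pixel 6", "1080x2400", "en-US"), "steps_ms": [2020, 2980, 5040], "failed_at": "liveness"},
    {"account": "u1", "device": ("Pixel 6", "1080x2400", "en-US"), "steps_ms": [5200, 11000, 18900], "failed_at": None},
    {"account": "u2", "device": ("iPhone 14", "1170x2532", "en-GB"), "steps_ms": [4100, 9800, 15200], "failed_at": "document"},
    {"account": "u3", "device": ("Galaxy S22", "1080x2340", "de-DE"), "steps_ms": [6300, 12100, 22000], "failed_at": None},
]


def signature(session, bucket_ms=500):
    """Device attributes plus coarse step timings: people vary, replayed scripts do not."""
    timings = tuple(round(t / bucket_ms) for t in session["steps_ms"])
    return (session["device"], timings)


def suspicious_clusters(sessions, min_accounts=3):
    """Group sessions by signature and report groups spanning many distinct accounts."""
    clusters = defaultdict(list)
    for s in sessions:
        clusters[signature(s)].append(s)
    findings = []
    for (device, _), members in clusters.items():
        accounts = sorted({m["account"] for m in members})
        if len(accounts) < min_accounts:
            continue
        # Repeated failures at one step inside a cluster suggest rehearsal of that branch.
        failures = Counter(m["failed_at"] for m in members if m["failed_at"])
        findings.append({"device": device, "accounts": accounts,
                         "repeated_failures": dict(failures)})
    return findings


if __name__ == "__main__":
    for finding in suspicious_clusters(SESSIONS):
        print(finding)
```

The organic Pixel 6 session (u1) shares the device attributes but not the timing profile, so it stays out of the flagged cluster; device attributes alone would have swept it in.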


Threat narrative

Attacker objective: The attacker wants to pass fraud controls at scale and convert manipulated identity workflows into account access, payment abuse, or synthetic identity acceptance.

  1. Entry begins when attackers probe onboarding workflows, liveness checks, and device verification paths for predictable gaps they can replay or automate.
  2. Credential or proofing abuse follows when camera injection, emulator farms, or synthetic identity inputs satisfy controls that trust the signal source too readily.
  3. Impact arrives when manipulated workflows admit fraudulent accounts or transactions at scale, overwhelming traditional review and weakening trust in the identity layer.



NHI Mgmt Group analysis

Fraud has become workflow abuse, not just identity spoofing. The article shows that the decisive target is now the sequence of checks, exceptions, and fallback decisions that make up onboarding and fraud detection. When attackers can reverse engineer that sequence, the control failure is structural rather than tactical. Practitioners should treat identity workflows as attack paths, not administrative plumbing.

Machine speed breaks defence models built around human review cycles. AI-driven fraud reduces the time between testing, adaptation, and replay, which means rules tuned during yesterday's attack may already be stale. This is not simply higher-volume fraud. It is an operating model where the attacker learns faster than the programme can recertify its assumptions. The implication is that static thresholds cannot carry the trust burden alone.

Camera injection attacks expose an assurance gap, not a liveness gap. Liveness controls assume the observed signal comes from the claimed subject and environment. That assumption fails when the capture channel itself is compromised or simulated. The named concept here is signal-source trust debt: the accumulated risk created when identity controls trust inputs without independently validating their provenance. Practitioners should recognise that assurance is only as strong as the integrity of the sensor path.

Emulator farms turn fraud into distributed infrastructure abuse. The article highlights an industrialised pattern where automated environments make one attacker look like many legitimate devices. That complicates device reputation, anomaly scoring, and velocity controls because the same behaviour can be replayed across fleets. The governance lesson is that fraud now behaves like infrastructure misuse, so identity and fraud teams need shared visibility into device provenance and session patterns.

Cross-industry collaboration is becoming a control, not a nice-to-have. The article’s emphasis on defenders sharing signals reflects the reality that fraud rings reuse infrastructure, patterns, and tooling across sectors. No single programme sees enough of the pattern in isolation. Practitioners should expect fraud defence to move further toward shared intelligence, coordinated response, and broader trust-network design.


What this signals

Signal-source trust debt: identity programmes are increasingly failing at the point where they trust inputs from devices, cameras, and automated verification channels. That means fraud detection, IAM, and device assurance can no longer operate as separate teams if the same adversary is testing all three layers together.

With the 52 NHI Breaches Analysis report available as a reference point for recurring access failures, the better programme question is not whether a control exists but whether it can still distinguish legitimate from fabricated behaviour under automation pressure. Teams should expect assurance design to move closer to continuous verification and cross-signal correlation, not one-time proofing.

The broader shift is that machine-paced fraud punishes any control model that assumes slow adversary adaptation. IAM teams should watch for increasing reuse of the same workflow weaknesses, especially where identity proofing, device reputation, and manual review remain disconnected.


For practitioners

  • Harden onboarding against workflow reconstruction: Map every branch, fallback, and exception in your identity proofing journey, then remove predictable paths that let attackers rehearse the process. The goal is to reduce the number of ways a synthetic identity can satisfy the same approval sequence.
  • Test liveness controls against spoofed capture: Run controlled exercises for camera injection, replayed video, and other signal substitution techniques to see whether liveness checks still distinguish a live subject from a fabricated input. Focus on where the trust boundary sits in the capture chain.
  • Correlate device trust with session behaviour: Tie device reputation, emulator detection, and behavioural signals together before allowing high-risk actions. A trusted login should not automatically validate transaction or account-creation activity if the session later diverges from expected patterns.
  • Create shared fraud and IAM response paths: Align fraud operations, identity governance, and security monitoring so that signal sharing is routine rather than ad hoc. The same evidence should inform onboarding review, account containment, and investigations across teams.

Key takeaways

  • Fraud now targets identity workflows and verification systems, not just end users or stolen credentials.
  • AI and automation reduce attacker cycle time, which makes static rules and manual review too slow to serve as the primary defence.
  • Teams should harden the trust chain around capture, device, and onboarding signals, then align fraud and IAM response around the same evidence.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-05 | Attackers abuse identity workflows and signals, which maps to NHI assurance and abuse resistance.
NIST CSF 2.0 | PR.AA-01 | Identity assurance and access decisions depend on trustworthy verification signals.
NIST SP 800-63 | | Identity proofing and authenticator assurance are directly implicated by spoofed capture and verification abuse.

Tie fraud signals to identity assurance controls and continuously validate that access decisions remain trustworthy.


Key terms

  • Identity Proofing Workflow: The sequence of checks used to establish that a person or account is real before access is granted. In practice, it includes document review, device checks, liveness tests, and fallback decisions. Attackers target the workflow itself when they can predict or simulate the order of trust decisions.
  • Camera Injection Attack: A fraud technique that feeds synthetic, replayed, or intercepted video into a liveness or verification control. The control may appear to be working, but the sensor input is not coming from a live subject. This matters because assurance fails when the capture path is not trusted.
  • Emulator Farm: A coordinated set of emulated devices used to make automated fraud look like many distinct endpoints. It helps attackers distribute attempts, hide patterns, and bypass device reputation controls. For defenders, it turns a single abuse source into a fleet-shaped signal problem.
  • Signal-source Trust: The degree to which a security control can trust the origin of the evidence it receives. If the source of the signal is spoofed, replayed, or manipulated, the control may still function technically while making the wrong decision. That is a trust failure, not just a detection failure.


This post draws on content published by SumSub: an episode on how fraud is shifting from human deception to system manipulation.
