By NHI Mgmt Group Editorial TeamPublished 2026-06-25Domain: AnnouncementsSource: Arkose Labs

TL;DR: Telco fraud losses reached $41.82B globally in 2025, mobile messaging fraud hit $80.5B, and 76% more telecom account takeovers were reported as attack volumes and tooling complexity outpaced internal expertise, according to Arkose Labs and CFCA 2025. The governance gap is no longer just detection quality; it is whether identity and access controls can keep pace with bot, fraud, and AI-driven abuse.


At a glance

What this is: This is Arkose Labs' telco fraud analysis, which argues that bot, account takeover, and AI-driven abuse are colliding with weak detection and mitigation capacity.

Why it matters: It matters because telco fraud is now an identity problem as much as a security problem, with implications for customer accounts, authentication flows, and the governance of non-human access.

By the numbers:

👉 Read Arkose Labs' analysis of telco fraud, bots, and account takeover risk


Context

Telco fraud is the abuse of authentication, customer access, and automated decisioning to create financial loss at scale. In this case, the security gap is not a single compromised account but the gap between real-time abuse and the controls used to detect and stop it.

Arkose Labs frames the issue around bots, AI agents, and bad actors moving faster than static controls and stretched teams can respond. For IAM, this is a reminder that customer identity, bot defense, and fraud governance are now tightly connected rather than separate operating domains.

The article's starting position is typical for high-volume consumer sectors: attackers do not need to break the whole platform, only enough identity trust to turn volume into loss.


Key questions

Q: How should telcos reduce account takeover risk without blocking legitimate customers?

A: Use layered identity signals, device reputation, and behavioural analytics to distinguish normal customer actions from automation and takeover attempts. The goal is not to block every anomaly, but to create graduated challenge and intervention points where risk is highest, such as login, recovery, and payment flows.

Q: Why do bots and AI agents make fraud harder to contain in telecom?

A: They increase the attacker’s speed, variation, and persistence, which reduces the value of static rules and one-off detections. In telecom, that means abuse can move from testing to monetisation quickly, especially when account recovery and messaging flows are easier to reuse than infrastructure-level controls.

Q: What do security teams get wrong about bot mitigation in customer identity flows?

A: They often treat bot defence as a perimeter or UX problem instead of an identity assurance problem. When customer access can be automated at scale, the real question is whether the organisation can recognise repeated abuse patterns early enough to interrupt trust before loss occurs.

Q: Who should own fraud controls when identity and revenue risk overlap?

A: Ownership should be shared across IAM, fraud operations, and security leadership, with clear decision rights for escalation and blocking. If each team only sees its own slice of the problem, attackers will keep using the gaps between them to create loss.


How it works in practice

How bot-driven account takeover turns identity trust into revenue loss

Account takeover in telco usually begins with automated credential abuse, synthetic account creation, or phishing-driven session theft. Once an attacker has enough identity assurance to pass the first control layer, they can pivot into SIM swap abuse, messaging fraud, or fraudulent transaction flows. The core technical issue is that customer-facing controls often treat each event in isolation, while the attacker treats identity as a reusable pathway. That mismatch lets low-value probes scale into high-value abuse across channels.

Practical implication: correlate authentication, device, and behavioural signals before the attacker converts a trusted session into monetised fraud.

Why AI agents and bots change fraud detection thresholds

AI-assisted abuse changes the economics of fraud because it increases speed, persistence, and variation. Rather than repeating the same obvious pattern, automated actors can rotate identifiers, alter timing, and probe decision thresholds until they find a path through. That means traditional rules based only on single events or fixed velocity checks degrade quickly. Detection needs to work across sequence, context, and adversarial adaptation, especially where the same actor can present as many users or devices.

Practical implication: tune controls for adaptive behaviour, not just static signatures, and review threshold logic continuously.

What always-on mitigation means for telco identity governance

Always-on mitigation is the ability to interrupt suspicious activity in real time, not after investigation. In identity terms, that means the platform must be able to challenge, slow, or deny access based on risk rather than waiting for manual review. For telcos, this matters because customer journeys move quickly and fraud losses compound in minutes. The architectural question is whether decisioning can act early enough to change attacker ROI without degrading legitimate customer access beyond tolerance.

Practical implication: define risk-based interruption points in account recovery, messaging, and API workflows before attackers exploit them at scale.


NHI Mgmt Group analysis

Fraud defence in telco is now an identity control problem, not a perimeter problem. The article's numbers point to an environment where attackers are monetising weak identity assurance across customer journeys rather than breaching infrastructure first. That shifts the centre of gravity from network defence to access confidence, especially for account recovery, messaging, and high-risk transaction paths. Practitioners should treat fraud tooling as part of identity governance, not a separate fraud silo.

Bot traffic becomes a governance issue once it can impersonate legitimate access paths. If automated abuse can repeatedly test login, recovery, and payment flows, then the real failure is not detection alone but the inability to distinguish human intent from machine-scale repetition. That is where customer IAM, behavioural analytics, and fraud response intersect. The implication is that teams need shared ownership across IAM, security, and fraud operations.

Identity trust debt is the right named concept for this problem. The more a platform tolerates low-friction access without strong challenge, the more accumulated trust can be converted into loss when automation arrives. Telco environments are especially exposed because the business model rewards speed and convenience, while attackers exploit that convenience at industrial scale. Practitioners should measure where trust is being issued faster than it is being verified.

The personnel gap is an operating model problem, not just a skills problem. When 67% of telcos report insufficient AI and cybersecurity expertise, the issue is not simply hiring. It is whether the organisation has enough integrated capability to turn telemetry into timely action across identity, fraud, and customer experience. The implication is that governance structures must match the scale of automated abuse, not the org chart.

AI-assisted abuse is compressing the response window available to telcos. Faster adversarial iteration means static rules age badly, and manual escalation is often too slow to protect revenue. That does not make controls obsolete; it means decisioning must be risk-driven and operationally current. Practitioners should rework thresholds, escalation paths, and ownership boundaries accordingly.

From our research:

  • 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to AI Agents: The New Attack Surface report.
  • Another finding from the same research shows that only 52% of companies can track and audit the data their AI agents access, leaving 48% with a compliance and breach-investigation blind spot.
  • For teams assessing autonomous risk alongside fraud and bot abuse, OWASP Agentic AI Top 10 provides a useful next lens on how agent behaviour can break trust boundaries.

What this signals

Telco operators should expect fraud controls, customer IAM, and bot mitigation to merge into a single operating model. The practical signal is that identity telemetry now has to support both real-time abuse interruption and post-event investigation, because volume attacks will keep compressing the time available to respond.

Identity trust debt: when customer journeys accumulate weakly verified access, attackers can convert that trust into fraud faster than manual teams can unwind it. Organisations that still separate fraud, security, and IAM reporting will miss the full abuse pattern.

Use Ultimate Guide to NHIs , 2025 Outlook and Predictions as a broader reference point for how non-human access patterns are expanding across enterprise environments. The telco lesson is that governance has to follow machine-speed abuse, not just human-scale workflows.


For practitioners

  • Unify fraud and IAM telemetry Correlate login behaviour, device signals, recovery attempts, and transaction context so suspicious identity patterns are visible across the full customer journey. This is the only way to catch repeated low-signal probes before they become account takeover or toll fraud.
  • Harden recovery and step-up flows Treat password resets, SIM swaps, and MFA recovery as high-risk identity events with additional challenge steps and tighter approval logic. Fraud actors routinely target these paths because they can convert weak trust into durable account control.
  • Review bot mitigation as governance Use the 52 NHI Breaches Analysis and OWASP NHI Top 10 to pressure-test how automated abuse could exploit customer identity flows, especially where volume, retries, and synthetic identities are hard to distinguish from legitimate demand.
  • Set risk-based interruption points Define where the platform should slow, challenge, or block activity when behavioural confidence drops, particularly in account creation, messaging, and payment actions. Real-time interruption is more effective than post-event review when fraud scale is high.

Key takeaways

  • Telco fraud is an identity governance problem because attackers exploit trust in customer access paths, not only technical vulnerabilities.
  • Arkose Labs cites major fraud losses and rising account takeovers, showing that automated abuse is already affecting revenue at industrial scale.
  • The most effective response is to correlate identity, device, and behavioural signals, then interrupt high-risk journeys before fraud can be monetised.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-01Bot abuse and account takeover expose weak identity assurance across customer journeys.
NIST CSF 2.0PR.AC-4Least-privilege and access governance matter when customer sessions are reused for fraud.
NIST Zero Trust (SP 800-207)PR.AAContinuous verification supports risk-based interruption of suspicious telco sessions.

Map customer-facing identity controls to NHI-01 and tighten assurance at login, recovery, and payment steps.


Key terms

  • Account Takeover: Account takeover is the unauthorised capture of a legitimate user or customer session, usually through stolen credentials, recovery abuse, or session replay. In telco, it becomes a fraud enabler when the attacker can reuse the trusted account for messaging, payments, or identity recovery.
  • Bot Mitigation: Bot mitigation is the set of controls used to detect and interrupt automated activity that imitates legitimate users. In identity-heavy environments, it relies on behavioural, device, and sequence signals rather than a single challenge, because attackers adapt quickly and operate at scale.
  • Identity Assurance: Identity assurance is the confidence that a person, system, or session is genuinely who or what it claims to be. For customer-facing telecom services, assurance levels need to vary by risk, because low-friction access can be exploited to turn trusted identity into revenue loss.
  • Risk-Based Interruption: Risk-based interruption is the practice of slowing, challenging, or blocking a session when signals indicate elevated abuse probability. It is useful when fraud moves faster than investigation, because it changes attacker economics before the transaction or account change completes.

What's in the full announcement

Arkose Labs' full article covers the operational detail this post intentionally leaves for the source:

  • Sector-specific fraud loss benchmarks and customer takeover trend data for telecom teams that need board-level evidence.
  • Product-level explanation of how the detection engine combines 225+ signals to identify suspicious activity.
  • Examples of mitigation and decisioning approaches used to respond to account takeover, SMS toll fraud, API security abuse, and phishing.
  • Commercial and platform context around Arkose Titan Agent Trust Manager, Bot Manager, and related controls.

👉 Arkose Labs' full article covers the industry loss figures, detection approach, and mitigation context in more detail.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-06-25.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org