By NHI Mgmt Group Editorial Team
Published 2026-06-26
Domain: Events
Source: Abnormal AI

TL;DR: Frank Abagnale’s Vision 2023 webinar argues that older fraud techniques still succeed because attackers adapt the same social-engineering patterns to modern environments, with the FBI and more than 14,000 organisations using his insights as a prevention reference. The identity lesson is that human trust, approval, and verification workflows remain soft targets even when technology changes.


At a glance

What this is: A Vision 2023 fraud webinar argues that legacy scam techniques still work because attackers adapt them to modern business workflows.

Why it matters: It matters to IAM practitioners because fraud succeeds where identity checks, approval paths, and human verification processes are easy to imitate or bypass.

👉 Read Abnormal AI's Vision 2023 webinar on fraud tactics and emerging scams


Context

Fraud remains an identity problem when attackers exploit how people approve requests, trust familiar names, and respond under pressure. In practice, that means human identity controls, verification workflows, and escalation paths can be turned into attack surfaces even when the underlying systems are technically sound.

The webinar uses Frank Abagnale’s experience to frame a basic governance issue: many organisations still design controls for known, stable interaction patterns, while scammers adapt the social steps around those controls. For IAM teams, the useful question is not whether the scam is old, but which identity checks still fail when the request looks routine.


Key questions

Q: How should organisations reduce fraud risk in identity approval workflows?

A: Organisations should require independent verification for any high-risk request that changes money, access, or sensitive records. The key is to remove single-person approval paths wherever an attacker can impersonate authority. Training helps, but the control must be procedural: clear callbacks, out-of-band confirmation, and documented escalation when a request feels urgent or unusual.

Q: Why do old fraud tactics still work in modern enterprises?

A: Old fraud tactics still work because they target human decision-making, not just systems. Attackers reuse urgency, authority, and familiarity because those cues still push people to act quickly. Modern tools do not help if the process lets a requester bypass verification by sounding plausible or by using a normal business channel.

Q: What breaks when fraud prevention is left to awareness training alone?

A: Awareness training breaks down when the workflow still allows a single person to approve a risky action. People may recognise a scam in theory and still make the wrong decision under time pressure. Fraud resistance requires process design, verification steps, and accountability that do not depend on perfect judgment in the moment.

Q: Who is accountable when a fraudulent request slips through identity controls?

A: Accountability should sit with the teams that own the approval path, not only with the security team. If finance, HR, service desk, or IAM accepts a request without validation, that business process is part of the failure. Clear ownership for verification, escalation, and exception handling is what closes the gap.


Background and context

Social engineering as an identity control failure

Social engineering succeeds when an attacker does not need to break authentication, only the decision process around it. That often means impersonation, urgency, or authority cues are enough to get a person to approve access, disclose information, or bypass a check. In identity programmes, this exposes the gap between technical authentication and human validation. The control that fails is often not the login stack, but the procedure that trusted the requester too quickly.

Practical implication: harden approval and verification steps so no single human cue can authorise access or sensitive action.

Why legacy fraud techniques still scale

Older fraud tactics persist because the underlying psychology does not change as quickly as the tooling. Attackers repeatedly reuse impersonation, pretexting, and urgency because these patterns bypass attention and exploit routine business behaviour. In IAM terms, the issue is not that organisations lack controls in theory, but that controls are inconsistently applied when the request appears familiar. That makes the weakness operational, not technical.

Practical implication: test whether identity checks still hold when requests come through email, phone, chat, or delegated business workflows.

Fraud readiness is a governance problem, not only a security problem

Fraud prevention depends on more than security tooling. It requires clear ownership for verification rules, escalation handling, and user education across finance, HR, service desks, and IAM teams. When fraud controls are fragmented, attackers find the gaps between processes rather than the gaps inside one system. That is why fraud readiness has to be managed as a cross-functional identity governance issue.

Practical implication: assign explicit owners for identity verification steps across business and security functions, not only in the SOC.


NHI Mgmt Group analysis

Fraud remains an identity governance failure when humans are the approval layer. The article points to a familiar pattern: attackers do not need to defeat authentication if they can persuade a person to act as the control. That makes fraud a governance issue as much as a security issue, because the decision boundary sits inside the workflow. Practitioners should treat verification paths as part of identity control design, not as informal business etiquette.

Legacy scam patterns persist because routine business behaviour is predictable. Attackers reuse old tricks because urgency, authority, and familiarity still move people faster than policy review. This is why fraud programmes cannot rely on awareness alone. The practitioner lesson is that repeatable social patterns deserve the same scrutiny as repeatable technical ones.

Named concept: identity pressure gap. This article illustrates the gap between how identity controls are designed and how people actually make decisions under pressure. Fraudsters exploit the moment when a user recognises a request but does not verify it. The implication is that security programmes must account for decision fatigue and social pressure, not just access rights.

Fraud readiness belongs in cross-domain identity governance. Finance, HR, service desks, and IAM all influence whether a fraudulent request succeeds. When each team owns only its own slice, attackers use the handoff points as the attack surface. Practitioners should treat fraud-resistant identity governance as a shared control model, not a point solution.

Security teams should measure process trust, not just control presence. A verification step that exists on paper but is routinely bypassed is not a control in practice. The real test is whether the process still resists impersonation when the request comes through a normal-looking channel. Practitioners should look for where policy and behaviour have drifted apart.

From our research:

  • Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap, according to The State of Secrets in AppSec.
  • 43% of security professionals are concerned about AI systems learning and reproducing sensitive information patterns from codebases, according to The State of Secrets in AppSec.
  • For a broader identity baseline, Ultimate Guide to NHIs shows that 97% of NHIs carry excessive privileges, which is why governance must focus on both behaviour and access scope.

What this signals

Identity pressure gap: fraud programmes should now be read as control-design programmes, because attackers win when people are asked to make fast decisions inside weak process boundaries. That is especially true in organisations where identity-sensitive approvals cross multiple teams and no one owns the final verification step.

If your programme depends on staff recognising scams in the moment, it will fail under urgency, hierarchy, or routine channel abuse. The more resilient model is to make high-risk actions verifiable by procedure, not by memory, and to back that with logged exception handling and clear ownership.

For teams using the Top 10 NHI Issues as a baseline, the same principle applies across machine and human workflows: if trust is easy to imitate, the control is too soft. Fraud resistance, like NHI governance, is strongest when the process itself limits what a single request can achieve.


For practitioners

  • Rework verification paths for high-risk requests: Require independent confirmation for payment changes, credential resets, and third-party access requests. The goal is to remove reliance on a single human cue or a single communication channel.
  • Map fraud-prone handoffs across business teams: Document where finance, HR, IT support, and IAM each approve or relay identity-sensitive requests. Focus on the places where responsibility changes hands and no one owns final verification.
  • Test impersonation scenarios in tabletop exercises: Walk through email, phone, and chat-based pretexts that target ordinary approvals. Use realistic examples so staff see how routine requests can become fraud events.
  • Track whether users verify under pressure: Measure how often staff follow the full verification process when a request is urgent, familiar, or supposedly executive-directed. That tells you more than awareness training completion rates.
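The approval rules described in the Q&A answer above (independent verification, no single-person approval path, out-of-band confirmation, logged exceptions) and the first and last practitioner items (rework verification paths; track whether users verify under pressure) can be expressed as an enforceable gate rather than as guidance. The following Python is an added example written for this post; it is not code from Abnormal AI, from the webinar, or from NHI Mgmt Group. The request model, the action categories, the channel names and the sample requests are all constructed for illustration. The gate refuses a high-risk action unless two distinct people other than the requester signed off and at least one of them confirmed by calling back on a channel different from the one the request arrived on; refusals go to an exception log, and a small metric compares how often urgent and routine requests actually cleared the full procedure, which is one way to put a number on the identity pressure gap the post names.

```python
from dataclasses import dataclass, field
from typing import Iterable

# Action categories the post treats as high-risk: payment changes, credential
# resets and third-party access. The category labels are constructed here.
HIGH_RISK_ACTIONS = {"payment_change", "credential_reset", "third_party_access"}


@dataclass(frozen=True)
class Approval:
    approver: str   # identity of the person who signed off
    channel: str    # channel the approver used to confirm, e.g. "phone_callback"
    callback: bool  # True if the approver reached the requester via a contact record
                    # held on file, not via contact details supplied in the request


@dataclass
class Request:
    request_id: str
    action: str
    requester: str
    arrival_channel: str  # channel the request came in on, e.g. "email"
    urgent: bool          # requester claimed urgency or executive direction
    approvals: list = field(default_factory=list)


@dataclass(frozen=True)
class Decision:
    request_id: str
    allowed: bool
    reasons: tuple  # the procedural rules the request failed, empty if allowed


def evaluate(req: Request) -> Decision:
    """Apply the procedural rules to one request; routine actions pass through."""
    if req.action not in HIGH_RISK_ACTIONS:
        return Decision(req.request_id, True, ())
    failures = []
    # Rule 1: the requester is never one of the approvers of their own request.
    if any(a.approver == req.requester for a in req.approvals):
        failures.append("requester approved own request")
    # Rule 2: no single-person approval path; two distinct approvers required.
    if len({a.approver for a in req.approvals} - {req.requester}) < 2:
        failures.append("fewer than two distinct approvers")
    # Rule 3: at least one confirmation must be an out-of-band callback, i.e. on a
    # channel other than the one the request arrived on and initiated by the approver.
    if not any(a.callback and a.channel != req.arrival_channel for a in req.approvals):
        failures.append(f"no callback on a channel other than {req.arrival_channel}")
    return Decision(req.request_id, not failures, tuple(failures))


def process(requests: Iterable[Request]):
    """Evaluate every request; return all decisions plus an exception log of refusals."""
    decisions, exceptions = [], []
    for req in requests:
        decision = evaluate(req)
        decisions.append(decision)
        if not decision.allowed:
            exceptions.append({"request_id": req.request_id, "action": req.action,
                               "urgent": req.urgent, "reasons": decision.reasons})
    return decisions, exceptions


def pressure_gap(requests):
    """Share of high-risk requests that cleared the full procedure, split into
    urgent vs routine. A lower urgent rate is the pressure gap made measurable."""
    def rate(subset):
        subset = list(subset)
        return round(sum(evaluate(r).allowed for r in subset) / len(subset), 2) if subset else None
    high_risk = [r for r in requests if r.action in HIGH_RISK_ACTIONS]
    return rate(r for r in high_risk if r.urgent), rate(r for r in high_risk if not r.urgent)


# Constructed sample: four high-risk requests handled in different ways plus one routine one.
SAMPLE = [
    Request("R1", "payment_change", "vendor_contact", "email", urgent=False, approvals=[
        Approval("ap_clerk", "phone_callback", callback=True),
        Approval("finance_lead", "ticket", callback=False)]),      # full procedure followed
    Request("R2", "payment_change", "vendor_contact", "email", urgent=True, approvals=[
        Approval("ap_clerk", "email", callback=False)]),           # rushed: one reply in-thread
    Request("R3", "credential_reset", "exec_assistant", "chat", urgent=True, approvals=[
        Approval("helpdesk_1", "chat", callback=False),
        Approval("helpdesk_2", "chat", callback=False)]),          # two people, same channel as request
    Request("R4", "third_party_access", "contractor", "ticket", urgent=False, approvals=[
        Approval("iam_reviewer", "phone_callback", callback=True),
        Approval("contractor", "ticket", callback=False)]),        # requester signed off on own request
    Request("R5", "timezone_update", "staff", "chat", urgent=True),  # routine, no gate applied
]

if __name__ == "__main__":
    decisions, exceptions = process(SAMPLE)
    for entry in exceptions:
        print(entry)
    print("verification rate (urgent, routine):", pressure_gap(SAMPLE))
```

Running the sample refuses R2, R3 and R4 with the rule each one failed, and reports a verification rate of 0.0 for urgent requests against 0.5 for routine ones. The point of the rules is that none of them depends on the approver's judgment of how plausible the request sounded: a second approver on the same chat thread is still a single channel, and a callback placed to a number supplied in the request is not independent, which is why `callback` records whether the approver used a contact record already on file.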

Key takeaways

  • Fraud succeeds when identity controls rely on human judgment at the point of pressure rather than on verifiable process design.
  • Legacy scam techniques keep working because attackers target authority, urgency, and familiarity, not the strength of authentication alone.
  • The practical response is to harden verification, assign clear ownership across teams, and remove single-step approval paths for high-risk actions.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AT-1 | Fraud resistance depends on user awareness and behaviour under pressure.
NIST SP 800-63 | | Identity proofing and authentication workflows fail when human verification is bypassed.
NIST Zero Trust (SP 800-207) | PR.AC-4 | Least privilege is weakened when business processes allow identity-sensitive exceptions.

Train users on impersonation tactics and test whether they follow verification procedures under stress.


Key terms

  • Social Engineering: Social engineering is the use of deception, urgency, authority, or familiarity to get a person to reveal information or approve an action. In identity programmes, it bypasses technical controls by targeting the human decision point that sits around authentication and authorisation.
  • Identity Approval Workflow: An identity approval workflow is the sequence of checks and sign-offs that authorises access, resets, payments, or other sensitive actions. When the workflow depends on a single person or a single channel, it becomes easy to imitate, redirect, or rush past under fraudulent conditions.
  • Fraud Resistance: Fraud resistance is the ability of a process to reject deceptive requests even when they appear routine or urgent. It depends on verification design, escalation ownership, and exception handling, not only on employee vigilance or security awareness training.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Abnormal AI: a Vision 2023 webinar featuring Frank Abagnale on fraud tactics and emerging scams. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-06-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org