TL;DR: Fraudsters are blending automation, stolen credentials, device spoofing, and manual follow-through to move from account creation to payment fraud in ways isolated bot detection or fraud tools cannot fully see, according to Arkose Labs. The governance gap is not visibility alone, but the failure to connect identity, device, and transaction signals into one trust model.
NHIMG editorial — based on content published by Arkose Labs: Fraud Prevention Countermoves against Modern Fraudsters
Questions worth separating out
A: They should correlate identity, device, and transaction signals into one investigative path.
Q: Why do hybrid fraud campaigns defeat single-purpose controls?
A: Because the attacker changes shape during the campaign.
Q: What signals indicate that an account creation spike is part of a larger fraud operation?
A: Look for reused devices, repeated session patterns, later manual logins from the same infrastructure, and downstream payment or abuse activity tied to the original signup cluster.
Practitioner guidance
- Join identity, device, and transaction telemetry. Create shared case correlation across login, device reputation, account creation, and payment events so analysts can see one campaign instead of three disconnected alerts.
- Model hybrid fraud as a staged attack chain. Map the sequence from automated signup to manual abuse, then test whether each control can pass context forward when the attacker changes tactics.
- Review false-negative paths across control handoffs. Identify where a bot block, a clean device score, or a normal-looking login can each reset risk scoring and let the same actor continue unchallenged.
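One way to carry signup-cluster context forward to later login and payment events, as the guidance above describes. This is an added example, not code from Arkose Labs or NHIMG; the event field names, the `min_cluster` threshold, and the sample events are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample events (not real telemetry); field names are assumptions.
EVENTS = [
    {"t": 100, "kind": "signup",  "account": "a1", "device": "dev-A", "automated": True},
    {"t": 101, "kind": "signup",  "account": "a2", "device": "dev-A", "automated": True},
    {"t": 102, "kind": "signup",  "account": "a3", "device": "dev-A", "automated": True},
    {"t": 150, "kind": "signup",  "account": "b1", "device": "dev-B", "automated": False},
    {"t": 900, "kind": "login",   "account": "a2", "device": "dev-C", "automated": False},
    {"t": 905, "kind": "payment", "account": "a2", "device": "dev-C", "automated": False},
    {"t": 910, "kind": "login",   "account": "a3", "device": "dev-C", "automated": False},
    {"t": 950, "kind": "payment", "account": "b1", "device": "dev-B", "automated": False},
]

def correlate_campaigns(events, min_cluster=3):
    """Cluster accounts by signup device, then attach later activity to the cluster."""
    cluster_of = {}               # account -> device used at signup
    members = defaultdict(set)    # signup device -> accounts created on it
    for e in events:
        if e["kind"] == "signup":
            cluster_of[e["account"]] = e["device"]
            members[e["device"]].add(e["account"])

    # Open one case per signup device that created at least min_cluster accounts.
    cases = {
        dev: {"accounts": sorted(accts), "later_devices": set(),
              "manual_logins": [], "payments": []}
        for dev, accts in members.items() if len(accts) >= min_cluster
    }

    # Walk post-signup events in time order and keep the original cluster context,
    # even when the login arrives from a different, clean-looking device.
    for e in sorted(events, key=lambda ev: ev["t"]):
        case = cases.get(cluster_of.get(e["account"]))
        if case is None or e["kind"] == "signup":
            continue
        case["later_devices"].add(e["device"])
        if e["kind"] == "login" and not e["automated"]:
            case["manual_logins"].append(e["account"])
        elif e["kind"] == "payment":
            case["payments"].append(e["account"])

    for case in cases.values():
        case["later_devices"] = sorted(case["later_devices"])
        # Escalate when an automated signup cluster shows manual follow-through and payments.
        case["escalate"] = bool(case["manual_logins"] and case["payments"])
    return cases
```

In the sample data the manual logins from `dev-C` would look unremarkable on their own; they are escalated only because the accounts trace back to the `dev-A` signup cluster.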
What's in the full article
Arkose Labs' full post covers the operational detail this post intentionally leaves for the source:
- Specific examples of how bot signals and fraud signals are correlated across account creation and payment abuse
- The article's breakdown of what each standalone tool sees versus what becomes visible when the signals are combined
- Operational framing for using shared intelligence to reduce false positives and catch campaigns earlier
- The vendor's own examples of automation, device reputation, and behavioural analysis working together
Bot management and device intelligence: what IAM teams miss?
Explore further
Hybrid fraud succeeds because defenders still separate identity signals from fraud signals. The article shows a campaign that moves from automated account creation to later human-operated fraud, which means no single control sees the whole threat. That is not just a tooling gap. It is a programme design gap that leaves account, device, and transaction context disconnected. Practitioners should treat cross-domain correlation as the control objective, not a reporting convenience.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Only 1 in 4 organisations are already investing in dedicated NHI security capabilities, which shows how uneven the market remains even before hybrid fraud and identity abuse converge.
A question worth separating out:
Q: Who should own response when fraud signals span bot management, IAM, and payments?
A: Ownership should be shared, with a defined lead for correlation and containment. IAM teams should own identity history, fraud teams should own transaction abuse, and security teams should own cross-control evidence. The key is not forcing one team to own everything, but making sure no team can close a case without the others seeing the same risk picture.