TL;DR: Human fraud farms defeat bot-focused fraud controls by using real people, real devices, residential IPs, and low-volume coordinated activity that looks legitimate in each session, according to Arkose Labs. The failure is structural: detection models built to separate humans from machines break down when the attacker is human by design, not a bot.
NHIMG editorial — based on content published by Arkose Labs: Human Fraud Farms, Why Your Fraud Defenses Were Never Built for This
Questions worth separating out
Q: How should fraud teams detect human fraud farms that look legitimate per session?
A: They should move the analysis from single-session signals to campaign-level correlation.
Q: Why do challenge-response tests fail against human fraud farms?
A: They fail because they were designed to distinguish humans from bots, and human fraud farms use real humans.
Q: How do you know if fraud detection is missing coordinated abuse?
A: Look for many clean-looking sessions that cluster across accounts, devices, or payment flows without a single obvious trigger.
Practitioner guidance
- Correlate activity across sessions and accounts. Join device, IP, email pattern, and transaction telemetry so that fraud review operates on campaign-level clusters instead of isolated logins or purchases.
- Re-score flows that look normal individually. Review registration, sign-in, payment, OTP, and account-update paths together, because fraud farms switch between them when one flow becomes harder to exploit.
- Treat challenge-response as a narrow bot control. Keep challenge-response in place for automation, but do not rely on it as the primary defence against human-operated abuse.
What's in the full article
Arkose Labs' full article covers the operational detail this post intentionally leaves for the source:
- How human fraud farms shift between registration, payment, OTP, and account-update flows when one control tightens
- The operational breakdown of why challenge-response, IP reputation, and velocity checks fail at the campaign level
- Examples of the behavioural and infrastructure patterns that correlate coordinated fraud across sessions
- The article's discussion of what a deterrence-first response looks like in practice
👉 Read Arkose Labs' analysis of how human fraud farms evade bot-focused defences →
Human fraud farms: what are fraud teams missing in detection?
Explore further
Human fraud farms expose a control assumption that fraud teams still over-trust, single-session distinctiveness: the prevailing model assumes suspicious activity will look different from legitimate activity inside the session boundary. That assumption was built for bots and scripted abuse, not for real humans operating at scale. The implication is that fraud controls have to be judged on campaign-level correlation, not on whether any one session looks clean.
Two figures from a neighbouring control area, secrets management, that show the same gap between stated confidence in a control and its measured coverage:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap, according to The State of Secrets in AppSec.
A question worth separating out:
Q: What should security and fraud teams do when human fraud farms switch between flows?
A: They should review registration, sign-in, payment, OTP, and account-management paths as one abuse surface. Fraud farms often route around friction by moving to whichever flow has the least resistance, so containment depends on seeing the operation across the whole journey.
👉 Read our full editorial: Human fraud farms expose the limits of bot-focused fraud defenses
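The campaign-level correlation that the practitioner guidance and the answer above describe can be made concrete. The following is an added example, not code from the Arkose Labs article or from NHIMG: it takes constructed session telemetry in which every session scores low on a per-session model, joins accounts through shared device fingerprints, canonicalised email addresses and tokenised payment instruments, and flags clusters that span several accounts and several flows. The field names, thresholds and sample records are all assumptions.

```python
"""Campaign-level correlation over fraud telemetry that looks clean per session."""
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Session:
    session_id: str
    account: str
    flow: str          # registration | signin | payment | otp | account_update
    device_fp: str
    ip: str
    email: str
    instrument: str    # tokenised payment instrument, "" when the flow carried none
    risk: float        # score from the existing per-session bot/fraud model, 0..1

# Constructed sample telemetry, not real data. Every session scores below the
# assumed 0.7 per-session action threshold; none is anomalous on its own.
SESSIONS = [
    Session("s1", "acct-A", "registration",   "dev-1", "203.0.113.10", "ana.lopez+1@gmail.com", "",       0.12),
    Session("s2", "acct-A", "payment",        "dev-1", "203.0.113.10", "ana.lopez+1@gmail.com", "tok-9f", 0.21),
    Session("s3", "acct-B", "registration",   "dev-1", "203.0.113.11", "a.n.a.lopez@gmail.com", "",       0.10),
    Session("s4", "acct-B", "otp",            "dev-2", "203.0.113.11", "a.n.a.lopez@gmail.com", "",       0.18),
    Session("s5", "acct-C", "signin",         "dev-2", "198.51.100.7", "c.ruiz@example.net",    "tok-9f", 0.15),
    Session("s6", "acct-C", "account_update", "dev-2", "198.51.100.7", "c.ruiz@example.net",    "",       0.22),
    Session("s7", "acct-D", "signin",         "dev-3", "198.51.100.9", "d.kim@example.org",     "tok-31", 0.09),
    Session("s8", "acct-E", "payment",        "dev-4", "192.0.2.44",   "eve@example.com",       "tok-52", 0.30),
]

PER_SESSION_THRESHOLD = 0.7  # assumed action threshold of the existing per-session model
MIN_ACCOUNTS = 3             # assumed cluster thresholds; tune to your own traffic
MIN_FLOWS = 2

def canonical_email(addr: str) -> str:
    # 'ana.lopez+1@gmail.com' and 'a.n.a.lopez@gmail.com' collapse to one key
    local, _, domain = addr.lower().partition("@")
    local = local.split("+", 1)[0]          # drop the sub-address tag
    if domain in ("gmail.com", "googlemail.com"):
        local = local.replace(".", "")      # Gmail ignores dots in the local part
    return f"{local}@{domain}"

def link_keys(s: Session):
    # Attributes strong enough to join two accounts. IP is deliberately not a
    # join key: shared residential NATs would join unrelated households.
    yield ("device", s.device_fp)
    yield ("email", canonical_email(s.email))
    if s.instrument:
        yield ("instrument", s.instrument)

class DisjointSet:
    def __init__(self):
        self.parent = {}
    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x
    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra

def sessions_over_threshold(sessions, threshold=PER_SESSION_THRESHOLD):
    """What a single-session model would act on."""
    return [s.session_id for s in sessions if s.risk >= threshold]

def build_campaigns(sessions):
    """Connected components of accounts joined by any shared link key."""
    ds = DisjointSet()
    first_owner = {}  # link key -> first account seen carrying it
    for s in sessions:
        ds.find(s.account)
        for key in link_keys(s):
            if key in first_owner:
                ds.union(first_owner[key], s.account)
            else:
                first_owner[key] = s.account
    clusters = defaultdict(list)
    for s in sessions:
        clusters[ds.find(s.account)].append(s)
    return list(clusters.values())

def summarise(cluster):
    key_accounts = defaultdict(set)
    for s in cluster:
        for key in link_keys(s):
            key_accounts[key].add(s.account)
    return {
        "accounts": sorted({s.account for s in cluster}),
        "flows": sorted({s.flow for s in cluster}),
        "ips": sorted({s.ip for s in cluster}),
        "shared_link_types": sorted({ktype for (ktype, _), accts in key_accounts.items() if len(accts) > 1}),
        "max_session_risk": max(s.risk for s in cluster),
    }

def flag_campaigns(sessions, min_accounts=MIN_ACCOUNTS, min_flows=MIN_FLOWS):
    """Flag clusters spanning several accounts and flows, however clean each session looked."""
    return [c for c in map(summarise, build_campaigns(sessions))
            if len(c["accounts"]) >= min_accounts and len(c["flows"]) >= min_flows]
```

Calling flag_campaigns(SESSIONS) flags one cluster of three accounts touching five flows across three residential-looking IPs, while sessions_over_threshold(SESSIONS) returns nothing: that gap is the detection failure the editorial describes. Device, canonical email and payment instrument are used as join keys because each is hard to vary cheaply per session; IP is kept in the cluster summary as supporting evidence only.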