
Hybrid Fraud

By NHI Mgmt Group Updated June 11, 2026 Domain: Threats, Abuse & Incident Response

Fraud that combines automated and human-operated steps across more than one control surface. The campaign may start with bot-driven account creation, then shift to manual abuse using stolen credentials, legitimate devices, or reused sessions.

Expanded Definition

Hybrid fraud is a blended abuse pattern that combines automation and human judgment across multiple control surfaces, such as signup, authentication, device trust, session reuse, payment verification, and support workflows. The automation phase often creates scale, while the human phase adapts to defenses and exploits edge cases that bots cannot reliably navigate.

Definitions vary across vendors, but in NHI and IAM operations the term is most useful when the same campaign shifts execution mode rather than staying purely bot-driven or purely manual. That distinction matters because controls that block scripted traffic may not stop an operator using legitimate devices, stolen credentials, or reused sessions. For governance context, the NIST Cybersecurity Framework 2.0 is helpful for mapping detection and response outcomes, while NHIMG’s Ultimate Guide to NHIs shows why account and secret hygiene are central to limiting the blast radius of hybrid abuse.

The most common misapplication is treating hybrid fraud as a single channel problem, which occurs when teams tune only bot mitigation or only manual review and ignore the way attackers pivot between both.

Examples and Use Cases

Implementing hybrid fraud detection rigorously often introduces review friction and instrumentation overhead, requiring organisations to weigh faster user journeys against stronger cross-surface correlation.

  • Bot-assisted account creation seeds thousands of new accounts, then a human operator uses a few high-value accounts to test payment cards, refund flows, or promotional abuse.
  • Credential stuffing succeeds on a small set of accounts, after which a person takes over sessions from a legitimate device and performs low-and-slow exfiltration or fraudulent transfers.
  • Automated scraping gathers valid usernames, then a manual operator social-engineers support staff to reset MFA or change recovery details.
  • Abuse begins with scripted signups, then shifts to human-operated device farming that rotates IPs, fingerprints, and sessions to evade velocity rules.
  • Account takeover campaigns exploit weak NHI hygiene, especially where reused service workflows or exposed secrets enable access paths that look legitimate to fraud controls; NHIMG’s Ultimate Guide to NHIs is a useful reference for the surrounding identity-risk context.

In payment and marketplace environments, hybrid fraud often looks like normal customer behavior until the attack has already moved beyond signup into monetisation.

Why It Matters in NHI Security

Hybrid fraud is especially dangerous in NHI-heavy environments because service accounts, API keys, automation tokens, and reused sessions can blur the line between legitimate machine activity and attacker-controlled activity. When identities are weakly governed, attackers can move from bot noise to human precision without changing the underlying access path. NHIMG reports that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, and that only 5.7% of organisations have full visibility into their service accounts. That combination makes hybrid campaigns harder to detect, because the machine-to-human handoff often hides in normal operational traffic.

Practitioners should treat hybrid fraud as both a security and governance issue: detection must correlate identity posture, device trust, session anomalies, and credential lineage, not just traffic volume. Controls aligned to NIST Cybersecurity Framework 2.0 help translate this into monitor, protect, and respond outcomes. Organisations typically encounter hybrid fraud only after a fraud ring has already combined automated enrollment with manual account takeover, at which point identity controls and fraud controls can no longer be operated in isolation from each other.
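The cross-surface correlation described above, as an added example that is not part of this glossary entry or NHIMG's tooling: a signup burst from one device fingerprint marks the automation phase, and a seeded account that later reaches a monetising surface from a different device marks the human handoff. Event field names, thresholds, and the sample events are assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Field names and the
# thresholds below are assumptions made for this example.
EVENTS = [
    {"t": "2026-06-01T10:00:00", "surface": "signup", "account": "u1", "fp": "fpA"},
    {"t": "2026-06-01T10:00:02", "surface": "signup", "account": "u2", "fp": "fpA"},
    {"t": "2026-06-01T10:00:04", "surface": "signup", "account": "u3", "fp": "fpA"},
    {"t": "2026-06-01T10:00:06", "surface": "signup", "account": "u4", "fp": "fpA"},
    {"t": "2026-06-01T10:00:08", "surface": "signup", "account": "u5", "fp": "fpA"},
    {"t": "2026-06-02T09:15:00", "surface": "signup", "account": "u9", "fp": "fpZ"},
    {"t": "2026-06-03T14:20:00", "surface": "login", "account": "u3", "fp": "fpB"},
    {"t": "2026-06-03T14:26:00", "surface": "payment", "account": "u3", "fp": "fpB"},
    {"t": "2026-06-03T14:31:00", "surface": "payment", "account": "u3", "fp": "fpB"},
]

def seeded_accounts(events, min_burst=5, window=timedelta(seconds=60)):
    """Automation phase: accounts created by one device fingerprint in a tight burst."""
    by_fp = defaultdict(list)
    for e in events:
        if e["surface"] == "signup":
            by_fp[e["fp"]].append((datetime.fromisoformat(e["t"]), e["account"]))
    seeds = {}  # account -> fingerprint that registered it
    for fp, rows in by_fp.items():
        rows.sort()
        for i in range(len(rows)):
            j = i
            while j < len(rows) and rows[j][0] - rows[i][0] <= window:
                j += 1
            if j - i >= min_burst:
                for _, acct in rows[i:j]:
                    seeds[acct] = fp
    return seeds

MONETISING = frozenset({"payment", "refund", "transfer"})

def hybrid_handoffs(events, seeds):
    """Human phase: a seeded account later reaches a monetising surface from a
    different device than the one that registered it (the bot-to-human handoff)."""
    hits = []
    for e in events:
        acct = e["account"]
        if acct in seeds and e["surface"] in MONETISING and e["fp"] != seeds[acct]:
            hits.append({"account": acct, "signup_fp": seeds[acct],
                         "active_fp": e["fp"], "surface": e["surface"], "t": e["t"]})
    return hits
```

On the sample, `hybrid_handoffs(EVENTS, seeded_accounts(EVENTS))` returns the two payment events for u3; a velocity rule on signup alone would never see the payment abuse, and a device check at payment alone would see a clean device.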

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-02 | Hybrid fraud often exploits exposed secrets and weak NHI lifecycle control.
NIST CSF 2.0 | PR.AC | Access control and identity verification are core to stopping cross-surface abuse.
NIST AI RMF | (none given) | Risk management guidance helps assess automated plus human abuse across systems.

Correlate identity, device, and session signals to detect and contain blended abuse.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org