Threats, Abuse & Incident Response

Identity-adjacent fraud

By NHI Mgmt Group · Updated June 12, 2026 · Domain: Threats, Abuse & Incident Response

Fraud that relies on trust, reputation, or identity cues without first compromising an account. The attacker may never break into the target system, but still achieves loss by manipulating the user’s belief about who or what is genuine. This makes the abuse pattern hard to catch with IAM controls alone.

Expanded Definition

Identity-adjacent fraud is abuse that depends on the appearance of legitimacy rather than on a live compromise of the target account. The attacker leverages trust signals such as a familiar display name, a convincing invoice trail, a cloned portal, a lookalike domain, or a staged workflow that seems routine to the user.

In NHI and IAM operations, this matters because the fraud may sit outside classic authentication failure paths. A session can be unused, a password can remain uncompromised, and a service account can stay untouched while a victim is induced to approve payment, share a token, or redirect a workflow. That is why NHI Management Group treats this as a trust failure across identity presentation, not just a credential issue, a distinction also reflected in the broader control logic of NIST Cybersecurity Framework 2.0.

Usage in the industry is still evolving because definitions vary across vendors: some tools treat these events as phishing, others as business email compromise, and others as impersonation fraud. The most common misapplication is assuming normal IAM telemetry will detect it, which occurs when teams look only for account takeover indicators and ignore deception that happens before any account is compromised.

Examples and Use Cases

Rigorous detection of identity-adjacent fraud usually adds review friction, so organisations must weigh faster workflows against stronger verification of who is actually requesting an action.

  • A finance user receives a payment request from a vendor domain that differs by one character, and the attacker never touches the company mailbox.
  • A help desk agent approves a reset because the requester sounds authoritative and references a real project, even though no account was breached.
  • A developer is asked to paste a token into a “support” portal that mimics a legitimate internal tool, echoing patterns seen in the JetBrains GitHub plugin token exposure and related credential theft incidents.
  • A fraudster clones a partner onboarding flow and uses a convincing identity narrative to obtain payout changes or API access approvals.
  • Security teams review patterns from the 52 NHI Breaches Analysis alongside guidance from NIST Cybersecurity Framework 2.0 to separate deception from true account compromise.
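As an added illustration (not part of the original glossary entry), the following Python sketch shows the kind of presentation-layer check that catches the first bullet above, which account-takeover telemetry never sees because no login ever happens: it compares the sender domain and display name of inbound payment requests against a vendor allowlist and holds suspicious requests for out-of-band verification. The vendor domains, the sample requests and every function name here are constructed for this example; the accented-character case goes slightly beyond the one-character swap in the bullet to show that confusable spellings are handled the same way.

```python
"""Presentation-layer checks on inbound payment requests.

Constructed example: the allowlist, the requests and the function names are
invented for illustration and do not come from any real incident or product.
"""
import unicodedata
from dataclasses import dataclass
from typing import Optional

# Assumed allowlist of vendor domains the finance team already pays.
TRUSTED_VENDOR_DOMAINS = {"acme-supplies.example", "northwind.example"}


@dataclass(frozen=True)
class PaymentRequest:
    display_name: str  # "From:" name as rendered to the user
    sender: str        # sender mailbox, e.g. ap@acme-supplies.example
    subject: str


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; catches one-character domain swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise_domain(domain: str) -> str:
    """Lower-case and strip diacritics so 'suppliés' folds to 'supplies'."""
    decomposed = unicodedata.normalize("NFKD", domain.lower())
    return "".join(c for c in decomposed if not unicodedata.combining(c))


def lookalike_of(sender_domain: str, trusted: set[str]) -> Optional[str]:
    """Return the trusted domain this sender domain imitates, or None.

    A genuine trusted domain returns None. A domain is flagged when it only
    matches after diacritic folding, is within edit distance 1 of a trusted
    domain, or reuses a trusted domain's first label under a different TLD.
    """
    raw = sender_domain.lower()
    if raw in trusted:
        return None
    folded = normalise_domain(raw)
    if folded in trusted:
        return folded
    for t in sorted(trusted):
        if levenshtein(folded, t) <= 1 or folded.split(".")[0] == t.split(".")[0]:
            return t
    return None


def display_name_mismatch(req: PaymentRequest, trusted: set[str]) -> Optional[str]:
    """Flag a display name that invokes a trusted vendor while the mailbox is elsewhere."""
    name = req.display_name.lower()
    domain = req.sender.rsplit("@", 1)[-1].lower()
    for t in sorted(trusted):
        brand = t.split(".")[0].split("-")[0]  # "acme" from acme-supplies.example
        if brand in name and domain != t:
            return t
    return None


def assess(requests: list[PaymentRequest], trusted: set[str] = TRUSTED_VENDOR_DOMAINS) -> list[dict]:
    """Return a finding per request that should be held for verification.

    Note that none of these checks consult authentication logs: the whole
    decision rests on how the request presents itself to the recipient.
    """
    findings = []
    for req in requests:
        domain = req.sender.rsplit("@", 1)[-1]
        reasons = []
        imitated = lookalike_of(domain, trusted)
        if imitated:
            reasons.append(f"sender domain {domain!r} resembles trusted {imitated!r}")
        claimed = display_name_mismatch(req, trusted)
        if claimed:
            reasons.append(f"display name claims {claimed!r} but mailbox is {domain!r}")
        if reasons:
            findings.append({"sender": req.sender, "subject": req.subject,
                             "reasons": reasons, "action": "hold for out-of-band verification"})
    return findings


# Constructed sample traffic: one genuine vendor mail, three deceptive ones, one unrelated.
SAMPLE_REQUESTS = [
    PaymentRequest("Acme Supplies AP", "ap@acme-supplies.example", "Invoice 4471"),
    PaymentRequest("Acme Supplies AP", "ap@acme-supp1ies.example", "Invoice 4471 - new bank details"),
    PaymentRequest("Northwind Billing", "billing@northwind-invoices.example", "Q2 statement"),
    PaymentRequest("Acme Supplies AP", "ap@acme-suppliés.example", "Invoice 4472"),
    PaymentRequest("Jane Doe", "jane@unrelated.example", "Lunch on Friday"),
]

if __name__ == "__main__":
    for finding in assess(SAMPLE_REQUESTS):
        print(finding)
```

Running the block flags three of the five constructed requests (the one-character swap, the display-name-only mismatch, and the accented lookalike) and leaves the genuine vendor mail and the unrelated message alone. The "hold" action is the point: the check buys time for the verification step the glossary recommends, rather than trying to prove compromise that never occurred.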

Why It Matters in NHI Security

Identity-adjacent fraud is especially dangerous in NHI environments because machine accounts, API keys, and delegated workflows already depend on trust at scale. When a human is tricked into authorising access, changing a callback endpoint, or approving a new integration, the attacker can create durable exposure without ever defeating authentication. That makes it a governance issue as much as a security issue.

NHI Management Group research shows that 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, and 79% have experienced secrets leaks, with 77% of those incidents causing tangible damage. Combined with the findings in the Ultimate Guide to NHIs, this illustrates how fraud, secret exposure, and identity misuse reinforce each other. The Top 10 NHI Issues further shows that visibility gaps and weak offboarding make deception easier to operationalise after the initial lure succeeds.

Organisations typically encounter the operational impact only after an invoice is paid, a token is issued, or a third party is onboarded under false pretences, at which point containing the identity-adjacent fraud can no longer be avoided.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

Framework                          Control / Reference   Relevance
OWASP Non-Human Identity Top 10    NHI-02                Identity-adjacent fraud often exploits weak secret handling and trust around NHI workflows.
NIST CSF 2.0                       PR.AA-1               This fraud pattern exploits identity claims and trust signals before account compromise.
NIST CSF 2.0                       DE.CM-1               Detection must include deceptive activity that bypasses normal account-takeover alerts.

Strengthen identity assurance and verification steps before approving payments, access, or integrations.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 12, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org