Nate Kharrl
Co-Founder & CEO
#26: Inside the AI Agent Surge: What Fraud Fighters Need to Know

The buzz around agentic AI has officially reached a fever pitch. From security teams to e-commerce giants, everyone is trying to figure out how autonomous AI agents will reshape digital experiences. But as new use cases emerge, so do new fraud risks—especially when the builders of these tools aren’t asking the right questions.

This week, we’re breaking down how AI agents are being deployed, where they may already be exploited, and why fraud teams can’t afford to treat this as a far-off trend.

NATE'S TAKE - APRIL 8, 2025

Top Three This Week

  1. AI Agents Are Already Testing Security—and They’re Just Getting Started
  2. Amazon’s “Buy for Me” Is a Glimpse Into the Future of Agent-Led Commerce
  3. The Real Risk Isn’t AI Agents—It’s What We’re Not Watching

1. AI Agents Are Already Testing Security—and They’re Just Getting Started

According to a new piece in MIT Technology Review, AI agents are moving beyond passive roles and being trained to carry out complex tasks autonomously. Think: clicking buttons, filling out forms, navigating websites, and even exploiting vulnerabilities in real time. In one research example, agents were able to autonomously carry out simulated cyberattacks after being given a target goal and environment.

While many of these tests are still in controlled settings, the implications are real: we’re entering an era where fraudsters don’t just deploy bots—they deploy agents capable of mimicking legitimate users across entire customer journeys.

The big concern? Blind trust in human-like behavior. If your fraud detection still relies heavily on known device fingerprints, traditional velocity checks, or assumptions about navigation patterns, AI agents will eventually fly under the radar. They can pause, scroll, hover, and act “human enough” to evade basic defenses.

The takeaway for fraud teams: if you’re not inspecting the full journey behavior—and connecting identity, intent, and session-level signals—you’re going to miss attacks that look like clean traffic.

2. Amazon’s “Buy for Me” Is a Glimpse Into the Future of Agent-Led Commerce

Amazon just launched a new feature called “Buy with Alexa” that allows AI agents to shop on your behalf. While the capability is still limited to certain branded products and a curated experience within the Amazon Shopping app, it signals a big shift: the normalization of autonomous purchasing agents.

This has major implications for fraud strategy.

On the user side, more consumers may start to delegate shopping tasks to AI—creating a new type of buyer that behaves more like automation than a person. On the attacker side, it’s easy to imagine how similar flows could be co-opted. Fraudsters could weaponize agent-style automation to complete guest checkouts, exploit limited-time offers, or mass-test stolen credentials—all while appearing as legitimate “buying assistants.”

If agents become a standard part of the shopping flow, fraud teams will need to distinguish between good automation and malicious automation, and develop context-aware defenses that don’t rely solely on front-end behavior.

3. The Real Risk Isn’t AI Agents—It’s What We’re Not Watching

A Forbes article this week explores how agentic AI is being used to improve cybersecurity, including autonomous threat detection and response. While promising, the piece also points to a recurring theme: a heavy focus on defense, and very little discussion of how attackers might use these same tools.

That’s a problem.

Fraudsters are early adopters. They don’t wait for maturity—they exploit gaps while systems are still being built. And most AI agent frameworks today lack visibility, accountability, and secure guardrails. When agents act independently and can operate across apps, APIs, and browser environments, it’s incredibly hard to know what’s actually happening behind the scenes.

If these tools are compromised—or used maliciously from the start—they become near-perfect fraud vehicles: autonomous, adaptable, and hard to trace.

The biggest blind spot? Many builders of AI agents still assume their users are acting in good faith. Fraud teams know better.

Nate Kharrl

Co-Founder & CEO

Nate Kharrl, CEO and co-founder at Spec, has built leading solutions for application security and fraud challenges since the early days of the cloud era. Drawing from his cyber experience at Akamai, ThreatMetrix, and eBay, Nate helped found Spec to focus on the needs of businesses operating in a landscape of increasing AI risks. Under Nate’s leadership, Spec grew from its mid-pandemic founding to raise $30M in venture-backed funding to build solutions used by Fortune 500 companies transacting billions in online commerce. Spec’s service offerings today include protective measures for websites and APIs that specialize in defending against attacks designed to bypass bot defenses and risk assessment platforms.
