Almost certainly. The important change will not be smarter phishing copy—it will be software that can navigate applications, interpret responses, and adapt fraud workflows in real time.
Traditional fraud automation is brittle.
A bot follows a script: open a page, enter predefined data, press a button, and check for an expected response. If the application changes its layout, introduces a new verification step, or returns an unfamiliar error, the bot often fails.
AI agents can operate differently. They can inspect the current interface, decide what action to take, interpret the result, and revise their plan. Instead of simply replaying a sequence, an agent can pursue an objective.
That makes agents a natural tool for application fraud.
The transition has already started
Fully autonomous fraud is not yet the dominant model. Most AI-enabled scams still involve human operators using generated scripts, translations, images, and suggested responses.
But the direction is clear.
INTERPOL’s 2026 financial-fraud assessment says agentic AI can support the planning and execution of fraud schemes, including victim research, credential collection, target selection, financial analysis, and personalized communications. It also describes fraud-as-a-service platforms that combine automated phishing infrastructure, synthetic identities, victim-management tools, and payment services. INTERPOL’s assessment predicts that AI-enabled financial fraud will continue to expand as automation lowers operating costs.
Google Threat Intelligence has separately reported a transition from experimental AI use toward the industrial integration of models into adversarial workflows. Google’s May 2026 threat assessment describes malicious activity becoming more adaptive, scalable, and connected to agent tooling.
The first generation of fraud agents will therefore not appear from nowhere. They will evolve from existing automation with more perception, reasoning, and error recovery added to it.
What makes an agent different from a bot?
A traditional bot is usually built around known pages and expected outcomes.
An agent can potentially:
Recognize buttons and fields from their visual or semantic meaning
Navigate a workflow it has not seen before
Interpret validation messages
Compare several possible actions
Maintain state across multiple pages
Use external tools and data sources
Ask a human operator for help when uncertain
Resume the process after the operator responds
Computer-use models already demonstrate this general pattern. OpenAI’s Computer-Using Agent, for example, was designed to perceive screenshots, reason about what to do, and perform actions with a virtual mouse and keyboard. OpenAI’s technical overview describes agents completing browser tasks without requiring a website-specific API.
These capabilities have legitimate purposes. They can help people book travel, manage accounts, and operate inaccessible legacy systems. But the application itself cannot assume that every agent represents an honest user.
How fraud agents may be used against applications
The most likely early applications do not require agents to discover sophisticated software vulnerabilities. They involve automating abuse of ordinary product workflows.
Exploring application rules
Fraudsters currently inspect applications manually to learn how onboarding, promotions, payments, refunds, loyalty programs, and support processes work.
An agent could accelerate this research. It could navigate different workflows, record how the application responds, compare policy outcomes, and identify where business rules appear inconsistent.
This is not necessarily technical exploitation. Often, the target is a gap between what the software permits and what the business intended.
Automating account creation and onboarding
Agents could fill forms, interpret errors, select appropriate options, and maintain many partially completed application sessions.
When combined with synthetic identity services, generated documents, or manipulated media, this creates pressure on onboarding systems. An agent does not have to defeat every control autonomously. It can move through routine steps and escalate difficult decisions to a human operator.
This human-agent combination is likely to be more common than completely unattended identity fraud in the near term.
Coordinating multi-account abuse
Many fraud schemes depend on relationships between accounts rather than the behavior of one account.
Agents could manage account inventories, track their status, distribute activity over time, and select which identity or payment instrument to use for a particular interaction. They could also stop using an account when the application begins challenging it.
The defensive implication is important: evaluating each session independently becomes less effective when one controller can coordinate many apparently unrelated users.
Manipulating customer support
Support channels are an attractive target because they contain human discretion.
An agent could maintain a consistent narrative across chat, email, and forms; summarize previous interactions; adjust its tone; and provide requested information quickly. It could also manage several support conversations simultaneously.
The goal would not necessarily be to fool a support agent with extraordinary creativity. Consistency, persistence, and scale may be enough to make existing support-based fraud significantly more economical.
Scaling returns, refunds and promotion abuse
Retail and marketplace fraud often exploits workflows that are individually legitimate: refunds, coupons, returns, referrals, account credits, or seller protections.
Agents could navigate these processes, assemble supporting material, monitor deadlines, and adapt when a request is rejected. Computer vision could help them interpret product pages, account dashboards, or evidence-review screens.
The agent’s advantage is not that it invents a new form of abuse. It can make existing abuse cheaper to operate across more accounts and applications.
Managing marketplace personas
Fraudsters operating fake stores, rental listings, investment schemes, or romance scams must maintain believable identities over time.
Agents could keep track of profile histories, previous conversations, product descriptions, promises, and personal details. They could communicate in multiple languages and ensure that one persona does not contradict itself across different channels.
This is where language models, image generators, and voice systems may converge into one fraud workflow.
Account takeover orchestration
Agents may also help operators manage compromised accounts.
At a high level, an agent could determine what services are available, inspect account state, recognize valuable features, and decide which actions warrant human approval. The dangerous capability is adaptive navigation, not merely the generation of malicious code.
Applications should therefore treat unusual post-login automation as seriously as suspicious login activity.
Interacting with other agents
As legitimate commerce becomes agentic, some fraudulent agents may not interact with humans at all.
They could communicate with shopping agents, customer-service agents, merchant systems, or payment assistants. The attack surface then moves from “Can this bot imitate a person?” to “Is this agent authorized, and does its stated intent match the person it claims to represent?”
Google’s introduction of a fraud platform intended to distinguish legitimate humans, bots, and agents reflects this emerging problem. Google Cloud Fraud Defense is explicitly positioned around trust in an agentic web.
Which models are fraudsters likely to use?
The answer depends on the operator’s technical skill and infrastructure.
| Model or family | Why it may appeal | Main constraint | Likely use |
|---|---|---|---|
| GPT and ChatGPT agents | Strong browser use, reasoning and familiarity | Provider safeguards and monitoring | Human-supervised research and occasional tasks |
| Gemini agents | Fast multimodal and UI-control capabilities | Centralized access and abuse controls | Research, visual workflows and high-volume tasks |
| Claude computer use | Strong reasoning, coding and browser control | Provider monitoring and policy enforcement | Complex supervised workflows |
| Qwen3.5 | Open-weight, multilingual and native GUI-agent capability | Flagship still requires significant hardware | Broad open-model fraud automation |
| Kimi K2.5 | Multimodal agents, visual coding and tool orchestration | One-trillion-parameter footprint | Sophisticated hosted or shared deployments |
| Gemma 4 | Capable smaller models and local multimodal operation | Less reliable on very long autonomous tasks | Low-cost local agents |
| Llama | Mature ecosystem and broad framework support | No longer the capability leader | Existing automation stacks |
| gpt-oss | Structured reasoning and practical local deployment | Text-only | Backend workflow orchestration |
| GLM-5.2 and DeepSeek-V4 | Strong coding, reasoning and long-horizon work | Very large infrastructure requirements | Advanced organized operations |
Including a model here does not imply that its developer enables or condones fraud. These are general-purpose systems with overwhelmingly legitimate uses.
Commercial agents will be used—but they are a fragile criminal dependency
Mainstream models are likely to remain common because they are convenient.
A fraudster can access a commercial agent without purchasing hardware, configuring an inference server, or maintaining an agent framework. Commercial frontier models may also be more reliable when a workflow is ambiguous.
Their weakness from the fraudster’s perspective is centralized control. Providers can monitor activity, restrict high-risk actions, suspend accounts, introduce confirmation steps, and cooperate with investigations.
This will lead to repeated use of disposable accounts and underground services that resell or wrap commercial models. Google has already found supposedly independent malicious AI services that were actually built on commercial APIs and open-source agent components.
Commercial agents will therefore be common, especially among less technical users, but unreliable as long-term criminal infrastructure.
Qwen3.5 is the most likely open foundation
Among current open-weight models, Qwen3.5 is the strongest candidate for widespread application-fraud use.
It combines three particularly relevant properties:
Native understanding of visual interfaces
Strong multilingual capability
Agent and tool-use training
Qwen’s own demonstrations include autonomous interaction with computers and mobile applications. The Qwen3.5 release describes it as a foundation for GUI agents and complex desktop workflows.
Its flagship model is large, but the broader Qwen ecosystem includes more deployable variants and extensive support from inference and agent frameworks. That makes it more accessible than other large multimodal models.
If fraud groups want an open agent that can both understand an interface and manage multilingual communication, Qwen is the most likely default family.
Kimi K2.5 may appeal to sophisticated multimodal operations
Kimi K2.5 is designed around native multimodal agents. It can combine text, images, video, tools, and parallel task decomposition.
That could make it attractive to organized groups working with visual application flows or large collections of identity material. Its “agent swarm” approach is also relevant to operators interested in dividing work across several specialized agents.
The practical barrier is enormous. Kimi K2.5 contains roughly one trillion parameters. Most fraudsters will not self-host it. They are more likely to access it through a hosted provider or an intermediary service.
Kimi is therefore a capability concern, but probably not the most common locally deployed fraud model.
Smaller models may drive more abuse than frontier models
Gemma, gpt-oss, smaller Qwen variants, and existing Llama models may be more important in practice than the largest open releases.
A model does not need frontier-level reasoning to fill forms, classify application responses, generate messages, maintain account state, or decide when to ask a human for help.
Smaller models offer:
Lower hardware costs
Faster responses
Easier replication
Better throughput
Greater operational independence
Compatibility with established automation systems
A fraud operation may reserve an expensive frontier model for difficult decisions while using smaller local models for thousands of routine actions.
The most likely architecture is hybrid
The most capable fraud operation will probably not use one autonomous agent from beginning to end.
It will combine:
A commercial frontier model for planning and difficult reasoning
An open local model for repetitive, high-volume activity
A visual model for understanding application interfaces
Specialist image, document, voice, or video systems
Traditional automation for deterministic steps
Human operators for important decisions and unusual challenges
This hybrid arrangement is more reliable and economical than expecting one model to do everything.
It also makes attribution difficult. The wording in a support conversation might come from one model, while application navigation is controlled by another.
When will this become a serious application threat?
The threat will emerge in stages.
During 2026 and 2027, the dominant pattern is likely to be human-supervised agents handling routine work and escalating exceptions. This alone can significantly increase the number of applications, accounts, and victims a fraud group can manage.
Between 2027 and 2029, agents are likely to become more autonomous in well-understood workflows such as marketplace abuse, promotion fraud, support manipulation, and account management.
Completely unattended fraud will arrive first in applications with weak identity controls, predictable workflows, and limited monitoring across accounts. High-value financial applications with strong transaction controls will retain more human involvement, from both attackers and defenders.
The important threshold is not complete autonomy. Fraud becomes more scalable as soon as one human can supervise dozens or hundreds of agents.
How applications should prepare
Blocking every agent will not be a viable strategy. Legitimate customers will increasingly authorize agents to shop, book, compare, and manage accounts for them.
Applications instead need to distinguish authorized delegation from abusive automation.
Give agents identities
Agents should authenticate as agents, not impersonate human browser sessions. Applications need to know who operates the agent, which person authorized it, and what permissions were delegated.
Evaluate sequences, not isolated requests
One form submission may look legitimate. A coordinated pattern across accounts, devices, payments, support interactions, and beneficiaries may not.
Risk systems need graph and sequence awareness.
Bind consequential actions to authorization
High-impact actions should be linked to explicit user intent, appropriate confirmation, and scoped permissions. An agent authorized to compare products should not automatically inherit authority to change payment details or redirect funds.
Apply controls to business objects
Rate limits should not exist only at the IP address or session level. Applications should also monitor activity involving promotions, identities, payment instruments, refund destinations, devices, and other shared resources.
Harden support workflows
Support agents need clear controls for account recovery, refunds, payment changes, and identity exceptions. Persuasive conversation should never replace verifiable authorization.
Treat voice and video as evidence, not proof
Synthetic media makes visual or verbal familiarity insufficient for approving consequential actions. Identity decisions should combine device, account, transaction, document, and behavioral signals.
Preserve agent-level audit trails
Applications should record what agent acted, which identity authorized it, what tools or interfaces it used, and how a transaction changed over time.
The conclusion
Yes, fraudsters will use AI agents against applications. In limited, human-supervised forms, they already are.
The most commonly abused agents will initially be commercial systems from providers such as OpenAI, Google, and Anthropic because they are powerful and convenient. Provider monitoring will push more persistent operations toward open models and underground wrapper services.
Among open models, Qwen3.5 is the most likely general-purpose foundation for application fraud because it combines multilingual communication, visual interface understanding, and agent capabilities.
Gemma, gpt-oss, Llama, and smaller Qwen variants are likely to power cheaper local automation. Kimi K2.5, GLM-5.2, and DeepSeek-V4 are more likely to appear in sophisticated or hosted operations because their infrastructure requirements are much higher.
The central risk is not an AI agent that suddenly becomes a master criminal. It is a persistent, inexpensive operator that can navigate ordinary workflows, recover from small failures, maintain dozens of identities, and ask a human for help only when necessary.
Applications designed around the assumption that automation is rigid—and that every browser session represents one person—will be the first to feel the difference.



