Table of Contents

Will Fraudsters Use AI Agents Against Web Applications?

Almost certainly. The important change will not be smarter phishing copy—it will be software that can navigate applications, interpret responses, and adapt fraud workflows in real time.

Traditional fraud automation is brittle.

A bot follows a script: open a page, enter predefined data, press a button, and check for an expected response. If the application changes its layout, introduces a new verification step, or returns an unfamiliar error, the bot often fails.

AI agents can operate differently. They can inspect the current interface, decide what action to take, interpret the result, and revise their plan. Instead of simply replaying a sequence, an agent can pursue an objective.

That makes agents a natural tool for application fraud.

The transition has already started

Fully autonomous fraud is not yet the dominant model. Most AI-enabled scams still involve human operators using generated scripts, translations, images, and suggested responses.

But the direction is clear.

INTERPOL’s 2026 financial-fraud assessment says agentic AI can support the planning and execution of fraud schemes, including victim research, credential collection, target selection, financial analysis, and personalized communications. It also describes fraud-as-a-service platforms that combine automated phishing infrastructure, synthetic identities, victim-management tools, and payment services. INTERPOL’s assessment predicts that AI-enabled financial fraud will continue to expand as automation lowers operating costs.

Google Threat Intelligence has separately reported a transition from experimental AI use toward the industrial integration of models into adversarial workflows. Google’s May 2026 threat assessment describes malicious activity becoming more adaptive, scalable, and connected to agent tooling.

The first generation of fraud agents will therefore not appear from nowhere. They will evolve from existing automation with more perception, reasoning, and error recovery added to it.

What makes an agent different from a bot?

A traditional bot is usually built around known pages and expected outcomes.

An agent can potentially:

  • Recognize buttons and fields from their visual or semantic meaning

  • Navigate a workflow it has not seen before

  • Interpret validation messages

  • Compare several possible actions

  • Maintain state across multiple pages

  • Use external tools and data sources

  • Ask a human operator for help when uncertain

  • Resume the process after the operator responds

Computer-use models already demonstrate this general pattern. OpenAI’s Computer-Using Agent, for example, was designed to perceive screenshots, reason about what to do, and perform actions with a virtual mouse and keyboard. OpenAI’s technical overview describes agents completing browser tasks without requiring a website-specific API.

These capabilities have legitimate purposes. They can help people book travel, manage accounts, and operate inaccessible legacy systems. But the application itself cannot assume that every agent represents an honest user.

How fraud agents may be used against applications

The most likely early applications do not require agents to discover sophisticated software vulnerabilities. They involve automating abuse of ordinary product workflows.

Exploring application rules

Fraudsters currently inspect applications manually to learn how onboarding, promotions, payments, refunds, loyalty programs, and support processes work.

An agent could accelerate this research. It could navigate different workflows, record how the application responds, compare policy outcomes, and identify where business rules appear inconsistent.

This is not necessarily technical exploitation. Often, the target is a gap between what the software permits and what the business intended.

Automating account creation and onboarding

Agents could fill forms, interpret errors, select appropriate options, and maintain many partially completed application sessions.

When combined with synthetic identity services, generated documents, or manipulated media, this creates pressure on onboarding systems. An agent does not have to defeat every control autonomously. It can move through routine steps and escalate difficult decisions to a human operator.

This human-agent combination is likely to be more common than completely unattended identity fraud in the near term.

Coordinating multi-account abuse

Many fraud schemes depend on relationships between accounts rather than the behavior of one account.

Agents could manage account inventories, track their status, distribute activity over time, and select which identity or payment instrument to use for a particular interaction. They could also stop using an account when the application begins challenging it.

The defensive implication is important: evaluating each session independently becomes less effective when one controller can coordinate many apparently unrelated users.

Manipulating customer support

Support channels are an attractive target because they contain human discretion.

An agent could maintain a consistent narrative across chat, email, and forms; summarize previous interactions; adjust its tone; and provide requested information quickly. It could also manage several support conversations simultaneously.

The goal would not necessarily be to fool a support agent with extraordinary creativity. Consistency, persistence, and scale may be enough to make existing support-based fraud significantly more economical.

Scaling returns, refunds and promotion abuse

Retail and marketplace fraud often exploits workflows that are individually legitimate: refunds, coupons, returns, referrals, account credits, or seller protections.

Agents could navigate these processes, assemble supporting material, monitor deadlines, and adapt when a request is rejected. Computer vision could help them interpret product pages, account dashboards, or evidence-review screens.

The agent’s advantage is not that it invents a new form of abuse. It can make existing abuse cheaper to operate across more accounts and applications.

Managing marketplace personas

Fraudsters operating fake stores, rental listings, investment schemes, or romance scams must maintain believable identities over time.

Agents could keep track of profile histories, previous conversations, product descriptions, promises, and personal details. They could communicate in multiple languages and ensure that one persona does not contradict itself across different channels.

This is where language models, image generators, and voice systems may converge into one fraud workflow.

Account takeover orchestration

Agents may also help operators manage compromised accounts.

At a high level, an agent could determine what services are available, inspect account state, recognize valuable features, and decide which actions warrant human approval. The dangerous capability is adaptive navigation, not merely the generation of malicious code.

Applications should therefore treat unusual post-login automation as seriously as suspicious login activity.

Interacting with other agents

As legitimate commerce becomes agentic, some fraudulent agents may not interact with humans at all.

They could communicate with shopping agents, customer-service agents, merchant systems, or payment assistants. The attack surface then moves from “Can this bot imitate a person?” to “Is this agent authorized, and does its stated intent match the person it claims to represent?”

Google’s introduction of a fraud platform intended to distinguish legitimate humans, bots, and agents reflects this emerging problem. Google Cloud Fraud Defense is explicitly positioned around trust in an agentic web.

Which models are fraudsters likely to use?

The answer depends on the operator’s technical skill and infrastructure.

Model or familyWhy it may appealMain constraintLikely use
GPT and ChatGPT agentsStrong browser use, reasoning and familiarityProvider safeguards and monitoringHuman-supervised research and occasional tasks
Gemini agentsFast multimodal and UI-control capabilitiesCentralized access and abuse controlsResearch, visual workflows and high-volume tasks
Claude computer useStrong reasoning, coding and browser controlProvider monitoring and policy enforcementComplex supervised workflows
Qwen3.5Open-weight, multilingual and native GUI-agent capabilityFlagship still requires significant hardwareBroad open-model fraud automation
Kimi K2.5Multimodal agents, visual coding and tool orchestrationOne-trillion-parameter footprintSophisticated hosted or shared deployments
Gemma 4Capable smaller models and local multimodal operationLess reliable on very long autonomous tasksLow-cost local agents
LlamaMature ecosystem and broad framework supportNo longer the capability leaderExisting automation stacks
gpt-ossStructured reasoning and practical local deploymentText-onlyBackend workflow orchestration
GLM-5.2 and DeepSeek-V4Strong coding, reasoning and long-horizon workVery large infrastructure requirementsAdvanced organized operations

Including a model here does not imply that its developer enables or condones fraud. These are general-purpose systems with overwhelmingly legitimate uses.

Commercial agents will be used—but they are a fragile criminal dependency

Mainstream models are likely to remain common because they are convenient.

A fraudster can access a commercial agent without purchasing hardware, configuring an inference server, or maintaining an agent framework. Commercial frontier models may also be more reliable when a workflow is ambiguous.

Their weakness from the fraudster’s perspective is centralized control. Providers can monitor activity, restrict high-risk actions, suspend accounts, introduce confirmation steps, and cooperate with investigations.

This will lead to repeated use of disposable accounts and underground services that resell or wrap commercial models. Google has already found supposedly independent malicious AI services that were actually built on commercial APIs and open-source agent components.

Commercial agents will therefore be common, especially among less technical users, but unreliable as long-term criminal infrastructure.

Qwen3.5 is the most likely open foundation

Among current open-weight models, Qwen3.5 is the strongest candidate for widespread application-fraud use.

It combines three particularly relevant properties:

  • Native understanding of visual interfaces

  • Strong multilingual capability

  • Agent and tool-use training

Qwen’s own demonstrations include autonomous interaction with computers and mobile applications. The Qwen3.5 release describes it as a foundation for GUI agents and complex desktop workflows.

Its flagship model is large, but the broader Qwen ecosystem includes more deployable variants and extensive support from inference and agent frameworks. That makes it more accessible than other large multimodal models.

If fraud groups want an open agent that can both understand an interface and manage multilingual communication, Qwen is the most likely default family.

Kimi K2.5 may appeal to sophisticated multimodal operations

Kimi K2.5 is designed around native multimodal agents. It can combine text, images, video, tools, and parallel task decomposition.

That could make it attractive to organized groups working with visual application flows or large collections of identity material. Its “agent swarm” approach is also relevant to operators interested in dividing work across several specialized agents.

The practical barrier is enormous. Kimi K2.5 contains roughly one trillion parameters. Most fraudsters will not self-host it. They are more likely to access it through a hosted provider or an intermediary service.

Kimi is therefore a capability concern, but probably not the most common locally deployed fraud model.

Smaller models may drive more abuse than frontier models

Gemma, gpt-oss, smaller Qwen variants, and existing Llama models may be more important in practice than the largest open releases.

A model does not need frontier-level reasoning to fill forms, classify application responses, generate messages, maintain account state, or decide when to ask a human for help.

Smaller models offer:

  • Lower hardware costs

  • Faster responses

  • Easier replication

  • Better throughput

  • Greater operational independence

  • Compatibility with established automation systems

A fraud operation may reserve an expensive frontier model for difficult decisions while using smaller local models for thousands of routine actions.

The most likely architecture is hybrid

The most capable fraud operation will probably not use one autonomous agent from beginning to end.

It will combine:

  • A commercial frontier model for planning and difficult reasoning

  • An open local model for repetitive, high-volume activity

  • A visual model for understanding application interfaces

  • Specialist image, document, voice, or video systems

  • Traditional automation for deterministic steps

  • Human operators for important decisions and unusual challenges

This hybrid arrangement is more reliable and economical than expecting one model to do everything.

It also makes attribution difficult. The wording in a support conversation might come from one model, while application navigation is controlled by another.

When will this become a serious application threat?

The threat will emerge in stages.

During 2026 and 2027, the dominant pattern is likely to be human-supervised agents handling routine work and escalating exceptions. This alone can significantly increase the number of applications, accounts, and victims a fraud group can manage.

Between 2027 and 2029, agents are likely to become more autonomous in well-understood workflows such as marketplace abuse, promotion fraud, support manipulation, and account management.

Completely unattended fraud will arrive first in applications with weak identity controls, predictable workflows, and limited monitoring across accounts. High-value financial applications with strong transaction controls will retain more human involvement, from both attackers and defenders.

The important threshold is not complete autonomy. Fraud becomes more scalable as soon as one human can supervise dozens or hundreds of agents.

How applications should prepare

Blocking every agent will not be a viable strategy. Legitimate customers will increasingly authorize agents to shop, book, compare, and manage accounts for them.

Applications instead need to distinguish authorized delegation from abusive automation.

Give agents identities

Agents should authenticate as agents, not impersonate human browser sessions. Applications need to know who operates the agent, which person authorized it, and what permissions were delegated.

Evaluate sequences, not isolated requests

One form submission may look legitimate. A coordinated pattern across accounts, devices, payments, support interactions, and beneficiaries may not.

Risk systems need graph and sequence awareness.

Bind consequential actions to authorization

High-impact actions should be linked to explicit user intent, appropriate confirmation, and scoped permissions. An agent authorized to compare products should not automatically inherit authority to change payment details or redirect funds.

Apply controls to business objects

Rate limits should not exist only at the IP address or session level. Applications should also monitor activity involving promotions, identities, payment instruments, refund destinations, devices, and other shared resources.

Harden support workflows

Support agents need clear controls for account recovery, refunds, payment changes, and identity exceptions. Persuasive conversation should never replace verifiable authorization.

Treat voice and video as evidence, not proof

Synthetic media makes visual or verbal familiarity insufficient for approving consequential actions. Identity decisions should combine device, account, transaction, document, and behavioral signals.

Preserve agent-level audit trails

Applications should record what agent acted, which identity authorized it, what tools or interfaces it used, and how a transaction changed over time.

The conclusion

Yes, fraudsters will use AI agents against applications. In limited, human-supervised forms, they already are.

The most commonly abused agents will initially be commercial systems from providers such as OpenAI, Google, and Anthropic because they are powerful and convenient. Provider monitoring will push more persistent operations toward open models and underground wrapper services.

Among open models, Qwen3.5 is the most likely general-purpose foundation for application fraud because it combines multilingual communication, visual interface understanding, and agent capabilities.

Gemma, gpt-oss, Llama, and smaller Qwen variants are likely to power cheaper local automation. Kimi K2.5, GLM-5.2, and DeepSeek-V4 are more likely to appear in sophisticated or hosted operations because their infrastructure requirements are much higher.

The central risk is not an AI agent that suddenly becomes a master criminal. It is a persistent, inexpensive operator that can navigate ordinary workflows, recover from small failures, maintain dozens of identities, and ask a human for help only when necessary.

Applications designed around the assumption that automation is rigid—and that every browser session represents one person—will be the first to feel the difference.

Author

  • Mickey Boodaei

    Mickey is the CEO and Co-Founder of Transmit Security where he passionately leads the product and development teams in Tel Aviv, Israel. As a pioneer and serial entrepreneur with over 30 years of experience Mickey has co-founded leading cyber companies such as Imperva (IMPV) and Trusteer (acquired by IBM in 2013) and personally invested in over a dozen startups in the field including Armis, Apiiro, and Island.

    View all posts