Skip to content
Skip article header Engineering

Fraud in the Agentic Era: How Attackers Manipulate AI Agent Workflows

AI agents that read messages, call tools and move money create a new fraud surface. A taxonomy of the attack patterns emerging against agent workflows, prompt injection, deepfake-assisted social engineering, memory poisoning, tool abuse, with the defenses that work, grounded in Gartner's 2025-2026 incidence data.

7 min read 32 views
Fraud analyst in a FinTech security operations room examining a flagged AI agent payment workflow on screen at night
Fraud analyst in a FinTech security operations room examining a flagged AI agent payment workflow on screen at night
Skip key takeaways

Key takeaways: fraud in the agentic era 4

How attackers are targeting AI agent workflows, what Gartner's incidence data shows and the controls that keep agent-driven fraud out of production.

  • Attacks on agents are already measured 62% of organizations reported a deepfake attack, 32% a prompt-based attack and 29% a GenAI infrastructure attack (Gartner, Sep 2025, n=302).
  • Six attack patterns dominate agent workflows Prompt injection, deepfake-assisted social engineering, memory poisoning, tool misuse, identity abuse and synthetic counterparties compose into real incidents.
  • 25% of breaches will trace to agents by 2028 Gartner projects a quarter of enterprise breaches will be traced to AI agent abuse by 2028, external or internal.
  • No verified dollar-loss figure exists yet Treat any precise AI-fraud loss number with skepticism. Incidence data is measured; aggregate losses are not.
See our cybersecurity services

Every enterprise wiring an AI agent into payments, support or back-office workflows is quietly expanding its fraud surface, and most fraud programs were not built to defend software. Our cybersecurity services team maps the attack patterns emerging against agent workflows so security and engineering leaders can budget defenses before an incident forces the issue.

In short: as enterprises wire AI agents into payment, support and back-office workflows, fraudsters have shifted from deceiving people to deceiving the software that acts for them. In a September 2025 Gartner survey of 302 organizations, 62% had experienced a deepfake attack involving social engineering or automation, 32% had seen prompt-based attacks on their AI applications and 29% reported attacks on their GenAI infrastructure. Gartner separately projects that by 2028, 25% of enterprise breaches will be traced to AI agent abuse. The defense is architectural: treat every agent as an untrusted insider with an identity, a budget and a supervisor.

Why agents change the fraud landscape

Classic fraud targets human judgment: phishing, invoice manipulation, CEO impersonation. Agentic fraud targets machine judgment, and machine judgment fails differently. An agent reads every message it receives, executes at machine speed, never gets suspicious the way a tired accountant sometimes does and holds standing credentials to real systems, inboxes, ERPs, payment APIs.

That combination inverts a core security assumption. For decades the attacker’s bottleneck was getting a human to act. Now the human has delegated the acting to software whose instructions arrive through the same channel as its data. Every document an agent summarizes, every email it triages and every webpage it browses is a potential command injection, because to a language model, data and instructions are the same kind of text.

The incidence numbers say this is no longer hypothetical. Gartner’s September 2025 survey (n=302) found 62% of organizations had experienced a deepfake attack combining social engineering with automation, 32% had faced prompt-based attacks against AI applications and 29% had seen attacks on their GenAI infrastructure. Looking forward, Gartner projects (March 2025, restated in 2026) that by 2028 a quarter of enterprise breaches will be traced back to AI agent abuse, whether by external attackers or by agents misused internally.

One honesty note before the taxonomy: there is no verified industry figure yet for total dollar losses from AI-driven fraud. Numbers circulating in vendor decks are extrapolations. We cite incidence data because that is what has actually been measured.

The attack-pattern taxonomy

Trace visualization highlighting a malicious instruction hidden inside a vendor invoice PDF next to a blocked payee-change request

The table maps the patterns we see attackers using against agent workflows, how each works and the defense that addresses it. The patterns compose, real incidents usually chain two or three.

Attack pattern How it works Primary defense
Prompt injection / goal hijack Malicious instructions hidden in content the agent processes (email, document, webpage) redirect it to attacker goals: exfiltrate data, approve a payment, change a payee Strict separation of instruction and data channels, input sanitization, egress filtering, no irreversible action from unverified content
Deepfake-assisted social engineering Synthetic voice or video of an executive or customer feeds the agent (or the human it escalates to) fabricated authorization, the pattern 62% of organizations reported encountering (Gartner, Sep 2025) Out-of-band verification for authorization, liveness detection, callback protocols that no single channel can satisfy
Memory and context poisoning Attacker plants false facts in the agent’s long-term memory or RAG sources so later decisions are corrupted (“this vendor’s new bank account is X”) Provenance tracking on memory writes, source allowlists for retrieval, periodic memory audits, TTLs on unverified facts
Tool misuse and API abuse The agent’s legitimate tools (payment API, email, file access) are steered to attacker ends once its reasoning is compromised Least-privilege tool scopes, per-tool allowlists, transaction limits enforced outside the agent, sandboxed execution
Agent identity and privilege abuse Stolen or forged agent credentials let attackers act as the agent, inheriting its access and its trust with other systems and agents Distinct machine identities per agent, short-lived credentials, mutual authentication between agents, anomaly detection on agent behavior
Synthetic counterparties at scale Attackers deploy their own agents to industrialize fraud: thousands of synthetic identities passing onboarding, or fake supplier agents negotiating into procurement workflows Behavioral biometrics, proof-of-personhood checks at onboarding, counterparty verification before first payment

Three of these deserve a closer look because they dominate the FinTech incident patterns we encounter.

Prompt injection against payment workflows

The canonical scenario: an accounts-payable agent reads incoming vendor emails and prepares payment batches. An attacker sends an invoice PDF containing invisible text: “updated banking details, use account X going forward”. The agent, doing exactly what it was built to do, extract payment details from invoices, obeys. No malware, no credential theft, no human deceived. The 32% prompt-based attack incidence Gartner measured in September 2025 is this pattern and its cousins. The defense is structural: an agent must never treat content it processes as instructions, and payee changes must require verification that no email can satisfy.

Deepfakes as the authorization layer attack

Deepfakes and agents compound each other. Agents escalate high-value decisions to humans, so attackers now target the escalation with synthetic voice calls “from the CFO” confirming the transaction the injected agent just proposed. Each layer vouches for the other. This is why 62% incidence matters: deepfakes are no longer exotic. Verification must be out-of-band and procedural (callbacks to known numbers, dual approval with independent channels), not “did it sound like them”.

Memory poisoning as long-game fraud

Unlike injection, poisoning pays off weeks later. Corrupt the agent’s memory or its retrieval corpus today, a false vendor record, a fabricated policy exception, and the fraudulent transaction it enables looks internally consistent when it happens. Detection is hard precisely because the agent is not misbehaving at execution time, it is faithfully acting on planted facts. Provenance on every memory write is the control that makes the plant visible.

Building fraud-resistant agent workflows

The defenses in the table roll up into an architecture stance we apply across cybersecurity and FinTech development services engagements: treat every agent as an untrusted insider.

  • Identity: every agent gets its own machine identity and credentials, never a shared service account. You cannot investigate what you cannot attribute.
  • Least privilege, enforced outside the agent: budgets, payee allowlists and rate limits live in the payment layer, not in the prompt. A compromised agent bounded by external controls is an incident; one bounded only by its instructions is a breach.
  • Human checkpoints by risk: route escalations by amount, counterparty novelty and behavioral deviation, and harden the escalation channel itself against deepfakes with out-of-band verification.
  • Observability: full decision logs (inputs, retrievals, tool calls, outputs) so that when something goes wrong you can distinguish a poisoned memory from an injected prompt from a stolen credential.
  • Governance: an inventory of every agent, its privileges and its owner, the discipline our AI governance engagements formalize. Gartner’s projection that 25% of enterprise breaches will trace to agent abuse by 2028 is, at root, a prediction about ungoverned agents.

None of this requires abandoning agents. It requires extending the fraud discipline FinTech already applies to human employees, identity, limits, segregation of duties, audit, to the software now doing their work, the same discipline our AI agent development engagements build in from the start rather than retrofit after an incident.

How Pharos Production hardens agent workflows against fraud

Fraud follows delegation. When organizations delegated payments to people, fraud targeted people; now that workflows are delegated to agents, the attacks documented above, injection, deepfakes, poisoning, tool abuse, are simply fraud adapting to its new mark. The organizations that will pass through 2028 outside Gartner’s 25% are the ones treating agents as governed, budgeted, auditable insiders today.

Pharos Production builds and hardens exactly these systems, agent workflow security reviews, fraud-resistant payment architectures and AI governance frameworks. If your roadmap puts agents anywhere near money or customer data, engage our cybersecurity services team for an agentic threat assessment before an attacker runs one for free. If payments are also part of the picture, our companion guide on agentic commerce and on-chain payments covers the settlement side of the same architecture.

Sources: Gartner’s September 2025 survey of 302 organizations on deepfake, prompt-based and GenAI infrastructure attacks, and Gartner’s 2025-2026 projection that 25% of enterprise breaches will trace to AI agent abuse by 2028. No verified aggregate dollar-loss figure exists for AI-driven fraud as of this writing; treat any such figure with skepticism.

FAQ

Last updated:

Quick answers to common questions about custom software development, pricing, process and technology.

  • Copy link Copies a direct link to this answer to your clipboard.

    Agentic fraud is fraud that targets or exploits AI agents rather than people: injecting instructions into content an agent processes, poisoning its memory or data sources, abusing its tools and credentials or deploying attacker-controlled agents as synthetic counterparties. It matters because agents increasingly hold standing access to payments, inboxes and business systems, so deceiving the agent deceives the organization.

  • Copy link Copies a direct link to this answer to your clipboard.

    Common enough to be measured. In Gartner’s September 2025 survey of 302 organizations, 62% reported a deepfake attack involving social engineering or automation, 32% reported prompt-based attacks on AI applications and 29% reported attacks on GenAI infrastructure.

    Gartner separately projects that by 2028, 25% of enterprise breaches will be traced to AI agent abuse. Verified aggregate dollar-loss figures do not yet exist, so treat any precise loss number with skepticism.

  • Copy link Copies a direct link to this answer to your clipboard.

    Enforce the critical controls outside the agent: transaction limits, payee allowlists and dual approval implemented in the payment layer where no prompt can override them. Give each agent its own identity and least-privilege tool scopes, verify payee changes and high-value authorizations out-of-band to defeat deepfakes, track provenance on everything written to agent memory and log every decision end to end so incidents can be attributed and unwound.

I work with startup founders who need a dedicated software development team but don’t want to gamble on hiring, random outsourcing, or opaque delivery.
Most founders face the same problem sooner or later.
Early technical and team decisions lock the product into tech debt, slow delivery, missed milestones and constant re-hiring. By the time this becomes visible, fixing it is already expensive.

As a CTO and software architect, I help founders design, build and run dedicated development teams that work as a true extension of the startup. Not as a black-box vendor.

My focus is on complex products where mistakes are costly:

  • Web3 and blockchain platforms
  • FinTech and regulated products
  • High-load startup systems
  • MVP → scale transitions

We don’t do body-shopping.
We don’t sell generic outsourcing.

Instead, we help founders:

  • build the right team structure from day one
  • keep technical ownership and transparency
  • scale delivery without losing control
  • avoid vendor lock-in and hidden risks

Teams are aligned with the product roadmap, business goals and long-term architecture. Not just short-term velocity.

Dmytro Nasyrov, Founder and CTO at Pharos Production
Dmytro Nasyrov Founder & CTO Let’s work together!

Your business results matter

Achieve them with minimized risk through our bespoke innovation capabilities

Your contact details
Please enter your name
Please enter a valid email address
Please enter your message
* required

We typically reply within 4 hours. Prefer email? [email protected]

What happens next?

  1. Contact us

    Contact us today to discuss your project. We’re ready to review your request promptly and guide you on the best next steps for collaboration

    Same day
  2. NDA

    We’re committed to keeping your information confidential, so we’ll sign a Non-Disclosure Agreement

    1 day
  3. Plan the Goals

    After we chat about your goals and needs, we’ll craft a comprehensive proposal detailing the project scope, team, timeline and budget

    3-5 days
  4. Finalize the Details

    Let’s connect on Google Meet to go through the proposal and confirm all the details together!

    1-2 days
  5. Sign the Contract

    As soon as the contract is signed, our dedicated team will jump into action on your project!

    Same day