Agentic AI, Fraud, and Why Communication Authenticity Matters

Earlier this month, we hosted a webinar with Professor Bill Buchanan OBE FRSE, Chief Innovator at LastingAsset and Professor of Applied Cryptography at Edinburgh Napier University. Bill has spent close to four decades studying how systems break, how trust is exploited, and what it takes to build something that holds. The conversation was one of the more sobering ones we have had.

This blog pulls out what matters most, and connects it to a question every organisation should be asking right now.

How is agentic AI different from traditional fraud bots?

For years, bots worked from scripts. They were fast and scalable, but rigid. A well-trained employee could spot one with a few probing questions, but that advantage is gone.

What Bill describes as agentic AI is fundamentally different. These systems do not follow a fixed sequence. They perceive, reason, and act. They remember what was said last week. They adapt to responses in real time. And they operate across every channel simultaneously: email, WhatsApp, Telegram, voice, video.

The shift, as Bill put it, is from users being operators to users being observers. The agent acts on your behalf, without you approving every step. That is useful for legitimate automation, but it is equally useful for fraud.

The barrier to running a sophisticated impersonation attack has collapsed. Tools that exist today give a low-skilled operator the equivalent capability of a trained penetration tester. The infrastructure to target hundreds of people at once, across multiple channels, with individually tailored messages, takes minutes to set up.

Why AI agents are so difficult to trace back to a human

One of the sharpest points in our conversation was about identity. Corporate systems were built for humans: usernames, passwords, Active Directory records. When an AI agent acts on someone's behalf, there is often no reliable link back to the person who authorised it.

This creates what Bill called ‘agent untraceability’. If an agent operates across jurisdictions, switches channels, and waits patiently before acting, the forensic trail becomes very hard to follow.

The OWASP Top 10 AI risks reflect this directly. Agent authentication and control sit at the top of the critical infrastructure tier, not because the problem is theoretical, but because the gap between what we have built and what these systems can exploit is already wide.

What does agentic AI mean for fraud risk in 2026 and beyond?

A single model is constrained by its training. Agents that share information, debate, and refine each other's approaches are not. As Bill mentioned on the webinar, the progression towards AGI is more likely to emerge from that kind of collaborative learning than from any single model becoming smart enough on its own.

For fraud, this means that the quality and scale of impersonation attacks will improve faster than most organisations expect. The question is not whether your team will face a convincing, targeted, AI-generated request. It is whether the controls you have in place can verify the person behind it.

Why deepfake detection tools fail against AI-driven social engineering

Most security tools were designed to catch something going wrong at a technical level: a suspicious file, an unusual login, a known malware signature. Modern AI-driven fraud does not trigger any of those signals.

The Arup case cost £20 million. The M&S incident caused an estimated £300 million in damage. In both cases, every technical control was functioning. The fraud worked at the human level, exploiting trust in a communication that looked and sounded completely legitimate.

Detection tools try to guess whether something looks fake. They compare signals against patterns. As AI improves, those patterns shift faster than the tools can follow. The guess gets worse over time. This is the core problem with a detection-first approach: it assumes the attack has a technical signature. Increasingly, it does not.

What is Communication Authenticity and how does it stop impersonation fraud?

Detection is about ‘guessing’ whether a message looks suspicious. Access controls are about securing systems. Communication Authenticity secures the conversations that happen inside them.

The question it answers is not "does this email look legitimate?" It is "is this actually the person I think I am talking to, right now, before I act on what they are asking?"

How does UnDoubt verify identity in real time before a high-risk action is taken?

When a request arrives, whether a payment instruction, a credential reset, a supplier bank change, or any other high-risk request, UnDoubt requires both parties to verify each other before action is taken. The verification is cryptographic and tied to a specific device. It cannot be spoofed by a cloned voice, a convincing email, or a real-time deepfake.

An attacker can replicate how someone sounds and how they write, but cannot answer a cryptographic challenge that only the real person's device can produce. That is what makes the attack fail.
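As an added illustration of the mechanism described above (example code written for this post, not UnDoubt's own implementation, whose internals the webinar did not cover), here is a minimal device-bound challenge-response in Go: the verifier issues a single-use nonce bound to the exact action awaiting approval, the enrolled device signs it with an Ed25519 key that never leaves the device, and a replayed signature, an unenrolled key, or a signature over a different action is rejected. The user name, the action string and the two-minute validity window are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"time"
)

// Challenge binds a fresh nonce to the exact action awaiting approval, with a short validity window.
type Challenge struct {
	User, Action, Nonce string
	Expiry              time.Time
}

// Bytes is the message the device signs; action and nonce are both included,
// so a signature for one request cannot be moved to another.
func (c Challenge) Bytes() []byte {
	return []byte(c.User + "|" + c.Action + "|" + c.Nonce + "|" + c.Expiry.UTC().Format(time.RFC3339))
}

type Verifier struct {
	keys map[string]ed25519.PublicKey // enrolled device public keys, one per user
	used map[string]bool              // nonces already consumed by an accepted response
}

func NewVerifier() *Verifier {
	return &Verifier{keys: map[string]ed25519.PublicKey{}, used: map[string]bool{}}
}

// Enroll stores the public half of a device key; the private half never leaves the device.
func (v *Verifier) Enroll(user string, pub ed25519.PublicKey) { v.keys[user] = pub }

// Challenge issues a single-use, time-limited challenge for one specific action.
func (v *Verifier) Challenge(user, action string) Challenge {
	n := make([]byte, 16)
	rand.Read(n) // crypto/rand: only fails if the OS entropy source is unavailable
	return Challenge{User: user, Action: action, Nonce: hex.EncodeToString(n),
		Expiry: time.Now().Add(2 * time.Minute)} // assumed window
}

// Verify accepts a challenge only if it is unexpired, unused, and signed by the
// enrolled device key; a cloned voice or forged email cannot produce that signature.
func (v *Verifier) Verify(c Challenge, sig []byte) bool {
	pub, ok := v.keys[c.User]
	if !ok || time.Now().After(c.Expiry) || v.used[c.Nonce] || !ed25519.Verify(pub, c.Bytes(), sig) {
		return false
	}
	v.used[c.Nonce] = true // consume the nonce so a captured signature cannot be replayed
	return true
}
```

The same shape applies whatever the channel: the request travels by voice, video or email, but approval rests on the signature from the enrolled device.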

At the start of our webinar, I sent Bill a live challenge through UnDoubt. He read back the words on his screen to confirm it was really him. That two-second exchange is the same mechanism that, in an enterprise context, sits between a payment request and an authorised transfer: cryptographic proof, not a voice that could have been cloned from a conference recording.

UnDoubt works across voice, video, and email. It sits alongside IAM and MFA, addressing the one thing those tools were never designed for: whether the person asking for an action is really who they say they are.

📲 For individuals and small businesses: download the UnDoubt app.

💼 For security, fraud, and risk teams interested in an early access pilot: reach us directly at undoubt@lastingasset.com

Watch the full webinar recording with Professor Bill Buchanan and Nanik Ramchandani, CEO of LastingAsset.

© LastingAsset Limited. Reg. SC781466, 7-11 Melville Street, EH3 7PE