Know Your Agent: The New Frontier of Fraud Prevention | "What The Fraud?" Podcast

THOMAS TARANIUK: Hello and welcome to What The Fraud?, a podcast by Sumsub, where digital fraudsters meet their match. I'm Thomas Taraniuk, currently responsible for some of our very exciting partnerships here at Sumsub, a global verification platform helping businesses verify users, companies, and transactions.

Today, we're diving into the world of AI agents. The future of AI means agents will no longer just assist us, but operate on our behalf—booking travel, managing subscriptions, handling tax bills, and carrying out day-to-day tasks we used to handle ourselves. But, and this is a big but, how much can we actually trust them? And how do we know what's been legitimately authorized and what's crossed the line?

My guest today is Mick Amelishko, AI advocate and Senior Engineering Manager here at Sumsub, responsible for promoting and developing AI agents and tools within the company. Mick, welcome to What The Fraud?

MICK AMELISHKO: Hey, Tom. Excited to be here.

THOMAS TARANIUK: So Mick, let's start with the absolute basics. What actually are AI agents? How are they different from traditional automation or scripts—services that we're used to?

What are AI agents?

MICK AMELISHKO: An AI agent is a piece of software that can make decisions on its own. You set the goal for it, and it's up to the agent to figure out the right path—the steps it needs to take to reach that goal.

As opposed to classical automation or scripting, where you define all the steps step by step—do this, do that, if it fails, do this—and that's it. If something fits your script, you're golden. You'll get the results you want: fast, precise, exactly what you expect. But if it's not in the script—if something unexpected happens—you're out of luck. The script will just return nothing.

To bring this to life, let's say I call a doctor's office to get an appointment. With a scripted system, I encounter a telephone menu: for office hours, press one; if you're a first-time customer, press two. That kind of thing. More often than not, it can't understand what you're saying. It understands the beeps, but if you say something, there's a high likelihood it will fail because it's scripted.

In my case, I usually end up saying, "Give me an operator, give me an operator." I can figure it out with a human much faster. Then I end up in a queue—you're number 10 in line—and I'm stuck for 20 minutes, hoping I eventually get what I want.

Now let's compare this with the experience I'd have if, instead of a basic script, there were an AI agent behind the phone line. When I call, it picks up and says, "Hi, I'm the assistant at the doctor's office. How may I help you?" Then I just say what I want—for example, an appointment next week, preferably in the morning.

Under the hood, it transcribes what I said into text and analyzes it. It uses a large language model, which works really well with text, and looks through the tools it has to decide which one fits my request best. Most likely, it uses something like a calendar or appointment-booking tool. It checks the doctor's calendar, finds available slots next week, and proposes one.

Then it generates a response: "Dr. Johnson can see you on Tuesday at 9 in the morning." I say, "Yes, that works for me," and it's done. I'm happy because it took a minute and I got what I wanted.

That's the difference. This is a basic example, but agents can be much more sophisticated. They're already being integrated into companies to automate day-to-day tasks—and you may have used them without even knowing.

How does an agent build a complete picture of a user?

THOMAS TARANIUK: And some of these agents can retain context from different interactions, right? Build a profile around users. Could you give some practical examples of how an agent builds a complete picture of a user—their habits, their interests—maybe in a healthcare setting, but also across a broader network?

MICK AMELISHKO: This is where the power of agents really comes in. Agents can maintain a large amount of context in their memory. For example, a personal assistant agent working with you over time might learn that you prefer evening appointments, like to sleep in, and always want to keep an hour for lunch. Every time it suggests a lunch slot, you reject it, so it learns your preference. It can also learn from your calendar and your email, if you give it access. Maybe something isn't in your calendar, but you've booked a flight—it can detect that and block time in your schedule automatically.

This is what makes things really interesting. One of the most talked-about developments right now is something called OpenClaw.

THOMAS TARANIUK: Right.

MICK AMELISHKO: I assume a lot of people have heard about it. It's a personal assistant that can perform tasks on your behalf. I was experimenting with OpenClaw and tried to get it to call a doctor. It initially said it couldn't, but when I pushed further, it reasoned that if it installed a voice library and registered with a phone provider, it could potentially do it.

This is where we're heading. It's just the beginning. I think all major AI providers will bring something like this to the market very soon.

The risks of AI agents

THOMAS TARANIUK: So OpenClaw is an AI agent that acts on behalf of users like you and me, handling tasks that make our lives easier. But that convenience comes with risks, especially when it operates autonomously. The question of trust changes. We're giving these agents a massive amount of power—access to our personal data, emails, and financial apps. For example, if you tell an agent to book a holiday with a budget of 5,000, but it spends 10,000 because it misunderstands your instructions or permissions—how can we trust these agents not to go rogue?

MICK AMELISHKO: I just want to warn all the listeners—please don’t trust OpenClaw with your personal data. It’s just too early. The thing is not stable or secure yet. If you want to run it, it’s fun. If you want to play with it, run it in an isolated environment, like a virtual machine or something similar. But please don’t trust it.

Suggested read: From AI Agents to Know Your Agent: Why KYA Is Critical for Secure Autonomous AI

It’s gullible, it can be hijacked, your data can be leaked, and it can delete your emails. The internet is already full of horror stories where OpenClaw went rogue and destroyed parts of people’s lives.

Overall, I think there is a path forward. There is a way to build safe and secure AI agents, and personal assistants in particular. They should have very strong guardrails. Those guardrails can include things like: if you’re not sure what to do, ask the operator—ask the user, ask a real person.

There should also be limits on transactions. Before calling any potentially dangerous tool, the agent should ask the user. I think the early personal assistants from leading labs like Anthropic and OpenAI are doing a good job here. They’re not as fun to use as OpenClaw—they’re more limited—but that’s exactly why they’re safer. Those bigger players are taking more time to make things secure. When it comes to trusting personal data, I’m more willing to trust the big labs. I’d allow them to access my calendar or my email—especially with Google, since they already have my email anyway. The additional risk is probably not that high.

Still, I would be very cautious with finances. If I want an agent to buy something, one option is to let it open the payment window and I enter my credit card details myself. That way, the data doesn’t go through the agent.

Another option is to create a one-off burner credit card with a small amount on it that expires after a single transaction. This way, you can be sure it won’t overspend.

THOMAS TARANIUK: Got you. That makes sense, especially since a lot of agents are now creating one-off debit cards. When the user is indistinguishable from the agent, and vice versa on the other side, it becomes very difficult to govern.

When someone tells an AI, “Book my travel,” and we set a budget of 5K, that actually involves multiple systems—loyalty rewards, payments, maybe even third-party systems like accounting tools.

So my question is: how do you prevent an agent from slowly expanding or deviating from its permissions while carrying out these tasks on behalf of you or me?

How do you prevent an agent from deviating from its permissions?

MICK AMELISHKO: There’s a software engineering approach called the least privilege approach. You should give the agent access only to the tools necessary for the exact task.

You don’t need to share more than necessary. If it’s about booking an appointment, a calendar should be enough. If it’s about buying something, then a payment method—and maybe email for confirmation. Not more, not less—just what’s required.

Some agents already help manage this, but more often than not, they give you options like “trust this action now.” Sometimes they also include a button like “always do this without confirmation,” and that’s where it can get dangerous.

At the end of the day, we still don’t fully know what’s happening under the hood of these models. There is still a risk—small, but real—that they can be hijacked through prompt injection or similar attacks. So I’d say: be cautious and approve sensitive actions one by one.

THOMAS TARANIUK: Ongoing consent is a major concern as well, and the user needs to continuously provide that to the agent. Looking at the bigger picture, though, we’re seeing major progress in other areas too—especially in software engineering and development roles like yours.

So tell us—how is that playing out? Is AI going to take your job?

Is AI going to take jobs?

MICK AMELISHKO: We’ll see. But right now, software engineering is going through a revolution. It’s a really exciting time.

Programming feels fun again. It reminds me of when I first started—writing a few lines of code and seeing something work exactly as I intended. That feeling is back. You start small, then scale up, and it just keeps getting more exciting. The reason is that I can now automate or delegate all the boring parts—the boilerplate code and repetitive tasks—to AI. That lets me focus on the creative side: understanding what the customer actually wants and solving the right problems.

Working with coding agents also forces you to think more about the problem itself, rather than individual lines of code or patterns. Those still matter, but now you have more time to focus on what actually brings value—what makes the software useful. So I think this is one of the areas where we’re seeing the biggest gains from AI right now.

THOMAS TARANIUK: At the end of the day, we’ve talked about the ways AI agents can genuinely help us in our day-to-day lives, but increased autonomy also opens up new opportunities for fraudsters looking for a quick return. So Mick, can you walk us through how a bad actor might actually use an AI agent to their advantage?

How can fraudsters use an AI agent to their advantage?

MICK AMELISHKO: There are multiple things that keep me up at night—some pretty scary thoughts about what AI makes possible in fraud.

First, it’s about scale. It’s much easier to carry out fraud at scale with AI. Scammers using social engineering previously relied on scripts, but there was still a lot of human involvement, which led to things like “human farms” where people carried out fraud manually. Now, much of this can be automated because AI is very good at speaking and chatting with people online. That’s a real attack vector right now.

The problem is that it makes financial sense for fraudsters. The cost of AI is relatively low, and the outcomes justify the price.

The second issue is data exposure. If you share a lot of data and credentials with your personal assistant, what happens if it gets hijacked? An attacker could gain access to a large amount of your personal data. If they can control your AI agent, they can make actions on your behalf that are difficult to detect. This is a new kind of attack vector.

THOMAS TARANIUK: It certainly is. It’s difficult to determine intent—whether the user actually approved an action or the agent acted on its own. What signals are we seeing now in terms of bad behavior? For example, agents acting outside a user’s directive or being used to facilitate financial crime.

Signals of bad behavior

MICK AMELISHKO: I think we’re at a point where we understand that agents can act on behalf of users—it’s already happening, and it’s becoming normal.

So instead of assuming that every agent is malicious, we need to look for patterns. For example, if an agent typically operates in a European time zone and suddenly starts acting in US or Asian time zones, that’s a signal worth investigating.

Another signal is speed and volume. If an agent suddenly performs a large number of actions very quickly—like draining accounts—that’s easier to detect. That said, sophisticated attackers will try to avoid obvious patterns, so it won’t always be that simple.

THOMAS TARANIUK: Let’s imagine a worst-case scenario. An attacker gains access to a user account connected to an AI agent. What could they realistically do or scale that they couldn’t before?

Worst-case scenario: What happens if an attacker takes control of an AI agent?

MICK AMELISHKO: That’s the really scary part. Imagine you trust your AI assistant with your calendar, email, payment methods, files, notes, maybe even business plans, and personal data. An attacker gains control over all of that—and can also control the agent.

To the outside world, it looks like everything is authorized. The attacker can act as you. They could fire people, send messages, drain your bank accounts, or even attempt to take out loans if they have enough data.

This is why it’s critical to be careful about what you trust your AI agents with. At the same time, external systems need to be aware of these risks and require additional verification for sensitive actions.

THOMAS TARANIUK: Absolutely. If you think about a user connected to multiple systems—banking, tax, marketplaces—it becomes a single point of failure. The potential damage is huge, especially since agents can act very quickly. If an agent has access to your email, it could reset passwords and expand access into other systems. That’s essentially account takeover at scale—impersonating a user across multiple platforms.

So let me ask: can agents create synthetic identities, pass verification, and open accounts on platforms like Revolut?

Can AI agents create synthetic identities, pass verification and open accounts?

MICK AMELISHKO: For now, we’re relatively safe. Financial apps typically have strong KYC protections. They require things like liveness checks, identity documents, and proof of address. Even though deepfakes exist, these systems are usually multi-layered, so they can detect most attempts.

I’ve tried pushing OpenClaw to perform some simpler tasks, like buying a deepfake or registering a phone number, and it failed. That said, it was a basic setup. Someone more determined and skilled could probably push it further.

THOMAS TARANIUK: That makes sense. Systems today are quite good at detecting bots. But when legitimate users—and fraudsters—use agents, automation is no longer a clear red flag.

So how do platforms like Revolut distinguish between a legitimate agent and malicious automation?

How do platforms distinguish between a legitimate agent and malicious automation?

MICK AMELISHKO: It will take time, but we’re already seeing early signs of what’s coming.

I experimented with OpenClaw and tried to buy a phone number. It got blocked by Cloudflare’s bot detection. The issue is—I was a legitimate customer. I wanted to register in my name and pay with my card. I just wanted automation because I didn’t want to manually fill out forms.

The result? Both sides lost. I didn’t complete the purchase, and the provider lost revenue.

This is where agent identification will evolve quickly. Once you can tie the identity of the bot or agent to the identity of a real person, you can start trusting the agent and allow it to make purchases.

THOMAS TARANIUK: AI agents are clearly becoming part of our daily lives, so they need to be part of how we govern and manage interactions from a merchant perspective. That brings us to the idea of “Know Your Agent,” or KYA. What does that actually mean in practice?

What is Know Your Agent?

MICK AMELISHKO: It’s a new concept, and there’s still some confusion because different vendors define it differently. From my perspective, KYA is a risk management strategy that extends KYC—Know Your Customer. First, the merchant identifies that the interaction is coming from an automated entity—an agent or bot. Second, it identifies the platform running that agent. Third, it identifies the person who authorized the agent’s actions.

It’s more complex than traditional KYC, but it’s necessary for this new ecosystem.

THOMAS TARANIUK: From an engineering perspective, when a user clicks a button, you can infer intent. But when an agent clicks that button, the trust boundary changes. So how do you prove that an agent’s action was actually authorized by the user?

MICK AMELISHKO: Under the hood, this relies on cryptography. Each agent should have a digital signature—like a secure stamp. When a merchant receives a request, it can verify that signature to ensure it’s valid and hasn’t been tampered with.

The system checks this with the issuing authority through cryptographic verification. That confirms the agent’s identity and the platform behind it.

The next step is linking that agent instance to a real person who has passed KYC—identity verification, proof of address, liveness checks. So it becomes a multi-layered system based on cryptography that ensures both security and speed.

THOMAS TARANIUK: That makes sense. But there will be multiple issuers in this space. So who do we actually trust to verify that connection between user and agent?

Who do we trust to verify the connection between the user and the agent?

MICK AMELISHKO: The platforms that already provide KYC—like Sumsub—are natural candidates. They already have verified user data and can link that to a specific agent instance.

THOMAS TARANIUK: So once we’ve established that an agent is verified and authorized to act, where does responsibility lie if something goes wrong?

For example, if an agent performs a harmful action instead of completing a legitimate task—who is responsible? The user, the provider, or the merchant?

MICK AMELISHKO: Right now, responsibility is shared. The most protected party is usually the customer. The agent provider and the payment processor carry most of the responsibility. However, the customer still needs to follow basic security practices. It’s similar to credit card usage—if you intentionally share your card details, you may not be refunded.

THOMAS TARANIUK: So in practical terms, everyone in the chain needs to do their part?

MICK AMELISHKO: Exactly. The user needs to set boundaries, limits, and clear instructions. The agent provider needs to protect personal and payment data and ensure compliance. And the payment provider operates similarly to traditional systems, with shared liability. Everyone has a role to play.

THOMAS TARANIUK: I want to explore how we can use AI agents for good—for ourselves, for merchants, and for super apps—in the fight against fraud.

We’ve talked about how AI agents are used by fraudsters to make a quick buck—but how can they help compliance and fraud teams in their fight against fraud?

How can AI agents help compliance teams?

MICK AMELISHKO: Agents also have strong applications here.

If you look at the work of a compliance officer, they go through a large number of documents, correlate them, perform cross-checks, and analyze massive transaction logs. This work is critical, but also complex and data-heavy.

AI is very good with data. It can identify patterns, perform cross-checks, and do so more consistently than humans, who can get tired. An agent can process all this information and present findings to a compliance officer. The key point is that the final decision—whether to approve or reject a transaction—should remain with the human. Why? Because while AI handles large volumes of data well, it can miss contextual judgment.

For example, if you move to another city, a system might flag unusual activity. Or if you have a wedding and suddenly spend more money than usual, that could also be flagged.

A human can interpret these situations correctly. From a legal perspective—especially in the European Union—you can’t rely on AI alone for final decisions. So in this case, AI acts as a copilot, helping people gain insights and make more accurate decisions.

THOMAS TARANIUK: So it can sift through massive amounts of data, triage it for an AML analyst, consolidate information into specific cases, and make it easier to digest—allowing the human in the loop to make the final decision without doing all the groundwork.

We trust these AI agents, but when they let us down, it can be devastating. From a psychological perspective, do we take that into account enough? Once trust is lost between a human and their agent, can it be regained?

MICK AMELISHKO: That’s a really interesting and important question, and I think we’re only just beginning to explore it.

I expect a lot of research on human–AI relationships in the coming years. This is where things can become both fascinating and concerning.

People can become victims, and fraudsters are masters of emotional manipulation. They can weaponize fear, urgency, and even empathy. Understanding this isn’t just about prevention, it’s also about understanding human psychology more deeply. There’s still a lot to learn.

THOMAS TARANIUK: There are many ways people can educate themselves on how to use AI effectively. But from a business perspective, rather than an individual one, is a hybrid approach—combining AI and human oversight—still the best way to fight fraud?

Is a hybrid approach still the best way to fight fraud?

MICK AMELISHKO: Yes, it works very well. There’s also a new approach emerging with Know Your Agent, where the identity of the user is tied to the agent.

You can think of it as multi-level validation. Imagine a merchant: someone “knocks on the door.” First, you check—is it a human or a bot? If it’s a human, you proceed.

If it’s a bot, you go to the next layer. Is it just a random bot, or is it an agent with a verifiable identity tied to a real person? If it’s tied to a verified user, you can allow it to proceed because you trust the cryptographic signatures behind it.

However, there’s always a risk that the agent is hijacked or misconfigured. So for higher-risk actions—like expensive purchases—you introduce another layer.

You might require real-time confirmation from the user. For example, the agent prompts the user to confirm the action through a liveness check, a PIN code, or a simple approval in their app.

This layered approach improves security while maintaining convenience for both users and merchants.

THOMAS TARANIUK: That makes sense. Many companies are now moving quickly in this space, building AI agents for various use cases and industries.

For example, companies like Google Cloud are partnering with payment providers to explore how AI agents can securely initiate payments, while payment companies are exploring how AI assistants can interact safely with payment networks.

There’s clearly a big focus on real-time systems—fraud prevention, merchant onboarding, and tamper-resistant records.

But what are the real-world impacts of this for users and businesses? And how much of this is just hype?

MICK AMELISHKO: There’s definitely a lot of hype and noise. Everyone wants to be first to market. Many people are still figuring out what agent commerce really is and how it should work.

But despite the noise, we’re moving toward an agent-driven era of e-commerce.

Instead of going to a platform, clicking through options, and completing a purchase manually, you’ll simply ask your personal assistant to do it for you. I’ve already started trying this. Sometimes it works, sometimes it doesn’t. But this is where things are heading.

THOMAS TARANIUK: This feels like the direction the world is heading right now, and at the end of the day, it means there are going to be a lot of changes. What changes do you see for everyday users like you and me, and how do you see end users using AI agents safely?

MICK AMELISHKO: I think everyone will have a personal assistant, and frankly, I’ve been waiting for it for years—since the first Siri announcement. Apple had a really bold vision, but Siri still hasn’t lived up to those expectations. Maybe this year… while I was talking, I actually activated Siri. That’s funny.

THOMAS TARANIUK: What should we, as individuals, actually be doing to protect ourselves?

What should individuals do to protect themselves?

MICK AMELISHKO: We should be very mindful about the control and data we give to agents. I know most people will be influenced by marketing and convenience, but I urge everyone to think carefully about what they’re consenting to, the data they’re sharing, and to be a bit more paranoid.

Everyone is enthusiastic about it, but I’d add a bit of skepticism.

THOMAS TARANIUK: Just a sprinkle, right? Because there are always early adopters—like with crypto—who will trust it with small amounts, but not with bigger ones, like 5K or 10K for a holiday.

At the start, I wouldn’t expect a large group of people to fully adopt this approach—opening up their bank accounts without limits and saying, “Go and buy this.” But do you see a trajectory by 2027, 2028, or 2029 where a sizable portion of the population is using copilots for their own benefit?

MICK AMELISHKO: I think with copilots, the genie is already out of the bottle. It’s happening. With recent releases, everyone is excited. In China, Tencent is helping people install these tools, and there are government subsidy programs supporting startups that use them.

All major AI players will release their own versions because the demand is clear—everyone wants a great personal assistant.

THOMAS TARANIUK: That’s certainly the case. But at the end of the day, doesn’t every fraudster want a great personal assistant?

MICK AMELISHKO: Or an army of great personal assistants.

THOMAS TARANIUK: An army of them. If they can scale what they’re doing and automate it with agents, that’s a scary thought.

MICK AMELISHKO: Absolutely. But we already have strong approaches and best practices, like the hybrid model you mentioned, to prepare for this.

THOMAS TARANIUK: And I think we are prepared—the people working to protect businesses and users around the world. As we always do, let’s close with a bit of fun. We’ll go through five quick-fire questions. No overthinking—are you ready?

Quick-fire round

MICK AMELISHKO: Yeah, shoot.

THOMAS TARANIUK: If you could ban one risky online behavior, what would it be?

MICK AMELISHKO: Sharing too much on social media. People share a huge amount of personal information, and it drives me crazy. With the right AI agent, you can build a very precise profile of someone just from their social media. I think accounts should be private. It may sound alarmist, but social media is a big risk.

THOMAS TARANIUK: I don’t think that’s alarmist at all. I don’t even have Instagram. But imagine having an AI agent managing your social media.

MICK AMELISHKO: That defeats the purpose.

THOMAS TARANIUK: Have you ever been a victim of fraud yourself?

MICK AMELISHKO: Yes. Not long ago, I was walking in the city and received an SMS from a name that matched a crypto exchange in my contacts. It said there was an attempt to withdraw funds and asked me to call a number to approve or reject it. My immediate reaction was that it looked legitimate. So I called. It took me about three to five minutes to realize it was a scam. Then I remembered I didn’t even have funds there.

The caller started asking broad questions about what financial products I use. That’s when I realized they were trying to profile me and link my personal data to other services for further attacks.

I hung up, reported everything to the exchange, and closed the account. But I was really embarrassed. I complete security training every year, and I still fell for it.

THOMAS TARANIUK: There are so many new attack vectors now, so I wouldn’t be embarrassed. Anyone can become a victim of fraud—that’s something we always emphasize. Would you personally trust an AI agent today to handle something important in your life?

MICK AMELISHKO: I think I have a risk model in my head. If something is low-risk and has limited monetary value, and I understand the steps involved, I can trust the agent.

For example, booking dinner or even a plane ticket—if it shows me all the details and steps before payment, maybe even proves it found the best price, I’d trust it.

But for high-risk things, like taxes—I don’t even fully trust my accountant. I always double-check. So I’d only trust agents with tasks I can validate myself.

THOMAS TARANIUK: I think we’re aligned on that. What’s one thing about fraud prevention that people underestimate?

MICK AMELISHKO: How powerful social engineering is. I realized this when I read a book by Kevin Mitnick as a kid.

Social engineering is often more effective than technical hacking. People imagine hackers as someone in a hoodie breaking into systems, but in reality, they’re often very persuasive people who understand human behavior.

THOMAS TARANIUK: And finally, if you could have any other career, what would it be?

MICK AMELISHKO: Something music-related—maybe a musician or a record producer. Music has always been a big part of my life. I’ve even released some records and had some airplay as a hobby.

It’s interesting—my guitar teacher once pointed out how similar music and software engineering are. Both are creative and require abstract thinking. You can’t see music—you imagine it, you hear it—and once it’s played, it’s gone.

THOMAS TARANIUK: I know you’ve got a few guitars there, so hopefully you’ll play after this. Thanks so much for joining us on What The Fraud? It’s been great having you.

MICK AMELISHKO: My pleasure. Thanks for having me—it was really fun.

THOMAS TARANIUK: If you enjoyed today’s conversation, make sure to follow the podcast wherever you listen. And if you can, leave us a review—we’d love to hear your thoughts. It also helps others find the show and learn how to avoid the latest scams. In the next episode, we’ll dive into modern fraud attacks, focusing on camera injection and emulator farms.