Picture an applicant who never gets tired, never makes a typo, and can fill out 400 loan applications before lunch. Now picture that same applicant generating a fresh, plausible bank statement for each one, reading your rejection emails, working out what tripped the filter and adjusting the next batch accordingly. That is not science fiction. That is agentic AI fraud, and the pieces are already on the table.
At VerifyPDF, we spend our days looking at fake documents. For years the volume was bounded by something simple: a fraudster is a person, and a person can only forge so many documents in a day. That ceiling is disappearing. When an AI agent can fill out the form, fabricate the supporting paperwork and click submit on its own, the limit on fraud stops being human effort and starts being whatever your onboarding pipeline will tolerate.
Let me be clear up front: this post is not doom-mongering, and it is not a how-to for fraudsters. Most agentic AI in finance is being built by the good guys, for underwriting, fraud detection and compliance. But the same autonomy that helps a bank also helps the person attacking it. If you onboard customers, you need to understand what changes when the applicant on the other end is software.
What agentic AI fraud actually means
Agentic AI is the step beyond a chatbot. A chatbot answers a question. An agent sets a goal, breaks it into steps, uses tools, reacts to what it sees and keeps going until the goal is met or it gives up. The IMF describes these systems as autonomous software that senses its environment, sets goals and performs multistep tasks with little human input.
Apply that to fraud and the picture gets uncomfortable. An agentic fraud workflow does not need a human babysitting each application. It can:
- Find the target. Scan for lenders, fintechs or insurers with online onboarding and weak document checks.
- Build the persona. Assemble a synthetic or stolen identity, then generate the documents that identity would plausibly have: a payslip, a bank statement, a utility bill.
- Submit and watch. Fill out the application, attach the documents and read whatever comes back.
- Adapt and repeat. If the application is rejected, change the variables that probably caused it and try again, across hundreds of attempts, all night.
That fourth step is the one that should keep compliance teams up. We are no longer talking about a static fake that you either catch or you do not. We are talking about an attacker that probes your defences and learns from them.
Why this is not hype anymore
I am usually the first person in the room to say a fraud story is overblown. We have written before about how most fake documents have nothing to do with AI and never did. So when I say agentic fraud is real, it is not because a vendor sent me a scary slide.
It is because the people building these models are reporting it themselves. In its August 2025 threat intelligence report, Anthropic disclosed that agentic AI has been “weaponized”, with models now used to carry out attacks rather than just advise on them. The report describes criminals embedding AI across every stage of their operations, profiling victims, analyzing stolen data and creating false identities, and explicitly notes a case using multiple AI agents to commit fraud. Their words, not mine: defence “becomes increasingly difficult, since these tools can adapt to defensive measures in real time.”
That phrase, adapt in real time, is the whole story. A human fraudster who gets rejected has to sit down, think and try again tomorrow. An agent gets rejected and tries again in seconds, with a tweaked document, before your coffee is cold.
The money side backs this up. The Deloitte Center for Financial Services projects that fraud losses in the US enabled by generative AI will climb from $12.3 billion in 2023 to $40 billion by 2027, a 32% compound annual growth rate. Generative AI lowers the cost of producing a convincing fake to almost nothing. Agentic AI removes the labour cost of submitting it. Put those two together and you get fraud at a volume the old defences were never designed for.
Human-speed review was already losing. Now it is impossible
Here is the part most onboarding teams have not fully absorbed.
Manual document review was already on the back foot. A trained reviewer can thoroughly check maybe 20 to 30 documents a day before fatigue sets in and error rates climb. We covered this in detail when we compared AI fraud detection against manual checks, and the conclusion was uncomfortable even before agents entered the picture: sophisticated forgeries that preserve fonts, layout and metadata simply pass visual inspection.
Now do the maths against an agent. One reviewer clears 30 documents a day. One agent can generate and submit thousands in the same window, each one slightly different, each one tuned to slip past whatever feedback it got last time. There is no number of reviewers you can hire that wins this race. You cannot out-staff a machine that works at machine speed and never sleeps.
This is the structural shift. When attacks happen at human speed, human review is a reasonable defence. When attacks happen at machine speed, human review stops being a slow defence and becomes no defence at all. The asymmetry is the problem, not the individual fake.
SAS put this neatly in its 2026 banking predictions, warning that fraud teams will face new risks “as criminals learn to hijack or mimic legitimate agents”, and that banks will need to authenticate not only people but the AI agents acting in their name. The boundary between a legitimate automated application and a fraudulent one is getting genuinely hard to see from the outside.
The fake documents an agent attaches are still PDFs
So is the situation hopeless? No. And the reason is something we say a lot on this blog, but it matters more than ever now.
An agent can be brilliant at filling out a form. It can write a flawless cover letter and answer your knowledge-based questions without breaking a sweat. But when it attaches a bank statement, that bank statement is still a PDF. It still has a file structure, metadata, fonts, object layers and a creation history. And those things either match a document that came out of a real bank’s systems, or they do not.
This is the blind spot in most onboarding flows. Everyone is racing to authenticate the applicant: liveness checks, device fingerprints, behavioural signals. Those matter. But the document itself is often waved through on a glance, which makes it exactly the weakest link an agent will aim for. As we wrote in our piece on why OCR alone cannot detect document fraud, a document can be perfectly machine-readable and perfectly fake at the same time. Reading the words is not verifying the file.
In our experience, about 80% of fake documents start as a genuine document with a small alteration. An AI agent makes that process faster and cheaper, but it does not change the physics of the file. A statement that was opened and re-saved in an editing tool carries the fingerprints of that tool. A document assembled from scratch carries the structural tells of however it was assembled. Those are forensic signals, not visual ones, which is precisely why the naked eye misses them and a machine does not.
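The kind of structural check described above, as an added example (not VerifyPDF's code or method): it reads raw PDF bytes and compares revision count, producer and timestamps against a profile of the issuing system. The sample files, the producer names and the `pdf_signals` and `assess` helpers are constructed for illustration and assume an uncompressed Info dictionary.

```python
import re

def pdf_signals(data: bytes) -> dict:
    """Pull coarse structural signals out of raw PDF bytes (no rendering, no OCR)."""
    def info(key: bytes):
        # Last occurrence wins: an incremental update appends a newer Info dictionary.
        hits = re.findall(rb"/" + key + rb"\s*\((.*?)\)", data, re.S)
        return hits[-1].decode("latin-1") if hits else None
    return {
        # A save that appends rather than rewrites leaves one more %%EOF marker.
        "revisions": len(re.findall(rb"%%EOF", data)),
        "producer": info(b"Producer"),
        "created": info(b"CreationDate"),
        "modified": info(b"ModDate"),
    }

def assess(data: bytes, expected_producers: set) -> list:
    """Return findings; an empty list means nothing deviates from the issuer profile."""
    s, findings = pdf_signals(data), []
    if s["revisions"] > 1:
        findings.append("incremental-update")
    if s["producer"] not in expected_producers:
        findings.append("unexpected-producer")
    if s["modified"] and s["modified"] != s["created"]:
        findings.append("modified-after-creation")
    return findings

# Constructed sample: a minimal statement as issued (all names are made up).
ORIGINAL = (b"%PDF-1.7\n1 0 obj\n<< /Producer (ExampleBank StatementGen 4.2) "
            b"/CreationDate (D:20250103090000Z) /ModDate (D:20250103090000Z) >>\n"
            b"endobj\ntrailer\n<< /Info 1 0 R >>\n%%EOF\n")
# Constructed sample: the same file after an editor appended an update section.
EDITED = ORIGINAL + (b"1 0 obj\n<< /Producer (ExamplePDFEditor 3.1) "
                     b"/CreationDate (D:20250103090000Z) /ModDate (D:20250218221500Z) >>\n"
                     b"endobj\ntrailer\n<< /Info 1 0 R /Prev 0 >>\n%%EOF\n")
# Assumption: the producers this issuer's statement system is known to emit.
PROFILE = {"ExampleBank StatementGen 4.2"}

if __name__ == "__main__":
    for name, blob in (("original", ORIGINAL), ("edited", EDITED)):
        print(name, assess(blob, PROFILE))
```

Info fields are writable by whoever produced the file, and linearized PDFs legitimately carry two `%%EOF` markers, so these findings belong in a risk score alongside other signals rather than serving as a verdict on their own.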
Why source-based, machine-speed verification becomes mandatory
If the attack is automated, adaptive and operating around the clock, your defence has to match it on all three counts. That rules a few things out.
It rules out manual review as a primary control. By all means keep humans in the loop for edge cases and judgement calls, but they cannot be the gate that every document passes through. There are not enough hours.
It rules out checks that only look at the surface. An agent optimises for whatever you test. If you only check that the numbers are legible and the logo is present, the agent will produce documents with legible numbers and a present logo. You have to inspect the layer the agent cannot easily fake at scale: the internal structure of the file.
And it makes a strong case for verifying against the source wherever you can. The most resilient defence against a fabricated document is not examining the fabrication more closely; it is comparing it to data that came directly from the source. When that is not possible, and very often it is not, forensic analysis of the PDF is the next line. The point is that both of these run at machine speed, automatically, on every document, before a human ever sees it.
This is exactly the gap VerifyPDF was built to close. We analyse the internal structure of every PDF and return a risk rating, from “Trusted” to “High risk”, in under five seconds.
That speed is not a vanity metric anymore. When an agent is firing off hundreds of attempts, the only defence that keeps up is one that runs in seconds on every single document, with no fatigue and no day off. The agent never tires, so neither can your first line of defence.
Agents are not the enemy. Unverified inputs are
I want to end on a balanced note, because the alarmist version of this story is wrong and you will hear it everywhere.
Agentic AI is not inherently fraudulent. The same technology is being deployed by banks for autonomous fraud detection, by lenders to speed up legitimate loan origination and by compliance teams to triage alerts they could never clear by hand. A world where applicants use agents to gather and submit their own genuine paperwork is coming, and for honest customers that is a better experience: less friction, fewer forms, faster decisions. We are not against any of that.
The problem was never the agent. It is that most onboarding pipelines still treat the documents an applicant submits as trusted inputs rather than as evidence that needs verifying. That assumption was already shaky. Against an adversary that can fabricate and submit at machine speed and learn from your rejections, it is indefensible.
So the question for every lender, insurer and fintech is not “how do we stop AI agents”. It is “do we actually verify the documents that reach us, automatically, on every application, before we act on them”. If the honest answer is no, an agent will find that out long before you do.
Want to see what your applicants’ documents look like under the hood? Try a free document check or talk to us about building automated verification into your onboarding before machine-speed fraud builds it into your loss column.