Green doesn’t mean ‘go’ with the rise of all-green interaction fraud

As fraudsters become more adept at using artificial intelligence, the authors warn of a new threat to financial services organizations. Instead of using AI to forge flawless documents, attackers are now training systems to imitate legitimate customers’ activities to make fraudulent transactions. 

When the user logged into their account in early February 2026, the regional bank’s fraud-monitoring dashboard indicated it was a routine customer session.

The user logged in on a familiar device. The IP address matched the customer’s region. The behavioral biometric score, analyzing the user’s activity patterns, registered a 98.7% confidence match. Nothing unusual.

The user navigated to the transfer page. The cursor moved naturally across the screen, pausing briefly over account balances like they were reviewing recent transactions. The cursor hovered over the “Add Beneficiary” field. Perfectly normal.

The typing cadence matched the customer’s historical profile, including bursts of typing followed by brief pauses.

The cursor hesitated for two seconds before clicking the confirmation button. Seconds later, the user submitted a transfer request of $18,500 to a new beneficiary account.

The dashboard remained “green,” and no error message indicated a questionable transaction. No anomalies were detected from the user’s device, location or behavior.

But a few hours later, the receiving account triggered an anti-money laundering alert after the $18,500 transfer, spurring internal fraud investigators to take a closer look at the transaction.

When investigators contacted the user, they denied logging in during that session. Investigators determined the transaction had been executed entirely by an artificial-intelligence-driven system trained to mimic the customer’s behavior. Yet the bank’s fraud-monitoring dashboard reported a perfectly normal session.

This scenario depicts what some anti-fraud investigators have recently observed in incident reports. They’re calling it “all-green interaction fraud,” as fraud-monitoring systems fail to detect abnormal activity and allow sessions to continue. So far these incidents have been reported in financial institutions, but brokerage firms, retirement funds, fintech firms and payment processors could all be vulnerable to these attacks.

The “all-green interaction” session

Fraud monitoring dashboards are designed to provide signals to electronic or human monitors indicating whether an online transaction is normal or possibly fraudulent. Dashboards frequently use color indicators similar to traffic lights:

• Red: High risk — stop.
• Yellow: Suspicious activity — caution.
• Green: Normal behavior — go.

In most fraud incidents, investigators see a mix of colors. But in “all-green interaction fraud” all indicators are green, meaning a normal transaction may proceed. Device fingerprints match historical records. IP addresses align with the geographic location. Behavioral scores match the account holder’s past activity.

Sessions are indistinguishable from a customer’s typical login; investigators don’t see unusual activity in the system logs. Satisfying the system, rather than bypassing it, is why the attack succeeds. A fraudulent session looks legitimate to a system designed to thwart it.

From forged artifacts to forged agency

In our column for the March/April 2026 issue of Fraud Magazine, we examined generative artificial fraud perpetrators (GAFP), in which AI systems create fraudulent documents. However, fraudsters’ skills are advanced enough now to reproduce customer behavior and imitate how they appear and behave online.

The idiosyncratic ways that humans interact with their devices — behaviors biometric systems were designed to detect — have long been considered defenses against digital identity theft. But recent fraud reports suggest that AI systems have passed a motor-skill Turing test of sorts, with the ability to replicate subtle human motor behavior that deceives detection systems.

These incidents aren’t immediately obvious because monitoring systems recognize the online activity as routine. A customer logs in, navigates to their account and initiates a transfer as expected.

The idiosyncratic ways that humans interact with their devices — behaviors biometric systems were designed to detect — have long been considered defenses against digital identity theft. But recent fraud reports suggest that AI systems have passed a motor-skill Turing test of sorts, with the ability to replicate subtle human motor behavior that deceives detection systems. Some anti-fraud investigators call this “synthetic presence,” where a fraudster’s automated system reproduces a legitimate user’s behavioral signals so well that fraud-monitoring systems deem the transaction legitimate, giving the session a green light to continue (hence the “all-green” name).

The end of passive electronic signatures

Behavioral biometric systems were developed to be passive authentication layers. Instead of asking users to constantly verify their identity online, these tools operate quietly in the background, analyzing thousands of micro-signals about users’ interactions with their devices.

Typical behavioral indicators include:

• Keystroke dynamics: dwell time (how long a key is pressed) and flight time (the delay between keystrokes).
• Mouse or touch fluency: curvature, velocity and subtle movements of the cursor or touchscreen gestures.
• Navigation patterns: the sequence and pace at which users traverse an application.
• Cognitive timing: the hesitation or pause before confirming a transaction.

Over time, these signals create distinctive user-behavioral profiles. Like handwriting or voice cadence, interaction patterns are unique to each person. They can be stored and later used to confirm the legitimacy of a user. Historically, these signals were effective anti-fraud measures because fraudulent automated scripts (bots) don’t behave like humans. Bots move in straight lines, execute commands instantly and won’t hesitate when making a decision. Fraud analysts could spot automated fraudulent transactions within seconds by replaying user sessions. However, attack patterns have shifted and unauthorized-party schemes, in which criminals successfully impersonate legitimate users, now account for 71% of fraud incidents in U.S. financial institutions, according to a 2026 PYMNTS study. The result is a paradox. Signals designed to protect identity are targets for imitation.

Traditional bots versus synthetic presence in all-green interaction fraud

Traditional fraud bot behavior provides clues for fraud investigators to follow. But synthetic presence used to perpetrate all-green fraud doesn’t. Figure 1 highlights these differences.

Figure 1: Traditional fraud bots versus synthetic presence

Online Behavior	Traditional Fraud Bots	Synthetic Presence
Cursor movement	Straight lines	Curved paths with jitter
Typing	Constant speed	Variable cadence
Decision-timing	Immediate	Simulated hesitation
Detection score	Red or yellow	All-green

The more a bot behaves like a human, the less likely a monitoring system will be able to detect synthetic presence.

The telemetry harvest

While the GAFP model relies on training data to produce fraudulent documents, all-green interaction fraud relies on human interface device (HID) telemetry. In fraud investigations, telemetry is referred to as behavioral analytics (UBA) data, where fraud detection platforms collect signals to profile users’ behaviors. Recent threat intelligence reports indicate that attackers are compromising legitimate credentials to mimic normal user activity rather than attacking systems with malware.

 

Modern information-stealing tools collect far more than passwords or session cookies. They capture behavioral telemetry, including cursor trajectories, typing cadence, scrolling behavior, page dwell times and navigation patterns. Perpetrators then use this data to construct behavioral twins of legitimate customers.

Datasets are traded in underground marketplaces in “session bundles,” that often include stolen credentials, browser fingerprints, device metadata and archived behavioral telemetry. On the dark web, fraudsters can buy entire behavioral session profiles to reproduce legitimate sessions. Industry behavioral-analytics providers have reported significant increases in account-takeover attempts with remote-access tools or session-replication techniques to mimic a victim’s computing environment.

The attacker doesn’t have to defeat behavioral detection systems directly. Instead, they train automation tools to replicate the user’s interaction patterns. By the time the fraudulent session begins, the attacker has been studying the victim’s digital habits for weeks.

The “hesitation” algorithm

Human-like simulated hesitation is a significant characteristic of all-green interaction fraud. Monitoring systems could initially signal that transactions are legitimate; however, with careful review of session replays, investigators may notice something strange. Human-like hesitations and other movements are almost too deliberately human. For example, the timing of each hesitation would be identical because it wasn’t created by a human; human hesitations wouldn’t match.

 

Financial risk researchers who’ve observed these attacks say they’re remarkably precise, down to the pause before clicking on a button. According to ThreatMark CEO Michal Tresner in an interview with Thomson Reuters, incidents that don’t trigger fraud controls — like all-green interaction fraud — will be a significant challenge for financial institutions in 2026.

With all-green fraud tools, the bot deliberately introduces delays such as:

• The cursor hovers briefly over the confirmation button.
• The pointer drifts away as if rechecking details.
• Characters are mistyped and corrected with backspaces.
• Transactions are confirmed after realistic pauses.

Some attacker-controlled AI systems use large language models (LLMs), a type of AI system trained on massive text datasets to learn patterns and structures of human language, to interpret screen content and estimate how long it takes someone to read before responding.

In addition to simulated hesitation, advanced automation introduces jitter injection, an artificial timing variation that produces small random “jitters,” like shaking or hesitation from a human hand. Cursor movements are designed to look imperfect as the attacker teaches the machine to hesitate.

Active identity is the new frontier

As behavioral fraud tactics evolve, some financial institutions have implemented adaptive identity verification instead of static rules. According to a 2026 PYMNTS survey, more than two-thirds of banks are now investing in advanced analytics and AI-driven fraud detection tools to defend against emerging threats.

Three defensive approaches are gaining attention, including:

1. Passive liveness detection. Some identity-verification systems now analyze subtle physiological signals and device-interaction patterns to verify human presence. These systems detect injected automation or synthetic input streams before transactions are executed.
2. Hardware-bound identity. Authentication technologies, such as passkeys and hardware security keys, provide cryptographic proof that users interacted with devices during authentication. Security experts increasingly view hardware-backed identity as a critical defense against AI-assisted impersonation.
3. Verification architecture reform. Rather than evaluating individual signals in isolation, some experts recommend analyzing the entire verification workflow for weaknesses that attackers could exploit.

Searching in the computational shadows

With AI-created synthetic presence replicating how humans interact with digital systems, and all-green fraud-monitoring dashboards no longer guaranteeing authentic user sessions, investigators must look beyond the dashboard to the tiny statistical regularities of computational shadows. [See “Forensic indicators of the computational shadow” at the end of this article.]

For example, bots can replicate human cursor movements and respond 50 milliseconds after a page renders — much faster than human visual processing. People need time to perceive, interpret and react to user-interface elements, but an automated system can interact with a platform’s programming interface, or its document object model (DOM), immediately. This difference creates a perception gap where small but measurable delays exist between human cognition and machine execution, a signature most difficult for automation to conceal. [See “Audit questions for behavioral mimicry and all-green interaction fraud” at the end of this article.]

As these microscopic timing patterns help reveal the machine hiding behind otherwise perfect behavior, fraud examiners can no longer rely on verifying identities alone to distinguish genuine human interactions from the systems trained to imitate them.

Zachary Kelley is an associate professor of instruction in the Department of Information Systems and Analytics at Texas State University in San Marcos, Texas. Contact him at zachkelley@txstate.edu.

Carolyn Conn, Ph.D., CFE, CPA, is a clinical associate professor in the Department of Accounting at Texas State University in San Marcos, Texas. Contact her at cc31@txstate.edu.

---

Forensic indicators of the computational shadow

In the age of behavioral mimicry, the most normal online session may need the most scrutiny. Some indicators to consider are in the following table.

Signal Type	Human Indicator	Synthetic “All-Green” Indicator
Response latency	200–500 milliseconds of visual processing	<100 milliseconds of reaction time
Cursor pathing	Irregular arcs, overshooting targets	Optimized paths with injected jitter
Input consistency	High variance	Low variance, statistically perfect
Session low	Occasional pauses and distractions	Perfect task progression

---

Audit questions for behavioral mimicry and all-green interaction fraud

For investigators and internal auditors evaluating digital identity controls, the following questions may help identify exposure to behavioral mimicry attacks.

1. Are behavioral models trained on verified “clean” data?

Behavioral biometric systems rely on historical interaction data. If attackers can capture telemetry through malware or remote access tools, they can train automation systems that reproduce those patterns convincingly.

2. Does the fraud-detection platform monitor latency between system response and user action?

Determine whether the system measures time between server response and user interaction. Bots that process information faster than human visual perception may reveal themselves through abnormal response timing.

3. Are identity controls diversified beyond behavioral signals?

If behavioral biometrics fail, what additional signals remain? Organizations must ensure that fraud defenses combine multiple controls, such as device integrity checks, geolocation analysis, transaction-graph monitoring and hardware-bound authentication.

4. Does the platform test for automation using interface variability?

Some advanced fraud detection systems introduce small interface variations (e.g., subtle user-interface rendering changes) to detect bots trained on static interaction models.

5. Are cross-channel behavioral profiles correlated?

Legitimate users typically show consistent patterns across devices and channels. A session that perfectly mimics desktop behavior but deviates from mobile patterns may indicate automated impersonation.

6. Are investigators reviewing “successful” sessions and blocked ones?

Recent fraud research indicates that some of the largest losses occur in authenticated sessions and appear legitimate as “all-green” fraud events.