From LLMs to Agents

An AI agent is a large language model connected to memory, tools, and orchestration logic so it can take actions in the world, not just produce text. Agents can send messages, call APIs, browse websites, and pursue goals over time. This article covers what agents add to plain LLMs, how they change fraud economics, and why their failure patterns can give defenders a detection edge.

The Attack That Moved Too Fast

Derek watched the cases come in. Seven in the same hour, all following the same pattern.

Customer receives a fraud warning text about suspicious activity. Forty-seven seconds later, a phone call. Caller ID shows the bank's number. The voice references the exact text they just received, knows their recent transaction history, walks them through "securing" their account. By the time the call ends, the customer has read back their one-time password and approved a wire transfer.

He pulled the timing data. The gap between text and call was consistent: 45-50 seconds for every victim. The calls referenced specific account details. The voice was calm, professional, patient.

And somehow, the operation was hitting dozens of customers simultaneously.

Derek ran the numbers. Forty-seven seconds, forty-eight seconds, forty-six seconds. Same gap every time. Dozens of parallel calls. Each one adapting to the specific customer's responses.

No human call center works like this.

This story is fictional, but the pattern represents emerging capabilities.

Why This Matters

The previous article explained what LLMs are: text prediction engines that can write, summarize, and generate code, but can't take actions on their own. An LLM can draft a phishing email, but it can't send one. It can write a script, but it can't run it.

Agents change that equation.

An agent is an LLM connected to tools that let it act in the world. It can send emails, make API calls, browse websites, and coordinate multi-step operations. Anthropic's engineering guide^[1] describes them as "systems where LLMs dynamically direct their own processes and tool usage, maintaining control over how they accomplish tasks." This article explains what agents add, how they change fraud economics, and why most of what you'll hear about "agentic fraud" is still more theoretical than proven.

What Agents Add to LLMs

Think of an LLM as a brilliant advisor locked in a room. They can answer any question, draft any document, plan any operation. But they can't leave the room. They can't make phone calls. They can't check their notes from yesterday. Every conversation starts from scratch.

An agent is that same advisor, but now they have a phone, a computer, a filing cabinet, and a to-do list. They can take actions, remember what happened before, and work toward goals over time.

Memory. Agents can remember previous interactions. They can recall what worked in past attempts, what a specific target responded to, and what approaches failed. This persistence across conversations is something base LLMs lack entirely.

Tools. Agents can be connected to external systems: email servers, databases, web browsers, APIs, phone systems. Each tool expands what the agent can actually do in the world.

Orchestration. Agents can break complex goals into steps, execute them in sequence, and adapt when something fails. They can pursue objectives over hours or days, not just respond to single prompts.

The formula is simple: LLM + Memory + Tools + Orchestration = Agent

Once you have an agent, you unlock a critical capability: parallelization. A single agent system can run many operations simultaneously. Where a human team might handle a dozen phone calls, an agent system could theoretically manage hundreds of concurrent interactions. This isn't a component of an agent; it's what agents make possible.

The flip side: when an agent has tools, the question of what it's allowed to do becomes a security question. The OWASP Top 10 for LLM Applications↗^[4] lists "Excessive Agency" (LLM06:2025) as a top-ten risk for exactly this reason. An agent with permission to send emails, transfer funds, or modify records can be manipulated into doing so.

How does the economic math shift?

Here's the insight that matters most for fraud: email spam is already cheap. What's expensive is everything else.

Sending a million phishing emails costs almost nothing. The limiting factor in fraud has never been the volume of initial contact. It's what comes after: the trained callers who handle responses, the chat operators who build rapport, the coordinators who manage money mules, the developers who maintain infrastructure.

Human labor is expensive. Skilled operators need training. They need breaks, make mistakes, get tired, and can only handle one conversation at a time. Scaling a phone-based fraud operation means hiring more people, which means more cost, more coordination, and more operational security risk. Every additional person is another potential point of failure.

Agents potentially change this math. If an AI system can handle phone conversations, manage chat sessions, or coordinate mule networks, the cost structure shifts dramatically. The expensive human labor gets replaced by compute costs.

But here's what doesn't change: success rates.

Industry reporting through 2025 suggests AI-powered fraud attempts don't convert dramatically better than human-run campaigns. The advantage isn't that agents are more persuasive. It's that they can make more attempts at lower cost. If your success rate is 2%, you succeed twice as often by doubling your attempts, not by improving your pitch.

What becomes viable with agents?

Agents create economies of scale for attacks that previously required expensive human labor. This works two ways.

First, attacks that weren't economically viable become worthwhile. If an attack required four people working full-time, it had to generate enough to pay all four. Now one person with agents can run the same operation.

Second, existing attacks become profitable at smaller amounts. One fraudster with agents can do what previously required a whole team. Accept less per transaction when you don't have to split it ten ways.

This challenges existing controls: many fraud systems use amount thresholds calibrated to where attacks were historically profitable. When attacks become viable below those thresholds, detection systems need to adapt.

Vishing at scale. Phone-based social engineering has always been effective but expensive. If voice AI can handle calls convincingly, attackers could run hundreds of simultaneous vishing attempts instead of dozens.

Voice cloning. Modern AI can clone a voice from a few seconds of audio. Microsoft Research's VALL-E demonstrated zero-shot text-to-speech synthesis from just a 3-second sample of an unseen speaker.^[2] Combined with an agent that can make calls, this enables impersonation attacks that were previously impractical. The FBI's December 2024 PSA on generative-AI-facilitated financial fraud^[3] flags vocal cloning as a primary tactic, including using cloned voices to authorize wire transfers by impersonating an executive to a company's finance team.

Personalized attacks on smaller targets. When attacks require significant human time, they only make sense against high-value targets. If that cost drops to near-zero, suddenly a $500 gift card scam becomes viable to run thousands of times.

Multi-channel coordination. An agent system could potentially orchestrate SMS, email, and phone calls in tight sequences, with each channel reinforcing the others. The attack in our opening story, where texts and calls are separated by under a minute, becomes technically feasible.

24/7 operation. Agents don't sleep, don't take breaks, and don't have bad days. A fraud operation could run continuously without the staffing challenges of human teams.

The Current State: Mostly Theoretical, But Coming Fast

Here's where we need to be honest about uncertainty.

While individual components exist and work, we don't have confirmed examples of fully autonomous agentic fraud campaigns operating at scale. Voice AI exists. Email automation exists. The pieces are there. But documented cases of end-to-end autonomous fraud agents successfully running large campaigns? Those are scarce. Current fraud operations still rely heavily on human operators, even when they use AI tools for specific tasks.

But this isn't years away. The gap between "technically possible" and "reliably operational" is closing fast. Every month, the tools get more capable, more accessible, and easier to connect together. When agentic fraud does arrive at scale, it will hit like a ton of bricks for anyone who isn't prepared.

The time to understand these capabilities is now, while it's still mostly theoretical. Once it's operational, you're already behind.

How Agents Fail Differently

Here's an insight worth keeping in mind: agents don't fail like humans.

Human operators make human mistakes. They typo. Their timing varies based on mood, fatigue, and distraction. They get flustered when victims push back. They have good days and bad days.

Agents fail differently. Their patterns look like this:

This creates potential detection opportunities. Perfect consistency is its own red flag. When every communication has zero errors, when timing is precise to the second, when dozens of parallel operations follow identical patterns, something unusual is happening.

Of course, sophisticated agents can be programmed to add artificial typos, randomize timing, and simulate human variation. This is an ongoing arms race. But adding convincing imperfection is harder than it sounds, and many current tools don't bother. Early agentic attacks will likely show machine-like patterns before operators learn to mask them.

We're still developing intuitions about what "machine signatures" look like in fraud attacks. The patterns will evolve, but the underlying principle remains: understand how these systems behave differently from humans.

Same Tools for Defenders

Every capability we've discussed is equally available for defense.

If agents can analyze patterns across thousands of transactions, fraud teams can use them for detection. If agents can coordinate across multiple channels, investigators can use them to correlate suspicious activity. If agents can work 24/7 without breaks, monitoring systems can too.

The advantage defenders have: you can use these tools legally and openly. Attackers face operational security constraints. They need to hide their infrastructure, rotate their approaches, and avoid detection. You don't.

This is an arms race, not a one-sided threat. The same technology that enables new attack vectors enables new defenses. Understanding how agents work positions you to use them for protection, not just to defend against them.

Key Takeaways

• Agents add memory, tools, and persistence to LLMs. An LLM can only generate text. An agent can send emails, make calls, browse the web, and pursue goals over time.
• The economic shift is about labor costs, not success rates. Agents don't necessarily convert better than humans. They make more attempts at lower cost.
• What becomes viable: attacks that weren't worth the human labor. Vishing at scale, personalized attacks on smaller targets, tight multi-channel coordination.
• Most agentic fraud is still theoretical. Components exist, but fully autonomous fraud campaigns at scale aren't well-documented yet.
• Defenders have access to the same tools. Every capability that enables attacks also enables detection and response.

What's next: How Agents Are Built demystifies agent architecture with real examples and resources to try yourself.

Key Terms

AI Agent: An LLM connected to tools that allow it to take actions in the world, combined with memory and planning capabilities that enable it to pursue goals over time.

Tool use: The ability of an agent to call external systems like email servers, databases, APIs, or web browsers. Tools are what let agents act, not just talk.

Orchestration: The logic that coordinates an agent's actions, deciding what to do next, handling errors, and managing multi-step operations.

Multi-channel attack: A fraud attempt that coordinates across multiple communication channels (email, phone, SMS) in a unified operation.

Voice cloning: AI technology that can replicate a person's voice from audio samples, enabling impersonation in phone calls.

Vishing: Voice phishing. Social engineering attacks conducted over phone calls.

Parallelization: Running multiple operations simultaneously. Where humans handle conversations one at a time, agent systems can potentially manage many concurrent interactions.

Machine signature: Patterns in agent behavior that differ from human patterns, like perfect consistency, precise timing, and zero errors. These "too perfect" patterns can be detection opportunities.

References

1. Anthropic — Building Effective Agents (December 19, 2024)↗ - Engineering guide defining agents as "systems where LLMs dynamically direct their own processes and tool usage"

2. VALL-E: Neural Codec Language Models are Zero-Shot Text to Speech Synthesizers (arXiv:2301.02111)↗ - Microsoft Research; demonstrates voice synthesis from a 3-second enrolled recording of an unseen speaker

3. FBI / IC3 Public Service Announcement, "Criminals Use Generative Artificial Intelligence to Facilitate Financial Fraud" (December 3, 2024)↗ - Includes a section on AI-generated audio / vocal cloning used to impersonate executives and request payments

4. OWASP Top 10 for Large Language Model Applications (2025)↗ - LLM06:2025 covers "Excessive Agency" risks from agents with unbounded tool permissions