Navigating payment fraud in Europe - Insights from the December 2025 EBA ECB report
- frederic lebeau
- Dec 19, 2025
Updated: Dec 22, 2025
Payment fraud continues to challenge the European financial ecosystem, evolving in complexity and scale. The December 2025 report by the European Banking Authority (EBA) and the European Central Bank (ECB) sheds new light on this issue based on 2024 figures. The figures for 2025 will most probably be even worse. In this blog post we explore the key findings of the report and our analysis, focusing on the structural mismatch between current fraud methods and existing regulations, the two main fraud models, and the critical role of social engineering. Understanding these elements is essential for stakeholders aiming to strengthen payment security across Europe.

The evolving face of payment fraud in Europe
The EBA–ECB report clearly shows that payment fraud in Europe is not static. Fraudsters continuously adapt to new technologies and regulatory frameworks, often staying one step ahead of defensive measures. While the current regulatory environment has significantly improved protection—particularly through mechanisms such as Strong Customer Authentication (SCA)—it is increasingly struggling to keep pace with the evolving fraud landscape.
This growing gap creates exploitable vulnerabilities and highlights why upcoming regulations such as PSD3 and the Payment Services Regulation (PSR) must go further.
One of the report’s key insights is the structural mismatch between the speed at which fraud evolves and the way protection mechanisms are designed. SCA has been highly effective at ensuring that the right user is executing a transaction, dramatically reducing traditional forms of unauthorised fraud. However, fraudsters have rapidly adapted their approach: instead of bypassing authentication, they now manipulate legitimate users into authorising payments themselves.
As a result, fraud increasingly passes through strong authentication rather than around it—exposing the limits of controls that focus on identity and execution, but not on intent, context, or manipulation.
Card fraud and credit transfer fraud
The report identifies two primary fraud models that dominate the European payment fraud scene:
Card fraud: High volume, Low value
Card fraud involves a large number of transactions, each typically involving small amounts. Fraudsters use stolen card details to make numerous purchases or cash withdrawals. This model relies on volume to generate significant illicit gains. Examples include:
- Card-not-present fraud, where online transactions are made using stolen card information.
- Skimming devices installed at ATMs or point-of-sale terminals to capture card data.

The high-volume nature of card fraud means it often goes unnoticed until aggregated losses become significant.
Credit transfer fraud: Low volume, High value
Credit transfer fraud involves fewer transactions but with much larger sums. Fraudsters often target businesses or individuals through sophisticated scams, such as:
- Bank impersonation, in which fraudsters impersonate a trusted bank to create urgency or fear, manipulating customers into authorising high-value credit transfers.
- Invoice fraud, where fake invoices are sent to companies, tricking them into transferring funds to fraudulent accounts.
- Investment scams, where victims are persuaded to transfer funds to fraudulent accounts under the promise of high or guaranteed returns.
Because each transaction often involves substantial sums, the financial and emotional impact on victims can be severe—even when the total number of incidents is relatively low. Unlike card fraud, these transactions are usually authorised, authenticated, and executed as designed, making detection and recovery significantly more complex.
| Card fraud | Credit transfer fraud |
| --- | --- |
| Automated | Human-driven |
| High-volume | Low-volume |
| Low value (~€70/case) | High value (€2,000–€3,000/case) |
| Infrastructure-focused | Psychology-focused |
The role of social engineering in payment fraud

Social engineering continues to be a potent tool for fraudsters. The report highlights that most credit transfer fraud cases start not with technical hacking but through the manipulation of individuals. Fraudsters leverage trust, urgency, and authority to circumvent security measures.
Since social engineering targets human psychology, it is challenging to combat with technology alone. The report recommends stronger authentication methods as essential, but fraudsters still exploit the weakest link: the user.
More than three-quarters of the total fraud value is now due to:
- Social engineering
- Impersonation
- Manipulation of the payer
Importantly, the report reveals that in most of these cases:
- Authentication is successfully completed
- SCA is applied correctly
- Transactions are technically legitimate
This leads to an uncomfortable but unavoidable conclusion:
PSD2 accomplished its intended purpose. The “pipes” are secure. The controls function. The failure point is no longer the transaction — it is the decision that precedes it. Fraud has shifted upstream, from systems to situations.
Why customers bear the losses — and why this alarms regulators
One of the most sensitive findings in the EBA–ECB report is illustrated by the comparison of fraud loss allocation across payment instruments:
- For card payments, the majority of fraud losses are absorbed by payment service providers.
- For credit transfers, customers bear approximately 85% of the losses.
This imbalance is not accidental. It reflects the current legal framework:
- The customer formally authorised the payment.
- The payment service provider executed the transaction as instructed.
- No technical or procedural failure can be identified.

However:
- Victims are manipulated rather than negligent.
- Individual losses are often severe and sometimes life-changing.
- Trust in digital payments and online banking is progressively weakened.
While the report stops short of calling for specific regulatory reforms, the evidence it presents clearly feeds into the ongoing PSD3 and Payment Services Regulation (PSR) discussions, particularly around liability and prevention obligations.
From strong authentication to situational awareness
For the past decade, fraud prevention has been built around a single, dominant question:
“Is this the right user?”
The EBA–ECB data makes it clear that this question is no longer sufficient.
The defining challenge of the next decade will be:
“Is this user being manipulated in this moment?”
Answering that question requires a fundamental shift in approach:
- Understanding behaviour in context, not in isolation
- Detecting abnormal intent, not just abnormal credentials
- Turning weak, fragmented signals across ecosystems into coherent, actionable intelligence
Crucially, this shift applies to the entire fraud lifecycle:
- Before the payment, by identifying manipulation patterns early and preventing harm
- During the transaction, by enriching decisions with real-time contextual risk
- After the event, by learning from confirmed fraud, adapting detection rules, and strengthening collective defences
In a landscape where fraud tactics evolve rapidly, continuous learning, fast adaptation, and intelligence sharing are no longer optional. They are the only way to keep pace with adversaries who innovate by design.
At Datavillage, we believe the future of fraud prevention lies in contextualising the transaction, payer and payee, breaking down data silos, and shortening the cycle between prevention, detection, learning, and action—allowing fraud controls to adapt as quickly as fraud tactics evolve.



