EBA/ECB ¦ 2025 Report on Payment Fraud

2025 EBA/ECB Report on Payment Fraud – Key Findings and Implications for Financial Crime Prevention

The 2025 joint report by the European Banking Authority and the European Central Bank synthesizes semi‑annual industry data for H1 2022 through H2 2024 on payment fraud across the EU/EEA. Total reported fraud reached EUR 4.2 billion in 2024, up 17% year‑on‑year. Credit transfers and card payments drove most of the value lost: fraudulent credit transfers amounted to EUR 2.5 billion and card‑related fraud to EUR 1.3 billion. By volume, card fraud dominates: roughly 17 million fraudulent card transactions were recorded in 2024, out of some 111 billion card payments with EU/EEA‑issued cards. Overall fraud rates remain very low relative to transaction volumes and values, but the patterns and distributions of fraud and losses highlight structural vulnerabilities and practical lessons for those fighting financial crime.

Where fraud concentrates and why that matters

Credit transfers carry the largest absolute fraud value even though their fraud rate is low, reflecting the high average value per transaction. The average fraudulent credit transfer was over EUR 2,000 in 2024, far above the average fraudulent card or e‑money payment. That concentration of value makes authorised push payment (APP) scams and payer manipulation especially damaging. Indeed, manipulation of payers is now the dominant fraud type for credit transfers, rising to account for more than half the total fraud value for that instrument.

Card fraud, by contrast, is concentrated in remote channels. Although most card transactions are non‑remote (point‑of‑sale), approximately 80–85% of card fraud value in 2024 came from remote card payments. Remote card fraud is typically carried out by attackers who use stolen card details or card‑not‑present credentials; counterfeit card use and lost/stolen card incidents also remain relevant in non‑remote contexts. The typical fraudster strategy for cards is high frequency, low value testing of credentials to avoid detection and exploit strong customer authentication (SCA) exemptions.

E‑money fraud shows mixed patterns: largely remote, with rising use of exemptions such as trusted beneficiaries and low‑value flows; in some countries e‑money fraud concentrates where e‑money adoption is higher.

The role and effect of strong customer authentication (SCA)

SCA is widely applied in value terms, especially for credit transfers (around 77% by value in 2024). Yet the share of transactions authenticated via SCA is lower for card and e‑money channels in volume terms (around 40% and 38% respectively) because contactless and other point‑of‑sale exemptions are prevalent.

The data indicates a protective effect of SCA. Fraud rates for SCA‑authenticated card transactions are materially lower than for non‑SCA card transactions, and fraud rates are substantially higher when the acquiring counterparty lies outside the EEA – a region where SCA may not apply. For card payments, fraud rates were many times higher for transactions acquired outside the EEA relative to domestic ones. For credit transfers, SCA‑authenticated transactions sometimes show higher fraud rates; the report explains that this is not evidence that SCA is ineffective but rather that SCA tends to be applied to higher‑value or higher‑risk transactions that are inherently more attractive to fraudsters.

SCA exemptions and abuse vectors

Exemptions in the RTS for SCA (for contactless low‑value payments, recurring flows, trusted beneficiaries, TRA, corporate protocols, payments to self, and certain merchant‑initiated transactions) have legitimate usability rationales, but the data highlights where they are most used and where risk concentrates. Contactless and low‑value exemptions account for the lion’s share of non‑SCA point‑of‑sale card payments and non‑remote e‑money transactions. For remote card payments, TRA and merchant‑initiated transaction (MIT) categories are common exemptions.

Crucially, certain exemptions show higher fraud rates. Remote card and e‑money transactions exempted under TRA, MIT, or classified as “other” frequently recorded fraud rates well above instrument averages. That suggests fraudsters adapt to target flows that commonly fall under exemptions. The report also notes instances where transactions were reported as outside SCA scope despite clarifications that some card flows remain within scope; that finding points to inconsistent interpretation or reporting and warrants further supervisory attention.

Bastian Schwind-Wagner _Follow

"The 2025 EBA/ECB payment fraud data shows fraud remains a small share of overall payments but concentrates in high‑value credit transfers and remote card channels, exposing consumers and PSPs to asymmetric losses. Strong customer authentication reduces risk where applied, yet exemptions and cross‑border flows sustain opportunities for fraudsters.

To mitigate these trends, firms must pair technical defenses (device binding, tokenization, anomaly detection) with consumer protection measures, clearer liability allocation and tighter oversight of SCA exemptions. Improved cross‑border cooperation and higher data quality in reporting will be essential to reduce arbitrage and enable timely, targeted interventions."

Loss allocation and consumer exposure

Losses reported to PSPs in 2024 totaled substantially more than prior years and were unevenly allocated among parties. PSUs bore most of the losses for credit transfers (around 85% of reported losses). For card payments PSUs bore about 38% of losses, while for e‑money PSPs and others usually absorbed the majority. The distribution of losses across countries varies widely; in some countries PSUs shoulder most of the impact of card fraud, while in others PSPs cover the bulk of the loss. Differences in national liability regimes, interpretations of authorisation and gross negligence, effectiveness of redress mechanisms, consumer awareness, and reporting practices all appear to contribute to variation in who ultimately pays.

Geographical patterns and cross‑border risk

Most transactions are domestic, but fraud is disproportionately cross‑border. Card fraud and a large share of credit transfer and direct debit fraud are cross‑border. A notable proportion of card fraud value (around 30% in 2024) involves transactions outside the EEA; those flows often lack the SCA and technical safeguards required in the EEA, raising exposure. Cross‑border fraud rates (both within and outside the EEA) are generally substantially higher than domestic rates across instruments, with the largest multipliers observed for card payments.

Operational and policy implications for financial crime practitioners

1. Prioritize payer manipulation and APP scam mitigation for high‑value rail protection. The increasing share of credit transfer fraud due to manipulation of payers means prevention programs must go beyond technical controls. Detection, consumer education, robust verification of payee identity (e.g., Verification of Payee), and strong dispute and reimbursement processes are critical to reduce the heavy consumer losses tied to APP scams.
2. Focus anti‑fraud controls on remote card channels. Remote card payments account for the majority of card fraud value and volume. Enhanced credential protection (tokenization, device binding), anomaly detection tuned for CNP attack patterns, rapid sharing of compromised credential indicators across PSPs and schemes, and more conservative reliance on TRA where abuse patterns are emerging will help reduce remote card fraud.
3. Review the application and governance of SCA exemptions. The data shows particular exemptions (TRA, MIT, “other”) carry higher fraud rates. Firms should apply granular monitoring of exempted flows, carry out frequent ex post reviews of TRA decisions, and safeguard the onboarding and ongoing monitoring of trusted beneficiaries and corporate protocol exceptions.
4. Improve cross‑border cooperation and technical harmonization. Cross‑border transactions, particularly those involving non‑EEA acquirers, present elevated fraud risk. Greater cross‑jurisdictional data sharing, harmonized standards for liability attribution and evidence requirements, and wider adoption of SCA‑equivalent controls beyond the EEA would reduce arbitrage opportunities for fraudsters.
5. Address uneven liability burdens through clearer dispute rules and supervision. The finding that PSUs bear a disproportionate share of credit transfer losses in many jurisdictions suggests that, despite PSD2 protections, national practices and interpretations of key legal concepts may erode consumer redress. Supervisors and industry should ensure consistent interpretation of authorisation, gross negligence and the burden of proof and promote accessible dispute resolution and reimbursement procedures where fraud occurs.
6. Enhance reporting accuracy and unified taxonomies. The report documents remaining data quality, coverage and classification issues. Accurate, harmonized reporting of fraud types, initiation channels and SCA treatment across PSPs and jurisdictions is a precondition for targeted interventions and meaningful benchmarking; regulators should insist on remediation of misclassifications and full coverage where feasible.
7. Combine technical controls with social engineering countermeasures. Given the dominance of payer manipulation for some instruments and remote attack methods for others, a combined approach is required: technical authentication and anti‑credential‑theft tools plus consumer education, fraud awareness campaigns, phishing/ smishing/ vishing detection, and proactive alerting when unusual payee or payment patterns occur.

Concluding perspective

Overall fraud levels remain low relative to payment volumes and values, but the evolution of types and channels of fraud underscores shifting criminal tactics and persistent vulnerabilities. The data confirms SCA’s protective effect within the EEA, yet it also highlights that exemptions, cross‑border flows and payer manipulation provide profitable avenues for attackers. Effective mitigation will require a mix of tighter operational controls, smarter use of exemptions, cross‑border coordination, clearer liability frameworks, and ongoing, high‑quality data collection and analysis. For investigators and financial crime teams, the report provides actionable priorities: concentrate effort on remote card fraud and APP scams, monitor exemption usage and outcomes closely, and push for better reimbursement processes to protect consumers while preserving incentives for PSPs to prevent fraud.

Dive deeper

• EBA ¦ Joint EBA-ECB report on payment fraud: strong authentication remains effective but fraudsters are adapting ¦ Link
• ECB ¦ Joint EBA-ECB report on payment fraud: strong authentication remains effective but fraudsters are adapting ¦ Link