$3.05 billion in reported losses to business email compromise in 2025 (FBI IC3).See the numbers by country →
€2.5B

in fraudulent credit transfers sent across the EU/EEA in 2024 — up 24% in one year, making the instrument businesses pay invoices with the biggest fraud channel

EBA/ECB 2025 Report on Payment Fraud · Calendar 2024

74%

of fraudulent credit-transfer value came from "manipulation of the payer" — the victim was deceived into authorising the payment themselves (up from 65% in 2023)

EBA/ECB 2025 Report on Payment Fraud · Calendar 2024

€4.2B

total reported payment fraud across the EU/EEA in 2024, all instruments combined — credit transfers, cards, direct debits, e-money

EBA/ECB 2025 Report on Payment Fraud · Calendar 2024

The numbers

What the European Union loses to payment fraud.

Oct 2025

Verification of Payee became mandatory: euro-area banks must offer a free name-vs-IBAN check before euro transfers — but it warns rather than blocks, and corporate bulk payment files can opt out

Instant Payments Regulation (EU) 2024/886 · In force from 9 October 2025

60%

of French SMEs faced at least one fraud attempt in the past 12 months; fake-supplier fraud was the most common external technique, hitting 42% of victim companies

Allianz Trade / Odoxa fraud barometer, 2026 · 12 months to mid-2026

€1.3B

in card fraud on EU-issued cards in 2024, for scale — credit-transfer fraud is now almost twice the size of card fraud

EBA/ECB 2025 Report on Payment Fraud · Calendar 2024

Behind the numbers

How these losses actually happen.

Payment fraud in the EU is growing again. The joint EBA/ECB report published in December 2025 — the official supervisory dataset collected from payment providers under PSD2 — puts total reported payment fraud across the EU/EEA at €4.2 billion for 2024. Credit transfers, the instrument virtually every European supplier invoice is paid with, are now the biggest channel at €2.5 billion, up 24% in a single year.

The nature of the fraud has changed. Strong customer authentication largely closed the door on stolen-credential fraud, so criminals switched to manipulating the payer instead: in 2024, 74% of fraudulent credit-transfer value came from scams where the account holder was deceived into authorising the payment themselves. Europol calls online fraud the fastest-growing area of organised crime in the EU, and names business email compromise among its top profit generators.

For businesses, the sharp end is supplier impersonation. French police logged 649 fraudulent-transfer-order cases against businesses and public bodies in 2024, worth €34 million. In Ireland, bank-reported SME losses to email-enabled scams reached €18.9 million over two years — invoice redirection was the majority of cases, at an average of more than €22,000 per incident.

The liability picture is what makes this existential: because these payments are technically authorised, banks are generally not obliged to refund them. Customers — not banks — bore roughly 85% of EU credit-transfer fraud losses in 2024.

What the system covers

Verification of Payee warns. It doesn't block, and it doesn't refund.

Until 9 October 2025, a standard SEPA credit transfer never checked the payee's name — banks validated only that the IBAN was structurally valid. Under the Instant Payments Regulation, euro-area banks must now offer a free Verification of Payee check that compares the payee name against the IBAN and returns match, close match, or no match before the payer confirms. Non-euro EU countries follow by July 2027.

Two gaps matter for businesses. VoP warns but does not block — a payer can proceed past a no-match result, and generally still bears the loss if they do. And non-consumer payers submitting bulk payment files may opt out of the check entirely, which means accounts-payable batch runs can bypass it.

On refunds: PSD2 obliges banks to reimburse unauthorised transactions, but a transfer your own employee approved is authorised — and authorised push payments are generally not reimbursable. There is no EU-wide reimbursement scheme comparable to the UK's, and the pending PSD3/PSR package proposes extending bank liability only in narrow cases like bank impersonation, not supplier-impersonation invoice fraud.

What this means for you

EU small businesses pay by SEPA transfer. That's exactly where the fraud is.

EU SMEs pay virtually all supplier invoices by credit transfer — the instrument where fraud grew 24% in 2024 and where three-quarters of losses now come from deceiving the payer. The survey data shows how wide the targeting is: 60% of French SMEs faced a fraud attempt in a year, with fake-supplier fraud the most common technique, and Irish SMEs lost an average of €22,000 per invoice-redirection incident.

Unlike consumers, businesses have little safety net. Authorised payments are generally not refunded, customers bore about 85% of credit-transfer fraud losses, and the new Verification of Payee check can be opted out of in exactly the bulk payment files SMB finance teams use.

PayHQ closes the gap VoP leaves open: it checks each incoming invoice against the supplier record your team has verified — name, registration, and bank details — and flags a changed account before the payment run, whether or not your bank's name check fires.

FAQ

Common questions about fraud in the European Union.

What is APP fraud called in the EU?

The EBA/ECB data calls it "manipulation of the payer" — the account holder is deceived into authorising the payment. It accounted for 74% of fraudulent credit-transfer value in 2024, up from 65% in 2023. It is the same crime the UK calls authorised push payment (APP) fraud.

Does Verification of Payee stop invoice fraud?

It helps at the moment of payment, but it warns rather than blocks, corporate bulk files can opt out, and it cannot catch the upstream problem: a supplier's bank details changed via a compromised email thread, where the name and IBAN the fraudster supplies match each other perfectly.

Will my bank refund an authorised payment to a fraudster?

Generally no. PSD2 requires refunds for unauthorised transactions, but a payment your team approved is authorised — customers bore roughly 85% of EU credit-transfer fraud losses in 2024. There is no EU-wide reimbursement scheme like the UK's.

Sources & methodology

Where these numbers come from.

Every statistic on this page was checked against the named source in July 2026, and the figures quoted in the narrative come from the same verified set as the stat cards. Figures describe what each source measures — reported losses are not the same as total losses, and most fraud goes unreported. When a figure cannot be verified against a primary source, we remove it rather than keep it.

Other regions

Compare with other markets.

Protect your supplier payments in the European Union.

PayHQ checks every incoming invoice against your verified supplier records and flags changed bank details before the payment goes out.