$3.05 billion in reported losses to business email compromise in 2025 (FBI IC3).See the numbers by country →
€474.2M

in fraudulent credit transfers sent by payment providers in Germany — the largest credit-transfer fraud total of any EU/EEA country in the EU's supervisory data

EBA/ECB 2025 Report on Payment Fraud · Calendar 2024

153,909

fraudulent credit-transfer transactions reported in Germany — the instrument German businesses use to pay supplier invoices

EBA/ECB 2025 Report on Payment Fraud · Calendar 2024

74%

of fraudulent credit-transfer value across the EU/EEA came from "manipulation of the payer" — the account holder was deceived into authorising the transfer themselves (up from 65% in 2023)

EBA/ECB 2025 Report on Payment Fraud · Calendar 2024

The numbers

What Germany loses to payment fraud.

~€25,000

average damage per successful cyberattack on a German SME, across all attack types

HDI Cyberstudie 2026 · Survey fielded early 2026

49%

of German companies faced social-engineering attempts — fake emails or deceptive phone calls — in the past 12 months

Bitkom, Wirtschaftsschutz 2025 · Calendar 2025 (survey of 1,002 companies)

€0.9B

estimated outflow of funds through fraud attempts against German companies — a survey-based extrapolation, not a measured or reported loss figure

Bitkom, Wirtschaftsschutz 2025 · Calendar 2025

681,354

fraud cases recorded by German police in 2025 — but the crime statistics have no separate category for CEO fraud, invoice fraud, or payment redirection, so none can be isolated

BKA, Polizeiliche Kriminalstatistik 2025 · Calendar 2025

§675e

the provision of the German civil code that lets banks contractually disapply the payment-protection rules for business customers — protections a consumer keeps automatically

Bürgerliches Gesetzbuch, §675e BGB · In force

Behind the numbers

How these losses actually happen.

Germany reports the largest credit-transfer fraud total in the EU: €474,164,942 in 2024, across 153,909 fraudulent transactions, per the EU's own supervisory data collected from payment providers. That is the rail German businesses pay suppliers on, and it is where the money goes.

What Germany does not have is a national number for invoice fraud or CEO fraud. The Polizeiliche Kriminalstatistik records 681,354 fraud cases in 2025, but it has no standalone offence code for "CEO-Fraud", "Rechnungsbetrug" or payment redirection — they are folded into broader fraud categories and cannot be separated out. Anyone quoting a precise German CEO-fraud loss total is quoting something the official statistics do not publish.

Be careful with the headline figure that circulates most. Bitkom's widely-cited estimate — €289.2 billion in annual damage to the German economy, around €202 billion of it from cyberattacks — is a survey-based extrapolation from about 1,000 companies, not a measured loss. The BKA's own cybercrime report reproduces Bitkom's number rather than measuring one itself, and says so explicitly. Within that survey, the line item for money actually flowing out through fraud attempts is €0.9 billion.

The most useful German data is fresh and specific to the Mittelstand. HDI's 2026 cyber study, published in July 2026 from a survey of around 1,100 SME and self-employed decision-makers, found 7% had already been hit by CEO fraud or payment fraud, and 27% rate it a relevant risk. Bitkom separately found 49% of German companies had faced social-engineering attempts — fake emails, deceptive phone calls — in the past 12 months.

What the system covers

German law protects consumers. For companies, it is negotiable.

German law is strong on unauthorised payments: §675u BGB makes the bank liable and requires a prompt refund, and §675w puts the burden of proof on the bank to show a transaction was properly authenticated and authorised. The BGH has enforced this — in XI ZR 107/22 (March 2024) it held that a bank that cannot prove the customer authorised a payment must refund it.

None of that reaches invoice fraud. A transfer your accounts-payable team released after being deceived is an authorised payment, not an unauthorised one, so the §675u refund machinery never engages. The BGH's July 2025 ruling (XI ZR 107/24) shows how narrow the escape route is even in phishing cases: releasing a single TAN under pressure could count as a momentary lapse, but releasing several across different days was gross negligence, and the customer bore the loss.

For businesses there is a further catch that most German company owners do not know about: §675e BGB permits banks to contractually disapply much of this protective framework for non-consumer payment service users, and German banks' business terms commonly do exactly that. A Mittelstand company can therefore have materially weaker statutory protection than a retail customer at the same bank.

Verification of Payee has been mandatory in Germany since 9 October 2025, coordinated by Die Deutsche Kreditwirtschaft and rolled out across the Sparkassen, Volksbanken and the private banks — including changes to the EBICS channel corporates submit bulk payment files through. A future EU Payment Services Regulation, politically agreed in November 2025, would add a refund right for impersonation fraud and bank liability where a Verification-of-Payee mismatch is not properly flagged — but it is not yet law, and no transposition date is set.

What this means for you

The Mittelstand carries the risk, and can be contracted out of the protection.

HDI's July 2026 study of around 1,100 German SME decision-makers is the clearest current picture: 7% have already been hit by CEO fraud or payment fraud, 27% see it as a relevant risk, and the average cost of a successful cyberattack on an SME runs around €25,000. Bitkom's broader survey puts social-engineering attempts against German companies at 49% in a year.

The legal position is the part worth acting on. Because §675e BGB lets banks disapply the consumer protection framework for business customers, a German company generally cannot rely on being made whole after an authorised transfer to a fraudster's account. The practical consequence is that internal controls — dual authorisation, and a callback on any change of bank details — are not best practice for a German business; they are the actual defence.

That is precisely the control PayHQ automates: each incoming invoice is checked against the supplier record your team has verified, and a changed IBAN is flagged for a human to look at before the payment run goes out, whether or not the bank's name check fires.

FAQ

Common questions about fraud in Germany.

How much do German companies lose to CEO fraud specifically?

No official German source publishes that figure. The police crime statistics have no separate category for CEO fraud, invoice fraud, or payment redirection. Survey data is the best available: HDI found 7% of German SME decision-makers say their company has already been hit by CEO fraud or payment fraud.

Is the €202 billion German cybercrime damage figure real?

It is a survey-based extrapolation by the industry association Bitkom, not a measured loss. The BKA's own cybercrime report reproduces Bitkom's estimate rather than measuring one, and says so. Within the same survey, the money actually flowing out through fraud attempts is estimated at €0.9 billion.

Will a German bank reimburse my company after invoice fraud?

Generally not. §675u BGB requires refunds for unauthorised payments, and a transfer your team released is authorised. Worse for companies: §675e BGB lets banks contractually disapply these protections for business customers, and business terms commonly do.

Sources & methodology

Where these numbers come from.

Every statistic on this page was checked against the named source in July 2026. Germany's police statistics have no offence code for invoice fraud or CEO fraud, so no official German loss total for them exists; the figures here come from the EU's supervisory data collected from payment providers, and from clearly-labelled industry surveys. Figures describe what each source measures — reported losses are not the same as total losses, and most fraud goes unreported. National figures are not directly comparable between countries, because each country counts differently. When a figure cannot be verified against a primary source, we remove it rather than keep it.

Other countries

Compare with other EU markets.

Protect your supplier payments in Germany.

PayHQ checks every incoming invoice against your verified supplier records and flags changed bank details before the payment goes out.