of fraudulent credit-transfer value came from "manipulation of the payer" — the victim was deceived into authorising the payment themselves (up from 65% in 2023)
EBA/ECB 2025 Report on Payment Fraud · Calendar 2024
Credit transfers are the rails every European supplier invoice rides on, and they are now the biggest fraud channel in the EBA/ECB's EU/EEA data. These are the verified numbers from the EBA and ECB's supervisory data, Europol, and national reporting.
Last reviewed July 2026 · Every statistic card links to its source
in fraudulent credit transfers sent across the EU/EEA in 2024 — up 24% in one year, making the instrument businesses pay invoices with the biggest fraud channel
EBA/ECB 2025 Report on Payment Fraud · Calendar 2024
of fraudulent credit-transfer value came from "manipulation of the payer" — the victim was deceived into authorising the payment themselves (up from 65% in 2023)
EBA/ECB 2025 Report on Payment Fraud · Calendar 2024
of credit-transfer fraud losses were borne by the customers — businesses and consumers — rather than by banks
EBA/ECB 2025 Report on Payment Fraud · Calendar 2024
total reported payment fraud across the EU/EEA in 2024, all instruments combined — credit transfers, cards, direct debits, e-money
EBA/ECB 2025 Report on Payment Fraud · Calendar 2024
Verification of Payee became mandatory: euro-area banks must offer a free name-vs-IBAN check before euro transfers — but it warns rather than blocks, and corporate bulk payment files can opt out
Instant Payments Regulation (EU) 2024/886 · In force from 9 October 2025
fraudulent transfer-order cases against French businesses and public bodies, worth €34 million — supplier bank-detail substitution and CEO fraud
Banque de France OSMP annual report, citing DNPJ · Calendar 2024
of French SMEs faced at least one fraud attempt in the past 12 months; fake-supplier fraud was the most common external technique, hitting 42% of victim companies
Allianz Trade / Odoxa fraud barometer, 2026 · 12 months to mid-2026
lost by Irish SMEs to email-related scams in two years — invoice redirection was the majority of cases, with an average loss above €22,000 per incident
Banking & Payments Federation Ireland, FraudSMART · Two years to March 2026
Europol ranks online fraud schemes as the fastest-growing area of organised crime in the EU, with business email compromise among the top profit-generating schemes
Europol, Internet Organised Crime Threat Assessment · IOCTA 2026 assessment
in card fraud on EU-issued cards in 2024, for scale — credit-transfer fraud is now almost twice the size of card fraud
EBA/ECB 2025 Report on Payment Fraud · Calendar 2024
Each country counts fraud differently, regulates it differently, and leaves the loss in a different place. These pages use each country’s own national sources — and, where a country publishes no figure for invoice fraud, they say so.
Banque de France, OSMP annual report 2024 · Calendar 2024
See the numbers →EBA/ECB 2025 Report on Payment Fraud · Calendar 2024
See the numbers →Banca d'Italia, report on fraudulent payment transactions · H2 2024
See the numbers →EBA/ECB 2025 Report on Payment Fraud · Calendar 2024
See the numbers →De Nederlandsche Bank (DNB) · Calendar 2025
See the numbers →EBA/ECB 2025 Report on Payment Fraud · Calendar 2024
See the numbers →BPFI / FraudSMART · Two years to March 2026
See the numbers →Narodowy Bank Polski, quarterly report on fraudulent transactions · Q1 2025 (and Q2 2025)
See the numbers →Polismyndigheten, Nationellt bedrägericentrum · Calendar 2025
See the numbers →Payment fraud in the EU is growing again. The joint EBA/ECB report published in December 2025 — the official supervisory dataset collected from payment providers under PSD2 — puts total reported payment fraud across the EU/EEA at €4.2 billion for 2024. Credit transfers, the instrument virtually every European supplier invoice is paid with, are now the biggest channel at €2.5 billion, up 24% in a single year.
The nature of the fraud has changed. Strong customer authentication largely closed the door on stolen-credential fraud, so criminals switched to manipulating the payer instead: in 2024, 74% of fraudulent credit-transfer value came from scams where the account holder was deceived into authorising the payment themselves. Europol calls online fraud the fastest-growing area of organised crime in the EU, and names business email compromise among its top profit generators.
For businesses, the sharp end is supplier impersonation. French police logged 649 fraudulent-transfer-order cases against businesses and public bodies in 2024, worth €34 million. In Ireland, bank-reported SME losses to email-enabled scams reached €18.9 million over two years — invoice redirection was the majority of cases, at an average of more than €22,000 per incident.
The liability picture is what makes this existential: because these payments are technically authorised, banks are generally not obliged to refund them. Customers — not banks — bore roughly 85% of EU credit-transfer fraud losses in 2024.
Until 9 October 2025, a standard SEPA credit transfer never checked the payee's name — banks validated only that the IBAN was structurally valid. Under the Instant Payments Regulation, euro-area banks must now offer a free Verification of Payee check that compares the payee name against the IBAN and returns match, close match, or no match before the payer confirms. Non-euro EU countries follow by July 2027.
Two gaps matter for businesses. VoP warns but does not block — a payer can proceed past a no-match result, and generally still bears the loss if they do. And non-consumer payers submitting bulk payment files may opt out of the check entirely, which means accounts-payable batch runs can bypass it.
On refunds: PSD2 obliges banks to reimburse unauthorised transactions, but a transfer your own employee approved is authorised — and authorised push payments are generally not reimbursable. There is no EU-wide reimbursement scheme comparable to the UK's, and the pending PSD3/PSR package proposes extending bank liability only in narrow cases like bank impersonation, not supplier-impersonation invoice fraud.
EU SMEs pay virtually all supplier invoices by credit transfer — the instrument where fraud grew 24% in 2024 and where three-quarters of losses now come from deceiving the payer. The survey data shows how wide the targeting is: 60% of French SMEs faced a fraud attempt in a year, with fake-supplier fraud the most common technique, and Irish SMEs lost an average of €22,000 per invoice-redirection incident.
Unlike consumers, businesses have little safety net. Authorised payments are generally not refunded, customers bore about 85% of credit-transfer fraud losses, and the new Verification of Payee check can be opted out of in exactly the bulk payment files SMB finance teams use.
PayHQ closes the gap VoP leaves open: it checks each incoming invoice against the supplier record your team has verified — name, registration, and bank details — and flags a changed account before the payment run, whether or not your bank's name check fires.
Payment providers reported €4.2 billion in fraudulent transactions across the EU/EEA in 2024 (EBA/ECB supervisory data). Credit transfers were the largest channel at €2.5 billion, up 24% year on year.
The EBA/ECB data calls it "manipulation of the payer" — the account holder is deceived into authorising the payment. It accounted for 74% of fraudulent credit-transfer value in 2024, up from 65% in 2023. It is the same crime the UK calls authorised push payment (APP) fraud.
It helps at the moment of payment, but it warns rather than blocks, corporate bulk files can opt out, and it cannot catch the upstream problem: a supplier's bank details changed via a compromised email thread, where the name and IBAN the fraudster supplies match each other perfectly.
Generally no. PSD2 requires refunds for unauthorised transactions, but a payment your team approved is authorised — customers bore roughly 85% of EU credit-transfer fraud losses in 2024. There is no EU-wide reimbursement scheme like the UK's.
Every statistic on this page was checked against the named source in July 2026, and the figures quoted in the narrative come from the same verified set as the stat cards. Figures describe what each source measures — reported losses are not the same as total losses, and most fraud goes unreported. When a figure cannot be verified against a primary source, we remove it rather than keep it.
PayHQ checks every incoming invoice against your verified supplier records and flags changed bank details before the payment goes out.