of bank-transfer fraud losses are borne by the customer, not the bank — Banca d'Italia attributes this directly to the fact that manipulated-payer cases cannot trigger the refund available for unauthorised transactions
Banca d'Italia · H2 2024
Banca d'Italia publishes what almost no other central bank does: fraud broken out by payment instrument, with the loss split between bank and customer. For bank transfers — how Italian companies pay invoices — the split is brutal, and the central bank explains exactly why.
Last reviewed July 2026 · Every statistic card links to its source
in fraudulent bank transfers (bonifici) ordered through Italian payment providers — up 61% year on year, across roughly 25,600 fraudulent transfers (up 90%)
Banca d'Italia, report on fraudulent payment transactions · H2 2024
of bank-transfer fraud losses are borne by the customer, not the bank — Banca d'Italia attributes this directly to the fact that manipulated-payer cases cannot trigger the refund available for unauthorised transactions
Banca d'Italia · H2 2024
of bank-transfer fraud value came from "manipolazione del pagatore" — the payer was deceived into issuing the transfer themselves, the mechanism behind CEO fraud and fake-supplier fraud
Banca d'Italia · H2 2024
average value of a fraudulent ordinary bank transfer in Italy — against €87 for card fraud and €45 for e-money. Transfer fraud is business-sized fraud
Banca d'Italia · H2 2024
lost by an Italian law firm that paid its accountant's invoice to a fraudster's IBAN after a BEC actor joined the email thread — the banking arbitrator ruled neither bank was liable, because the transfer was authorised
Arbitro Bancario Finanziario, decision 9601/2025 (via Diritto Bancario) · Fraud February 2024; ABF Milano decision no. 9601, 4 November 2025
in fraudulent credit transfers reported by Italian payment providers to EU supervisors — the EU's own comparable measure
EBA/ECB 2025 Report on Payment Fraud · Calendar 2024
stolen through economic and financial cybercrime handled by Italy's Postal Police, across 27,085 cases — an aggregate figure, not broken out by BEC
Polizia di Stato, Polizia Postale · Calendar 2025
fraud rate on instant bank transfers in the first half of 2025, down from prior periods — a fall Banca d'Italia attributes to Verification of Payee taking effect in October 2025
Banca d'Italia · H1 2025
of Italian SMEs suffered at least one cyberattack or breach in the past three years — a general cyber measure, not payment-fraud-specific
Confindustria / Generali, Cyber Index PMI 2025 · Presented March 2026 (survey of 1,500+ firms)
Banca d'Italia's semi-annual fraud report is the most useful document of its kind in Europe, because it separates the instrument businesses actually use. In the second half of 2024, fraudulent bonifici reached €65.5 million — up 61% in a year — across roughly 25,600 transactions, up 90%.
The average size tells you who the victim is. The average fraudulent ordinary bonifico was €5,864, against €87 for a card payment and €45 for e-money. These are not consumer-scale losses; they are the size of a business paying an invoice.
Two thirds of that fraud value — 67% — came from what Banca d'Italia calls "manipolazione del pagatore": the payer was deceived into issuing the payment themselves. That is CEO fraud, fake-supplier fraud, and what Italy calls "man in the mail", where a fraudster inserts himself into an email thread and substitutes the IBAN on a genuine invoice.
And Banca d'Italia states the consequence plainly: customers bear 89% of bank-transfer fraud losses, because manipulated-payer cases do not qualify for the automatic refund that unauthorised transactions get. It is rare for a central bank to publish, in its own data, the precise reason its citizens are not being made whole.
Italy's PSD2 transposition, D.Lgs. 11/2010, gives an automatic refund right — by the end of the next business day — only for unauthorised transactions. Where the customer was deceived into knowingly authorising the payment, which is what CEO fraud, fake-supplier fraud and man-in-the-mail all are, that mechanism does not apply. Banca d'Italia says so in its own report, and its 89% customer-loss share is the direct consequence.
The clearest illustration is a decided case, not a hypothetical. In ABF Milano decision no. 9601, issued 4 November 2025, an Italian law firm paid its accountant's invoice to an IBAN supplied by a fraudster who had inserted himself into the email thread. It lost €28,000. The banking arbitrator found neither the sending nor the receiving bank liable: the transfer was authorised under D.Lgs. 11/2010, and the payment predated the Verification of Payee mandate. The firm recovered nothing.
There is a second trap for Italian companies. D.Lgs. 11/2010 treats micro-enterprises — under 10 employees and €2 million turnover — as consumers. For any business above that threshold, banks may contractually derogate a wide set of protections, including article 12, the core unauthorised-transaction refund right. A mid-size Italian company can be contractually stripped of most of the protections a consumer keeps automatically.
Verification of Payee (Verifica del Beneficiario) has been mandatory since 9 October 2025 for both ordinary and instant transfers, and Banca d'Italia's early data suggests it is having some effect — the instant-transfer fraud rate fell in the first half of 2025. But the mechanism cuts both ways: where VoP returns a mismatch and the payer proceeds regardless, responsibility for the loss falls squarely on the payer.
The average fraudulent Italian bank transfer is €5,864 — sixty-seven times the average fraudulent card payment. This is a crime aimed at organisations paying invoices, and the ABF 9601 case shows what it looks like at the small-firm end: a professional practice, a genuine invoice from its own accountant, a substituted IBAN, €28,000 gone, and no recovery from either bank.
Italian law helps only the smallest firms. Micro-enterprises are treated as consumers under D.Lgs. 11/2010; above that threshold, banks may contract out of the core refund protections entirely. Combined with Banca d'Italia's finding that customers bear 89% of transfer-fraud losses, an Italian PMI should assume that a payment made to a fraudster's IBAN is a payment it will not see again.
Verification of Payee raises the floor, but cannot see a hijacked email thread where the name and IBAN match. PayHQ checks each incoming invoice against the supplier record your team verified and flags a changed IBAN before the bonifico is released.
Banca d'Italia reported €65.5 million in fraudulent bank transfers in the second half of 2024 alone, up 61% year on year. The average fraudulent ordinary transfer was €5,864 — business-sized, not consumer-sized.
The company, almost always. Banca d'Italia reports that customers bear 89% of bank-transfer fraud losses, and states the reason: manipulated-payer cases cannot trigger the automatic refund that unauthorised transactions receive.
Yes. In ABF Milano decision 9601 (4 November 2025), a law firm that paid its accountant's invoice to a fraudster's IBAN — after a BEC actor joined the email thread — lost €28,000 and recovered nothing. The arbitrator found neither bank liable because the transfer was authorised.
Italy's common name for BEC invoice interception: a fraudster gets inside an email thread between a company and its supplier, and substitutes the IBAN on an otherwise genuine invoice. It falls within Banca d'Italia's "manipolazione del pagatore" category, which is 67% of transfer-fraud value.
Every statistic on this page was checked against the named source in July 2026. Banca d'Italia's figures are reported by payment providers and cover both consumers and businesses — it does not publish a business-only split. The EBA/ECB report flags Italy's fraudulent-transaction count for 2024 as overreported due to incorrect submissions, so only the value figure is quoted here, not the transaction count. Figures describe what each source measures — reported losses are not the same as total losses, and most fraud goes unreported. National figures are not directly comparable between countries, because each country counts differently. When a figure cannot be verified against a primary source, we remove it rather than keep it.
PayHQ checks every incoming invoice against your verified supplier records and flags changed bank details before the payment goes out.