$3.05 billion in reported losses to business email compromise in 2025 (FBI IC3).See the numbers by country →
€65.5M

in fraudulent bank transfers (bonifici) ordered through Italian payment providers — up 61% year on year, across roughly 25,600 fraudulent transfers (up 90%)

Banca d'Italia, report on fraudulent payment transactions · H2 2024

89%

of bank-transfer fraud losses are borne by the customer, not the bank — Banca d'Italia attributes this directly to the fact that manipulated-payer cases cannot trigger the refund available for unauthorised transactions

Banca d'Italia · H2 2024

67%

of bank-transfer fraud value came from "manipolazione del pagatore" — the payer was deceived into issuing the transfer themselves, the mechanism behind CEO fraud and fake-supplier fraud

Banca d'Italia · H2 2024

The numbers

What Italy loses to payment fraud.

€5,864

average value of a fraudulent ordinary bank transfer in Italy — against €87 for card fraud and €45 for e-money. Transfer fraud is business-sized fraud

Banca d'Italia · H2 2024

€28,000

lost by an Italian law firm that paid its accountant's invoice to a fraudster's IBAN after a BEC actor joined the email thread — the banking arbitrator ruled neither bank was liable, because the transfer was authorised

Arbitro Bancario Finanziario, decision 9601/2025 (via Diritto Bancario) · Fraud February 2024; ABF Milano decision no. 9601, 4 November 2025

€159M

in fraudulent credit transfers reported by Italian payment providers to EU supervisors — the EU's own comparable measure

EBA/ECB 2025 Report on Payment Fraud · Calendar 2024

€269M+

stolen through economic and financial cybercrime handled by Italy's Postal Police, across 27,085 cases — an aggregate figure, not broken out by BEC

Polizia di Stato, Polizia Postale · Calendar 2025

0.043%

fraud rate on instant bank transfers in the first half of 2025, down from prior periods — a fall Banca d'Italia attributes to Verification of Payee taking effect in October 2025

Banca d'Italia · H1 2025

24%

of Italian SMEs suffered at least one cyberattack or breach in the past three years — a general cyber measure, not payment-fraud-specific

Confindustria / Generali, Cyber Index PMI 2025 · Presented March 2026 (survey of 1,500+ firms)

Behind the numbers

How these losses actually happen.

Banca d'Italia's semi-annual fraud report is the most useful document of its kind in Europe, because it separates the instrument businesses actually use. In the second half of 2024, fraudulent bonifici reached €65.5 million — up 61% in a year — across roughly 25,600 transactions, up 90%.

The average size tells you who the victim is. The average fraudulent ordinary bonifico was €5,864, against €87 for a card payment and €45 for e-money. These are not consumer-scale losses; they are the size of a business paying an invoice.

Two thirds of that fraud value — 67% — came from what Banca d'Italia calls "manipolazione del pagatore": the payer was deceived into issuing the payment themselves. That is CEO fraud, fake-supplier fraud, and what Italy calls "man in the mail", where a fraudster inserts himself into an email thread and substitutes the IBAN on a genuine invoice.

And Banca d'Italia states the consequence plainly: customers bear 89% of bank-transfer fraud losses, because manipulated-payer cases do not qualify for the automatic refund that unauthorised transactions get. It is rare for a central bank to publish, in its own data, the precise reason its citizens are not being made whole.

What the system covers

A decided case: €28,000 gone, and neither bank was liable.

Italy's PSD2 transposition, D.Lgs. 11/2010, gives an automatic refund right — by the end of the next business day — only for unauthorised transactions. Where the customer was deceived into knowingly authorising the payment, which is what CEO fraud, fake-supplier fraud and man-in-the-mail all are, that mechanism does not apply. Banca d'Italia says so in its own report, and its 89% customer-loss share is the direct consequence.

The clearest illustration is a decided case, not a hypothetical. In ABF Milano decision no. 9601, issued 4 November 2025, an Italian law firm paid its accountant's invoice to an IBAN supplied by a fraudster who had inserted himself into the email thread. It lost €28,000. The banking arbitrator found neither the sending nor the receiving bank liable: the transfer was authorised under D.Lgs. 11/2010, and the payment predated the Verification of Payee mandate. The firm recovered nothing.

There is a second trap for Italian companies. D.Lgs. 11/2010 treats micro-enterprises — under 10 employees and €2 million turnover — as consumers. For any business above that threshold, banks may contractually derogate a wide set of protections, including article 12, the core unauthorised-transaction refund right. A mid-size Italian company can be contractually stripped of most of the protections a consumer keeps automatically.

Verification of Payee (Verifica del Beneficiario) has been mandatory since 9 October 2025 for both ordinary and instant transfers, and Banca d'Italia's early data suggests it is having some effect — the instant-transfer fraud rate fell in the first half of 2025. But the mechanism cuts both ways: where VoP returns a mismatch and the payer proceeds regardless, responsibility for the loss falls squarely on the payer.

What this means for you

Italian PMI: business-sized losses, consumer-grade protection only if you are tiny.

The average fraudulent Italian bank transfer is €5,864 — sixty-seven times the average fraudulent card payment. This is a crime aimed at organisations paying invoices, and the ABF 9601 case shows what it looks like at the small-firm end: a professional practice, a genuine invoice from its own accountant, a substituted IBAN, €28,000 gone, and no recovery from either bank.

Italian law helps only the smallest firms. Micro-enterprises are treated as consumers under D.Lgs. 11/2010; above that threshold, banks may contract out of the core refund protections entirely. Combined with Banca d'Italia's finding that customers bear 89% of transfer-fraud losses, an Italian PMI should assume that a payment made to a fraudster's IBAN is a payment it will not see again.

Verification of Payee raises the floor, but cannot see a hijacked email thread where the name and IBAN match. PayHQ checks each incoming invoice against the supplier record your team verified and flags a changed IBAN before the bonifico is released.

FAQ

Common questions about fraud in Italy.

Who pays when an Italian company is defrauded on a bank transfer?

The company, almost always. Banca d'Italia reports that customers bear 89% of bank-transfer fraud losses, and states the reason: manipulated-payer cases cannot trigger the automatic refund that unauthorised transactions receive.

Has an Italian ruling actually decided this?

Yes. In ABF Milano decision 9601 (4 November 2025), a law firm that paid its accountant's invoice to a fraudster's IBAN — after a BEC actor joined the email thread — lost €28,000 and recovered nothing. The arbitrator found neither bank liable because the transfer was authorised.

What is "man in the mail"?

Italy's common name for BEC invoice interception: a fraudster gets inside an email thread between a company and its supplier, and substitutes the IBAN on an otherwise genuine invoice. It falls within Banca d'Italia's "manipolazione del pagatore" category, which is 67% of transfer-fraud value.

Sources & methodology

Where these numbers come from.

Every statistic on this page was checked against the named source in July 2026. Banca d'Italia's figures are reported by payment providers and cover both consumers and businesses — it does not publish a business-only split. The EBA/ECB report flags Italy's fraudulent-transaction count for 2024 as overreported due to incorrect submissions, so only the value figure is quoted here, not the transaction count. Figures describe what each source measures — reported losses are not the same as total losses, and most fraud goes unreported. National figures are not directly comparable between countries, because each country counts differently. When a figure cannot be verified against a primary source, we remove it rather than keep it.

Other countries

Compare with other EU markets.

Protect your supplier payments in Italy.

PayHQ checks every incoming invoice against your verified supplier records and flags changed bank details before the payment goes out.