$3.05 billion in reported losses to business email compromise in 2025 (FBI IC3).See the numbers by country →
€153M

in fraudulent credit transfers reported by Spanish payment providers, across 86,382 fraudulent transactions — the rail supplier invoices are paid on

EBA/ECB 2025 Report on Payment Fraud · Calendar 2024

Waivable

Spain's payment-fraud reimbursement rules are legally binding only for consumers and micro-enterprises — for any larger business, the bank may contractually disapply them

Real Decreto-ley 19/2018 (Spain's PSD2 transposition) · Real Decreto-ley 19/2018, in force

The numbers

What Spain loses to payment fraud.

9%

of business consultations to INCIBE's national helpline concerned fraude del CEO, and 18% concerned impersonation — INCIBE publishes no euro loss attached to either

INCIBE, Balance de Ciberseguridad 2025 · Calendar 2025

45,445

online-fraud incidents handled by Spain's national cybersecurity institute — up 19%, and four of every ten incidents it dealt with

INCIBE, Balance de Ciberseguridad 2025 · Calendar 2025

1.83M/day

Verification of Payee checks run daily by 120+ Spanish institutions since the service launched on 5 October 2025 — but the Banco de España confirms the check is optional for business bulk payments

Iberpay / Banco de España · Live since 5 October 2025

74%

of fraudulent credit-transfer value across the EU/EEA came from "manipulation of the payer" — the account holder was deceived into authorising the transfer themselves (up from 65% in 2023)

EBA/ECB 2025 Report on Payment Fraud · Calendar 2024

Behind the numbers

How these losses actually happen.

Spanish payment providers reported €153,027,315 in fraudulent credit transfers in 2024, across 86,382 transactions, in the EU's supervisory data. Card fraud was a comparable €141 million — but spread across vastly more transactions, at much smaller values. Transfers are where the large single losses happen.

Spain's crime statistics cannot take you further than that. The Ministerio del Interior recorded 429,677 "fraude informático" offences in 2025, nearly 90% of all recorded cybercrime — but it does not break out CEO fraud, BEC, invoice fraud, or supplier impersonation as distinct categories at all. No Spanish official source publishes a euro figure for invoice fraud. Anyone who quotes you one is not quoting an official statistic.

The closest official signal comes from INCIBE, Spain's national cybersecurity institute, which handled 45,445 online-fraud incidents in 2025, up 19%. Of the consultations it received specifically from businesses, 18% concerned impersonation and 9% concerned fraude del CEO — a meaningful share, though INCIBE publishes no loss figure attached to them.

The Banco de España's complaints data shows where the system's attention actually sits: fraud made up 14% of complaint subject matter in 2024, in a record year of 56,099 complaints — but 98% of those complaints came from consumers. The bank-liability criteria Spanish regulators publish are built almost entirely on consumer disputes, not business ones.

What the system covers

Under ten employees, you are a consumer. Over ten, you are on your own.

Spain's PSD2 transposition, Real Decreto-ley 19/2018, gives payers a strong reimbursement right for unauthorised transactions: the bank must refund immediately unless it proves the user acted with intent or gross negligence. But the scope of who that right is guaranteed to is the part that matters for a business.

Those protections are legally mandatory — incapable of being contracted away — only for consumers and micro-enterprises: fewer than 10 employees and turnover or balance sheet at or below €2 million. For any payment service user that is neither a consumer nor a micro-enterprise, which means most SMEs and every larger company, the protections are dispositive: the bank and the business may agree to disapply them, in whole or in part, in the account terms.

So a mid-size Spanish company may have no automatic statutory reimbursement right at all, depending on what it signed. And the case law offers no rescue: the Tribunal Supremo's April 2025 ruling (STS 571/2025), which put a demanding, quasi-objective liability standard on banks in phishing cases, is explicitly framed as a consumer dispute. There is no equivalent Supreme Court precedent extending it to corporate account holders.

Verification of Payee launched in Spain on 5 October 2025, ahead of the EU deadline, and now runs 1.83 million checks a day across more than 120 institutions. But the Banco de España's own guidance confirms two limits that matter to accounts payable: the check is optional for non-consumer bulk payment files, and if it flags a mismatch and you proceed anyway, the IBAN — not the name — remains the legally definitive identifier, and the bank is not liable.

What this means for you

Spanish PYMEs: protected if you are tiny, exposed the moment you grow.

The micro-enterprise line in Real Decreto-ley 19/2018 is the single most consequential fact for a Spanish business on this page. Under 10 employees and €2 million, you are treated as a consumer and your reimbursement rights cannot be contracted away. Cross that threshold and they can be — which means the protection a growing Spanish company relies on may quietly have been signed away in its bank's standard terms.

Spain publishes no invoice-fraud loss figure to size the risk with, and its crime statistics fold everything into "computer fraud". What official data does exist points the right way: fraude del CEO accounts for 9% of the business consultations INCIBE's national helpline receives, and impersonation another 18%.

With the statutory backstop uncertain and the bank's name check optional on exactly the bulk payment files a finance team uses, the control has to sit inside the company. PayHQ checks every incoming invoice against your verified supplier record and flags a changed account before the transfer is released.

FAQ

Common questions about fraud in Spain.

What does Spain lose to invoice fraud specifically?

No official Spanish source publishes that figure. The Ministerio del Interior folds everything into a single "fraude informático" category with no breakout for invoice fraud, CEO fraud, or supplier impersonation.

Can a Spanish bank refuse to reimburse my company?

Potentially, yes — by contract. Under Real Decreto-ley 19/2018, reimbursement protections are legally mandatory only for consumers and micro-enterprises (under 10 employees, ≤€2m). For larger businesses they are dispositive and may be disapplied in the account terms.

Does Verification of Payee cover business payments in Spain?

Not necessarily the ones that matter most. The Banco de España confirms the check is optional for non-consumer bulk payment files — precisely the batch runs an accounts-payable team uses — and if you proceed past a mismatch, the IBAN remains the definitive identifier and the bank is not liable.

Sources & methodology

Where these numbers come from.

Every statistic on this page was checked against the named source in July 2026. Spain's police statistics record a single "fraude informático" category and do not break out invoice fraud, CEO fraud, or supplier impersonation, so no Spanish loss figure for those crimes exists. The credit-transfer figure here comes from the EU's supervisory data, which is collected on a comparable basis across the EU/EEA. Figures describe what each source measures — reported losses are not the same as total losses, and most fraud goes unreported. National figures are not directly comparable between countries, because each country counts differently. When a figure cannot be verified against a primary source, we remove it rather than keep it.

Other countries

Compare with other EU markets.

Protect your supplier payments in Spain.

PayHQ checks every incoming invoice against your verified supplier records and flags changed bank details before the payment goes out.