Online fraud is changing: card payments are becoming less attractive to fraudsters, while losses from bank transfers are rising. The focus has shifted from stolen passwords to sophisticated manipulation of the victims themselves. New European rules are set to force banks to act faster and to carry more of the liability.
From stolen passwords to manipulation
According to data from the European Banking Federation, fraud in card payments is declining, while fraud in bank transfers is increasing and grew by roughly half between 2022 and 2023. Transfer frauds may not be the most numerous, but they cause the highest losses. The strong customer authentication and customer behavior analytics introduced with PSD2 have worked against stolen login credentials, so fraudsters have shifted their focus to psychological pressure.
Since the COVID years and the cryptocurrency boom, scenarios targeting every age group have proliferated: fake investment offers fronted by well-known personalities, or urgent appeals to "rescue" one's savings. Recent cases from the Czech Republic showed attackers impersonating managers on WhatsApp and persuading their contacts to make transfers, with losses running into the millions. A credible cover story thus overcomes even technical barriers.
How APP fraud works
In authorized push payment (APP) fraud, the account holder sends the money themselves; they are simply manipulated into doing so. Authentication of the payer therefore succeeds even though the destination of the payment is fraudulent. The cover story is usually urgent: a supposed police officer or banker "rescues" the victim's deposits, or an "investment advisor" promises quick profit. The money then disappears to foreign accounts or into crypto ATMs, or couriers collect it in cash.
Actual losses are moreover higher than official reports show, because many victims are ashamed to admit they were defrauded. The remedies are to show the payer more information about the recipient before the payment is sent, and to block techniques such as spoofing of the sender identity of SMS messages. Some legacy authentication methods are therefore to be phased out. All channels, including ATMs and card payments, must also be covered, so that money cannot be routed around the controls outside online banking.
Regulation, speed, and data sharing
The incoming EU rules (PSD3 and the Payment Services Regulation) will fundamentally limit banks' ability to shift losses onto the client. Apart from a narrow set of impersonation cases, where someone pretends to be another person, the bank will bear the loss. The regulation also aims to ensure that the client sees more about the payee when making a payment and to end the abuse of fake SMS messages. The goal is to stop the fraud before the transaction is confirmed.
With instant payments, detection must happen within a few seconds, which typically leaves only 300–400 milliseconds for the analytics itself. Banks therefore need fast scoring, coordination across channels, and clear blocks on withdrawals or cards when a payment looks suspicious. Attackers are already using generative AI, but the same technology can help banks with investigations and with mass communication with clients during waves of attacks. The new rules will also enable banks to share data on fraudulent accounts; in the Czech Republic a project is already emerging via the banking association, although sharing will for now be voluntary.
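How such a sub-second check might look in practice, as an added example that is not from the article or from any bank's production system: a Python scoring function that combines a payee-name comparison (the "more information about the recipient" discussed above) with the behavioural signals typical of an APP scam, decides within a fixed time budget, and, when it holds a payment, also flags a cross-channel block on cards and ATM withdrawals. All feature names, weights, thresholds, the sample customer and the IBANs are assumptions constructed for the example; the fail-closed behaviour on a budget overrun is a design choice, not a rule from the regulation.

```python
"""Illustrative real-time risk scoring for an outgoing instant transfer.

Added example, not code from the original article nor any bank's or regulator's
rules. Every feature, weight, threshold and sample record below is constructed.
"""
import time
import unicodedata
from dataclasses import dataclass, field
from difflib import SequenceMatcher
from typing import Callable, Optional


@dataclass
class Payment:
    amount: float
    payee_iban: str
    payee_name_entered: str                # what the payer typed
    payee_name_on_account: Optional[str]   # from a payee-verification lookup; None = unavailable
    is_new_payee: bool
    minutes_since_login: float
    inbound_call_in_last_hour: bool        # hypothetical signal: the scam caller is often still on the line


@dataclass
class CustomerProfile:
    avg_transfer: float       # typical outgoing amount over the last 90 days
    max_transfer_90d: float   # largest outgoing amount in the last 90 days
    transfers_last_24h: int
    new_device: bool          # first time this device/browser has been seen


@dataclass
class Decision:
    action: str               # "allow" | "warn" | "hold"
    score: int
    reasons: list = field(default_factory=list)
    cross_channel_block: bool = False   # also freeze card/ATM withdrawals while the hold is reviewed


def _normalize(name: str) -> str:
    """Lowercase, strip accents and keep only letters/digits, so 'Jan Novák' == 'jan novak'."""
    return "".join(ch for ch in unicodedata.normalize("NFKD", name).lower() if ch.isalnum())


def name_similarity(entered: str, on_account: str) -> float:
    """0.0..1.0 similarity between the name the payer typed and the name held on the account."""
    return SequenceMatcher(None, _normalize(entered), _normalize(on_account)).ratio()


def score_payment(p: Payment, c: CustomerProfile, time_budget_ms: float = 400.0,
                  clock: Callable[[], float] = time.monotonic) -> Decision:
    """Score one outgoing transfer and choose an action within a fixed time budget."""
    started = clock()
    score, reasons = 0, []

    # 1. Payee verification: does the typed name match the account holder?
    if p.payee_name_on_account is None:
        score += 10; reasons.append("payee name could not be verified")
    else:
        sim = name_similarity(p.payee_name_entered, p.payee_name_on_account)
        if sim < 0.5:
            score += 40; reasons.append(f"payee name mismatch (similarity {sim:.2f})")
        elif sim < 0.85:
            score += 15; reasons.append(f"payee name only a close match (similarity {sim:.2f})")

    # 2. Behavioural signals typical of an APP scam
    if p.is_new_payee:
        score += 15; reasons.append("first payment to this payee")
    if p.amount > c.max_transfer_90d:
        score += 30; reasons.append("amount exceeds 90-day maximum")
    elif p.amount > 3 * c.avg_transfer:
        score += 15; reasons.append("amount well above usual")
    if p.minutes_since_login < 2 and p.amount > c.avg_transfer:
        score += 10; reasons.append("large payment within two minutes of login")
    if p.inbound_call_in_last_hour:
        score += 20; reasons.append("inbound call shortly before the payment")
    if c.new_device:
        score += 15; reasons.append("unrecognised device")
    if c.transfers_last_24h >= 3:
        score += 10; reasons.append("several transfers in the last 24 hours")

    # 3. Respect the sub-second budget: if the analytics overran, fail closed (hold for
    #    review) rather than let an unscored instant payment leave the bank.
    elapsed_ms = (clock() - started) * 1000.0
    if elapsed_ms > time_budget_ms:
        reasons.append(f"analytics exceeded {time_budget_ms:.0f} ms budget ({elapsed_ms:.0f} ms)")
        return Decision("hold", score, reasons, cross_channel_block=True)

    if score >= 60:
        return Decision("hold", score, reasons, cross_channel_block=True)
    if score >= 30:   # show payee details plus a scam warning, then let the payer confirm
        return Decision("warn", score, reasons)
    return Decision("allow", score, reasons)


# Constructed sample customer and payments (not real data; IBANs are illustrative).
SAMPLE_CUSTOMER = CustomerProfile(avg_transfer=900.0, max_transfer_90d=20000.0,
                                  transfers_last_24h=0, new_device=False)
ROUTINE_RENT = Payment(amount=1200.0, payee_iban="CZ65 0800 0000 1920 0014 5399",
                       payee_name_entered="Jan Novák", payee_name_on_account="Jan Novak",
                       is_new_payee=False, minutes_since_login=5.0, inbound_call_in_last_hour=False)
SAFE_ACCOUNT_SCAM = Payment(amount=150000.0, payee_iban="CZ07 0100 0000 0000 1234 5678",
                            payee_name_entered="Policie CR - bezpecny ucet",
                            payee_name_on_account="Marek Horak",
                            is_new_payee=True, minutes_since_login=1.0, inbound_call_in_last_hour=True)

if __name__ == "__main__":
    for label, payment in (("routine rent", ROUTINE_RENT), ("'safe account' scam", SAFE_ACCOUNT_SCAM)):
        d = score_payment(payment, SAMPLE_CUSTOMER)
        print(f"{label}: {d.action} (score {d.score}, block cards/ATM: {d.cross_channel_block})")
        for r in d.reasons:
            print("  -", r)
```

The routine rent payment scores zero and is allowed; the "safe account" scam trips the name mismatch, new payee, out-of-pattern amount, rushed session and recent inbound call, and is held together with a cross-channel block. The `clock` parameter is injectable so the budget-overrun path can be exercised deterministically.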