The revised Payments Services Directive (PSD2) was designed to facilitate open banking in the European Union while also providing consumers with protections in the new digital payments paradigm. Although these measures have largely achieved their objectives, the evolving fraud threat has continued to drive losses.
A joint study by the European Banking Authority (EBA) and the European Central Bank (ECB) found that, even though the incidence of fraud in the EU remained stable from 2023 to 2024, the total cost of fraud increased from €3.5 billion in 2023 to €4.2 billion in 2024.
These losses occurred despite the largely successful implementation of the Strong Customer Authentication (SCA) requirements under PSD2 in 2020. The report highlighted that transactions leveraging the protocol were generally less susceptible to fraud than those that did not, especially card payments.
Despite this success, the ECB and EBA noted that fraud has persisted because bad actors have adapted their tactics, either by targeting transactions which occur outside of SCA or by tricking consumers into initiating payments themselves.
Stepping Up Scams
These social engineering techniques are part of a broader trend. As the impacts of fraud have grown, many companies and governments have bolstered fraud defenses and controls to rein in bad actors.
As a result, criminals have turned to scams that target consumers directly. Some of the most common scams involve criminals posing as legitimate entities, such as in fake emails from major retailers asking for urgent account action or phony text messages from government agencies demanding payment for unpaid tolls or fines.
While the primary goal of these messages is to trick users into sending funds, there has also been an increasing incidence where consumers being used as money mules—either willingly or unwittingly—to move money for nefarious purposes.
Shifting the Focus
This shift in focus to the end user is why fraud has continued to accelerate despite better regulations and defenses.
ECB/EBA’s data underscores this challenge. Even though SCA protocols were adopted just five years ago and have been successful, cybercriminals rapidly shifted their tactics to account for it. This is largely because bad actors don’t have to go through pilot programs or review boards to implement their operations.
For organizations to catch up to these cybercriminals—especially as technology has evolved—they will have to shift their mindset and think outside the box.
