Search
Choose a style
Dark
Light
Time to read: 4 min

How fraudsters exploit behaviour to avoid PSD2 safeguards

Fraudster shaking hands with a man, while holding a white mask behind his back.
Editorial credit: photobyphotoboy / Shutterstock.com

While figures are limited on fraud levels since the launch of VoP across Europe, earlier data suggest the measure may do little to stop fraudsters’ current tactics.

New figures from the Central Bank of Cyprus have shown low fraud rates are masking rising high-value credit transfer scams.

In the central bank’s report on payment fraud for the first half of 2025, Cyprus continued to report relatively contained fraud levels compared with euro area averages. Card fraud accounted for just 0.021% of total card payment value, while other payment methods recorded even lower ratios.

However, the total value of fraudulent payment transactions rose 66% year-on-year to almost €4m ($4.73m), while volumes increased 30% to 16,000 cases, suggesting losses are rocketing even though overall fraud rates remain low.

The increase in volumes was mainly attributed to card payments, which accounted for 92% of fraudulent transaction volumes but only 45% of total fraud value, with an average fraudulent card payment of €106. 

Card fraud was also around 24 times more likely to occur in cross-border transactions than domestic ones, with 97% of fraudulent card payments linked to online activity rather than physical point-of-sale transactions.

Despite representing a far smaller share of fraudulent transaction volumes, credit transfers are the reason for fraud value surging. This type of transaction was responsible for 54% of total fraud value in the period, amounting to €1.9m. 

The average fraudulent credit transfer reached €5,472, which is more than double the euro area average, showing how fraudsters are targeting a smaller number of higher-value scams. 

Screenshot from Central Bank of Cyprus report on fraud.
Screenshot from Central Bank of Cyprus report, showing levels of fraud by type of payment service in value terms.

Not just in Cyprus

The trends seen in Cyprus are by no means confined to the island because a joint report from the European Banking Authority and the European Central Bank found credit transfer fraud across the European Economic Area reached €2.5bn in 2024, making it the largest contributor to total payment fraud losses.

The report highlighted manipulation-of-the-payer scams, where customers are deceived into authorising payments themselves, as the main driver of credit transfer fraud.

Cyprus’ data indicates the same pattern, with 59% of fraudulent credit transfers in the first half of 2025 stemming from payer manipulation rather than unauthorised account access.

The UK has faced similar challenges over recent years with authorised push payment (APP) fraud. According to the UK Finance 2025 Annual Fraud Report, mobile banking accounted for 74% of APP scams. While overall fraud volume fell 7% year-on-year, total losses rose 22% to £203m, showing how fraudsters can bypass technical security measures and focus on fewer, higher-value scams by exploiting behaviour.

Current fraud controls are effective but not a solution

The report does explain regulatory safeguards are having a measurable impact, finding fraud rates for card payments authenticated using Strong Customer Authentication (SCA) were significantly lower than those without it. 

Looking at the numbers, fraud rates were 0.006% for SCA-authenticated transactions compared with 0.018% for those without SCA. Whereas in value terms, the gap was 0.011% versus 0.037%.

The findings also reinforce the positive effect of PSD2-era authentication rules within the EEA. However, fraud rates remain much higher in cross-border transactions, particularly where counterparties are outside the EEA and SCA requirements may not apply.

Given Verification of Payee (VoP) only became mandatory on 9 October, 2025 and these figures are from before that date, it is yet to be seen what impact this new regulation will have on fraud trends. 

However, it is not a reach to predict VoP will likely have little influence on these trends as it shares an inherent limitation with SCA. Both security measures can verify identity and account details, but they cannot prevent a customer from being manipulated into sending money.

Subscribe to our newsletter