Cyprus continued to record relatively low levels of payment fraud in 2024, even as European banking supervisors warn that the overall risk landscape is evolving, with criminals increasingly shifting tactics rather than disappearing.

According to a joint report by the European Banking Authority (EBA) and the European Central Bank ECB), the value of fraudulent card transactions in Cyprus amounted to €2.3 million last year, representing 0.015 per cent of card transaction value.

Fraud involving credit transfers reached €2.7m, equivalent to 0.001 per cent, while losses linked to e-money transactions and cash withdrawals remained marginal, at €42,300 and €26,800 respectively.

In volume terms, fraudulent card transactions accounted for around 0.01 per cent of total card payments, with even lower shares recorded for other payment instruments .

Across the European Economic Area (EEA) as a whole, payment fraud remained contained in relative terms in 2024, despite a steady rise in absolute losses.

The total value of fraudulent payment transactions increased to €4.2 billion, from €3.5 billion in 2023 and €3.4 billion in 2022.

Even so, the annual fraud rate held broadly stable at around 0.002 per cent of the total value of transactions, emphasising that fraud continues to account for only a very small fraction of overall payment activity.

In value terms, fraud remained concentrated in credit transfers and card payments across almost all countries. Fraud involving credit transfers rose sharply to €2.5bn in 2024, while fraudulent card transactions using EU- or EEA-issued cards reached €1.3bn.

By contrast, fraud linked to direct debits, cash withdrawals and e-money transactions remained far lower in absolute terms, although growth rates varied across jurisdictions.

In volume terms, card payments dominated fraud by a wide margin, particularly in larger retail markets such as Germany, France, Italy and Spain, where high transaction volumes increase exposure to low-value, high-frequency card fraud.

The report notes that this pattern reflects the nature of card fraud, which often involves repeated small transactions designed to avoid detection or exploit exemptions from strong customer authentication.

Credit transfer fraud, by contrast, was less frequent by number of transactions but resulted in significantly higher average losses per case across most countries.

Differences in fraud types were also evident across payment instruments and jurisdictions. In most fraudulent card payments, cash withdrawals and e-money transactions, the payment order was issued directly by the fraudster, typically using stolen credentials, compromised card details or lost and stolen cards.

This pattern was consistent across both euro area and non-euro area EEA countries.

For credit transfers, however, manipulation of the payer emerged as the dominant fraud type in nearly all reporting countries.

This category, which includes authorised push payment scams and impersonation fraud, accounted for more than half of total fraud by value across the EEA and an even larger share in some countries.

The report emphasises that this trend was particularly pronounced in countries with high usage of online and mobile banking, including the Netherlands, the Nordic states and several Central and Eastern European economies.

The data further distinguish between remotely and non-remotely initiated transactions, showing a strong preference among fraudsters for digital channels.

While most card payments by value and volume continue to be made non-remotely at the point of sale, the majority of card fraud occurs in remotely initiated transactions across all countries.

In contrast, credit transfers and e-money transactions are overwhelmingly initiated remotely in both legitimate and fraudulent cases, reinforcing the vulnerability of digital channels to social-engineering-based attacks.

The report confirms the beneficial impact of strong customer authentication requirements introduced under the revised EU Payment Services Directive (PSD) in 2020.

Transactions authenticated with Strong customer authentication (SCA) were generally less vulnerable to fraud than those without it, particularly for card payments.

In 2024, SCA was applied to the majority of electronic payments by value across the EEA, with the highest shares recorded in credit transfers.

In volume terms, however, the share of transactions authenticated with SCA was lower for card payments and e-money, reflecting the widespread use of contactless payments at the point of sale.

This pattern was consistent across most countries, particularly in Northern and Western Europe, where contactless payments have become the dominant method for everyday purchases.

The report also examines the reasons why SCA is not applied and how fraud behaves under different exemptions. For credit transfers, secure corporate processes, payments between accounts held by the same user, trusted beneficiaries and recurring transactions accounted for the majority of non-SCA payments across countries.

Fraud rates under secure corporate protocols remained extremely low in all jurisdictions, while higher rates were observed in some trusted beneficiary and “payment to self” scenarios.

For card payments, contactless transactions represented the largest share of non-SCA payments in non-remote settings across the EEA.

In remote card payments, exemptions based on transaction risk analysis were widely used, particularly in larger markets, alongside merchant-initiated transactions.

The report notes that fraud rates were consistently higher for non-SCA transactions across all countries, reinforcing the effectiveness of authentication requirements despite differences in national payment habits.

Geography played a decisive role throughout the analysis. Fraud rates were consistently higher in cross-border transactions than in domestic ones, particularly when payments involved counterparties outside the EEA.

In card payments, fraud was around 17 times higher when the recipient was located outside the EEA, a pattern observed across both large and small member states.

A significant share of card fraud by value was linked to transactions outside the EEA, even though most payment activity remains domestic.

Losses due to fraud were distributed unevenly between payment service users, payment service providers and other entities, with sharp differences across countries and instruments.

In 2024, users bore around 85 per cent of fraud losses related to credit transfers across the EEA, reflecting the prevalence of scams in which payments were technically authorised by the user.

This pattern was particularly evident in countries with high exposure to authorised push payment scams, including several Western and Northern European markets.

For card payments, the share of losses borne by users varied widely. In a number of countries, users bore more than half of card fraud losses, while in others the burden fell predominantly on payment service providers.

Countries such as France and Denmark showed a relatively balanced distribution of losses between users and providers, reflecting differences in national liability frameworks and redress mechanisms.

The country-by-country analysis also highlights distinct patterns for cash withdrawals. In more than half of reporting countries, including Cyprus, Greece, Austria, Belgium, Bulgaria, Croatia, Hungary, Lithuania, Poland, Romania and Slovenia, users bore more than 70 per cent of cash-withdrawal fraud losses.

In Greece, Lithuania, Romania and Slovenia, users bore all reported losses.

By contrast, Denmark and Ireland stood out, with payment service providers covering more than 85 per cent of such losses, while Spain and France showed a more even split of responsibility.

In Cyprus, Croatia and the Netherlands, a particularly large share of fraud losses fell under the category of ‘Other Entities’, pointing to more complex liability arrangements involving multiple payment service providers or third parties.

In Cyprus, 63 per cent of losses were attributed to this category, compared with 30 per cent borne by users and 7 per cent by providers.

The report also notes the growing use of instant credit transfers across the EEA. While fraud rates for instant payments remain low in relative terms, average losses per case tend to be higher, reflecting the speed and irrevocability of these transactions.

The authorities point to forthcoming safeguards, including verification of payee, as key to limiting future risks as instant payments become more widespread.

The EBA and the ECB conclude that while payment fraud remains low relative to the scale of Europe’s payment systems, the steady rise in absolute losses and the increasing reliance on social-engineering and exemption-based attacks mean that vigilance remains essential.

They said they would continue to monitor fraud trends and publish detailed data to support evidence-based policy decisions and supervisory action across the European Union and the wider EEA .