Fraud in Europe: Changes over the last couple of years
When PSD2 and Strong Customer Authentication arrived, they clearly changed the payments market for the better. With SCA, Europe closed off a lot of the more straightforward payment fraud that had thrived in weaker authentication environments. But it is also becoming increasingly clear that fraudsters did not lose interest; they just changed focus. As we’ve written before, regulation can close one door without closing the building. PSD3 exists largely because PSD2 solved some problems while leaving others only partially addressed, especially around liability, operational gaps, and evolving fraud patterns.
That is why the most interesting change in Europe’s fraud landscape over the last year or so is not really about card fraud at all. It is about identity, manipulation, and scale. The center of gravity has shifted from “can the attacker bypass SCA?” to “can the attacker manipulate the user, hijack the account, or industrialize the fraud operation somewhere outside the narrow point where SCA is applied?” In its 2024 threat assessment, Europol described phishing as the most prevalent fraud attack vector, noted that smishing was the most common phishing type, highlighted “quishing” as an emerging threat, and explicitly warned that AI tools and deepfakes are expanding social-engineering opportunities for criminal actors. The European Payments Council, for its part, says social engineering and phishing are still increasing and are increasingly leading to authorized push payment fraud.
That shift matters because it changes what “good security” looks like. If a customer is tricked into making the payment themselves, or into approving access, or into handing over enough information for an account takeover, then the old mental model of fraud prevention starts to look incomplete. Europol also points to account takeover as a continuing threat, driven by illicit trade in personal data and supported by cybercrime-as-a-service markets. In other words, the attacker no longer needs to be especially talented. They can buy the tooling, buy the credentials, rent the infrastructure, and focus on exploiting the human layer.
We are also seeing a more mature merger between classic fraud and cybercrime. The old distinction between “payment fraud,” “identity theft,” “phishing,” and “malware” is becoming less useful in practice. A phishing message leads to credential theft. Credential theft leads to account takeover. Account takeover leads to fraudulent onboarding, APP fraud, or abuse of digital services. Malware steals sessions and cookies. Those sessions are sold in criminal marketplaces. Someone else uses them to impersonate the victim. Genesis Market showed exactly how industrialized this has become: at the time of the takedown, more than 1.5 million infected devices and over 2 million stolen digital identities were tied to the marketplace.
Another part of this story is that telecom infrastructure and authentication channels are now much more clearly part of the fraud battleground. We have written before about SIM-swap risk and how it sits awkwardly beside SCA rather than neatly inside it. That concern has only become more relevant. The SIMCARTEL operation in October 2025 exposed a large criminal setup involving around 1,200 SIM-box devices and 40,000 active SIM cards, with authorities linking it to thousands of fraud cases and millions of euros in losses. This is a reminder that any security model built around SMS, phone-number trust, or weak recovery flows is exposed to an ecosystem that is now highly professionalized.
The same goes for corporate fraud. Europol continues to flag business email compromise, CEO fraud, and digital skimming as major threats. What changes now is not merely that these attacks exist, but that generative AI lowers the cost of making them convincing. A bad phishing email used to be easier to spot. A fake executive voice used to be difficult to produce. A multilingual scam operation used to need more human effort. The quality threshold for deception is falling, while the reach of attackers is rising.
So where does that leave SCA? In a better place than its critics sometimes suggest, but in a narrower role than some supporters might have hoped. SCA still matters. It is still one of the key controls in the European payment stack. But it is increasingly one control in a much broader fraud environment, not the defining answer to it. That is also why the PSD3 discussion is interesting: it moves the conversation toward transaction monitoring, clearer liability, cooperation between providers, and more systematic information sharing. That is a tacit acknowledgement that fraud prevention in Europe now has to be behavioral, cross-channel, and collaborative. Authentication alone is not enough.
That is also part of why our own offer is evolving. As we wrote recently, SCA remains a cornerstone for reducing fraud, but it only answers one part of the problem: whether the person authorizing a payment appears to be the right person at that moment. It does not, by itself, establish whether the identity behind the account is genuine, nor does it fully secure high-risk moments such as onboarding, re-enrollment, device change, or account recovery. In an environment shaped by account takeover, stolen digital identities, and deepfake-assisted impersonation, those lifecycle points matter more than ever.
And that is why we increasingly see KYC and SCA as complementary rather than separate controls. Strong KYC at onboarding, paired with device binding, cryptographic trust anchors, and robust SCA throughout the account lifecycle, creates a much stronger chain of trust. In practice, this is how we are adapting our offer to the threat landscape as it evolves: helping customers secure not only the transaction itself, but also the identity and device relationship behind it. SCA is still fundamental. But fundamental does not mean sufficient on its own. The direction of travel in Europe is toward fuller lifecycle security, where onboarding, authentication, re-enrollment, and fraud monitoring work together rather than as isolated steps.
The advice is simple: focus less on whether your authentication step is formally strong, and more on whether your overall customer journey is resilient to manipulation, account takeover, recovery abuse, session theft, and fraudulent payee changes.
That means better risk monitoring, better recovery security, stronger device and session binding, and much more serious attention to scam prevention as a product problem rather than just a compliance problem. It also means that banks, fintechs, and identity providers should stop thinking of fraud as something that happens only at the moment of payment. Increasingly, the real compromise happens earlier, somewhere in the surrounding digital environment, and the payment is just the final visible symptom.
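To make the device and session binding recommended above concrete, here is an added example (not code from the original post or its author) of a server-side check that rejects a stolen session cookie replayed from a device that was never enrolled and forces fresh SCA at the lifecycle moments the post names. The enrolment flow, the action names and the HMAC-based device proof are assumptions standing in for a key held in a secure element.

```python
import hashlib
import hmac
import secrets

# Lifecycle actions that a valid, already-authenticated session must not be
# allowed to perform on its own (assumed names for the moments the post lists).
HIGH_RISK_ACTIONS = {"add_payee", "change_device", "account_recovery", "re_enrollment"}


class DeviceBoundSessions:
    """Server side: a session is bound to an enrolled device key, not just a cookie."""

    def __init__(self):
        self.device_keys = {}   # device_id -> key (simulates a key in the device's secure store)
        self.sessions = {}      # session_token -> {"user", "device"}
        self.seen_nonces = set()

    def enroll_device(self, device_id):
        # Hypothetical enrolment after KYC; a real device key is generated on
        # the device and never leaves it. Returned here only so the demo can sign.
        key = secrets.token_bytes(32)
        self.device_keys[device_id] = key
        return key

    def open_session(self, user, device_id):
        if device_id not in self.device_keys:
            raise ValueError("device not enrolled")
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": user, "device": device_id}
        return token

    @staticmethod
    def sign_request(device_key, token, nonce, action, body):
        # Device side: per-request proof that the enrolled device sent this request.
        msg = "|".join([token, nonce, action, body]).encode()
        return hmac.new(device_key, msg, hashlib.sha256).hexdigest()

    def authorize(self, token, nonce, action, body, proof, step_up_sca=False):
        sess = self.sessions.get(token)
        if sess is None:
            return "deny:unknown_session"
        if nonce in self.seen_nonces:
            return "deny:replay"           # captured request resent verbatim
        expected = self.sign_request(self.device_keys[sess["device"]], token, nonce, action, body)
        if not hmac.compare_digest(expected, proof):
            return "deny:not_enrolled_device"   # cookie valid, but device key missing
        self.seen_nonces.add(nonce)
        if action in HIGH_RISK_ACTIONS and not step_up_sca:
            return "step_up:fresh_sca_required"
        return "allow"
```

A stolen token alone therefore yields nothing, and even the legitimate device cannot change a payee or recover the account without a fresh SCA.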
Fraud moving to a point before the payment is the real fraud story in Europe right now. We are moving beyond the era where the main question was whether SCA had been applied. The more important question is whether the whole ecosystem around the customer can withstand an attacker who is patient, well-equipped, and increasingly able to make fraud look like normal behavior.
Is this a topic you’re interested in? Follow us on LinkedIn and subscribe to our newsletter!