The yearly update of the “Payment Threats and Fraud Trends Report” provides an overview of the most important threats and other “fraud enablers” in the payments landscape, with a focus on recent attacks and an outline of the broader attack vector landscape, including:

  • Social engineering
  • Malware
  • Advanced persistent threats (APTs)
  • Distributed denial of service (DDoS)
  • Botnets
  • Third-party vendor risks
  • Monetisation channels
  • Liability aspects of social engineering fraud

For each threat or “fraud enabler”, an analysis of the impact and context is provided, along with suggested controls and mitigations. An overview matrix listing the threats with the main controls and mitigation measures is provided in the Annex.

The 2025 update of the report focussed on two things: providing additional relevant and concrete examples in the section that describes the most significant attacks and fraud modus operandi observed in the last year by the communities represented in the EPC, and the impact of the use of AI by both attackers and defenders.

The document also elaborates on how these threats impact the payment-relevant processes of Onboarding, Payment Request, Payment Initiation and Authentication, and Payment Execution, and discusses appropriate countermeasures. It further details the threats and types of fraud in relation to the different payment instruments (cards, SEPA Credit Transfer (SCT), SEPA Direct Debit (SDD), SEPA Instant Credit Transfer (SCT Inst), and mobile wallets) and to supporting schemes (SEPA Request-to-Pay (SRTP), Verification of Payee (VOP)).

With this report, the EPC intends to raise awareness among all stakeholders involved in the payments space and to give them insight into the various threats that exist and the techniques used by fraudsters, so that they can take better decisions on possible prevention and mitigation measures.
