The yearly update of the “Payment Threats and Fraud Trends Report” provides an overview of the most important threats and other “fraud enablers” in the payments landscape, with a focus on recent attacks, and outlines the broader attack vector landscape, including:

  • social engineering, 
  • malware, 
  • advanced persistent threats (APTs), 
  • distributed denial of service (DDoS), 
  • botnets,
  • third-party compromise,
  • monetisation channels,
  • liability for social engineering fraud.

For each threat, the impact and context are analysed, and suggested controls and mitigations are described. An overview matrix listing the threats with the main controls and mitigation measures is provided in Annex I.

The description of the threats is followed by a section that elaborates on how the identified threats impact payment-relevant processes: On-boarding/Provisioning, Request-to-Pay/Invoicing, Initiation/Authentication, and Execution.

The types of fraud related to specific payment instruments (cards; the Single Euro Payments Area (SEPA) schemes SEPA Credit Transfer, SEPA Direct Debit and SEPA Instant Credit Transfer; and mobile wallets) and to supporting schemes such as SEPA Request-to-Pay are described in the next section. A dedicated section sets out a relevant list of threat patterns that have been observed since the publication of the previous version, while conclusions are presented in the final section.

The report attempts to create awareness amongst stakeholders involved with payments to allow them to decide on possible mitigating measures in this respect.
