On 7 December 2023, the European Payments Council (EPC) published its yearly update of ‘Payment Threats and Fraud Trends Report’.

The report provides an overview of the most important threats and other ‘fraud enablers’ in the payments landscape including social engineering, malware, botnets, and distribution denial of service.

For each threat, an analysis is made on the impact and context and suggested controls and mitigations are described. An overview matrix listing the threats with the main controls and mitigation measures is provided in Annex I of the report.

Key points in the report include:

  • Social engineering attacks and phishing attempts are still increasing, and they remain instrumental often in combination with malware, with a shift from consumers, retailers, SMEs to company executives, employees (through “CEO fraud”), payment service providers (PSPs) and payment infrastructures and more frequently leading to authorised push payments fraud.
  • Malware – existing in various forms – remains a major threat, in particular ransomware has been on the rise during the past year, requiring new mitigating measures.
  • One of the most sophisticated and lucrative types of payment fraud now and for the future seems to be Advanced Persistent Threat (APT). It must be considered as a potential high risk not only for payment infrastructures but also for all network related payment ecosystems.
  • Third-party vendors are more and more critical for PSPs, and they can introduce new risks. Therefore, the management of relations with suppliers is of crucial importance in banking and financial legislation to prevent consequences such as data breaches, financial losses, and operational failures.