.svg)
Fraud in the payments space is fast becoming the new go-to method for organised crime in the EU, the bloc’s policing agency has warned in a new threat assessment.
According to Europol’s latest EU Serious and Organised Crime Threat Assessment (EU-SOCTA), criminal networks are exploiting financial technology on an unprecedented scale, with payment fraud, cryptocurrency-fuelled money laundering, and AI-powered scams reshaping the landscape of organised crime.
The report highlights the increasing sophistication of payment fraud, driven by malware, automation and the digitalisation of financial services.
This comes at the same time as illicit financial flows are becoming harder to trace, with criminals harnessing decentralised finance (DeFi), crypto-swapping services, and AI-driven anonymisation techniques to launder the proceeds of their activities.
According to Europol, payment fraud remains a major concern, with an ongoing shift from physical to digital attacks.
The organisation says that traditional methods, such as the skimming of bank cards, are declining, but that criminals have adopted more advanced methods, including digital skimming and back-end malware attacks on payment processing infrastructure.
New fraud typologies
Europol said that instead of targeting individual cards, fraudsters now compromise entire systems, stealing large amounts of payment data at once.
The agency said that compromised card details are frequently traded on dark web marketplaces and used in large-scale, automated card-not-present (CNP) fraud schemes, where bots are able to execute rapid transactions across multiple platforms.
SIM-swapping attacks have also become more prevalent, allowing criminals to bypass two-factor authentication and gain access to bank accounts.
These techniques have resulted in a surge in high-value account takeovers, leading to significant financial losses for individuals and businesses.
The rapid digitalisation of payment systems continues to create new vulnerabilities, and criminal groups are adapting their methods quickly.
Europol warned financial institutions that they need to constantly upgrade fraud prevention technologies to stay ahead.
The use of cryptocurrencies in fraud
Europol also highlighted the need for tighter regulation in the banking space, given that criminal networks increasingly use cryptocurrencies and decentralised finance (DeFi) to launder illicit funds.
Crypto-swapping services, which enable the exchange of digital assets between different cryptocurrencies, have become a major tool for obscuring financial trails.
By converting mainstream cryptocurrencies, such as Bitcoin, into privacy-focused coins such as Monero, criminals make transactions significantly harder to track.
Mixing services further complicates detection, by blending illicit funds with legitimate assets.
One of the largest cases involved ChipMixer, a platform taken down in 2023 for allegedly laundering more than €2.7bn worth of crypto-assets linked to dark web markets, ransomware operations, and organised crime groups.
Another common tactic is "chain hopping," where criminals move illicit funds between different blockchain networks in rapid succession to avoid detection.
With AI-driven automation, these laundering techniques are becoming increasingly efficient, enabling criminals to execute large-scale operations with minimal risk of exposure.
The new era of resiliency first
For payment service providers (PSPs), Europol’s findings should be chilling.
Organised crime networks are not only adapting to technological advances, but actively leveraging them to infiltrate payment systems, launder funds and defraud consumers on an unprecedented scale.
The growing sophistication of payment fraud is perhaps vindication for the EU’s regulators, considering the introduction of frameworks such as the Digital Operational Resilience Act (DORA).
Financial entities — including crypto and payments players –- need to have implemented comprehensive risk management protocols, be conducting regular testing, and establish robust incident reporting mechanisms to comply with the DORA rules.
Incumbent banks, meanwhile, should reduce the threat to their payment systems that could come from a rise in instant payments by preparing for the Instant Payments Regulation (IPR).
In parts of the EU where instant payments are yet to flourish, including large economies such as Germany and France, this will significantly accelerate transaction processing.
Although instant payments enhance efficiency and financial inclusion, they also introduce new vulnerabilities that organised crime groups will seek to exploit.
Faster transactions mean less time for fraud detection, increasing the risk of financial crime, and banks that are grappling with legacy systems may find themselves especially vulnerable to this.
It will be interesting to see in next year’s assessment from Europol whether the anticipated uptick in instant payments has unlocked a new space for criminals to thrive, due to weak detection systems.
