APP scams, where victims are manipulated into sending money themselves, have become the most damaging form of payment fraud across Europe.
According to Flagright, recent supervisory data shows that these scams now exceed card fraud in terms of total losses, driven by their high average transaction values.
In 2024, the average fraudulent credit transfer exceeded €2,000, far higher than typical card fraud amounts. According to the European Banking Authority, so-called “manipulation of the payer” now represents more than half of all fraud losses linked to credit transfers, marking a decisive shift in how criminals extract money from consumers.
The growth of instant and online bank transfers has amplified the impact of APP scams. Real-time settlement allows fraudsters to move funds immediately, pushing total credit transfer fraud losses to €2.5bn in 2024, around 60% of all payment fraud losses across the EEA. This has allowed credit transfer fraud to overtake card fraud by value, fundamentally changing the region’s fraud risk profile.
Rather than unauthorised transactions stopped by legacy controls, the largest losses now arise from customers being socially engineered into approving payments themselves.
Regulators increasingly view APP scams not just as a consumer fraud issue but as an anti-money laundering concern. Once funds are sent, they are often rapidly layered through mule accounts and transferred cross-border before victims realise what has happened. A joint report by the European Central Bank and EBA highlighted that fraudulent credit transfer funds frequently move overseas or into opaque account structures, mirroring classic money laundering techniques.
As a result, APP scams now sit squarely at the intersection of fraud and AML obligations.
A key driver behind this regulatory shift is the distribution of losses. In 2024, payment service users absorbed around 85% of credit transfer fraud losses. Unlike card fraud, APP scams generally offer no automatic reimbursement because the payment was authorised. With billions lost and recovery rates falling, supervisors are questioning whether banks and fintechs are doing enough to identify and report scam-related fund flows as suspicious activity, rather than treating them solely as fraud incidents.
The latest figures underline the scale of the challenge. Total payment fraud losses in the EEA rose 17% year-on-year to €4.2bn in 2024, with credit transfers accounting for €2.5bn of that total. While card fraud still represented around €1.3bn, its relative importance continues to decline. Credit transfer scams remain costly because of their high value per incident, with victims often sending multiple large payments that are almost impossible to recover once laundered.
Fraud flows are disproportionately cross-border, even though most legitimate payments remain domestic. APP scams frequently involve funds moving through multiple countries, complicating recovery and investigation. Mule accounts play a central role in this ecosystem, collecting funds from multiple victims before dispersing them onwards or converting them into cryptoassets. These patterns mean that each APP scam is effectively the first stage of a laundering operation, requiring AML scrutiny alongside fraud controls.
European policymakers have responded with sweeping reforms. PSD3 and the accompanying Payment Services Regulation will significantly increase liability for payment service providers that fail to prevent scams, particularly impersonation fraud. At the same time, AMLD6 formally confirms fraud as a predicate offence for money laundering, obliging institutions to apply AML monitoring and reporting to scam-related transactions.
The creation of the Anti-Money Laundering Authority further raises the bar. From 2026 onwards, AMLA will shape supervisory expectations for banks, fintechs, payment firms and crypto providers operating cross-border. This includes scrutiny of how firms detect mule activity and integrate fraud intelligence into AML frameworks, reinforcing that payment fraud prevention and AML compliance are now inseparable.
Operationally, these changes demand a rethink. Separate fraud and AML teams, systems and workflows create gaps that modern scams exploit. Regulators now expect integrated financial crime functions where fraud intelligence feeds directly into AML monitoring and vice versa. Shared case management, real-time alerts and joint investigations allow institutions to respond faster and identify laundering activity while funds are still in motion.
Best practice is emerging around converged monitoring, shared risk scoring and real-time behavioural analytics. PSPs are increasingly combining fraud and AML signals in unified platforms to detect anomalies as they occur. Collaboration beyond individual institutions, enabled by new data-sharing provisions, also plays a growing role in disrupting mule networks and preventing repeat scams.
RegTech providers are responding to this convergence by offering platforms that unify fraud and AML workflows.
As Europe moves deeper into instant payments and tougher supervision, APP scams can no longer be treated as a niche fraud issue. Regulators are clear that preventing scams, detecting mule activity and reporting suspicious flows are core AML responsibilities. Institutions that fail to integrate fraud and AML controls risk higher losses and regulatory scrutiny. Those that succeed will be better placed to protect customers and meet the demands of the evolving financial crime landscape.
Find more on RegTech Analyst.
Copyright © 2026 FinTech Global
