Scams are the defining fraud challenge of the decade. What started with lotteries and clairvoyant letters shifted to email in the 1990s. Now, scams make up a trillion-dollar global industry exploiting technology platforms and human susceptibility to social engineering.

BioCatch’s 2025 Global Scams report offers readers a view from the frontline of fraud defense. Unfortunately, it also shows scams increasing exponentially in every region of the world. But nowhere are the stakes and the opportunities for reform clearer than in Europe.

Europe’s escalating threat

Across Europe, reported scams have nearly doubled in the past year, underscoring the consumer’s vulnerability to social engineering. Romance scams have doubled every year since 2023, while voice scams (vishing) have doubled as well, with fraudsters often impersonating authority figures such as the police or the customer’s bank.

By volume, purchase scams dominate, accounting for one in four cases. While job scams are less common, they have quadrupled in volume in the last year.

At first glance, the threat to Europe’s consumers and banks appears to mirror global trends. North America also saw a fourfold increase in scams since 2023, and Latin America experienced a sixfold rise. While these trends are likely linked to greater consumer awareness and improved bank record-keeping, they remain of genuine concern.

But Europe’s experience stands apart for two reasons: The pervasive nature of real-time payments via national/regional systems and the continent’s regulatory response.

The United Kingdom (UK) as a microcosm

The UK remains a global case study in the impact of ubiquitous real-time payments on fraud risk. I say ubiquitous, as UK consumers do not choose to make payments in real-time. It is the default.

Following the launch of real-time payments (known as faster payments) in 2008, authorised push payment (APP) fraud surged. According to the most recent figures from UK Finance, while the volume of APP cases declined in 2025, losses rose by 12%, reversing the downward trend we’ve observed over the last few years.

In 2024, £450.7 million was lost to APP fraud — 70% of those losses resulted from crimes that were committed via online platforms. Purchase scams remain the single largest category, representing 57% of all APP cases by volume but only 21% of losses. Whilst payment scams may not result in eye-catching individual losses, the sheer volume causes misery for consumers and imposes a significant operational cost burden on payment service providers.

Conversely, investment and romance scams account for most of the losses, representing more than 40% of criminals' gains. Those losses also conceal a hidden human cost, with the well-being of many victims significantly impacted.

Why incentives matter

It is often said that what is measured gets done. While the European Banking Association’s taxonomy focuses on the components of fraud (initiation, method, modus), the UK industry has long distinguished between unauthorized and authorized fraud.

Whilst the language used within the industry has moved on, historically, unauthorized transactions were described as fraud and authorized transactions as scams, reflecting the fact that institutions were liable for the former, with the losses associated with authorized fraud being borne by consumers.

Unsurprisingly, the issue of liability impacted investment decisions: Payment service providers invested heavily in real-time outbound detection, while inbound risk detection was largely oriented toward demonstrating compliance with financial crime obligations.

Revisions to the UK’s Financial Services and Markets Act, which took effect in 2024, changed that dynamic by introducing joint liability for APP-related consumer losses. Alongside data on the performance of individual PSPs, this change has strengthened the business case for investment in behavioral intelligence, device, and network analytics, enabling PSPs to identify risk before money leaves a customer account, or in the case of a mule, is received and dispersed.

BioCatch customer data shows that behavior is key to spotting social engineering and the financial crime risk posed by money mules. Banks in the UK, Australia, and other locations already use these insights to manage friction — enhancing user experience and limiting fraud risk.

Europe, the Middle East, and Africa: A region of contrasts

The eurozone is leading the charge toward ubiquitous instant payments, but the EU’s Instant Payment Regulation has implications for the entire Single European Payment Area (SEPA), regardless of currency.

The Nordic region is increasingly cashless, with most consumers using digital payments exclusively. Its rapid adoption of digital banking, high internet penetration, and low wealth inequality set it apart and have made the region a key target for scammers.

By contrast, Southern Europe (particularly Spain and Italy) faces a different challenge. Here, there has been an explosion in investment and impersonation scams, often linked to cross-border mule networks, setting the region apart from the Nordics and central Europe.

Meanwhile, the Middle East and North Africa present yet another contrast, with growing scam activity fueled by rapid mobile adoption, cross-region payment platforms, diverse populations, and relatively immature consumer protection frameworks.

While the EU’s instant payment regulation is creating a significant attack surface, the Commission has sought to learn from the deployment of instant payments in individual states. Verification of Payee (VoP), first implemented in the UK as Confirmation of Payee (CoP), is a good example of a step in the right direction.

Our 2025 Global Scams report highlights how Europe’s share of scam payments to new beneficiaries is lower than in any other region, reflecting increased friction for fraudsters. But as the report notes, VoP/CoP isn’t foolproof, as the UK demonstrates, with criminal tactics evolving rapidly in the face of such controls.

EMEA and the rest of the world

BioCatch’s 2025 Global Scams report data for North America shows that the rise in scams is driven by increased digital banking and inconsistent reimbursement policies.

In Latin America, where scams have increased sixfold, the challenge is often classification, as many cases are not attributed to a modus operandi.

The Asia-Pacific region, meanwhile, faces an entirely different challenge: It is both host to and targeted by industrialized scamming operations. The establishment of scam cities in countries such as Cambodia also underscores how fraud can have consequences for victims and perpetrators alike.

Such is the scale of these operations that the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has imposed sweeping sanctions on 146 targets within the Prince Group Transnational Criminal Organization (Prince Group TCO) — a Cambodia-based network led by Cambodian national Chen Zhi that operates a transnational criminal empire through online investment scams targeting Americans and others worldwide.

Against this backdrop, the contrast for Europe lies not so much in the volume of scams as in their sophistication. Scammers in Europe exploit both regulatory fragmentation and the certainty offered by time-bound instant payments, whereas in other regions, volume or infrastructure gaps are the primary issues.

PSD3 and the instant payments regulation: What comes next

The third Payment Services Directive (PSD3) and the accompanying Payment Services Regulation (PSR2) are expected to tighten fraud-prevention obligations across the EU. Enhanced data sharing and improved authentication will likely prove crucial to addressing the growing risk of scams. As in the UK, the new rules will also leverage reimbursement to incentivize PSPs.

The question for the region is whether these proposals will create the right balance between the convenience of instant payments and the increased risk of fraud.

The challenge for EMEA policymakers will be ensuring that liability rules and technical controls evolve together. If instant payments expand without shared accountability or intelligence exchange, the region risks repeating the mistakes made by the UK.

Collaboration is the only way forward

Behavioral and device intelligence will play a pivotal role. Scam detection isn’t about catching unauthorized logins. It’s about identifying legitimate users that are displaying the telltale signs of being socially engineered.

National and regional cooperation, driven by solutions such as BioCatch Trust, could enable the sort of collaboration envisaged by Europe’s policymakers.

Crucially, such collective intelligence, derived from behavior and devices, has the potential to strike the right balance between the convenience of instant payments and the associated fraud risk.

From liability to leadership

Scams are no longer isolated crimes. They are symptoms of criminal operations, industrial in scale, capable of attacking consumers globally.

The next test for Europe is whether it can leverage regulation to turn intent into meaningful prevention. The UK has shown that aligning financial incentives can have an impact, but, on their own, these may well prove insufficient to counter the sort of exponential surge new technologies such as agentic AI could precipitate.

As PSD3 and the IPR come into force, Europe can go further, embedding scam prevention into the very fabric of payments themselves.
