The European Union is expanding its regulatory arsenal against online fraud, tightening rules for payment providers through the new Payment Services Regulation (PSR) and Payment Services Directive (PSD3), and demanding greater accountability from online platforms under the Digital Services Act (DSA). Yet Europe is fighting this battle in the dark: it still lacks credible data on how much money its citizens actually lose to online fraud each year.
This is an ambitious policy response. But it rests on an uncomfortable reality:
The EU has no idea about the actual annual financial damage caused by online fraud across Europe.
Europe wants to build a larger, stricter anti-fraud system, yet it still lacks the one thing any serious risk-management program needs: a credible, shared measure of the problem it aims to reduce.
The best EU-wide number we have is not the number we need
If you ask, “How big is fraud in Europe?”, the most defensible answer today comes from the EBA/ECB Joint Report on Payment Fraud.
In its 15 December 2025 edition (covering data up to 2024), the ECB press release states that the total value of fraud increased to €4.2bn in 2024 (from €3.5bn in 2023). The EBA/ECB report covers fraudulent payment transactions as reported by PSPs across the EEA. It includes both unauthorised fraud and scam-type fraud where the payer is manipulated to do the transaction (APP fraud). The report explicitly frames the €4.2bn as “reported by the industry”.
PSD2 (Article 96(6)) requires payment service providers to report statistical fraud data to their competent authorities, which then share aggregated data with the EBA and the ECB.
The first joint EBA/ECB report was published in August 2024 and reported figures starting with 2022 (and the first half of 2023).
But this is where the “blind flight” problem begins.
Notably, the EBA/ECB report includes data-quality qualifications and limitations (e.g., incomplete submissions, potential misclassifications, and section-specific gaps where some countries’ data are not available for the whole period). This reinforces that the €4.2bn metric is a high-quality reported indicator, but it’s certainly not a total-loss estimate.
The EBA/ECB number is explicitly “payment fraud reported by the industry” across the EEA.
That is not the same thing as total online-fraud losses suffered by people and businesses.
Even within the payment chain, it only captures what is detected, classified, and reported as fraud under the framework. Many scam losses never become an official fraud datapoint (late discovery, non-reporting, classification differences, fragmented pathways, and cross-channel dynamics that begin before a payment is initiated).
The iceberg: what happens when a regulator tries to estimate “actual losses”
To see why the EU should be cautious about treating “reported payment fraud” as a proxy for real-world harm, we should look at a rare example in which a national authority tried to quantify what lies beneath the surface.
In December 2025, the Dutch financial regulator AFM published From pyramid to iceberg: the hidden scale of investment fraud in the Netherlands. In the “In short” section, the AFM states:
€75 million: losses reported by police in 2024
€750 million: estimated actual annual losses, after accounting for fragmented registration and low willingness to report.
The AFM’s point is not simply that fraud is large. The point is that measurement based on registered cases shows only “the top of the pyramid,” while a much larger “iceberg” remains hidden.
And crucially, the AFM identifies structural causes that are not unique to one member state: fragmented registration and low reporting rates, producing a fragmented picture that impedes effective response.
AFM’s estimate relates to investment fraud in one Member State; it is not an EU-wide total, but it illustrates the scale of under-registration that EU policy debates routinely ignore.
This should worry EU policymakers for a simple reason: Europe is designing liability, reimbursement, and platform obligations without first addressing the measurement gap. That is how you end up optimizing for the part you can measure, not the part that does the damage.
The exposure is massive — and reporting is low
Even without a single EU “true loss” figure, the prevalence signals are already alarming.
The European Commission’s consumer data indicates that 45% of consumers encountered online scams in the past year.
Yet the Commission’s own consumer survey factsheet on scams and fraud found that only 21% of those who experienced a scam or fraud reported it (reporting was higher when the loss exceeded €50). Reasons are manifold as we explained already.
That combination — high exposure, low reporting — is precisely the condition under which case-based and industry-reported datasets will systematically understate real harm.
A Commission factsheet dating back to January 2020 also suggests that, based on exposure and impact data, EU adults could have cumulatively lost €24bn over a two-year period (with many individual losses falling in the €0–€500 range).
Given increased digitalisation since 2020, it is plausible that today’s losses are higher — but the EU still lacks a harmonised, up-to-date ‘true loss’ estimate.
A simple illustration: if the AFM “iceberg” logic held EU-wide
This is not a definitive EU estimate — it is an illustration of why relying on the “visible” slice can be dangerously misleading.
AFM estimated €750m annual investment-fraud losses in the Netherlands.
Netherlands population (CBS, 1 January 2025): 18,044,027.
EU population (Eurostat, 1 January 2025): 450.4m
That implies roughly €41.6 per person per year in investment-fraud losses in NL. If that per-capita level applied across the EU, it would suggest about €18.7bn per year, for investment fraud alone, not all scam types.
Again, that is not “the” EU number, but for sure this number is more realistic than the €4.2bn number delivered by EBA/ECB. But it demonstrates why Europe should not treat industry-reported payment fraud as a proxy for total harm.
How other jurisdictions publish “headline” fraud-loss metrics (UK and US)
One reason Europe’s “blind flight” is so striking is that other major jurisdictions have been routinely publishing public, headline loss metrics for several years already.
United Kingdom: industry-reported banking/payment losses + APP-specific performance data
UK Finance reports that £1.17bn was stolen through fraud in 2024, broadly unchanged from 2023.
Within that, UK Finance reports unauthorised fraud losses of £722m in 2024 (+2% vs 2023).
For Authorised Push Payment (APP) scams (where the victim is manipulated into sending money), UK Finance states that overall APP losses fell by 2% to “just over £450m” in 2024, while the number of cases fell by 20%.
The number for payment fraud in the UK (£1.17bn for a population of 70m) already shows that the figure for all European countries (€4.2bn for a population of 450m) is unrealistically low.
United States: two parallel public “loss” numbers (FBI IC3 and FTC)
The US publishes multiple national-level metrics that are often cited as “the” fraud loss number, yet they measure different universes and shouldn’t be conflated.
1) FBI Internet Crime Complaint Centre (IC3) – “reported losses” from internet-enabled crime
The FBI’s 2024 IC3 Annual Report states: 859,532 complaints in 2024, with reported losses of $16.6bn (a 33% increase from 2023).
This dataset is robust because it captures a broad range of internet-enabled crime (including scams affecting individuals and businesses). But it is still complaint-driven: “reported losses,” not measured total social harm.
2) Federal Trade Commission (FTC) – Consumer Sentinel fraud losses (consumer-reported)
The FTC reports that consumers reported losing more than $12.5bn to fraud in 2024, per its Consumer Sentinel data and annual Data Book.
The FTC’s Data Book also explicitly notes that Sentinel is based on unverified consumer reports (it is not a survey), which is an essential legal/technical disclaimer when using the figure in policy arguments.
Why the “blind flight” matters: three real policy risks
1) Europe may optimize for the wrong KPI
The ECB itself flags that fraudsters are adapting, particularly toward manipulation-based scam methods.
When the threat adapts, measurement has to adapt too — otherwise “improvement” can be a statistical mirage.
2) Liability may be shifted without reducing harm
In the PSR/PSD3 package, one contested area is the proposed reimbursement regime for impersonation fraud (often discussed under Article 59 in the PSR drafts). The exact scope, conditions, and caps are politically sensitive and still depend on the final text, yet the EU lacks reliable EU-wide data on how large impersonation fraud is relative to total scam losses.
Without knowing the actual total losses and the effect of planned actions, it is hard to answer basic questions:
Are we actually reducing the number of victims?
Are we actually reducing the euro amount stolen?
3) Enforcement risks becoming procedural rather than outcome-driven
Under both payment rules (PSR/PSD3) and the DSA, enforcement can devolve into “did you have the right controls” rather than “did harm materially fall.
Outcome-based enforcement requires outcome-based data. Today, Europe is not there.
Conclusion: you can’t steer what you can’t see
Europe is right to act: online fraud is a systemic threat that will only deepen with AI and crypto. But without a harmonised picture of total losses, policymakers are flying blind. The AFM’s iceberg shows what happens when detection is mistaken for control. Unless the EU first fixes its measurement gap, it risks fighting a (probably more than) €20bn problem with €4bn worth of data.
