Challenges faced by cybercriminals in executing instant credit transfers fraudulently
In the rapidly evolving digital landscape of the European Union, real-time transfers have become a popular payment method, offering convenience and speed to users. However, this immediacy and irreversibility have raised concerns about consumer protection, as errors and fraudulent activities can lead to significant losses with little room for recourse or cancellation.
These concerns are addressed by recent and upcoming regulations such as the Instant Payments Regulation and the third Payment Services Directive (PSD3). These regulations establish enhanced verification and fraud-prevention measures tailored to instant payment systems.
One of the key issues is that instant settlement leaves no time to reverse erroneous or fraudulent payments, increasing exposure to loss if payments are sent in error or under deception. To counter this, PSD3 mandates name and IBAN verification for instant payments, requiring payment service providers (PSPs) to notify the payer when mismatches occur and allow them to authorize or reject the payment.
Stricter Strong Customer Authentication (SCA) requirements under PSD3 aim to ensure that payments are properly authorized by the legitimate user, safeguarding those at a technological disadvantage. The removal of surcharges and standardization of fraud prevention rules in instant payments under the Instant Payments Regulation seek to protect consumers from hidden costs and ensure a consistent security baseline across providers and countries.
However, the shift to real-time payments introduces complex compliance challenges for PSPs, especially regarding anti-money laundering (AML) and counter-terrorism financing (CFT) measures, as funds are transferred instantly with less time for traditional checks.
Low consumer awareness and skepticism about instant payment safety are recognized behavioral issues, requiring not only regulatory safeguards but also education and transparent communication to build trust in real-time payment products.
In a recent case, scammers used real-time transfers to steal a substantial amount of money from a German neobank. The money was transferred to another neobank in Europe, and it is believed that it was withdrawn at an ATM after the transfer. Despite their efforts, the authorities were unable to track the money across multiple banks.
The renowned German hacker and IT security expert, Lilith Wittmann, has been at the forefront of uncovering vulnerabilities in various systems and apps. In 2023, she discovered flaws in the IT infrastructure of the company Bonify, allowing her to download Jens Spahn's tenant information. She has also found vulnerabilities in the Luca app, Visavid video conferencing system, and ID-Wallet of the Federal Ministry of the Interior.
Lilith Wittmann finds it intriguing to observe which payment methods scammers use. She has stated that scammers often give urgent reasons for requesting real-time transfers, such as the need to quickly fly home or retrieve a lost item. However, she emphasizes that she does not transfer money in response to scam emails due to a lack of personal funds.
Since 2025, Lilith Wittmann has been writing an exclusive column about IT security in the financial industry for Payment & Banking, providing valuable insights and advice to readers. Her work continues to highlight the importance of consumer protection in the digital age, especially in the context of real-time transfers.
- In the ever-evolving realm of European Union finance, concerns about the safety and security of real-time transfers persist, emphasizing the need for robust cybersecurity measures and continued educational efforts.
- Both PSD3 and the Instant Payments Regulation are instrumental in fortifying the banking sector against fraudulent activities and erroneous payments, particularly by mandating stricter authentication processes and ensuring a consistent security baseline for instant payments.