Insights from the latest EPC Fraud Trends Report (1): the surge of social engineering and APP fraud

4min Read · 29 Apr 2026

Fraud in the payments world has always evolved quickly, but the latest EPC 2025 Payments Threats & Fraud Trends Report makes it clear that we are entering a new phase where manipulation, psychology, and social pressure have become as powerful as malware or technical exploits. In other words, fraudsters aren’t just attacking systems. They’re attacking people.

This first article in our three‑part series looks at the human‑centric fraud trends the EPC highlights, why they are growing so fast, and how financial institutions can respond.

 

Social Engineering Remains the Most Common – and Most Effective – Attack Technique

One of the clearest messages in the EPC report is that social engineering continues to rise across Europe. Fraudsters use all possible communication channels – emails, SMS, mobile apps, messaging platforms, and phone calls – to convince individuals to take an action that benefits the attacker.

What has changed is the quality of these scams. Today’s attacks are no longer poorly written phishing emails. According to the EPC report, criminals now use:

  • convincing, personalised messages
  • spoofed caller IDs
  • realistic websites and login interfaces
  • urgent, authoritative language
  • and increasingly, AI‑generated deepfake voices and videos, which make impersonation far more credible than in the past.

This makes social engineering not just common, but dangerously persuasive.

 

APP Fraud: When Victims Are Manipulated into Authorising the Payment Themselves

The report confirms that Authorised Push Payment (APP) fraud is now one of the fastest‑growing fraud categories in Europe, after already overtaking unauthorised fraud in markets like the UK.

In APP fraud, victims genuinely believe they are sending money to someone legitimate, e.g. a supplier, a bank, a government agency or a family member, when in reality, they are paying the fraudster.

The EPC highlights several common scenarios:

  • Invoice and mandate scams (e.g., IBAN changes sent via email)
  • Investment schemes promising unrealistic returns
  • Romance and relationship scams
  • Fake refunds, reimbursements, or “safe account” instructions
  • CEO or colleague impersonation targeting corporate finance teams

What makes this category so challenging is that the payment is fully authorised, which limits what traditional fraud controls can detect in real time.

 

Why These Scams Work: Credibility, Urgency and Information

The EPC report shows that successful social‑engineering‑driven frauds share three ingredients:

  1. Credibility

Fraudsters use personal data, branding, and communication patterns that look legitimate. Fake bank emails, cloned websites, and caller‑ID spoofing blur the line between truth and deception.

  2. Urgency

Messages often push the victim to act immediately (“Your account is compromised”, “Your payment is overdue”, “You must confirm your identity”).
Under pressure, people skip their usual checks.

  3. Identity manipulation

AI‑generated voices, videos or written messages make impersonation nearly flawless.
The EPC report warns that this dramatically increases the success rate of high‑value fraud attempts.

 

Fraudsters Combine Psychological Manipulation with Technical Tools

Although social engineering relies on human behaviour, the EPC notes that it often intersects with technical enablers such as:

  • mobile malware, capable of intercepting SMS codes or modifying transactions,
  • remote‑access tools that allow criminals to operate directly on the victim’s device,
  • botnets, used to send mass smishing campaigns or to perform credential‑testing attacks,
  • advanced persistent threats (APTs), especially when targeting financial institutions, processors, or critical vendors.

This combination of human manipulation and technology creates multi‑layered attacks that are harder to detect with traditional rules‑based systems alone.

 

What This Means for PSPs: Fraud Detection Must Become Real‑Time and Intelligence‑Driven

The report underlines an important shift: traditional static fraud controls cannot keep up with human‑driven fraud tactics.

APP fraud typically bypasses:

  • strong customer authentication
  • device fingerprinting
  • transaction scoring

Why? Because the customer is convinced to approve the transaction themselves — often believing they are preventing fraud, not causing it.

To respond effectively, financial institutions increasingly need:

  • real‑time situational awareness
  • shared fraud intelligence across the ecosystem
  • new early‑warning indicators of emerging scams
  • the ability to detect contextual anomalies, not just suspicious transactions

This is where modern intelligence layers add value.

 

How LUXHUB’s Fraud Intelligence Gateway Helps PSPs Reduce Exposure to Social‑Engineering‑Driven Fraud

The FNC‑RF (Fichier National des Comptes bancaires signalés pour Risque de Fraude) was designed with these evolving fraud patterns in mind.

Instead of relying solely on what a bank can see internally, FNC‑RF enriches decision‑making with external fraud intelligence shared by other PSPs.

This means PSPs can:

  • identify emerging social‑engineering patterns before they escalate
  • detect unusual behaviour or anomalies linked to APP fraud
  • benefit from network‑wide insights, not just their own data
  • strengthen their fraud detection stack without adding friction to the user experience

When fraudsters use persuasion – not hacking – the only effective defence is to equip PSPs with better situational context.

LUXHUB is here to help PSPs interact with the Banque de France’s FNC-RF and make use of the information retrieved from it.

 

The EPC 2025 Fraud Trends Report paints a clear picture: fraud is shifting from the technical layer to the human layer, and this shift will continue as AI‑powered impersonation becomes mainstream.

In this environment, education, awareness, and intelligence sharing become as important as strong authentication.

In the next article of this series, we will look at one of today’s most widespread enablers of APP fraud — IBAN manipulation and invoice fraud — and explain why Verification of Payee (VOP) is a critical part of Europe’s fraud‑prevention toolbox.