The Italian Financial Computer Emergency Response Team (CERTFin)—a public-private cooperative initiative aimed at enhancing both the cyber risk management capabilities of financial operators and the overall resilience of the Italian financial system—publishes an annual report on cybersecurity and banking fraud. The 2025 edition, released in May, is based on data provided by 29 banking institutions, covering approximately 95% of the sector in terms of employee headcount.
This article examines three main aspects of the report: (i) the scope and magnitude of banking fraud, (ii) the most prevalent attack vectors, and (iii) the detection mechanisms most frequently employed to counteract fraudulent activity.
Fraud Dimensions and Classification
The scale of digital banking activity underscores the attractiveness of the sector to fraudsters: in 2024, nearly 7.5 billion of accesses were recorded for retail clients (individuals), alongside more than 500 million for corporate clients. Within this context, the report defines three categories of fraudulent transactions:
- Blocked fraudulent transactions: detected and intercepted before any financial loss to the account holder;
- Recovered fraudulent transactions: resulting in the temporary transfer of funds, subsequently retrieved;
- Effective fraudulent transactions: successful frauds that generated an economic loss for the customer, regardless of any subsequent reimbursement.
CERTFin, Bank Security and Cyber Fraud 2025, Diagram showing the sequences of carrying out a fraudulent transaction
Key Quantitative Findings
In the retail segment, the proportion of active clients experiencing credential theft rose from 0.14% in 2023 to 0.315% in 2024. Despite this, the percentage of clients sustaining actual economic losses from credential theft dropped significantly, from 20% to 3%. Conversely, in the corporate segment, the incidence of credential theft fell (from 0.08% to 0.02% of active clients), while the proportion incurring losses remained stable at approximately one-third.
Regarding payment instruments (excluding card fraud), instant credit transfers emerged as the primary vehicle for effective frauds (67% of cases), while the share of ordinary transfers declined significantly (from over 40% to below 20%). This prompted a detailed assessment of countermeasures, with transaction amount limits ranking highest, followed by customer alerts issued before execution. The most widely reported detection indicators were the addition of a new beneficiary and the foreign destination of a transfer.
For corporate clients, however, ordinary credit transfers remained the predominant method, accounting for 55% of anomalous transactions.
Aggregate Dynamics
Across both client segments, the breakdown of anomalous fraudulent transactions shows that in 2024, in terms of financial amounts, 84% are blocked, 5% are recovered and 11% are effective. The value associated with effective frauds remained however stable, while recovered funds amounted to €23 million. Since the introduction of the Interbank Cooperation Protocol on Fraud in 2020, a total of over € 100 million in recovered funds has been achieved through domestic PSP cooperation.
Demographic analysis revealed a decline in fraud targeting younger clients (under 30), with a slight rise among senior clientele.
Geographic Distribution of Fraudulent Transfers
Geographically, Lithuania retained its position as the primary intra-EEA destination of illicit funds for the fourth consecutive year, while the United Kingdom continued to dominate extra-EEA flows. Cross-border fraud attempts grew further in 2024, with nearly €53 million involved—building on a trend of sharp year-on-year increases.
CERTFin, Bank Security and Cyber Fraud 2025, Countries receiving anomalous transactions within the EEA overall view by country – (24 respondents, 46 incidents) – R&C segment
CERTFin, Bank Security and Cyber Fraud 2025, Countries receiving anomalous transactions outside the EEA – overall view by country (13 respondents, 26 incidents) – R&C segments
Fraud Techniques and Attack Vectors
In 2024, social engineering remained the primary enabler of fraud Among retail clients, 76% of effective frauds involved payer manipulation schemes, whereby victims are deceived into initiating transfers to accounts controlled by fraudsters. In the corporate sector, this share was 59%. Notably, in 99% of successful fraud cases, Strong Customer Authentication (SCA) under the EU’s Payment Services Directive 2 (PSD2) was correctly applied—highlighting the limited effectiveness of SCA against manipulation-based attacks.
Telephone calls and SMS were the initial vectors in more than 60% of retail frauds and 58% of corporate frauds. At the execution stage, user manipulation accounted for 86% of retail fraud schemes, while Business Email Compromise (BEC) represented the predominant corporate attack vector (49%).
A noteworthy emerging threat concerns the illicit use of remote account opening via identity theft, which increased by 125% in 2024. In this context, deepfake audio and video technologies are increasingly exploited to impersonate legitimate clients. Alarmingly, only 7% of fraudulent digital onboarding attempts using artificial intelligence were detected in real time. To address this gap, since 2025 financial institutions have been introducing dedicated software to analyze uploaded documents and video recordings.
Detection Mechanisms
Fraudulent operations are primarily identified through internal transaction monitoring systems, which accounted for 58% of detections in the retail segment and 52% in the corporate segment. Customer disputes and denial of operations represented the second most relevant channel, stable at 21% for retail and rising to 27% for corporate clients.
Conclusion
The 2025 CERTFin Report illustrates how banking fraud in Italy persists as a multidimensional and adaptive phenomenon. The evidence confirms that the primary vulnerability of the financial system lies not in the failure of technical safeguards—such as Strong Customer Authentication, which was correctly applied in nearly all successful fraud cases—but instead in the persistent susceptibility of users to social engineering strategies. This observation emphasizes the inherent limitations of regulatory and technological instruments when confronted with manipulation-based attacks.
The persistence of Business Email Compromise in the corporate sector, coupled with the rise of AI-driven techniques such as deepfake-enabled identity theft during digital onboarding, suggests that the threat landscape is undergoing a structural transformation. These developments not only erode the effectiveness of existing monitoring and detection frameworks but also highlight the need for continuous innovation in fraud-prevention methodologies.
Moreover, the expansion of cross-border illicit flows, particularly towards specific European and extra-European jurisdictions, underscores the need for enhanced international coordination mechanisms and information-sharing protocols. Taken together, these findings call for a dual strategy: on the one hand, the reinforcement of technological infrastructures and analytic capabilities, and on the other, a sustained investment in client awareness, organizational training, and inter-institutional collaboration. Only through such an integrated approach can the Italian financial system preserve its resilience against a fraud environment characterized by increasing sophistication and systemic interdependence.
Authored by Maria Ferrucci, Research analyst at CERTFin Italy.