
How phishing and weak security mechanisms are challenging the market

A personal case of fraud as a starting point

Last year around Black Friday, I myself became a victim of fraud. It all started when I was sitting on the sofa in the evening. Suddenly, around 100 emails poured into my inbox on my cell phone within a few seconds. When I looked at them, a little confused, I realized that almost all the emails were confirmations for newsletter subscriptions, which I had of course never requested. However, three emails caught my eye in particular: an order confirmation from a spice retailer and two emails from PayPal – a confirmation of the transaction and a confirmation of a new direct debit mandate. I was particularly impressed that they seemed to have used my complete, real data, i.e. email address, postal address and bank details. I immediately checked my PayPal app but couldn’t find anything suspicious. Of course, I immediately contacted the store and PayPal to inform them that the order was not mine and should be canceled. In the end, I also filed a complaint against unknown persons, which of course had very little chance of success.

 

What happened?

An order from an online store that I never placed was processed via PayPal guest access – and my bank details were used for a direct debit. The transaction did not appear in my PayPal account because the guest mode was used. This mode makes it possible to make payments without needing an active account.

From my point of view, there is a fundamental problem here: PayPal could have prevented my bank details from being used in guest mode with a simple data comparison, as they are already linked to my active account. This security loophole opens the door to scams that not only endanger consumers, but also reduce trust in this payment service provider.

 

A growing problem: phishing and fraud in payment transactions

My case is not an isolated one. A quick search shows that more and more people are being affected by similar scams; the combination of phishing emails and guest checkout at payment services is exploited particularly often. Studies and reports from security authorities record a sharp rise in phishing and fraud attempts in recent years. Consumers are confronted on every channel – email, SMS, social media – with fake messages designed to harvest sensitive data.

There is a clear trend: fraudsters specifically target the weak points of the digital transformation of payments, whether through forged SEPA direct debit mandates, compromised account data or manipulated payment pages. The range of methods is frighteningly wide. End customers are often unaware of this and do not know their rights, or know them only partially, which makes them easy prey for professional fraudsters.

 

How the market is reacting – and what challenges remain

Market participants are reacting to this development in different ways. The regulatory requirements for banks arising from the EU regulation on instant payments include the Verification of Payee (VoP). This check compares the name entered by the payer with the account holder’s name registered to the IBAN, and from October 9, 2025 it applies to traditional SEPA credit transfers as well as instant credit transfers. The aim is to catch misdirected or manipulated transfers before the payer confirms them. This is a welcome step, but implementing it poses significant challenges. Particularly with instant payments, which banks are obliged to offer under current regulation, the risk could even increase, because real-time settlement lets fraudsters move funds on before the victims or the banks notice anything suspicious. In practice, it will have to be shown that the Verification of Payee warnings actually stop bank customers from falling for fraudsters.
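To make the mechanism concrete, here is a simplified version of the IBAN/name comparison that Verification of Payee performs, written as an added example for this article (it is not code from any bank or from the EPC scheme). The sample account register, the similarity threshold, the list of ignored legal-form suffixes and the outcome labels are assumptions of this example; in the real scheme the check runs between the payer’s bank and the payee’s bank, and only the outcome is shown to the payer before the transfer is confirmed.

```python
"""Simplified Verification of Payee (VoP) check: IBAN checksum plus
name comparison returning a scheme-style outcome. Added illustration;
register contents, threshold and outcome labels are assumptions."""
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed sample of the payee bank's account register (no real accounts).
ACCOUNT_REGISTER = {
    "DE89370400440532013000": "Max Mustermann",
    "DE02120300000000202051": "Erika Musterfrau GmbH",
}

# Similarity below which a near-miss is reported as "no match" (assumed value).
CLOSE_MATCH_THRESHOLD = 0.8

# Legal-form tokens ignored when comparing names (assumed, not the scheme's list).
LEGAL_FORMS = {"gmbh", "ag", "kg", "ug", "ltd", "limited", "inc", "plc", "sa", "bv"}


def compact_iban(iban: str) -> str:
    """Remove spaces and upper-case, so 'de89 3704 ...' and 'DE893704...' agree."""
    return re.sub(r"\s+", "", iban).upper()


def iban_is_valid(iban: str) -> bool:
    """ISO 13616 check: move the first four characters to the end, replace
    letters by 10..35 and require the resulting integer to be 1 modulo 97."""
    s = compact_iban(iban)
    if not re.fullmatch(r"[A-Z]{2}[0-9]{2}[A-Z0-9]{11,30}", s):
        return False
    rearranged = s[4:] + s[:4]
    # int(ch, 36) maps '0'-'9' to 0-9 and 'A'-'Z' to 10-35
    numeric = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(numeric) % 97 == 1


def normalise_name(name: str) -> str:
    """Lower-case, strip accents, drop punctuation and legal-form suffixes."""
    decomposed = unicodedata.normalize("NFKD", name)
    without_accents = "".join(c for c in decomposed if not unicodedata.combining(c))
    tokens = re.sub(r"[^a-z0-9]+", " ", without_accents.lower()).split()
    return " ".join(t for t in tokens if t not in LEGAL_FORMS)


def verify_payee(iban: str, payer_supplied_name: str, register=ACCOUNT_REGISTER):
    """Return (outcome, registered_name).

    outcome is one of 'match', 'close_match', 'no_match', 'unable_to_verify'.
    The registered name is disclosed only for a close match, so the payer can
    decide whether to proceed; it is never disclosed for a no-match, which
    would otherwise let an attacker probe account holder names.
    """
    if not iban_is_valid(iban):
        return "unable_to_verify", None
    registered = register.get(compact_iban(iban))
    if registered is None:
        return "unable_to_verify", None
    supplied, expected = normalise_name(payer_supplied_name), normalise_name(registered)
    if supplied == expected:
        return "match", registered
    similarity = SequenceMatcher(None, supplied, expected).ratio()
    if similarity >= CLOSE_MATCH_THRESHOLD:
        return "close_match", registered
    return "no_match", None


if __name__ == "__main__":
    # Constructed payer inputs: exact name, typo in the name, missing legal
    # form, wrong payee name, and an IBAN with a broken check digit.
    attempts = [
        ("DE89 3704 0044 0532 0130 00", "Max Mustermann"),
        ("DE89 3704 0044 0532 0130 00", "Max Musterman"),
        ("DE02 1203 0000 0000 2020 51", "erika musterfrau"),
        ("DE89 3704 0044 0532 0130 00", "Hans Schmidt"),
        ("DE00 3704 0044 0532 0130 00", "Max Mustermann"),
    ]
    for iban, name in attempts:
        outcome, disclosed = verify_payee(iban, name)
        suffix = f" (registered: {disclosed})" if disclosed else ""
        print(f"{iban} / {name!r}: {outcome}{suffix}")
```

The point of the four outcomes is that a warning is only useful if the payer reads it: a "close match" that shows the registered name lets a customer spot a typo, while a "no match" on an IBAN a fraudster supplied is exactly the warning the article doubts customers will heed.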

The obligation to strengthen two-factor authentication (2FA) and the use of modern technologies such as artificial intelligence for fraud detection are also positive approaches, but they do not solve every problem: systems must not only become more secure but also more user-friendly. A simple data comparison in the case of PayPal would have prevented my fraud case and shows how important it is to apply existing security measures more consistently. Presumably not every customer is as familiar with their rights, PayPal’s buyer protection, chargeback rights and other security mechanisms as I am, and someone confronted with 100 emails may be overwhelmed and overlook something like this more easily.

 

What companies and consumers can do

This situation gives rise to several areas of action for companies in the payment industry and regulators:

– There needs to be an even greater focus on raising consumer awareness. Many users do not recognize phishing emails as such or do not pay attention to all security-relevant details. At the same time, the quality of phishing attacks is constantly increasing and is thus becoming more and more of a problem.

– Providers should critically scrutinize their security standards and check whether additional protective measures are required, especially for technologies such as guest access or instant payments.

– Regular security updates and clear communication about risks and how to minimize them can help to regain trust.

– Regulations must be constantly adapted and respond to changing attack patterns and attack vectors. In particular, the growing threat of hybrid warfare by state actors with particularly sophisticated cyber capabilities must also be taken into account.

On the consumer side, it remains crucial to stay vigilant: sensitive data such as banking details should only be entered in trusted environments, and suspicious transactions should be reported immediately.

 

Conclusion: vigilance and innovation are required

The fraud I experienced shows strikingly how vulnerable even established payment systems can be.

Digitalization brings enormous benefits for payment transactions, but also new risks. It is up to all market participants – consumers, merchants and supervisory authorities – to show vigilance and work together towards a more secure future.

Payment service providers such as PayPal must live up to their responsibilities and close existing vulnerabilities as quickly as possible. The upcoming regulatory changes such as Verification of Payee and the further spread of instant payments should be seen as an opportunity to strengthen trust in payment transactions in the long term.