Digital payment fraud in Denmark

Digital payment solutions are used for over 92 per cent of the total value of all citizens payments in Denmark. This is largely due to the preference for digital payment solutions and the ongoing digitalisation of Danish society.¹ The digital payments infrastructure is secure and efficient, and digitalisation has made it faster and easier for most people to make payments.

However, the increased use of digital payment solutions also means that the public and businesses are more exposed to digital fraud. In 2023, digital payment fraud in Denmark totalled approximately kr. 627 million. Almost half of this figure related to payment card fraud, where cards were used without the cardholders’ authorisation primarily on foreign websites, through payment to a fake online store for example. Bank account transfer fraud, also known as credit transfer scam, has increased in recent years and was on a par with payment card fraud in 2023. In contrast, the number of in-person robberies has more than halved over the last 10 years and no bank robberies were recorded in Denmark in 2022 or 2023.² These figures emphasise that criminals have largely gone digital and are following the evolution of society.

New technologies, security measures and European rules for two-factor authentication of digital payments have made it difficult for criminals to make digital payments and credit transfers from online banks without requiring authorisation from the account holder. Digital payment fraud is therefore increasing as criminals succeed in tricking account holders to pay or transfer money to them.

Trends in fraud patterns show that criminals have continuously adapted their methods to new technologies and regulations. It is therefore important that the public and companies in a digital society are aware that they are increasingly at risk of being tricked into authorising fraudulent payments.

In addition to scams that trick cardholders into making payments, digital payments also carry the risk of unauthorised use of payment details to make payments without the cardholder's authorisation. This happens, for example, in the case of payment card fraud, where criminals manage to obtain a payment card and the associated PIN.

In this analysis, scams are defined as cases where scammers succeed in deceiving and tricking the account holder into making payments or credit transfers to the criminals themselves. Payment solution fraud is defined as the fraudster's use of payment solutions without the direct involvement of the victim.

This is the first time that Danmarks Nationalbank has been able to analyse trends in fraud and scams with both payment cards and credit transfers. This is due to new data on credit transfers.³ In addition quarterly data from Danmarks Nationalbank on payment card fraud were used.

When Danish cardholders buy goods and services in a store or online, they increasingly use digital payment solutions such as payment cards and mobile phones. Paying with a payment card is safe and easy, but sometimes fraudsters manage to make payments without the cardholder's authorisation. This could be because the cardholder's payment card has been stolen after the fraudster has copied the PIN, for example, or because the fraudster has obtained the card details by stealing them from the cardholder via a payment link in a text message or through payment to a fake online store, for example.

The total recorded fraud of payment cards issued by Danish banks in 2023 was approximately kr. 294 million, see chart 1.⁴ Payment card fraud was spread over approximately 232,000 fraud-related card payments. This gives an average fraud value per payment of just under kr. 1,300. Total fraud value should be seen in the context of the fact that total card turnover in 2023 was approximately kr. 800 billion. This means that payment card fraud averaged kr. 369 per million kroner spent.

Payment card fraud has been declining for a number of years. This is largely due to new security measures and new European payment authorisation rules, see box 1. In addition, 2020 and 2021 saw widespread lockdowns due to the coronavirus pandemic, making it difficult for fraudsters to copy PINs and steal physical payment cards. But payment card fraud has increased since 2021, which may be due to increased shopping on foreign websites and fraudsters finding new ways to gain access to payment cards.

In an international context, relative payment card fraud is lower in Denmark than in the rest of Europe. In 2021, when payment card fraud was last calculated across Europe, the Danish fraud rate was 0.20 per cent, while the European average was 0.26 per cent, see chart 2. However, relative card fraud has increased in Denmark since 2021. A similar trend has been observed in Sweden.⁵

Most fraud with Danish payment cards occurs in foreign e-commerce 

Danish payment card fraud occurs mainly on foreign websites, see chart 3. In 2023, total fraud with Danish-issued payment cards in foreign e-commerce was kr. 219 million, corresponding to approx. 75 per cent of total card fraud.

There may be several reasons why payment card fraud on foreign websites is increasing. One of the reasons is that the requirements for two-factor authentication of payments do not apply outside the EEA.⁶ This enables fraud with Danish payment cards if the fraudsters have gained knowledge of the payment card details and the foreign website has not implemented similar security measures for authorising the payment.

In the first half of 2023, almost half of total payment card fraud took place abroad outside the EEA, even though less than a fifth of total foreign turnover on Danish payment cards was made in the region. Relative Danish payment card fraud is thus significantly higher outside Europe than in Europe and especially in relation to Denmark, see chart 4.

Methods used by fraudsters and scammers to steal payment card details

Among other things, fraudsters use fake online stores to gain access to cardholder details. This happens, for example, when paying on a fake online store in expectation of receiving a product or when making card payments in connection with fake investment opportunities. See more examples in box 2.

Scammers also make extensive use of phishing and smishing, using email or text messages to steal payment card details and personal data. This is done, for example, by the scammers pretending to be from a bank or Danish authorities.⁷

The methods used by scammers make it difficult to combat fraud and scams, as the cardholders themselves provide the card details and in some cases also authorise the payment. This allows the scammers to receive the original payment and use the card details to make other fraudulent purchases or transactions. However, the two-factor authentication rules do seem to be limiting the ability of scammers to make additional payment demands within the EEA, which may help explain why the relative value of fraud is higher outside the EEA, see chart 4. 

Geographical blocking can limit payment card fraud abroad

Some payment cards allow so-called geo-blocking. This means that cardholders can choose not to use a card for payments in specific geographical areas or for certain payment situations, such as online shopping or cash withdrawals. This prevents the possibility of payment card fraud in certain geographical areas or payment situations when cardholders would not typically use the card. This applies, for example, to online shopping outside of Europe. If a cardholder needs to pay in a blocked area or in a blocked payment situation at a later date, the block can usually be lifted temporarily or permanently via online or mobile banking.

However, not all card types support geo-blocking. This is partly due to the fact that several card issuers do not offer the blocking option and that awareness of geo-blocking among the population is limited. Increased use of geo-blocking is believed to reduce payment card fraud but requires a wider roll-out of the solution across card types and card issuers.

Payment card fraud in Denmark is low in physical trade and online

The extent of payment card fraud in Denmark is relatively low. In 2023, the total value of payment card fraud in Denmark was kr. 56 million. Of this figure, approx. 40 per cent took place online, while the remainder was in physical trade and at ATMs, see chart 3. This means that payment card fraud in Denmark differs from payment card fraud abroad in that the value of fraud in Danish e-commerce is just as low as in physical trade. In 2023, the relative proportion of payment card fraud in both online and physical trade was approximately 0.1 per mille. The low proportion emphasises that payments in Denmark are very secure. 

The high level of security is due to the fact that payment cards are secure and difficult to counterfeit, and that card schemes and financial institutions have consistently developed and implemented effective real-time mechanisms to identify suspicious transactions. As a result, virtually all fraudulent transactions in physical trade in Denmark are down to lost or stolen payment cards.⁸

Card payments using mobile phones have given fraudsters and scammers new opportunities

Denmark is one of the most digitalised countries in the world when it comes to payments, with around 9 out of 10 payments in physical trade being made digitally.⁹ But the high degree of digitalisation also provides fraudsters and scammers with new payment options that are not necessarily as common in other countries. For example, card payments via mobile phones, wallet payments such as Apple Pay or Google Pay, which are widely used in Denmark.

Wallet payments have made it possible for criminals to digitise stolen payment card details on their own mobile phones. In addition, a particular challenge with wallet payments is that if fraudsters manage to digitise a stolen payment card, they can withdraw money from the associated payment account without knowing the PIN. This is because they can authorise payments with their own mobile phone pass code or face recognition rather than the card's PIN.¹⁰

However, digitising a stolen payment card is difficult because it also requires authorisation from the card owner using MitID. Financial institutions and card schemes also prevent a large number of the attempts made by fraudsters and scammers. Wallet payment fraud is therefore usually due to the cardholder having been the victim of identity theft¹¹ or that the scammer has tricked the cardholder into authorising the digitalisation of the payment card on the scammer's mobile phone.

Since 2021, the value of payment card fraud in Danish physical trade has doubled to just over kr. 14 million, largely due to the fact that the average transaction value has increased and that fraudsters and scammers are increasingly managing to pay without using PINs, e.g. by using wallet payments, see charts 5 and 6.

The increase in the value of fraud where a PIN is not used should particularly be seen in light of the fact that before the introduction of mobile wallet payments, it was impossible to make card payments in physical trade of over kr. 350 without using a PIN, see box 1. Viewed in isolation, wallet payments have made it possible for fraudsters and scammers to illegally use stolen payment card details for large transaction values without knowing the PIN if they manage to digitise the payment card.

Wallet payment fraud can be difficult to detect for the public and financial institutions, as the payments typically look like ordinary everyday transactions when they appear in online banking. Neither is a card actually lost, which means that in some cases it can take a long time before the fraud is detected.

Ways in which fraudsters can commit fraud and misuse bank account details have changed in recent years. This is partly because account holders are increasingly making transfers themselves without the direct involvement of their bank, e.g. using mobile or online banking, and because the population is increasingly using digital payment solutions that use credit transfers to make payments, e.g. MobilePay.

Unlike card payment fraud, financial crime associated with credit transfers is typically related to financial scams where account holders are tricked into making the transfer. It also means that credit transfer fraud is not necessarily linked to a payment situation.

Credit transfer fraud via mobile or online banking also differ from payment card fraud in that payment cards are only linked to one specific account, with cash withdrawals and ongoing spending with payment cards usually limited in amount. However, if the scammer manages to gain access to online banking, perhaps by tricking the victim into providing authorisation, it is possible to make credit transfers from several accounts and simultaneously empty them or create overdrafts if the account allows.

In most cases, banks are successful in preventing scams. Nevertheless, the total value of credit transfer fraud has been increasing and in 2023 was approximately kr. 333 million, see chart 7. This is roughly on a par with the value of payment card fraud, which in the same period was approximately kr. 294 million. However, unlike payment card, significantly fewer, but on average larger fraudulent transactions were recorded. In 2023, approximately 9,400 fraudulent credit transfers were recorded with an average value of approximately kr. 35,300. In comparison, the average value of payment card fraud was just under kr. 1,300 in 2023, see section 2.

According to figures from the organisation representing the interests of banks, Finance Denmark, members of the public are the main victims of credit transfer fraud: In the first half of 2023, fraud related to the public accounted for approximately 80 per cent of the total fraud value, while business fraud accounted for just under 20 per cent.¹² This has led to several authorities and organisations communicating with cardholders to try and prevent digital scams, see box 2.

Credit transfer fraud stem particularly from scams where account holders make the payment to the scammer

The rules for two-factor authentication mean that accessing online banking and making payments requires authorisation with MitID, for example. This has increasingly made it necessary for scammers to involve cardholders to complete and authorise fraudulent payments.

Credit transfer fraud therefore increasingly involve account holders being tricked into transferring money to the scammers, for example, under the guise of claiming that their online banking has been hacked and therefore they should transfer their savings to a ‘secure account’.

Approximately 81 per cent of the total value of credit transfer fraud in 2023 were scams of private or corporate account holders transferring money themselves, see chart 8. This happens, for example, when criminals contact account holders by phone and pretend to be from a bank or Danish authorities or when an account holder sees a fake advert on social media or trading platforms and makes a payment using a mobile phone, for example.¹³

Since the introduction of two-factor authentication, the vast majority of fraudulent credit transfers have been authorised using two-factor authentication, see chart 9. This emphasises that fraudsters and scammers are constantly changing and adapting the methods they use to commit fraud as new security measures are introduced.

The remaining cases of fraud that do not directly involve account holders are primarily cases where the fraudster has gained access to an account holder's online bank and made the transfer themselves. These may be due to phishing, where the fraudster manages to get login details, or the fraudster manages to steal information in some other way, for example by installing malicious software, also known as malware. In order for the fraudsters to complete the transfer themselves, they also need to be able to authorise the transfer using MitID.

Only in a few cases do fraudsters manage to modify an existing payment order, which emphasises that the payments infrastructure itself is very secure.

Most attempts at credit transfer scams are stopped by banks

In most cases, banks manage to stop credit transfer scams before it happens. According to figures from Finance Denmark, banks prevented approximately 60 per cent of the total value of attempted scams in 2022.¹⁴

Banks also manage to recover some of the value of scams that initially flow through the payment systems. Of the total value of credit transfer fraud in 2023 of approx. kr. 333 million, the banks succeeded in reversing approx. kr. 67 million. The total loss in the period was therefore approx. kr. 266 million.

Credit transfer scams, where account holders are tricked into transferring money, can be difficult for banks to prevent as the transactions can look like regular credit transfers made by the account holder. Furthermore, two-factor authentication does not prevent payment, as the payer authorises the transaction themselves.

If account holders have been victims of credit transfer scams and have made and authorised the payments themselves, they will be liable for the financial loss in most cases, see box 3. Of the total losses in 2023, payers who were victims were liable for approx. kr. 223 million, corresponding to approx. 84 per cent of the total losses, see chart 10.

To curb digital scams, the Danish Ministry of Industry, Business and Financial Affairs in collaboration with Finance Denmark, Forbrugerrådet Tænk (Danish Consumer Council), the telecoms industry and Ældre Sagen (DaneAge Association) launched four initiatives in the autumn of 2023. They include a reduced daily limit for instant payments of kr. 50,000 without first contacting the bank and awareness campaigns on digital scams. A solution has also been implemented enabling senders of text messages to have their sender name protected so that scammers cannot impersonate a bank or government agency.¹⁵ More recently, Finance Denmark launched the campaign Sikker bank - sammen (Safe banking - together) and set up a fraud task force to identify new initiatives and recommendations to reduce digital scams in December 2023.¹⁶

A large proportion of credit transfer fraud is to Danish accounts

In contrast to payment card fraud, a large proportion of the total credit transfer scams occurs through Danish accounts, see chart 7.

As part of uncovering digital payment fraud in Denmark, Danmarks Nationalbank has been in dialogue with some of the largest payment and financial institutions in Denmark to gain insight into the fraud patterns that typically affect their customers and why fraudulent credit transfers are made to Danish accounts in particular.

Those institutions cite several possible explanations. One reason is that the payments infrastructure for domestic credit transfers is better connected than for foreign accounts. This is because most credit transfers abroad require more information in order for the transfer to be completed. In addition, credit transfers abroad typically take longer, giving institutions and account holders more time to prevent fraudulent transfers.

Another reason, according to the institutions, is that credit transfer fraud often occurs when scammers trick account holders into transferring money to the scammers: In this case, payers will probably perceive a transfer to a foreign account as more suspicious than to a Danish bank account.

Finally, according to the financial institutions, the fraud pattern should be seen in the context of the fact that scammers often use a combination of payment card fraud and credit transfer scams. This means that scammers use a stolen recipient account for which they also have access to payment card details. This enables credit transfers from other victims, after which the scammers can pay, withdraw, obscure, or transfer the money abroad.

In the spring of 2023, Danmarks Nationalbank used a questionnaire to survey public payment habits. Among other things, the survey provided insight into the types of fraud the public is exposed to and whether digital fraud is more prevalent in certain cohorts of the population. Respondents were asked if they had made a payment in the past year in connection with a purchase or investment opportunity that turned out to be a scam.¹⁷

According to the survey, 16 per cent of respondents had paid for a product or service that they never received. Similarly, just under 5 per cent of respondents indicated that they had paid money for an investment that turned out to be a scam.¹⁸ The results therefore indicate that a larger proportion of the population has experienced payment situations that involved a potential scam, but this does not necessarily mean that financial loss was experienced.¹⁹

Across the population, it was especially those under the age of 50 who experienced paying for a product or service that they never received. However, the results should be seen in light of the fact that the same population cohort often shops more online. Similarly, the study showed that it was typically citizens under the age of 60 who transferred or paid money for an investment that turned out to be a scam. The results therefore indicate that digital scams affect all cohorts of the population, see chart 11.²⁰

In Danmarks Nationalbank's survey, respondents were also asked whether they had been contacted by telephone within the past year by a person who pretended to be from a bank or authority, for example, but turned out to be a scammer. According to the survey, approximately 18 per cent of the population had received a phone call or text message from a scammer at least once in the past year. However, the vast majority of respondents contacted recognised the scam and therefore did not transfer any money. But scammers still managed to trick around 1 per cent of the population into transferring money, see chart 12.²¹

The analysis consists of a Danish and an English version. In case of doubt as to the correctness of the translation, the Danish version will prevail.

Editing completed on 22 April 2024.