Portugal's central banking authority estimates that new anti-fraud tools for bank transfers have blocked €6.5 million in attempted scams over the two years since their rollout in May 2024, a sharp reversal in a country that now sees fraud rates declining while the rest of the European Union trends upward.
Why This Matters:
• Every transfer now shows the recipient's name when you enter an IBAN, preventing "wrong account" scams.
• You can send money using just a phone number or tax ID, eliminating the need to share full account details.
• Portugal still lacks anti-spoofing laws, leaving residents vulnerable to fake caller ID attacks despite other protections.
Three Layers of Protection Now Standard
The Banco de Portugal has progressively deployed three interconnected security mechanisms that now underpin every digital payment made within the country. The first, beneficiary confirmation, went live in May 2024. When a customer types an IBAN into their banking app or web portal, the system instantly displays the legal name of the account holder before the transaction can be authorized. This simple step has proven remarkably effective against impersonation fraud, where criminals pose as family members, utility companies, or suppliers and provide fraudulent account numbers.
Seven weeks later, in June 2024, the central bank activated SPIN (Serviço de Pagamentos Instantâneos Nacionais), a directory service that lets users initiate transfers using a mobile phone number or corporate tax ID (NIPC) instead of a 25-character IBAN. Crucially, SPIN links those identifiers to verified accounts, so the beneficiary confirmation layer still applies. By June 2025, SPIN had facilitated 45M transactions, both instant and traditional.
The third component, a pan-European verification layer mandated by EU Regulation 2024/886, became operational in October 2025. This cross-border extension allows Portuguese institutions to verify beneficiary details for SEPA transfers across the euro area, and vice versa. All three services run around the clock at no additional cost to consumers, and banks are required to integrate them into mobile apps, web banking, and branch terminals.
How Fraud Patterns Have Shifted
Álvaro Santos Pereira, governor of the Banco de Portugal, told a digital fraud conference at the Museu do Dinheiro that manipulation-of-payer fraud—the category that includes "Hi Mum" or "Hi Dad" WhatsApp scams—represented 60% of fraudulent transfers in 2023 but fell to 16% in 2025. The five-month period ending May 2025 recorded a 21% year-on-year drop in this category when measured against the same window in 2024, before beneficiary confirmation existed.
Aggregate fraud rates remain lower in Portugal than in many peer nations. In the first half of 2025, the central bank logged four fraudulent direct debits per million operations, 10 fraudulent transfers per million, and 66 card fraud incidents per million transactions. Those figures represent a continued decline since mid-2024, bucking the broader EU trend of rising digital fraud.
That success, however, is not absolute. Santos Pereira acknowledged that beneficiary confirmation and SPIN offer no defense against spoofing, the technique by which criminals falsify caller ID to make a phone call appear to originate from a bank's official number or a government agency. Once a victim is on the line with what they believe is a legitimate institution, they may disregard on-screen warnings and authorize payments under duress or deception.
The Spoofing Gap and Legislative Delay
Portugal remains the only EU member state without specific anti-spoofing legislation for telecommunications. The governor publicly called for urgent regulatory action to close this vulnerability. Other European countries have begun implementing various countermeasures to address caller ID manipulation and voice fraud, though the specific technical approaches and implementation timelines vary across jurisdictions. The challenge underscores the importance of developing harmonized standards for voice-call authentication across the EU.
What This Means for Residents
If you live in Portugal and use online banking, these tools are already embedded in your workflow. You do not need to enable beneficiary confirmation—it activates automatically whenever you enter an IBAN, displaying the first account holder's name within seconds. If the name does not match your expectation, the transaction can be aborted before any money moves.
To receive funds via SPIN, you must link your mobile number or tax ID to your IBAN through your bank's app or website. Sending via SPIN requires no prior setup; you simply select the contact or enter the recipient's number, and the system retrieves the correct account. Major institutions including Millennium bcp, ActivoBank, Caixa Geral de Depósitos, and Crédito Agrícola have all integrated SPIN and are actively encouraging uptake.
The practical impact extends beyond individual consumers. Small businesses and freelancers who invoice clients can now share a phone number or NIPC instead of a full IBAN, reducing friction and limiting exposure of sensitive account data. The cross-border verification layer also means that if you receive an invoice from a supplier in Germany or France and want to confirm the account details before paying, your Portuguese bank can query the beneficiary's name through the SEPA network in real time.
Despite these advances, spoofing remains a frontline risk. If you receive an unexpected call from someone claiming to represent your bank—even if your phone displays the bank's official number—hang up and call back using the number printed on your card or listed on the institution's website. Never authorize a transfer or share access codes during an inbound call, regardless of how urgent the caller claims the situation is.
A Multi-Agency Platform to Track Emerging Threats
At the same conference where the €6.5M figure was disclosed, Santos Pereira announced the launch of a national digital fraud monitoring platform that brings together payment operators, telecommunications carriers, criminal investigation units, and judicial authorities. The initiative is designed to share intelligence in near-real time, identify new attack vectors as they emerge, and coordinate enforcement actions across sectors.
Portugal's relative success in curbing fraud has not gone unnoticed in European regulatory bodies. Coordinated approaches to fraud prevention across member states are increasingly recognized as essential as digital threats continue to evolve. For now, Portuguese residents benefit from one of the most integrated anti-fraud infrastructures in Europe—provided the interaction happens within a banking app or web portal. The challenge lies in extending that same rigor to the voice channel, where social engineering still exploits the one layer of trust that technology alone cannot authenticate: the human voice on the other end of the line.
