The Trillion-Dollar Fraud Problem Coming for Europe's Fintechs
The World Economic Forum does not typically traffic in alarmism. Its annual reports tend to favor the measured and the technocratic, the kind of prose that sounds sober even when the news is bad. So when its Global Cybersecurity Outlook 2026, published in collaboration with Accenture, describes an environment in which cyber-enabled fraud has become a defining economic force, the language is worth taking seriously.
The headline number is staggering. The report estimates that cyber-enabled fraud now costs the global economy roughly $1.1 trillion a year, a figure equivalent to approximately 3% of global GDP. That sum rivals the annual output of entire mid-sized nations. And unlike traditional cybercrime, which tends to land on the desks of chief information security officers, fraud has migrated upward: CEOs now rate it as their top cybersecurity concern, displacing ransomware for the first time. For European fintech and financial services executives, this shift has implications that reach well beyond the IT department.
As Michael Miebach, Mastercard's chief executive, wrote in the report:
"Cybersecurity is the foundation for our digital world. It is at the heart of trust and will allow society to fully benefit from the transformations enabled by new technologies like AI and quantum. But it's not something one can do on their own. We have to come together, share intelligence globally and develop the skills equal to emerging risks."
Michael Miebach, Chief Executive Officer, Mastercard
The AI problem on both sides
The scale of the AI challenge was captured succinctly by Josephine Teo, Singapore's Minister for Digital Development and Information, in her contribution to the report:
"Developments in AI are reshaping multiple domains, including cybersecurity. Implemented well, these technologies can assist and support human operators in detecting, defending and responding to cyber threats. However, they can also pose serious risks such as data leaks, cyberattacks and online harms if they malfunction, or are misused."
Josephine Teo, Minister for Digital Development and Information, Singapore
The report, which drew responses from 804 qualified participants across 92 countries including hundreds of CISOs, CEOs, and other senior executives, paints a picture of artificial intelligence as both an extraordinary defense tool and a rapidly accelerating threat vector. Some 94% of respondents identified AI as the most significant driver of cybersecurity change in 2026, and 87% flagged AI-related vulnerabilities as the fastest-growing risk category over the past year.
What makes this especially relevant for financial services is the granularity of those vulnerabilities. Among surveyed leaders, 34% cited generative AI data leaks as a primary concern, while 29% pointed to enhanced adversarial tactics enabled by AI tools. These are not abstract worries. Deepfake scams impersonating crypto executives have already surfaced as real-world fraud vectors, and the sophistication of AI-generated phishing is outpacing the training programs most organizations have in place.
There is a silver lining in the data, though it requires some squinting. Organizations that assess the security implications of their AI tools nearly doubled from 37% in 2025 to 64% in 2026, according to the report. This suggests that awareness is translating into governance, even if governance is still struggling to keep pace with the technology it aims to regulate.
The defensive potential of AI is not lost on industry leaders. As IBM's chief executive Arvind Krishna argued in the report:
"Criminals are always willing to use all possible ways to get access to value, much of which is contained in the cyber infrastructure. Consequently, to stay ahead, those of us who defend must use every tool at our disposal, which now includes agentic AI."
Arvind Krishna, Chief Executive Officer, IBM
Fraud gets personal
One of the more sobering statistics in the report concerns the prevalence of personal experience with fraud. Among respondents, 73% reported that they or someone in their network had been directly affected by cyber-enabled fraud over the course of 2025. For a survey of senior business and technology leaders, this is a remarkable figure. It suggests that fraud is no longer an abstraction confined to risk registers; it is a lived experience cutting across income levels, industries, and geographies.
In the cryptocurrency space, the picture is particularly grim. One in eight respondents to the WEF survey reported being personally affected by cryptocurrency fraud. The irreversibility of blockchain transactions, combined with the pseudonymity they afford, makes crypto an especially attractive target for organized fraud. Once stolen funds leave a wallet, recovery is virtually impossible.
Geopolitics and supply chains
Fraud and AI are not the only forces reshaping the threat landscape. The report identifies geopolitical fragmentation as the top factor influencing how organizations approach cyber risk, with 64% now accounting for geopolitically motivated cyberattacks such as infrastructure disruption or espionage. Among the largest organizations surveyed, 91% reported having changed their cybersecurity strategies in response to geopolitical volatility.
For European fintech firms, which frequently operate across borders and rely on interconnected digital infrastructure, this is a particularly acute concern. The report notes that hybrid attacks targeting European airports and critical infrastructure have escalated, and that the use of advanced offensive cyber capabilities by nation-state actors continues to evolve. Confidence in national cyber preparedness, meanwhile, is eroding: 31% of respondents expressed low confidence in their country's ability to respond to a major cyber incident, up from 26% the previous year.
Supply chain vulnerabilities compound the problem. Some 65% of large firms cited third-party dependencies as a top barrier to resilience. In the fintech ecosystem, where companies commonly rely on cloud providers, payment processors, and API integrators operated by third parties, a failure at one node can cascade rapidly across the entire network. Only a third of organizations surveyed had fully mapped their third-party ecosystem, a number that should trouble anyone whose business model depends on a web of digital partnerships.
The inequity gap
The report also highlights a growing divide in cyber resilience that maps uncomfortably well onto the European fintech landscape. Smaller entities are roughly twice as likely as large organizations to lack adequate resilience, a disparity driven by talent shortages and resource constraints. For a region whose fintech sector is characterized by a vibrant ecosystem of startups and scale-ups, this is not a peripheral issue. Many of the companies most central to European financial innovation are precisely the ones least equipped to absorb a sophisticated cyber attack.
This inequity is amplified by an acute global skills deficit. Cybersecurity talent remains scarce everywhere, but the shortage falls disproportionately on smaller firms that cannot compete with the compensation packages offered by banks and large technology companies. The result is a two-tier system in which well-resourced incumbents build ever-more-sophisticated defenses while smaller innovators are left increasingly exposed.
DORA and the regulatory reckoning
The timing of this report is notable because it lands in a regulatory environment that is already demanding significantly more from European financial services firms. The EU's Digital Operational Resilience Act, which became fully applicable in January 2025, represents the most comprehensive attempt yet to impose uniform cyber resilience standards across the financial sector. DORA applies to more than twenty categories of financial entities, from banks and insurers to crypto-asset service providers and crowdfunding platforms, and extends oversight to the critical technology providers that serve them.
For fintechs, the operational burden is considerable. DORA requires robust ICT risk management frameworks, incident reporting protocols, third-party risk management strategies, and regular digital resilience testing. Regulators are treating 2025 as a transition year, but the expectation is that enforcement will tighten steadily. Penalties can reach up to 2% of annual worldwide turnover for financial entities and 1% of average daily worldwide turnover for designated critical ICT providers.
The WEF report effectively serves as a stress test for these regulatory frameworks. If 65% of large firms still view supply chain dependencies as a major resilience barrier, and if smaller fintechs are twice as likely to lack basic cyber resilience, then the compliance timelines embedded in DORA may be optimistic. The regulation assumes a baseline of organizational maturity that many firms, particularly those with lean teams and heavy reliance on third-party infrastructure, have yet to achieve.
What comes next
The report's core message is that siloed responses to these converging threats are inadequate. Cybersecurity can no longer be treated as a departmental function or a compliance checkbox. It requires collaborative approaches that span governments, regulators, industry consortiums, and individual organizations. The WEF calls for intelligence-sharing frameworks, collective resilience standards, and a recognition that the interconnected nature of digital finance means that a vulnerability anywhere is a vulnerability everywhere.
For European fintech executives reading this report, the practical takeaways are clear: investment in AI security governance is now essential rather than aspirational; supply chain mapping and third-party risk management need to be treated as strategic priorities, not operational afterthoughts; and the talent gap in cybersecurity demands creative solutions, whether through partnerships, managed security services, or industry-wide training initiatives.
The trillion-dollar fraud problem described in this report is not a prediction. It is a present reality. The question for Europe's financial technology sector is whether its response will be proportionate to the scale of the threat.