
Disrupting Fraud in the Balkans: A Holistic Approach for a Fragmented Region
Online fraud in the Balkans is evolving.
As digital banking accelerates and scams grow more targeted, banks in the region are facing increasingly sophisticated threats that cut through borders, languages, and institutions.
To stay ahead, financial institutions need to go beyond transaction monitoring. By disrupting fraud earlier and across more stages—from infrastructure to laundering—banks can protect customers more effectively and strengthen long-term fraud resilience.
A Region Shaped by Complexity
The Balkans offer a uniquely challenging landscape for fighting digital fraud. Countries like Slovenia, Croatia, and Romania operate within the EU regulatory framework, while neighbors such as Serbia follow separate national standards. This creates a patchwork of financial systems, oversight mechanisms, and enforcement capabilities.
While EU member states in the region follow harmonized rules like PSD2, anti-money laundering directives, and the upcoming Instant Payments Regulation (often referred to as PSD3), non-EU countries remain outside this alignment. The resulting variation in enforcement, oversight, and coordination can create blind spots—especially when fraud crosses borders. Cybercriminals are quick to exploit these gaps, using regulatory differences to establish infrastructure, move funds, or launch scams that extend beyond national boundaries.
Shared Language as a Lever for Scalable Fraud
For criminal networks, shared language offers operational efficiency. Closely related or mutually intelligible languages across Balkan borders make it easy for fraudsters to launch cross-border scams with minimal adaptation.
Consider Romania and Moldova. With Romanian spoken natively in both countries, phishing messages, fraudulent websites, and social engineering scripts created in Moldova can seamlessly target Romanian citizens—making the scams more convincing and harder to recognize.
A similar pattern exists between Serbian, Bosnian, and Croatian. While officially distinct, these languages remain largely mutually intelligible, allowing fraud operations to scale regionally without the need for localization.
For fraudsters, this linguistic overlap reduces cost and expands reach.
A Growing Attack Surface
Across the Balkans, digital adoption is accelerating, with consumers increasingly using online banking, contactless payments, biometrics, and e‑government services. But while infrastructure is advancing, public awareness hasn’t always kept up—particularly in more rural or underserved areas.
Some countries are making real progress. Slovenia has seen strong engagement with its national awareness campaign Varni na internetu, while Romania has aligned closely with EU cybersecurity norms and launched several public education initiatives. In contrast, neighbors like Kosovo and Montenegro are still developing their cybersecurity frameworks, often with fewer resources and institutional support.
This uneven maturity creates space for fraudsters to operate where defenses are weakest. While cross-border cooperation is improving, gaps remain—and fraud networks are quick to take advantage of them.
Main Fraud Trends in the Balkans
Fraud trends in the Balkans generally mirror those seen across Europe, with phishing remaining the most prevalent threat.
Recent investigations, including those by the Balkan Investigative Reporting Network (BIRN), have highlighted coordinated, region-wide phishing campaigns. These scams often impersonate public authorities or financial institutions, leveraging official-sounding messages to gain victims’ trust.
Banks have been frequent targets of these campaigns. Fraudulent emails typically inform customers of supposed account changes—such as new bank statements, incoming payments, or alerts regarding account status. The aim is to trick recipients into clicking malicious links or sharing sensitive information.
The consequences are familiar: stolen personal data, compromised credentials, malware infections, and direct financial losses remain the most common outcomes.
Postal Scams Surging Across the Region
One of the most persistent and widespread fraud tactics in the Balkans today is the “failed delivery” scam. Cybercriminals initiate contact through email or SMS, directing victims to phishing websites that closely mimic official postal service portals. Victims are then prompted to enter personal and financial details to allegedly resolve a delivery issue.
This scheme has affected nearly all major postal services and post banks across the region, including in Croatia, Serbia, Romania, and Slovenia. The breadth of the campaign suggests a well-coordinated effort to exploit trust in national postal systems—undermining both institutional credibility and public confidence.
Once victims submit their information, it is harvested for account takeover, identity theft, or direct financial fraud. In many cases, financial losses follow quickly—either through unauthorized transactions or the resale of stolen data within broader cybercrime networks.
Country-by-Country Fraud Insights
🇭🇷 Croatia
In the first four months of 2024, Croatia recorded 723 cases of computer fraud—a rise of approximately 10.6% compared to the same period last year, according to BIRN.
Data from the Interior Ministry shows that these scams caused €10.5 million in financial losses during the first third of the year—an increase of €2.5 million year-on-year.
The most common types of online fraud include business email compromise (BEC), where criminals impersonate suppliers or partners to deceive companies into transferring funds; SIM swapping and smishing, where attackers use fake credentials to steal personal and financial information; and investment scams, which lure victims into putting money into fake ventures, stocks, or crypto opportunities.
🇸🇮 Slovenia
Slovenia has seen a sharp rise in investment fraud, with cybercriminals using increasingly deceptive tactics to lure victims online.
In 2024 alone, the most frequent incidents involved purchase scams, with total losses nearing €4.7 million. However, the largest overall losses—more than €19 million—came from investment scams, with the average individual loss exceeding €27,000, according to the national cybersecurity response center, SI-CERT.
These scams often begin as sponsored ads on social media, posing as investment opportunities. To boost credibility, fraudsters misuse the names and images of well-known celebrities, brands, and even state institutions. SI-CERT reports that fraudulent ads have impersonated organizations such as the Slovenian Police, the National Security Agency, and various government ministries, creating a false sense of legitimacy that makes users more likely to engage.
🇷🇴 Romania
Online fraud is a widespread experience in Romania, with 61% of Romanians reporting they have been targeted by scam attempts, according to a study by Reveal Marketing Research. Of those targeted, around 37% reported financial losses, based on findings from the Journal of Online Trust and Safety.
The most common scams include online shopping fraud, investment schemes, and impersonation scams—often involving fake sellers, fraudulent platforms, or spoofed identities posing as institutions or acquaintances.
Public awareness appears relatively high. More than two-thirds of respondents in urban areas, according to Reveal Marketing Research, say they are informed about the risks of online scams—suggesting that while exposure is widespread, so is recognition of the threat.
🇷🇸 Serbia
As a non-EU country, Serbia navigates a different regulatory environment from some of its neighbors—but faces many of the same fraud challenges. Phishing ranks among the top five cyber threats, with reported cases increasing sharply from around 17,000 in 2021 to more than 63,000 in 2023, according to Serbia’s national CERT authority. Malware and ransomware also remain widespread across the threat landscape.
There have also been instances of scam call centers operated by cybercriminals in Serbia, according to Eurojust. In 2020, BIRN reported that “call centres are a growing business in Belgrade, where many young, educated Serbs speak English and are IT literate, but wages are far lower than in much of the rest of Europe.” The model was simple: cold-call elderly citizens in Germany, Austria, the UK, and other Western European countries, and persuade them to ‘invest’ in online currency trades. In reality, the trades were entirely fictitious—and the fraudsters were simply pocketing the money.
Serbia is not unique in this regard—similar operations have been uncovered in Moldova, Bulgaria, and other parts of the region. But the recurring nature of such cases highlights the importance of continued investment in oversight, enforcement, and cross-border collaboration to disrupt organized fraud at its roots.
A Fragmented Regulatory Landscape Demands a Comprehensive Approach
Legal, operational, and institutional fragmentation across the Balkans often tips the balance in favor of fraud networks. It complicates cross-border investigations, slows information exchange, and hinders the creation of region-wide defenses. For fraudsters, these regulatory seams are opportunities; for banks and regulators, they highlight the urgent need for deeper cooperation and better-aligned standards across jurisdictions.
Consequently, Balkan banks—often the last line of defense—must confront the challenge in all its regional complexity. They need to address the entire fraud lifecycle: identifying scam infrastructure, intercepting active attacks, tracing mule networks, and stopping stolen funds before they vanish through layered transactions. Protecting customers and safeguarding reputations demands more than point-in-time detection; it calls for lowering overall exposure, combating brand impersonation, securing the full digital journey, and staying ahead of ever-evolving threats.
An Ecosystem for Disrupting Fraud
Addressing this complexity in fraud detection and prevention can be challenging—especially when most vendors focus on a single point in time: the moment the fraudulent transaction occurs. While this layer is essential, it’s no longer sufficient in a landscape where cybercriminals increasingly rely on sophisticated social engineering to manipulate victims directly. In today’s Balkan environment—where fraud crosses borders, languages, and institutions—isolated detection falls short. Financial institutions need a proactive, multi-layered, end-to-end strategy that doesn’t just react to fraud, but disrupts it at every stage of the lifecycle.
That’s why ThreatMark developed a family of fraud disruption solutions—purpose-built to help banks tackle fraud at every stage. From identifying impersonation sites and raising customer awareness, to deploying advanced behavioral intelligence that uncovers sophisticated social engineering, and detecting money mule activity through shared intelligence, ThreatMark’s approach is designed to disrupt fraud across the entire lifecycle.
ThreatMark enables banks to:
- Disrupt fraud infrastructure: The Cyber Fraud Fusion Center detects and mitigates phishing and brand impersonation campaigns before customers are exposed.
- Support targeted users: ScamFlag, built directly into the banking app, helps customers recognize scams in real time—at the exact moment they’re most vulnerable.
- Detect fraud in real time: The Behavioral Intelligence Platform—the cornerstone of the system—monitors digital behavior across channels to spot signs of manipulation and fraud-in-progress, allowing banks to intervene before losses occur.
- Uncover money mules: ThreatMark is pioneering a new approach to collaboration and intelligence that enables banks to securely, compliantly, and efficiently share data to detect money mules, generating value through reciprocity and shared insights.
Building Fraud Resilience Across the Balkan Banking Sector
In a region as interconnected—and as fragmented—as the Balkans, fighting fraud requires more than isolated tools or reactive strategies. It demands intelligence-driven decision making, cross-border collaboration, and the ability to act across languages, jurisdictions, and digital touchpoints. By addressing the full fraud lifecycle—from infrastructure disruption to customer protection and mule detection—ThreatMark helps banks shift from simply detecting fraud to actively disrupting it.
The result is not just fewer incidents, but a more resilient and trusted digital banking environment.