Banco de Portugal Logs 2,577 Fraud-Related Payment Complaints in 2025 — 45% Year-on-Year Jump Pushes Supervisor to Stand Up Internal Working Group and Demand Anti-Spoofing Legislation

The Banco de Portugal registered 2,577 reclamações tied to fraud-affected payment operations across 2025, a 45% year-on-year increase that the supervisor flagged on Sunday 17 May 2026 as one of the principal conduct-risk vectors facing Portuguese banking customers in a financial system that the supervisor itself describes as being in 'rapid digitalização'. The figure sits inside the BdP's annual conduct-supervision report and tracks both card-and-transfer disputes and the secondary fight over who carries the loss when an account-holder is socially engineered into authorising a transfer.

What the 2,577 Number Covers

The supervisor's complaint register is narrow by design: only payment-operation disputes where the customer alleges either an unauthorised transaction or a contested reimbursement after a fraud event flow through the BdP's central conduct desk. The 2025 stock — up from roughly 1,775 in 2024 — is dominated by two complaint families. The first covers card-not-present and contactless transactions the customer says they did not authorise, where the dispute turns on the bank's evidence of strong customer authentication under PSD2. The second covers transferências alegadamente fraudulentas, where the customer authorised a SEPA transfer under deception (typically spoofing, smishing or vishing) and the dispute turns on the institution's reimbursement obligation. The BdP flagged the second family as the faster-growing slice of the 45% jump.

The Spoofing Gap

The supervisor's report names the missing piece of Portuguese fraud-control architecture directly: there is no national framework that obliges telecoms operators and banks to share live signalling around caller-ID spoofing attacks, the technique that lets fraudsters appear on a victim's phone as a real bank number while running a social-engineering script. Spain's Ley General de Telecomunicaciones rolled an anti-spoofing duty onto operators in 2024, and the European Banking Authority issued spoofing-mitigation guidelines for SEPA participants in late 2024. Portugal's transposition is still moving inside the Council of Ministers' digital-services pipeline, and the BdP used the 2025 report to 'criticar atrasos na legislação nacional' — a public escalation that is rare for a supervisor that usually nudges behind the scenes.

The Internal Working Group

The BdP confirmed the creation of an internal cross-departmental 'grupo de trabalho' on fraud that pulls in conduct supervision, prudential supervision and the cyber-resilience oversight unit, with a remit that covers customer-redress methodology, institution-level data sharing and supervisory expectations on the reimbursement clock. The group sits alongside the working-group response the supervisor mounted around €8.91 million in cobranças indevidas refund orders the BdP issued to lenders during 2025.

What This Means for Expats

Reimbursement window: the practical right that matters when a fraudulent transaction lands on your account is the obligation on your Portuguese bank to credit the value back inside one business day of the dispute under Decreto-Lei 91/2018 unless the institution can prove the customer authorised the operation. Push the bank to log the complaint formally and ask for the BdP central reclamação reference if the reimbursement does not move inside that window.
Spoofing checklist: never act on a phone call that displays your bank's number and asks you to confirm a transfer or move money to a 'safe account'. End the call, dial the bank back through the number printed on the card.
SEPA escalation: if the contested transfer crossed into a non-Portuguese SEPA institution, the BdP and the EBA's centralised dispute portal carry the cross-border complaint without you having to engage the receiving bank's regulator directly.
What happens next: the anti-spoofing legislative package is the file to watch — Portuguese transposition would obligate operators to drop calls where the caller-ID does not match the originating network, the structural fix the BdP's 45% jump points to.