When Robert Woodford booked a hotel in Verona through Booking.com in May 2025, everything seemed routine. Days later, a message appeared in the platform’s chat asking him to “confirm missing details” and make a pre-payment. It carried Booking.com’s branding and even a link with “bookingcom” in the URL. Thinking it was genuine, he paid – only to learn later that the money had fallen into the hands of an online scammer.

The same pattern is playing out across other big platforms like Google Play, where Cyble Research and Intelligence Labs recently found over 20 fake crypto-wallet apps posing as legitimate services. In a LinkedIn post last month, EU tech chief Henna Virkkunen said online scams strip more than €4bn from European pockets every year. She warned that platforms such as Google Play, Apple’s App Store, Bing, Google Search and Booking.com have become soft entry points for fraud.

It’s this widening exposure to online scams, more than any single breach, that has pushed Brussels to demand answers from Apple, Google, Microsoft and Booking.com on how they vet business users, detect online scams, and stop fraudulent content from spreading through their services.

While the Commission’s latest demands have unsettled parts of the industry, they could test how far obligations to root out online scams work in practice, and whether these platforms are prepared to meet them.

The shift in accountability for online scams

For much of the internet’s history, companies like Apple, Google, and Microsoft have been seen as service providers that enabled digital access rather than as active overseers of what happens on their platforms. That position, according to Brussels’ latest demands, will no longer suffice. The Commission now wants these firms to show they have safeguards in place before users come to harm.

Nick Reese, a former US Department of Homeland Security official and now an adjunct professor at New York University, describes the shift as a decisive break from the older “notice-and-takedown” model. “The law moves us toward a duty-of-care framework,” he explains, “where platforms must prove that they’ve anticipated risks in advance rather than reacting after the damage is done.”

Amanda Brock, chief executive of OpenUK, observes that the change reflects how financial activity has moved deeper into digital channels. “Our daily lives are based on apps and digital delivery, so fraud online has become the principal focus,” she notes. In her view, the shift is less about punishing platforms than recognising where risk now resides.

Apple, for its part, has warned that parts of the EU’s digital framework — including the Digital Markets Act and the overlapping Digital Services Act — could weaken user security and slow innovation. The company argues that requirements such as opening iOS to rival app stores may introduce new opportunities for fraud. 

But the EU Commission maintains that this latest move is just about pursuing the mandate of the Digital Services Act (DSA). “Under the Digital Services Act, very large online platforms and search engines are required to assess and mitigate systemic risks associated with the dissemination of illegal content and with consumer protection,” the Commission explained.

Even with the DSA in force, structural weaknesses persist in how large platforms verify users, screen apps, and monitor adverts. Reese points out that authentication is a chronic vulnerability under the rules. Passwords and inconsistent multifactor checks, he says, fail to confirm identity reliably.

“We can confirm a device or an IP address, but not that the person behind it is who they say they are,” he explains. “That’s the weakest point in the chain, and in finance it translates directly into real losses.”

The shortcomings extend to how app marketplaces set baseline security standards. Many still lack a consistent minimum for developer verification or code review, which creates space for cloned banking tools and credential-harvesting software to slip through. Reese believes that store-level requirements could close this gap by forcing developers to meet common security thresholds before listing their products.

The real-world cost of these weaknesses is well documented by European regulators. In France, the Autorité des Marchés Financiers (AMF) recently warned the public about a new wave of unauthorised crypto-asset websites, adding 22 names to its blacklist since the start of 2025, while Irish authorities have issued public alerts on clone investment firms and unlicensed crypto platforms.

Brock compares today’s fragmented oversight to the internet’s early attempts to contain spam — a problem that only eased when large providers accepted more responsibility. “Bad actors often sit beyond easy jurisdiction,” she says, “so this will push businesses to better understand their responsibility in managing our digital presence.”

Regulators in France and Ireland have added dozens of crypto platforms to their public blacklists over the past year. (Photo: fizkes / Shutterstock)

The cost of shared accountability for online scams

Brock argues that shifting liability toward Apple, Google, Microsoft, and other big platforms may change where responsibility sits but not who ultimately bears the risk. “Liability being pushed upstream won’t necessarily absolve the banks and fintechs,” she says, noting that costs are likely to return through contractual clauses and service charges.

The adjustment, in her view, reflects a long pattern in financial regulation. Responsibility often moves, but the expense of meeting it rarely disappears. As compliance standards tighten, the resources required to maintain them increase. Legal, technical, and audit costs accumulate at different points in the chain, from platform operators investing in oversight to banks absorbing higher due diligence requirements. Brock sees it less as a shift in blame and more as an expansion of the compliance burden across the system.

Reese interprets the situation through a security lens. The prospect of liability, he believes, will force companies to embed preventive checks into their systems instead of responding after incidents occur. 

However, Reese cautions that these adjustments will not end the problem. “It will close some attack vectors, but attackers will adjust because cybersecurity is always a push and pull.” 

A longer-term fix, he adds, lies in digital identity. In his view, a verifiable digital identity for citizens could eliminate entire classes of online scams. “If we can link identity to access in a trusted way, we stop a large percentage of the fraud that thrives on impersonation.”

Regulation and trade-offs

As the Commission steps up its oversight, Brock warns that the new compliance regime could thin out the diversity of Europe’s digital market. The burden, she says, will fall unevenly, with smaller providers struggling to match the administrative and legal capacity of global platforms. “Unless customers form a large enough market to justify the overhead and risk,” says Brock, “we’ll likely see some providers withdrawing from Europe.” 

That risk, she believes, is structural rather than short-term. Over time, regulatory complexity could reinforce the dominance of large incumbents who can afford to comply, leaving the innovation ecosystem narrower but safer.

Reese sees that trade-off differently. In his eyes, consistency is a form of confidence, and regulation can offer exactly that. “What industry requires to build is consistency. If companies understand the rules five or ten years ahead, they can plan to innovate within them,” he explains. He adds that the presence of clear standards creates a form of predictability that allows firms to plan rather than react to fragmented local policies. 

Reese’s argument also points to a cultural divide between Europe’s rule-first approach and the United States’ loose, state-driven patchwork of tech oversight. That divergence is becoming visible. Europe’s DSA and AI Act form an integrated legal framework, whereas in the US, states such as California and Colorado are experimenting separately with data and AI regulations. Reese doubts Washington will deliver a comprehensive equivalent soon. “It’s extremely unlikely we see a monolithic data or AI law at the federal level,” he notes, adding that a gradual build-up of state laws will probably define the next decade of US policy.

For Brock, that difference will shape global markets. “Unless it’s applied on a universal basis, it is likely disadvantageous to Europe,” she argues.

The months ahead will test whether Europe’s biggest platforms are ready to shoulder the cost of compliance without passing it down the chain. As for the Commission, the task is to keep the digital economy growing while proving that regulation and innovation can coexist.
