Online financial fraud targeted at consumers, for example through phishing attacks and identity theft, is a growing problem. Because it can be difficult to recover losses from the person who committed the fraud, the loss will often remain with either the financial institution or the consumer. This paper’s research question relates to how losses following online financial fraud are and should be allocated between these two parties according to relevant Scandinavian and European law. For payment-transaction fraud, questions of loss allocation are regulated by national rules implementing the liability regime for unauthorised payment transactions under the Payment Services Directive. For other financial services, these questions are resolved according to general rules on contract and tort. The analysis shows that consumers are often left to deal with the losses caused by online financial fraud. It is argued that the digitalisation of the financial services industry has in practice led to a shift in who bears the risk for attacks against financial institutions. This conflicts with the EU’s stated policy goals to provide strong consumer protection in the field of cybercrime. The paper concludes that a larger portion of the losses incurred from online financial fraud should be allocated to financial institutions.