One thing a few countries do (at least Denmark, not sure where else) to cut out most instances of direct-debit fraud is requiring that the first debit from a new merchant is approved by the account owner. This might not technically be a direct debit, though, but is the electronic adaptation of the old "giro" system to function mostly through the direct-debit machinery. When a merchant wants to set up a new client's payments, they send a "giro" request, which is basically a bill with some codes. The client could pay this in the old-fashioned way by taking it to a post office and paying it there in cash; the post office then transfers the payment to the merchant. But what most people do nowadays is log into their online banking, enter the giro #, and say they want to pay it with direct debit. That authorizes all subsequent bills in the same series (i.e. for the same product or recurring subscription) to get direct-debited automatically. But merchants can't normally just pull directly without this initial authorization.