Protecting your service against fraud

When you’re designing and managing your digital service, you must:

  • consider how it could be targeted by fraudsters (start at the alpha stage) and the impact this could have
  • protect your users and your service as much as possible from fraud

This guide covers the basics of fraud. If you need to know more, talk to:

  • a counter fraud expert in your organisation, if there is one
  • the Counter Fraud Function in the Cabinet Office, if there’s no expert in your organisation

Types of fraud

Fraudsters that target online services usually try to:

  • take money from a service
  • pretend they’re eligible for a service
  • extract information to target other services
  • use a service for money laundering

Some types of fraud are more severe than others. For example, high-level fraud would be organised criminals targeting multiple services to get money. Lower-level fraud could be one member of your staff taking advantage of a vulnerability in a system.

Some small-scale fraud may lead to more serious consequences beyond your service or organisation. For example, if someone faked a claim for one service, they could use that fake eligibility to defraud another service.

Consider the weaknesses of online services

If you’re moving an offline service online, you should consider any new weaknesses that may be introduced in the process.

Online services are more exposed to fraud than offline ones: an attempt costs a fraudster very little, can be automated, and can be repeated many times in a short space of time.

Do not assume any security processes you’re following offline will fully protect your service from fraud when the service moves online.

Consider non-financial fraud

Even if your service does not pay out money to users, fraudsters may still try to attack it to get information which they could use to commit fraud.

For example, they could use your users’ personal details to access money or other benefits from other government services, the private sector or individuals.

Protecting your service against fraud

Follow these steps to protect your service against fraud.

  1. Assess the risk.
  2. Reduce the risk.
  3. Respond to changing threats.
  4. Check user information against independent sources.
  5. Make your team aware of fraud risks.

Assess the risk

You must start considering fraud risks during your service’s alpha phase.

Check if an Initial Fraud Impact Assessment (IFIA) or a Full Fraud Risk Assessment (FRA) has been completed.

An IFIA gives an overview of some of the main ways fraud could affect a policy, project or programme.

A Full FRA is a thorough assessment of the risks within specific processes and programmes. It explains how the controls in place reduce them and what the remaining vulnerabilities are.

If you do not have an IFIA or Full FRA, contact a counter fraud expert.

As you build your first prototypes, you should review the potential areas of your service that could be left vulnerable to fraud.

For example, focus on parts of your service where users have to share personal information. Widgets or forms may ask users for information that’s attractive to fraudsters, particularly if a user is prompted to change their address or bank details.

Once you’ve found how your service gathers sensitive information, check how individuals or systems store, transport or access this data.

Reduce the risk

You must attempt to reduce the fraud risks that you’ve identified. Use your IFIA or Full FRA to support your approach to risk mitigation.

The way to reduce these risks depends on your service and the type of fraud that it could be affected by.

For example, if your service is only open to UK users, you could set up a system to check any non-UK requests and review them in detail.

If you know that certain payment mechanisms have higher fraud rates, you might treat them as higher risk.

You could also check whether the browser and IP address a user is connecting from match the ones they usually use. A sudden change might be a sign of fraudulent activity, so you may wish to treat the request as higher risk.

You do not need to automatically prevent a transaction because the browser or IP address has changed. Depending on your service and what it does, you could delay the request, record it for later review, or require another form of verification before processing it.

Preventing identity fraud

Identity theft and fraud are growing problems with fraudsters sharing stolen personal details online. To protect your users, follow guidance on how to prove and verify someone’s identity. This sets out how to check the identity of a customer, an employee or someone acting on behalf of a business.

Respond to changing threats

Fraudsters regularly change the nature and frequency of their fraud attempts, so make sure your service is flexible enough to respond to changing threats.

For example, if you’ve set rules to limit fraudulent activity, make sure you can change them (their conditions, weights and thresholds) without a code change, rather than hard-coding them into your system.

Your organisation may use security classifications to label security risks. If you apply these classifications to fraud attempts, make sure you can change them according to the severity of new threats that appear.
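The following is an added example, not code from the Service Manual or from any government service, showing one way to implement the approach described in the last two sections: the signals (non-UK request, a higher-risk payment mechanism, a change of bank details, a burst of attempts, a browser or IP address that differs from the user’s usual one) are expressed as weighted rules held in data rather than code, the score maps to a graduated response (allow, record, step up verification, hold for review) rather than an outright refusal, and the result is written as a record for the fraud log. The rule set, weights, thresholds, the `BASELINES` store and every transaction are constructed for illustration; the function names are assumptions, not an established API.

```python
"""Config-driven fraud risk rules with graduated responses.

Added example: not code from the Service Manual or any government service.
Rules, weights, thresholds, baselines and transactions are all constructed.
"""
import copy
import json
from datetime import datetime, timezone

# Rules and thresholds are data (an embedded JSON document here; a config file
# or table in a real service), so they can be re-tuned as fraudsters change
# tactics without a code change or a redeploy.
DEFAULT_CONFIG = json.loads("""
{
  "rules": [
    {"id": "non_uk_request",       "field": "country",              "op": "not_in",  "value": ["GB"],                     "weight": 40},
    {"id": "high_risk_payment",    "field": "payment_method",       "op": "in",      "value": ["prepaid_card", "crypto"], "weight": 30},
    {"id": "bank_details_changed", "field": "bank_details_changed", "op": "is_true",                                      "weight": 35},
    {"id": "high_velocity",        "field": "attempts_last_hour",   "op": "gte",     "value": 5,                          "weight": 25},
    {"id": "unusual_browser",      "field": "user_agent",           "op": "differs_from_baseline",                        "weight": 20},
    {"id": "unusual_ip",           "field": "ip",                   "op": "differs_from_baseline",                        "weight": 20}
  ],
  "thresholds": {"record": 30, "step_up": 60, "hold": 90}
}
""")

# Constructed "usual browser and IP address" for one user, as a service might
# derive from that user's previous successful sessions.
BASELINES = {"u-100": {"user_agent": "Mozilla/5.0 Firefox/115.0", "ip": "203.0.113.10"}}


def rule_fires(rule, txn, baseline):
    """True if one rule matches the transaction."""
    op, value = rule["op"], txn.get(rule["field"])
    if op == "in":
        return value in rule["value"]
    if op == "not_in":
        return value not in rule["value"]
    if op == "is_true":
        return bool(value)
    if op == "gte":
        return value is not None and value >= rule["value"]
    if op == "differs_from_baseline":
        # A change from the usual value is a signal, not proof of fraud, and a
        # new user with no baseline has nothing to compare against.
        known = baseline.get(rule["field"])
        return known is not None and value != known
    raise ValueError(f"unknown rule operator: {op}")


def decide(score, thresholds):
    """Map a score to a graduated action. Nothing is refused outright: the
    strongest response is to hold the request for a counter-fraud reviewer."""
    if score >= thresholds["hold"]:
        return "hold"      # delay, and route to a human decision
    if score >= thresholds["step_up"]:
        return "step_up"   # require another form of verification first
    if score >= thresholds["record"]:
        return "record"    # process it, but log it for later review
    return "allow"


def assess(txn, config=DEFAULT_CONFIG, baselines=BASELINES):
    """Score one transaction against the configured rules."""
    baseline = baselines.get(txn["user_id"], {})
    fired = [r["id"] for r in config["rules"] if rule_fires(r, txn, baseline)]
    score = sum(r["weight"] for r in config["rules"] if r["id"] in fired)
    return {"score": score, "fired": fired, "action": decide(score, config["thresholds"])}


def retune(config, **thresholds):
    """Copy of the config with changed thresholds: a data edit, not a code edit."""
    new = copy.deepcopy(config)
    new["thresholds"].update(thresholds)
    return new


def fraud_log_entry(txn, assessment, now=None):
    """Record for the security and risk log: when, which signals fired, what
    the service did. 'outcome' is filled in later, once the team knows whether
    it really was fraud and whether it succeeded."""
    now = now or datetime.now(timezone.utc)
    return {"at": now.isoformat(timespec="seconds"), "user_id": txn["user_id"],
            "signals": assessment["fired"], "score": assessment["score"],
            "action": assessment["action"], "outcome": "pending"}


# Constructed sample requests from user u-100.
TXN_USUAL = {"user_id": "u-100", "country": "GB", "payment_method": "debit_card",
             "bank_details_changed": False, "attempts_last_hour": 1,
             "user_agent": "Mozilla/5.0 Firefox/115.0", "ip": "203.0.113.10"}
TXN_NEW_IP = {**TXN_USUAL, "ip": "198.51.100.7"}                                # 20: allow
TXN_NEW_DEVICE_NEW_BANK = {**TXN_NEW_IP, "user_agent": "Mozilla/5.0 Chrome/120.0",
                           "bank_details_changed": True}                         # 75: step_up
TXN_FOREIGN_PREPAID = {**TXN_NEW_IP, "user_agent": "Mozilla/5.0 Chrome/120.0",
                       "country": "FR", "payment_method": "prepaid_card",
                       "attempts_last_hour": 6}                                 # 135: hold

if __name__ == "__main__":
    for name, txn in [("usual", TXN_USUAL), ("new ip", TXN_NEW_IP),
                      ("new device + bank change", TXN_NEW_DEVICE_NEW_BANK),
                      ("foreign prepaid burst", TXN_FOREIGN_PREPAID)]:
        r = assess(txn)
        print(f"{name:26} score={r['score']:3} action={r['action']:8} {r['fired']}")
    print(json.dumps(fraud_log_entry(TXN_FOREIGN_PREPAID, assess(TXN_FOREIGN_PREPAID))))
```

Note that a change of IP address on its own scores below the first threshold and is simply allowed, while the same change combined with a new browser and a change of bank details triggers a step-up, which is the graduated response the guidance asks for. Changing how aggressive the service is (for example, lowering the `record` threshold during an attack) is a call to `retune`, that is, an edit to data, and the defaults are left untouched.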

Check user information against independent sources

You should check the information users give you against authoritative sources. For example, you can compare submitted bank account details, addresses and other personal details with verified reference data to identify false information.

Be aware that not every mismatch means fraudulent activity. Users make genuine errors (a transposed digit, a postcode typed in a different format), and your checks should distinguish a probable slip from details that are wholly different from the reference data.
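As an added example (not code from the Service Manual), the check below compares submitted bank details with a constructed stand-in for an authoritative source and returns a structured verdict instead of a bare pass/fail: formatting differences that carry no information are normalised away, a single one-character slip in one field is reported as a probable typo so the user can be asked to re-check it, and anything further from the reference data is reported as a mismatch for review. The `REFERENCE` data, the normalisation rules and the sample inputs are assumptions made for illustration.

```python
"""Checking user-supplied details against an authoritative list while telling
a probable typing slip apart from a real mismatch.

Added example: not code from the Service Manual. The reference data,
normalisation rules and sample inputs are constructed for illustration.
"""
import re

# Constructed stand-in for an authoritative source, for example the account
# and address already verified for each user.
REFERENCE = {
    "u-100": [{"sort_code": "040004", "account": "12345678", "postcode": "SW1A2AA"}],
}


def normalise(field, value):
    """Strip formatting variation that is never evidence of anything."""
    value = value.strip()
    if field == "sort_code":
        return re.sub(r"[\s-]", "", value)        # "04-00-04" -> "040004"
    if field == "postcode":
        return re.sub(r"\s+", "", value).upper()  # "sw1a 2aa" -> "SW1A2AA"
    return value


def edit_distance(a, b):
    """Optimal string alignment distance: an insertion, deletion, substitution
    or swap of two adjacent characters each costs 1, so the commonest slips
    (one wrong digit, two digits transposed) score exactly 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def check_details(user_id, **given):
    """Compare submitted details with the reference data and return a
    structured verdict rather than a bare pass/fail."""
    given = {f: normalise(f, v) for f, v in given.items()}
    candidates = REFERENCE.get(user_id, [])
    if not candidates:
        return {"status": "no_reference_data"}   # cannot verify; not a fraud signal in itself
    for known in candidates:
        if all(given[f] == known[f] for f in given):
            return {"status": "verified"}
    # No exact match: find the closest reference record and see how it differs.
    closest = min(candidates, key=lambda k: sum(edit_distance(given[f], k[f]) for f in given))
    diffs = {f: edit_distance(given[f], closest[f]) for f in given if given[f] != closest[f]}
    if len(diffs) == 1 and next(iter(diffs.values())) == 1:
        # One field, one slip: almost certainly a genuine error. Ask the user to
        # re-check that field. It is still not verified, so nothing is paid to
        # the submitted details in the meantime.
        return {"status": "probable_typo", "field": next(iter(diffs))}
    # Several fields wrong, or one field wholesale different: refer for review.
    return {"status": "mismatch", "fields": sorted(diffs)}


if __name__ == "__main__":
    print(check_details("u-100", sort_code="04-00-04", account="12345678", postcode="sw1a 2aa"))
    print(check_details("u-100", sort_code="040004", account="12435678", postcode="SW1A 2AA"))
    print(check_details("u-100", sort_code="110000", account="87654321", postcode="SW1A 2AA"))
    print(check_details("u-999", sort_code="040004", account="12345678", postcode="SW1A 2AA"))
```

The probable-typo path is a convenience for genuine users, not a relaxation of the check: the details remain unverified until they match, and the threshold of a single one-character difference is deliberately tight, because a fraudster who knows a victim’s real account could also submit details that differ in one digit.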

Make your team aware of fraud risks

You must make sure every member of your team understands the risk of fraud to your service so that they don’t add vulnerabilities by mistake.

While designing and maintaining your service, talk to counter fraud experts regularly to help reduce the risk and impact of fraud.

Monitoring your service for fraud

Monitor your service for suspicious behaviour to help you identify fraudulent activity.

You can use ‘transaction monitoring systems’ to track user behaviour and spot suspicious activity.

Use the information you find to:

  • detect fraud and stop fraudsters from accessing your service
  • identify fraudulent activity after it’s been completed
  • trace fraudsters and take appropriate action, such as recovering money that has been fraudulently claimed or taking legal action

Keep a record of fraudulent activity

Keep track of all fraud attempts alongside your security and risk log. Note the time, date and type of attempt as well as whether it was successful.

Fraudsters will often try to commit fraud, change tactics and try again. Wherever possible, you should share information about fraud attempts with other government agencies and departments to raise awareness.

The Cyber-security Information Sharing Partnership can help you exchange this information with others. Check with your counter fraud expert if you are unsure if it’s safe to share information about fraud attempts.


Last update:

  • Added information about Initial Fraud Impact Assessments and Full Fraud Risk Assessments.
  • Removed reference to Data Protection Act (1998).
  • Added guidance to explain that National Insurance numbers shouldn't be used to verify a user's identity.
  • Guidance first published.