Automatically notify clients or staff about high-risk events or transactions, such as:
- access to online accounts
- submission of claims or requests
- changes to contact details
- changes to bank accounts
- outcomes of claims or requests.
This can alert them to potential fraud and avoid delays in investigating and responding to fraud.
Why this countermeasure matters
Allowing high-risk events or transactions to occur without automatically notifying clients or staff may cause:
- fraudulent activity to go unnoticed
- delays in investigations and responses
- additional opportunities for fraud.
How you might apply this countermeasure
Some ways to implement this countermeasure include setting up system-generated notifications of high-risk events or transactions, such as when:
- online accounts are accessed
- claims or requests are submitted
- contact details are changed
- bank accounts are changed
- system accesses are updated
- payments are made
- claims or requests are processed.
How to check if your countermeasures are effective
Here are some ways to measure the effectiveness of this type of countermeasure:
- analyse data related to automatic notifications and compare it to events or transactions
- evaluate the method and destination of notifications to determine if they are sent to the best person using the best method
- confirm that notifications cannot be modified, stopped, redirected or prevented from arriving and test controls if required
- consider the timeliness of notifications, such as when they are sent and when they would be received, and whether this gives the recipient enough time to respond to potential fraud
- review the notification to determine if messages are clear and relevant to the receiver
- test high-risk activities and transactions to confirm that notifications are sent.
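The following is an added illustration, not code from the original page or from any agency's system, of the two sections above: a small service that generates a notification for every high-risk event, and a reconciliation check that compares the event log with the notification log to find alerts that were never sent or were sent too late. The event names, client records and delivery delays are constructed for the example; the one design point worth noting is that a change of contact details is notified to the contact on record before the change is applied, so the alert cannot be redirected by the change itself.

```python
"""Added example: system-generated notifications for high-risk events and a
reconciliation check over the notification log. Hypothetical code; event
names, client data and timings are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Event kinds treated as high risk (names are this example's own assumption,
# following the kinds of events the page lists).
HIGH_RISK_EVENTS = {
    "account_accessed", "claim_submitted", "contact_changed",
    "bank_account_changed", "access_updated", "payment_made", "claim_processed",
}


@dataclass
class Client:
    client_id: str
    email: str  # contact currently on record


@dataclass
class Event:
    event_id: str
    client_id: str
    kind: str
    at: datetime
    details: dict = field(default_factory=dict)


@dataclass
class Notification:
    event_id: str
    destination: str
    message: str
    sent_at: datetime


class NotificationService:
    """Emits a notification for every high-risk event it is handed."""

    def __init__(self, clients: List[Client]):
        self.clients: Dict[str, Client] = {c.client_id: c for c in clients}
        self.sent: List[Notification] = []

    def destinations(self, event: Event) -> List[str]:
        client = self.clients[event.client_id]
        targets = [client.email]
        if event.kind == "contact_changed":
            # Alert the contact on record *before* the change, and the new
            # contact too, then apply the change. Whoever changed the details
            # cannot silence the alert to the previous address.
            new_email = event.details["new_email"]
            if new_email != client.email:
                targets.append(new_email)
            client.email = new_email
        return targets

    def handle(self, event: Event, now: datetime) -> List[Notification]:
        if event.kind not in HIGH_RISK_EVENTS:
            return []
        message = (f"{event.kind.replace('_', ' ')} on your account at "
                   f"{event.at:%Y-%m-%d %H:%M}. If this was not you, contact us.")
        created = [Notification(event.event_id, d, message, now)
                   for d in self.destinations(event)]
        self.sent.extend(created)
        return created


def reconcile(events: List[Event], notifications: List[Notification],
              max_delay: timedelta = timedelta(minutes=15)) -> Tuple[List[str], List[str]]:
    """Compare the event log with the notification log.

    Returns (missing, late): high-risk event ids with no notification at all,
    and those whose first notification went out more than max_delay later.
    """
    first_sent: Dict[str, datetime] = {}
    for n in notifications:
        first_sent[n.event_id] = min(first_sent.get(n.event_id, n.sent_at), n.sent_at)
    missing, late = [], []
    for e in events:
        if e.kind not in HIGH_RISK_EVENTS:
            continue
        if e.event_id not in first_sent:
            missing.append(e.event_id)
        elif first_sent[e.event_id] - e.at > max_delay:
            late.append(e.event_id)
    return missing, late


# Constructed sample event log for one client.
T0 = datetime(2024, 5, 1, 9, 0)
EVENTS = [
    Event("E1", "C1", "account_accessed", T0),
    Event("E2", "C1", "page_viewed", T0 + timedelta(minutes=1)),  # not high risk
    Event("E3", "C1", "contact_changed", T0 + timedelta(minutes=2),
          {"new_email": "alice.new@example.com"}),
    Event("E4", "C1", "bank_account_changed", T0 + timedelta(minutes=3)),
    Event("E5", "C1", "payment_made", T0 + timedelta(minutes=4)),
]


def run_demo():
    """Process the sample log, then reconcile against a degraded notification log."""
    svc = NotificationService([Client("C1", "alice@example.com")])
    delays = {"E4": timedelta(hours=1)}  # constructed: E4's alert went out an hour late
    for e in EVENTS:
        svc.handle(e, now=e.at + delays.get(e.event_id, timedelta(seconds=30)))
    logged = [n for n in svc.sent if n.event_id != "E5"]  # constructed: E5's alert never delivered
    missing, late = reconcile(EVENTS, logged)
    return svc.sent, missing, late


if __name__ == "__main__":
    sent, missing, late = run_demo()
    for n in sent:
        print(n.event_id, "->", n.destination)
    print("missing:", missing, "late:", late)
```

Running the demo shows the contact-change alert going to both the old and the new address, the later bank-account alert going only to the new address, and the reconciliation reporting E5 as missing and E4 as late. In practice the reconciliation would run over the production event and notification logs on a schedule, which covers the first and last checks in the list above.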
Match data with the authoritative source and verify relevant details or supporting evidence. Services such as the Identity Matching Service can be used to verify identity credentials back to the authoritative source when the information is an Australian or state and territory government issued identity credential. This countermeasure is supported by the Office of the Australian Information Commissioner's Guidelines on data matching in Australian government administration.
Make sure requests or claims use a specific form, process or system for consistency.
Allow clients, staff and third parties to lodge complaints about actions or decisions they disagree with. This may identify fraud or corruption as a cause for complaints, such as a failure to receive an expected payment.
Establish exception reports to identify activities that are different from the standard, normal, or expected process and should be further investigated.