Skip to main content

Confirm identity

Type of countermeasure

This is a prevention countermeasure. Prevention countermeasures are the most common and cost-effective way to stop fraud. They prevent or limit the size of the fraud risk by reducing the likelihood and consequences of fraud.

decorative  prevention countermeasures


Confirm the identity or attribute of the individual. 

Evidence of identity should be collected and verified using policies, rules, processes and systems to make sure only known, authorised identities can gain access to information stored in networks and systems.

This control is supported by the National Identity Proofing Guidelines and the Trusted Digital Identity Framework.

Why this countermeasure matters

Whole-of-Government policies require a high level of confidence in the identity of a customer when providing government services and payments. Lack of identify confirmation for claims or requests can lead to fraudsters:

  • impersonating customers or third parties to receive fraudulent payments or gain access to information
  • providing false or misleading information or stolen evidence of identity to support a request or claim
  • using false identities to receive fraudulent payments or gain access to information.

How you might apply this countermeasure

Some ways to implement this countermeasure include:

  • policies, rules, processes and systems to make sure only known, authorised people gain access to networks, systems and information
  • all program applicants  providing certified copies of primary and secondary identification (passport, birth certificates, driver's licences) – verify these using Identity Matching Services (DVS and FVS)
  • using myGovID to confirm an individual’s identity online
  • using Relationship Authorisation Manager to confirm the identity of someone acting on behalf of a business online
  • entry level checks to confirm the identity of staff and contractors
  • service providers or vendors providing evidence of the identity of all company directors.

How to check if your countermeasures are effective

Here are some ways to measure the effectiveness of this type of countermeasure:

  • review identity confirmation controls and policies to see if they conform to legislation and the National Identity Proofing Guidelines.
  • confirm the existence of reference and guidance material.
  • confirm processes are consistently applied both within channels and across channels.
  • check how evidence of identity is verified.
  • review a sample of completed claims to confirm correct processes were undertaken.
  • ask staff about the identity processes and systems to make sure they have a consistent and correct understanding.
  • undertake pressure testing or a process walk-through to confirm that someone cannot get around processes.
  • identify how the requirements are communicated to staff, customers and third parties.
  • review identified cases of fraud involving the use of a false or stolen identity.

Related countermeasures

This type of countermeasure is supported by:

Adequately resourced prevention and compliance areas enable entities to perform effective countermeasures.

Match data with the authoritative source and verify relevant details or supporting evidence. Services such as the Identity Matching Service can be used to verify identity credentials back to the authoritative source when the information is an Australian or state and territory government issued identity credential. This countermeasure is supported by the Office of the Australian Information Commissioner's Guidelines on data matching in Australian government administration.

Develop clear instructions and guidance for activities and processes, such as instructions for collecting the right information to verify eligibility or entitlements, procedures to help staff apply consistent and correct processes and guidance to help staff make correct and ethical decisions.

Verify any requests or claim information you receive with an independent and credible source.

Personal and government information is highly sought after by fraudsters and organised criminals. The way data is collected and stored can also change the scale and impact of a potential breach. To better protect personal information, the minimal data required for a transaction should be collected, used and retained. Make sure sensitive or official information cannot leave your entity's network without authority or detection.

Related Fraudster Personas

Was this page helpful?