​​​​​​​

 Blacklisting, greylisting or whitelisting


Summary

Blacklisting is an access control that blocks anything included on the list.

Greylisting is a temporary block for anything included on the list until an additional step is performed.

Whitelisting is the opposite of blacklisting. A whitelist blocks anything not included on the list, e.g. only providers on a list of registered providers can be selected.

Examples

Some examples of this type of countermeasure include:

  • Blacklisted bank accounts cannot be recorded on a recipient's record.
  • Providers listed on the greylist require additional suitability checks before being registered.
  • Applicants can only choose from an approved list of providers.

Purpose of this countermeasure

Someone can use untrustworthy information, such as compromised identities and dubious bank accounts, to commit fraud.

Providing false or misleading information or forged documents to commit fraud are offences under the Criminal Code Act 1995.

Allowing someone to use untrustworthy or compromised information can lead to:

  • fraudulent requests or claims
  • fraudsters using the information to hijack payments.

Dependencies

This type of control is supported by:

How do I know if my countermeasures are effective?

You can apply the following methods to measure the effectiveness of these types of countermeasures:

  • Conduct vulnerability testing to confirm that the lists work as intended.
  • Consult subject matter experts about the lists.
  • Review policies or other documentation related to the lists.
  • Process walk-through: sit with a staff member while they show you how the controls work.
  • Undertake analysis of data related to the lists; e.g. how many blocks are reported? How often?
  • Confirm the lists are 'always on' and automatically applied.
  • Confirm that the systems/processes underlying the lists are adequate and reliable.
  • Confirm that attempts to use blacklisted information are flagged and reviewed.
  • Confirm that blacklisted information is not widely known or accessible.
  • Confirm that someone cannot manipulate the lists even when pressure or coercion is applied. Test this if required.
  • Confirm that access to the lists is monitored and reviewed.
