Automatic notification of high-risk activities and transactions
System-generated notifications of high-risk transactions, such as:
- access to online accounts,
- submission of claims or requests,
- changes to contact details,
- changes to bank accounts, and
- outcomes of claims or requests.
Notifications may alert customers or staff to fraudulent activity.
Some examples of this type of countermeasure include:
- Customers receive an SMS notification to confirm receipt of a new claim.
- Providers are automatically notified via email that their bank account details have been updated.
- Customers are automatically notified when their online account is accessed.
- Regular payment statements are automatically sent to recipients.
Purpose of this countermeasure
Someone can provide false or misleading information or stolen evidence of identity to support a request or claim. A staff member can also abuse their position of trust to process fraudulent requests or claims for themselves or another person.
Acting dishonestly and providing false or misleading information to commit fraud are offences under the Criminal Code Act 1995.
Not notifying customers or staff of high-risk transactions, such as changes to their bank account, may allow fraudulent activity to go undetected, or delay any investigation and response.
This type of control is supported by:
- Identity is authenticated for each interaction
- A specific form, process or system must be used
- Sensitive information controls
- Segregation of duties is applied
- Requests, claims or activities are approved by the appropriate decision-maker
- Data protected from manipulation or misuse
- Staff are trained and supported to identify and report fraud and corruption
- Complaints about poor or anomalous outcomes
- Tip-offs and Public Interest Disclosures
- Quality assurance checks
- Exception reporting
How do I know if my countermeasures are effective?
You can apply the following methods to measure the effectiveness of these types of countermeasures:
- Reconcile the notification log against the log of high-risk activities and transactions. Every high-risk transaction should have a matching notification; any that do not are exceptions to investigate.
- Evaluate the method and destination of notifications. Are they sent to the best person via the best method? Where the transaction itself changes a contact detail, the notification should also go to the previous contact detail, otherwise only the person who made the change is told.
- Confirm that notifications can't be modified, suppressed, redirected or intercepted, including by the staff who process the transaction. Test these controls if required.
- Consider the timeliness of notifications, i.e. when they are sent or when they would be received. Would this provide sufficient time to respond to fraud?
- Review the notification to determine if messages are clear and relevant to the receiver.
- Test high-risk activities and transactions to confirm that notifications are sent.
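The following is an added worked example, not code from the original page or from any agency's system, of the reconciliation check described above: it reads a batch of high-risk transactions and the notifications the system sent for them, and reports transactions with no notification, a notification sent outside an acceptable delay, a contact-detail change notified only to the newly set contact (so the notification could be going to whoever made the change), and notifications sent to a destination that was not on file for the customer. The transaction type names, the field layout, the 15-minute acceptable delay and all log records are constructed assumptions.

```python
"""Reconcile a high-risk transaction log against the notification log.

Added example, not from the original page. Every record below is
constructed sample data; field names, transaction type labels and the
15-minute acceptable delay are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Transaction types the page lists as high-risk (assumed labels).
HIGH_RISK = {"login", "claim_submitted", "contact_changed",
             "bank_account_changed", "claim_outcome"}
SLA = timedelta(minutes=15)  # assumed acceptable delay before the customer is told


@dataclass
class Transaction:
    tx_id: str
    tx_type: str
    customer: str
    at: datetime
    old_value: Optional[str] = None  # contact changes: the detail that was replaced
    new_value: Optional[str] = None  # contact changes: the detail just set


@dataclass
class Notification:
    tx_id: str
    destination: str  # email address or mobile number the message went to
    sent_at: datetime


def reconcile(transactions: List[Transaction], notifications: List[Notification],
              contacts_on_file: Dict[str, Set[str]], sla: timedelta = SLA) -> Dict[str, List[str]]:
    """Return exception lists keyed by finding type.

    contacts_on_file maps customer -> contact details held BEFORE this batch ran,
    so a destination the batch itself introduced can be told apart from one the
    customer already had.
    """
    by_tx: Dict[str, List[Notification]] = {}
    for n in notifications:
        by_tx.setdefault(n.tx_id, []).append(n)

    findings: Dict[str, List[str]] = {"missing": [], "late": [],
                                      "redirected": [], "unknown_destination": []}
    for tx in transactions:
        if tx.tx_type not in HIGH_RISK:
            continue  # routine activity: no notification expected
        sent = by_tx.get(tx.tx_id, [])
        if not sent:
            findings["missing"].append(tx.tx_id)  # suppressed or never generated
            continue
        # Timeliness: the first notification must land inside the SLA.
        if min(n.sent_at for n in sent) - tx.at > sla:
            findings["late"].append(tx.tx_id)
        known = set(contacts_on_file.get(tx.customer, set()))
        destinations = {n.destination for n in sent}
        if tx.tx_type == "contact_changed":
            # The previous contact detail must also be told; if only the new
            # value was notified, the alert reaches only whoever made the change.
            if tx.old_value not in destinations:
                findings["redirected"].append(tx.tx_id)
            known.add(tx.new_value)  # the new value is a legitimate destination here
        # Anything sent somewhere the customer never had on file needs explaining.
        if destinations - known:
            findings["unknown_destination"].append(tx.tx_id)
    return findings


def run_sample() -> Dict[str, List[str]]:
    """Run the check over constructed sample logs (assumed data)."""
    t0 = datetime(2024, 5, 1, 9, 0)

    def m(minutes: int) -> datetime:
        return t0 + timedelta(minutes=minutes)

    contacts = {"C1": {"alice@example.com", "+61400000001"},
                "C2": {"bob@example.com"},
                "C3": {"+61400000003"}}
    txs = [
        Transaction("tx1", "bank_account_changed", "C1", m(0)),
        Transaction("tx2", "contact_changed", "C2", m(5),
                    old_value="bob@example.com", new_value="mallory@example.net"),
        Transaction("tx3", "claim_submitted", "C3", m(10)),
        Transaction("tx4", "login", "C1", m(20)),
        Transaction("tx5", "claim_outcome", "C2", m(30)),
        Transaction("tx6", "balance_enquiry", "C1", m(35)),  # not high-risk
    ]
    notes = [
        Notification("tx1", "alice@example.com", m(1)),      # on time, right person
        Notification("tx2", "mallory@example.net", m(6)),    # only the new address told
        Notification("tx4", "+61400000001", m(50)),          # 30 minutes after the login
        Notification("tx5", "eve@example.org", m(31)),       # never on file for C2
    ]
    return reconcile(txs, notes, contacts)


if __name__ == "__main__":
    for kind, ids in run_sample().items():
        print(f"{kind}: {ids}")
```

Each list the check returns is an exception report: "missing" and "late" feed the timeliness and suppression questions above, "redirected" catches the contact-change case where the previous detail was never told, and "unknown_destination" catches a message leaving the organisation for an address or number the customer never held. Run it over a day's logs rather than the constructed records, and treat a non-empty list as something to investigate, not something to fix in the script.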