
Blacklisting, greylisting or whitelisting




Blacklisting is an access control that blocks anything included on the list.

Greylisting is a temporary block for anything included on the list until an additional step is performed.

Whitelisting is the opposite of blacklisting. A whitelist blocks anything not included on the list, e.g. only providers on a list of registered providers can be selected.


Some examples of this type of countermeasure include:

  • Blacklisted bank accounts cannot be recorded on a recipient's record.
  • Providers listed on the greylist require additional suitability checks before being registered.
  • Applicants can only choose from an approved list of providers.

Purpose of this countermeasure

Someone can use untrustworthy information, such as compromised identities and dubious bank accounts, to commit fraud.

Providing false or misleading information or forged documents to commit fraud are offences under the Criminal Code Act 1995.

Allowing someone to use untrustworthy or compromised information can lead to:

  • fraudulent requests or claims
  • fraudsters using the information to hijack payments.


This type of control is supported by:

How do I know if my countermeasures are effective?

You can apply the following methods to measure the effectiveness of these types of countermeasures:

  • Conduct vulnerability testing to confirm that the lists work as intended.
  • Consult subject matter experts about the lists.
  • Review policies or other documentation related to the lists.
  • Process walk-through: sit with a staff member while they show you how the controls work.
  • Undertake analysis of data related to the lists; e.g. how many blocks are reported? How often?
  • Confirm the lists are 'always on' and automatically applied.
  • Confirm that the systems/processes underlying the lists are adequate and reliable.
  • Confirm that attempts to use blacklisted information are flagged and reviewed.
  • Confirm that blacklisted information is not widely known or accessible.
  • Confirm that someone cannot manipulate the lists even when pressure or coercion is applied. Test this if required.
  • Confirm that access to the lists is monitored and reviewed.

