Prompts and alerts
Systems prompt, nudge, alert or warn users when the information they enter is inconsistent with set parameters; the prompt either requires the user to accept the warning before continuing or denies further action.
Some examples of this type of countermeasure include:
- The system alerts the user when the cheapest available fare is not selected.
- The online form prompts the applicant to provide the correct information.
- The system warns staff if inconsistent or erroneous information is recorded.
- Pop-ups remind users of their obligations.
Purpose of this countermeasure
Someone can provide false information or evidence to support a request or claim, or fail to disclose information that would affect their entitlement.
Acting dishonestly or providing false or misleading statements or information to commit fraud are offences under the Criminal Code Act 1995.
Allowing staff, customers and third parties to perform actions without prompts, alerts or warnings can increase the opportunity for omissions and errors.
Fraudsters can deliberately use confusion and deception to exploit these weaknesses to:
- receive payments or services they are not entitled to, or
- access information or systems without a business need.
This type of control is supported by:
- A specific form, process or system must be used
- User permissions
- Requests or claims must meet specific eligibility requirements
- Mandatory information is required to complete the request or claim
- Internal escalation procedures
- Requests, claims or processes are limited by parameters
- Data matching
- Blacklisting, greylisting or whitelisting
- Segregation of duties are applied
- Privileged access restrictions and monitoring
- Data protected from manipulation or misuse
- Change management processes
- System testing
How do I know if my countermeasures are effective?
You can apply the following methods to measure the effectiveness of these types of countermeasures:
- Confirm the existence of prompts/alerts.
- Review the type of prompts and alerts that exist.
- Confirm prompts/alerts are consistently applied.
- Undertake vulnerability testing or a process walk-through to confirm that prompts/alerts exist.
- Quantify the number of incorrect actions completed despite alerts or warnings.
- Analyse behavioural changes caused by prompts and alerts, e.g. are claims or requests abandoned following the prompt or alert?
- Review historical data to measure if the introduction of prompts or alerts improved compliance.
- Consult system users about the prompts or alerts. Do they take any notice of them?
- Consult behavioural insights experts on the prompts, nudges, alerts or warnings. Would they influence behaviour and deter fraud?
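As an added illustration that is not part of the original page, the following Python sketch shows the two behaviours described at the top of the page, a warning that the user must accept before continuing and an alert that denies further action, implemented for a hypothetical travel-claim form. It also records each submission attempt so that the quantitative measures listed above (incorrect actions completed despite a warning, claims abandoned after a prompt) can be calculated. The form fields, fare options, rule names and thresholds are constructed assumptions, not parameters from any real system.

```python
from dataclasses import dataclass
from enum import Enum


class Severity(Enum):
    NUDGE = "nudge"  # reminder only; no action required from the user
    WARN = "warn"    # user must explicitly accept before the claim proceeds
    BLOCK = "block"  # claim is denied until the inconsistency is corrected


@dataclass(frozen=True)
class Alert:
    rule: str
    severity: Severity
    message: str


# Constructed parameters for a hypothetical travel-claim form (assumptions).
FARE_OPTIONS = {"economy": 420.00, "flexible": 610.00, "business": 1450.00}
MAX_NIGHTS_WITHOUT_APPROVAL = 5


def check_claim(claim: dict) -> list[Alert]:
    """Compare a submitted claim against the parameters and return every alert that applies."""
    alerts: list[Alert] = []
    fare = claim.get("fare_class")
    if fare not in FARE_OPTIONS:
        alerts.append(Alert("fare_class", Severity.BLOCK,
                            "Fare class is not one of the offered options."))
    else:
        cheapest = min(FARE_OPTIONS, key=FARE_OPTIONS.get)
        if fare != cheapest:
            # Matches the page's example: alert when the cheapest fare is not selected.
            alerts.append(Alert("cheapest_fare", Severity.WARN,
                                f"Cheapest available fare ({cheapest}) was not selected."))
        if claim.get("declared_total") != FARE_OPTIONS[fare]:
            alerts.append(Alert("declared_total", Severity.BLOCK,
                                "Declared total does not match the fare selected."))
    if claim.get("nights", 0) > MAX_NIGHTS_WITHOUT_APPROVAL:
        alerts.append(Alert("nights", Severity.WARN,
                            f"More than {MAX_NIGHTS_WITHOUT_APPROVAL} nights requires pre-approval."))
    # Pop-up style reminder of the claimant's obligations; never blocks the claim.
    alerts.append(Alert("declaration", Severity.NUDGE,
                        "Reminder: you must disclose any change that affects your entitlement."))
    return alerts


@dataclass
class Decision:
    allowed: bool
    alerts: list[Alert]
    pending: list[str]  # WARN rules the user has not yet accepted


AUDIT_LOG: list[dict] = []  # one record per submission attempt, kept for effectiveness analysis


def submit(claim: dict, accepted: frozenset[str] = frozenset(),
           log: list[dict] = AUDIT_LOG) -> Decision:
    """Apply the checks; BLOCK always denies, WARN denies until accepted, NUDGE never denies."""
    alerts = check_claim(claim)
    blocked = any(a.severity is Severity.BLOCK for a in alerts)
    pending = [a.rule for a in alerts
               if a.severity is Severity.WARN and a.rule not in accepted]
    allowed = not blocked and not pending
    log.append({
        "claim_id": claim["id"],
        "warned": [a.rule for a in alerts if a.severity is Severity.WARN],
        "blocked": [a.rule for a in alerts if a.severity is Severity.BLOCK],
        "accepted": sorted(accepted),
        "allowed": allowed,
    })
    return Decision(allowed, alerts, pending)


def warning_outcomes(log: list[dict], rule: str) -> dict:
    """For one WARN rule, count claims that proceeded despite the warning versus those not completed.

    Only the last attempt per claim is considered, so a claimant who first sees the
    warning and then resubmits with acceptance counts once, as 'proceeded'.
    """
    last: dict[str, dict] = {}
    for record in log:
        if rule in record["warned"]:
            last[record["claim_id"]] = record
    proceeded = sum(1 for r in last.values() if r["allowed"] and rule in r["accepted"])
    return {"claims_warned": len(last), "proceeded": proceeded,
            "not_completed": len(last) - proceeded}


if __name__ == "__main__":
    claim = {"id": "C2", "fare_class": "flexible", "declared_total": 610.00, "nights": 3}
    first = submit(claim)                                    # warned, not yet accepted
    second = submit(claim, accepted=frozenset({"cheapest_fare"}))
    print(first.allowed, first.pending, second.allowed)
    print(warning_outcomes(AUDIT_LOG, "cheapest_fare"))
```

The `warning_outcomes` figure is the "incorrect actions completed despite alerts" measure from the list above; comparing it before and after a wording change to the prompt is one way to test whether the nudge actually changes behaviour rather than being clicked through.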