
Fraud awareness from the DfE
Given that the Public Sector Fraud Authority estimates that every year between £39.9 billion and £58.5 billion of taxpayers' money is subject to fraud and error, it's no wonder the UK Government has published some guidance about fraud awareness.
As with all cyber threats, threats from fraud continue to change and become more sophisticated. It's therefore important that all education providers have systems and processes to prevent damage from those threats and to manage and assess fraud risks.
From September 2025 the Economic Crime and Corporate Transparency Act 2023 comes into force. Organisations in scope of the act can be prosecuted for failing to prevent fraud. Part 5, Investigating provider fraud, has more information.
What is fraud?
Fraud is a criminal offence defined by the Fraud Act 2006. Other related concepts are bribery, corruption, theft, error and irregularity. And just like a cyber incident, the impact of fraud is not just financial: it can be reputational and even cause harm.
How can you prevent fraud?
- As with data protection and cyber security, the best way an organisation can protect itself is through staff training and awareness. You may want to include students in this training, depending on their age. This should be included as part of the annual cyber security training for staff.
- Have a clear policy or response plan to assess and manage risks.
- Have clear responsibilities for certain staff members in relation to managing fraud.
DPE Customers should review our Cyber Security Best Practice Area and Data Breach Best Practice.
Types of fraud
Most types of fraud will be digital, particularly as most systems relating to school business and teaching and learning are online.
- Cyber fraud - for example, phishing and the use of AI to create deepfakes.
- Invoice fraud - 'suppliers' asking for a bill to be paid or payment details to be changed.
- Qualification fraud - falsifying academic results to get a job or promotion, leading to potential safeguarding risks.
- Banking fraud - similar to invoice fraud, asking for banking payment details to be changed.
- Money laundering - less well known, this is when students are enticed into becoming 'money mules' to move illicit funds for cyber criminals.
Fraud can be internal and external - as with cyber threats, the insider threat exists.
How should an organisation report fraud?
If an actual or attempted fraud is suspected, it should be investigated and reported to the relevant authorities. The DfE provides a list:
Remember that who you need to inform may depend on how the fraud was committed.
DPE Customers should report via the data breach log and ask the core DPO team for advice as to whether it should be reported to the ICO (we can do that on your behalf).
Stop! Think Fraud is a website with advice and guidance and a reminder that no one is immune from fraud.