A panel session at Counter Fraud 2026, chaired by Nick Tomlinson of the Public Sector Fraud Authority, brought together four counter fraud leads from across the public sector to discuss insider fraud - how to spot it, how to prevent it, and how organisations need to change.
The panel comprised Mike Brown, Head of Internal Investigations at HMRC; Richard Hampton, Head of Intelligence and Fraud Prevention at the NHS Counter Fraud Authority; Nick Jennings, Head of the Hertfordshire Shared Anti-Fraud Service (SAFS); and Rachael Tiffen, Director of Public Sector and Learning at Cifas. Here is a summary of the key points from the discussion:
Spotting red flags: Financial pressure and patterns of behaviour
Mike Brown opened with a case study: an HMRC employee prosecuted in late 2025 for stealing approximately £200,000 from the public purse. The individual had a gambling addiction, drug dependency and personal debt - none of which were visible to the organisation at the time. His role did not require national security vetting, so there were no routine welfare conversations that might have surfaced the financial pressure he was under.
Brown's observation was direct: financial pressure appears as a factor in nine out of ten insider fraud cases HMRC investigates. The challenge is that remote and hybrid working makes it harder for managers to know their people well enough to notice when something has changed. Organisations need to think carefully about the balance between risk tolerance and service delivery. In HMRC's case, staff in customer-facing roles are given significant access and influence in order to do the job - access that can be turned to fraudulent advantage if the warning signs are missed.
Richard Hampton added an NHS example: a senior operations manager who created two ghost contractors on the procurement system and paid money to them over approximately ten months before auditors identified it. The systemic lesson, he said, is that most organisations have adequate policies on paper. The question is whether those policies are actually followed, whether fraud risk assessments have been done at scheme level, and whether controls are genuinely being implemented. Where they are not, that absence is itself a red flag.
Nick Jennings highlighted a pattern he has encountered repeatedly in polygamous working cases: managers who had seen performance issues or gaps in service delivery but had not acted, because the individual was otherwise well-liked or because the manager was too stretched to deal with it. Ignoring red flags, he said, is a problem. Not every red flag means fraud - it might simply mean someone is struggling or underperforming - but both require a management response, and waiting for the fraud to become undeniable before seeking support is too late.
Data and digital tools: using what you already have
Mike Brown made the case for business monitoring as a core detection tool. In HMRC, the majority of insider fraud cases are built on the organisation's own business data - who accessed which system, when, and what they did. The digital trail is often comprehensive. The challenge is not the availability of evidence after the fact, but spotting the patterns earlier. Indicators that are worth monitoring, he suggested are: system access outside normal hours, unusual breadth of activity, and behaviour that differs when staff are observed versus unobserved.
Rachael Tiffen described Cifas' role from a pre-employment perspective. An example she gave showed an individual who applied for roles with six different Cifas member organisations, changing their name, date of birth and national insurance number each time. Every application was flagged and declined because the member organisations checked the Cifas database. The point was not to advocate for any single product, but to make clear that tools exist - including the NFI Fraud Hub, which is matching on potential polygamous working - that can prevent insider fraudsters from entering an organisation in the first place.
Richard Hampton described innovative analytical work the NHS Counter Fraud Authority is undertaking, using data to identify anomalies that may indicate working while sick or polygamous working. The analysis does not prove fraud - it surfaces anomalies for human review. But looking beyond the raw data to ask which job roles show the highest prevalence of these anomalies, and what the patterns reveal about how the system is being abused, produces a much richer picture than simple data matching alone.
Collaboration and intelligence sharing
On the value of cross-agency collaboration, the panel was unanimous. Mike Brown described HMRC's investment in Operational Security Advisers (OPSIs) who act as a contact point for police forces and other law enforcement agencies. The practical benefit is significant: police investigations regularly surface HMRC staff details on seized devices, and having a trusted, legally sound channel to share that intelligence quickly and act on it is, he said, enormously powerful. HMRC also participates in the National Policing Counter-Corruption Advisory Group, which meets quarterly and allows law enforcement agencies to compare trends and emerging risks.
Rachael Tiffen described Cifas' model: 800-plus member organisations across 17 sectors sharing data on potentially fraudulent conduct in real time, with one filing added to the database every minute. Intelligence-sharing groups bring together members and non-members to discuss live fraud trends. One such meeting identified an individual holding 14 jobs simultaneously across local authorities and other sectors - a find that would not have been possible without cross-sector data exchange.
Nick Jennings made the point that shared services such as SAFS are themselves a form of collaboration - pooling expertise across multiple councils - but that the challenge is less about accessing data and more about processing the volume of output it generates. Having the analytical capacity to distinguish genuine fraud risk from noise in large datasets is, he said, the next problem to solve.
Embedding a culture of accountability
On culture, the panel's messages were consistent. Mike Brown emphasised the importance of creating an environment where staff feel able to raise concerns - not through formal whistleblowing alone, but through informal networks of trusted contacts who can receive concerns safely and without the person feeling they are reporting a colleague. HMRC uses Learning at Work Week, Speak Up Week and International Fraud Awareness Week as regular touchpoints for internal communications on fraud and bribery.
Richard Hampton was clear that cultural change has to be driven from the top. He gave the example of declarations of interest: most health bodies have a KPI for whether declarations are submitted, but no KPI for whether they are actually reviewed and challenged against procurement data. Ticking a box is not the same as managing the risk. Senior leaders need to demonstrate that they take fraud seriously in how they manage it, not just in what they say about it.
Rachael Tiffen ended the discussion on culture with data from Cifas' annual workplace fraud survey, which drew on 2,000 respondents. 24% said they had committed expenses fraud. 19% said they or someone they knew had used a fraudulent reference or falsified a CV. 13% knew someone who had sold company login details. When the same scenarios were put to business owners and C-suite respondents in the same organisations, 88% of business owners and 70% of C-suite leaders said they considered some of those behaviours justifiable. That finding, she said, illustrates precisely why tone from the top and mandatory fraud awareness training are not optional extras.
.png?width=600&height=250&name=Fraud%20Blog%20CTAs%20(4).png)
Jessica Kimbell, GovNet
