Breakdown of recorded fraud attempts against the Scottish Government: FOI release

Information requested

"How many fraud attempts (whether successful or not) have been made on Scottish Government (a) banking and (b) I.T systems in each of the last five years (17/18, 18/19, 19/20, 20/21) and 21/22 to date. Please disclose whether there has been any financial loss and if so the value again broken down by year."

Response

Scottish Government - Fraud/Error Incident Reporting

The Scottish Government (SG) draws a distinction between Cyber-Attacks and Fraud and Error incidents and therefore Scottish Government monitors Fraud/Error incidents and Cyber Attack incidents separately. We do not distinguish between those Fraud/Error incidents which were a result of IT failures or via other means so the numbers we have provided include all incidents of fraud and error reported to us during the period and include the numbers of incidents which occurred within our consolidation boundary i.e. within the Scottish Government and its Executive Agencies.

At this stage Scottish Government can provide formal monitoring data between 2017-2020, however the complete collation of the 2020-21 and 2021-22 incidents to date are not yet held centrally at this time. The Fraud and Error incidents recorded across SG, that we are able to share for the period requested, are outlined in Table 1, this also includes estimated financial losses associated with these incidents.

Table 1: Fraud/Error Incidents Reported to SG

Year	No. of Incidents	Financial Impact*1
2017-18	55	£154,432
2018-19	32	£92,000
2019-20	46	£185,049
2020-21	Currently not available
2021-22	Currently not available

*1 Recovery action was taken on all the amounts outlined above

Banking Fraud/Error
Bodies to which the Scottish Public Finance Manual (SPFM) is directly applicable, including bodies sponsored by the Scottish Government, hold their core bank accounts with Government Banking. Government Banking is a shared government function which provides critical banking services across central government and wider public sector customers. This is administered either through the Government Banking contract, a UK-wide framework managed by H M Revenue and Customs, or the Scottish Government Banking Services Framework which is designed to supplement the Government Banking contract. Banking related fraud is recorded separately to the above Fraud outlined in Table 1. Banking fraud covering core Scottish Government for the period requested, is outlined below in Table 2. Again we are not able to share information for 2020-21 and 2021-22 as the complete collation of the 2020-21 and 2021-22 incidents to date are not yet held centrally at this time.

Table 2: Banking Related Fraud/Error Incidents

Year	No. of Incidents	Financial Impact (all losses recovered)
2017-18	2	£8.68
2018-19	4	£75.87
2019-20	9	£159.91
2020-21	Currently not available
2021-22	Currently not available

Cyber Security

There have been no known successful Cyber Security Incidents in the period requested within core Scottish Government. While our aim is to provide information whenever possible, in this instance an exemption under section 30 of the FOISA applies to the request for total incidents and the extent of attempted Cyber Security attacks occurring in the period requested, across the Scottish Government and its Executive Agencies. Disclosing this information in the public domain could subsequently result in Scottish Government being attacked. Considering both the external and insider threat, to evade any protective monitoring we might have/have not in place, this could therefore enable attackers to target specific types of attack or data exfiltration methods and would constitute substantial prejudice to the effective conduct of public affairs outlined under section 30 of the Act. Furthermore, the collation of this information would also exceed the thresholds in place for providing this information under section 12 of FOISA.

National Fraud Initiative

The Scottish Government also participates in the biennial National Fraud Initiative (NFI) exercise, this is a counter-fraud exercise led by Audit Scotland, and overseen by the Cabinet Office for the UK as a whole. It uses computerised techniques to compare information about individuals held by different public bodies, and on different financial systems that might suggest the existence of fraud or error. It means that public bodies can take action if any fraud or error has taken place, and it allows auditors to assess fraud prevention arrangements which those bodies have.

The last exercise took place in 2018-19 and identified a total of 3,462 matches for the core Scottish Government, ranging over 21 reports. As in prior years, the investigations were split between payables (creditors), payroll and procurement. The total number of matches processed was 1,339. Of the 1,339, 44 were closed due to already being known, 1006 were closed after finding no frauds or errors and 289 were closed as they were not selected for investigation due to their being assessed as low risk. The 2020-21 exercise is currently underway with the final report to be published by Audit Scotland within the next couple of months. The 2018-19 Report can be located at the following website https://www.audit-scotland.gov.uk/report/the-national-fraud-initiative-in-scotland-201819.

About FOI

The Scottish Government is committed to publishing all information released in response to Freedom of Information requests. View all FOI responses at http://www.gov.scot/foi-responses.