Sarah Sloan on why Australian government agencies are losing ground in the fight against payment fraud

Government payment fraud is no longer a back-office compliance issue, but a systemic risk shaped by fragmentation and legacy infrastructure.

As governments worldwide grapple with escalating payment fraud, the challenge has shifted from isolated incidents to highly organised, technology-enabled crime operating at scale.

Legacy systems, fragmented data and recovery-led models are increasingly misaligned with the speed and sophistication of modern threats.

In this interview, Sarah Sloan, Head of Cybersecurity Policy APAC at Cisco, explains where fraud most often enters government payment systems, why it scales so quickly, and what must change for prevention—not recovery—to become the default operating model.

Drawing on recent research and real-world cases, she outlines how organised crime is exploiting systemic gaps, and where AI-driven, real-time decision-making is already delivering measurable impact.

1. Where in the current government payment system is fraud most likely to enter or scale, and what makes those points so vulnerable?

A central finding from Splunk’s latest research is that fraud is most likely to enter and scale where government systems are operating in data silos within and across organisations, relying on outdated systems and processes, and under pressure to move quickly. Fraud can occur at multiple points in the payment lifecycle, but the highest-risk moments are typically identity creation, account onboarding, claim submission, eligibility assessment, account changes and payment execution.

These are vulnerable stages because many payment programs still rely heavily on self-reported information, disconnected identity tools and legacy platforms that were built to process forms, not to detect organised criminal behaviour in real time. We are seeing threat actors exploit these weaknesses through a combination of fraud and cyber-enabled techniques — using false or misleading information, stolen or fabricated identities, compromised credentials, account takeover, phishing, breached data and gaps in payment and eligibility controls to gain access to public funds. The size, complexity and reliance on self-reporting across government programs make them particularly attractive targets for fraudulent activity.

In a fragmented environment, once a fraudulent identity or account is established, it can be reused across multiple agencies and programs, allowing losses to scale rapidly. Without a connected view of claims, identities and money flows, coordinated activity can remain undetected for longer and become much harder to disrupt.

In practice, these are no longer isolated instances of individual wrongdoing; they are increasingly the entry points for organised crime groups using sophisticated, technology-enabled methods to steal public money at scale. That is why government payment fraud needs to be seen not just as a compliance challenge, but as a broader organised crime and national security issue.

2. Why are legacy systems and post-payment recovery models struggling to keep up with today’s fraud patterns in practical terms?

There are several reasons legacy systems and post-payment recovery models cannot keep pace with today’s fraud patterns. The threat landscape has changed significantly in recent years – in terms of its speed, scale and sophistication.

We are seeing a new level of sophistication from organised criminal actors and a growing ability to leverage technology, including automation, machine learning and AI, to scale attacks, adapt quickly and avoid detection. This is no longer a problem of isolated bad actors exploiting simple loopholes; it is increasingly organised, technology-enabled fraud operating at industrial scale.

The scale of the challenge is illustrated when looking at our counterparts: research shows the UK loses an estimated £55–£81 billion annually to fraud and error, and the United States loses between US$233 and US$521 billion each year. Comparative analysis suggests that between three and six per cent of Australian government expenditure may be lost to fraud and improper payments, hinting at a problem far larger than what is formally detected and recovered.

At the same time, many of our systems were simply not built for this challenge. Some major payment systems still sit on legacy infrastructure designed to process transactions, not to detect complex organised fraud in real time. In some cases, agencies may not be tracking the right metrics — with timeliness still treated as the dominant indicator of performance rather than integrity, accuracy and fraud prevention.

Data also remains siloed across fraud, cyber, identity and payments teams, meaning agencies often only see a fragment of the risk picture rather than the full pattern of criminal activity. Post-payment recovery models are also inherently limited because by the time fraud is detected, funds have often already been paid and rapidly moved through crypto, mule accounts or offshore structures, making recovery increasingly difficult. That is why governments need to shift from retrospective recovery to real-time, pre-payment prevention, leveraging best-in-breed technologies to support human decision-making and enable agencies to operate with the same speed, scale and sophistication as their adversaries.

3. How are organised criminal groups exploiting gaps between agencies, programs, or jurisdictions in real cases or patterns you’ve observed?

Organised criminal groups operate across government systems rather than within individual programs. They deliberately exploit gaps between agencies, funding schemes and jurisdictions where data sharing can be limited or slow. Recent Australian case studies highlighted in our research show alleged syndicate activity targeting NDIS, Medicare, Centrelink and Child Care Subsidies simultaneously, often across multiple states.

In a co-ordinated operation in 2025, investigators disrupted more than $50 million in alleged fraud across New South Wales, South Australia, Queensland and Western Australia. This is likely only part of the picture — it reflects what has been detected, investigated and reported, not the full scale of what may be occurring beneath the surface, which is why these kinds of cases should be seen as an indicator of a much broader and more deeply embedded organised fraud problem across the system.

What appears as minor or ambiguous activity within one program can often be part of a broader, co-ordinated strategy. These organised crime groups are becoming increasingly sophisticated, operating both at speed and scale but also in “low and slow” ways designed to avoid triggering traditional controls.

They are leveraging technology — including automation, machine learning and even AI-enabled tools — to enhance attacks, test vulnerabilities, reuse identities and accounts, and adapt quickly across programs and jurisdictions. That is why fragmented visibility is such a significant weakness: government often sees isolated transactions, while criminal networks are operating with a joined-up strategy.

4. If government shifted from recovery to prevention, what would actually need to change first in systems, data, or processes?

To shift from recovery to prevention, the first change would need to occur at the system level. Payment platforms must move beyond form-based processing and function as real-time risk engines that continuously monitor claims, account changes and payment behaviour before funds are released. This requires earlier integration of risk analytics into payment workflows, not bolted on after the fact.

Data also needs to be broken out of silos so fraud, cyber, identity and payments teams can share a common view of risk. Governments are already collecting much of the required data but the silos prevent early detection. Just as importantly, agencies need to start measuring integrity and accuracy, not just speed, because if timeliness remains the dominant success metric, fraud prevention will always be treated as secondary.

Critically, prevention must be underpinned by clear governance and processes that incorporate human oversight and transparency to maintain public trust while intervening earlier and more effectively.

5. Where does AI or automated decision-making deliver the most measurable impact in reducing fraud risk across the payment lifecycle?

AI and automated decision-making deliver the most measurable impact when they are applied at points of intervention before money moves. Their value lies in real-time detection—identifying anomalous behaviour during onboarding, claim submission and payment changes, rather than retrospectively investigating losses. Automation excels at processing speed, scale and pattern recognition, surfacing weak signals such as unusual account changes, device behaviour or velocity anomalies that humans alone cannot see.

Crucially, this is not about removing human judgment. The most effective model uses AI to prioritise risk and trigger alerts, with trained investigators making final decisions.

We have already seen how powerful this can be in practice. As highlighted in the report, Splunk worked with the New York State Department of Labor during the Covid-19 period to help identify more than 1.5 million fraudulent claims and prevent more than US$32 billion in attempted theft, while reducing investigations from days to minutes. That kind of result shows what is possible when trained investigators are empowered by real-time analytics embedded into high-volume payment environments, combining human judgement with the speed, scale and pattern recognition needed to disrupt fraud before money moves. Used this way, automation enables earlier, more accurate intervention and prevents fraud before it becomes unrecoverable loss.

6. How does fragmentation across agencies translate into real opportunities for fraud to go undetected or unresolved?

Fragmentation across agencies creates real opportunities for fraud because it prevents government from seeing the full risk picture that criminal networks are exploiting. When data relating to identities, claims, providers and payments is held in separate systems, suspicious activity can appear legitimate when viewed in isolation. That fragmentation also slows investigations, creates accountability gaps and makes it harder to intervene before money is moved or laundered.

Organised criminal groups take advantage of this lack of connected visibility, deliberately spreading activity across multiple programs to avoid detection. In effect, government often sees fraud through institutional silos, while organised crime operates across them. Without timely and near real-time linkage of information, patterns only become clear after losses have accumulated, making fraud harder to detect early and more difficult to resolve once it has occurred.

The picture that emerges is clear: government payment fraud is no longer a back-office compliance issue, but a systemic risk shaped by fragmentation, legacy infrastructure and adversaries that operate across programs and jurisdictions.

As Sarah Sloan emphasises, the path forward requires a decisive shift—away from post-payment recovery and toward real-time prevention, shared visibility and integrity-led performance metrics.

When data is connected, risk is assessed before money moves, and AI augments human judgment at scale, governments can begin to match the speed and sophistication of organised criminal networks. The stakes are high, but so too is the opportunity to protect public funds, restore trust and modernise the foundations of government payment systems for the realities of today’s threat landscape.

Sarah Sloan
Head of Cybersecurity Policy APAC at Cisco

Sarah Sloan is Head of Cybersecurity Policy APAC at Cisco, where she leads public sector engagement across the region. With 15 years’ experience across government, industry, and consulting—including over a decade focused on cyber and technology—Sarah has held senior roles in the Australian Government and leading global technology firms, driving policy development, public-private sector partnerships, and national cybersecurity priorities. She holds a Bachelor of Laws (Hons) and Bachelor of Asia-Pacific Studies from the Australian National University (ANU), and postgraduate qualifications in legal practice, international law, and Japanese studies. Sarah is also Chair of the Australian Industry Information Association's (AIIA) National Security and Cyber Resilience Policy Advisory Network.
