Fraud Prevention & Detection Policy

Reviewed: 29 January 2026


At a glance

  • We use a risk‑based, multi‑layer programme to prevent and detect fraud across onboarding, payments, and mail handling/forwarding.
  • Controls include KYC/EDD, sanctions/PEP screening, device and behaviour analytics, velocity limits, payment risk signals, and mail pattern monitoring.
  • We apply step‑up verification, temporary holds, and account suspension where risk is elevated. Substantiated suspicions are escalated to the MLRO and, where appropriate, to law enforcement and carriers.
  • Fraud processing aligns with UK GDPR; we do not rely on solely automated decisions with legal or similarly significant effects—human review is available.

Purpose

To set out how UK Postbox prevents, detects, investigates and responds to fraud affecting our platform, customers, partners and carriers, while complying with applicable law and protecting individuals’ rights.


Scope

  • Fraud types: identity theft/impersonation, synthetic identities, account takeover, payment fraud (stolen cards, chargeback abuse, refund fraud), address misuse, reshipping/mule activity, phishing/social engineering, abuse of promotions, falsified documents, and misrepresentation to carriers.
  • Processes covered: sign‑up/KYC, account access, payment and refunds, mail receiving/opening/scanning, storage, forwarding/returns, and customer support interactions.
  • Roles: we act as controller for fraud‑prevention data; our processors (KYC, PSPs, analytics, carriers) act under contract and DPA.

Legal & policy framework

  • Fraud Act 2006, Proceeds of Crime Act 2002 (POCA), Computer Misuse Act 1990, Sanctions and Anti‑Money Laundering Act 2018, Money Laundering Regulations (MLR), Consumer Rights Act 2015.
  • UK GDPR/DPA 2018 (Art. 6(1)(f) legitimate interests; Art. 6(1)(c) legal obligation; limited use of Art. 9 conditions where special category data is incidentally present during mail scans—handled per our Data Protection Policy).
  • Related Trust Centre policies: AML & KYC, Identity Verification, Biometric Checks, Data Protection, Incident Response, PCI DSS, Restricted Goods, Mail Inspection, Access Control.

Principles

  • Risk‑based: controls proportional to customer, product and geography risk.
  • Prevention first: deter and block attempts early (e.g., KYC, device checks, velocity limits).
  • Accuracy & fairness: minimise false positives; provide appeal/human review.
  • Privacy by design: minimise data, restrict access, and use vendors under DPA with clear purposes.
  • Collaboration: work with PSPs, carriers and authorities to disrupt fraud.

Controls & signals

Onboarding & identity

  • KYC with document, address and biometric/liveness checks; sanctions/PEP screening (continuous).
  • Device & network risk: IP reputation, VPN/Tor detection, device fingerprint shared across multiple identities, and disposable/temporary email domains (flagged for additional verification, or blocked at registration where risk is high).
  • Velocity & linkage: repeated failed verifications, multiple accounts per device or payment method, linkages to known bad indicators.
  • Adverse media or law‑enforcement notices.

Payments & billing

  • PSP risk responses (3‑D Secure, AVS/CVV, risk scores); BIN–country–IP mismatch; high chargeback history; card testing patterns; repeated declines.
  • Refund controls: verified destination, cooling‑off checks, and anomaly detection on refund frequency/value.
  • Tokenisation only—no PAN/CVV handled by UK Postbox (see PCI DSS Compliance Policy).

Account access & session behaviour

  • MFA prompts on anomalies such as impossible travel, sudden device change, or mass download/export; step‑up verification for sensitive actions.
  • Brute‑force/credential‑stuffing detections; rate limiting and bot management.

Mail handling & logistics

  • We may investigate and take action where we have reasonable grounds to suspect misuse of a UK Postbox address, including (examples, not exhaustive):
    • Registered office or service address used without authority from the legal entity, including failure to obtain valid consent for registered office use as required by Companies House.
    • Deceptive or infringing use of a brand, trading name, or logo that is likely to mislead recipients.
    • False, unlawful, or misleading representations (e.g., implying government affiliation, regulated status, or a physical branch where none exists).
    • Pattern anomalies: large volumes to high‑risk destinations, repeated returns to sender, inconsistent recipient names, rapid change of forwarding addresses.
    • Restricted goods indicators; declared contents mismatches; carrier red flags.

Process — detect, decide, act

  1. Detect & triage: alerts from systems, PSPs, KYC vendors, carriers or staff reports create a case in the Fraud Queue. We aim to complete initial triage within 24 hours and full assessment within 5 working days, depending on complexity.
  2. Initial containment: may include temporary hold on forwarding, blocking risky transactions, disabling login sessions, or pausing new item processing.
  3. Assess: review KYC, device, payment and mail signals; consult the MLRO for AML links; determine risk rating.
  4. Decide:
    • Allow (benign/false positive).
    • Allow with conditions (e.g., require MFA, verified payment, limited forwarding destinations).
    • Step‑up verification (additional ID, proof of address, source of funds/source of wealth (SoF/SoW) for EDD, video call).
    • Suspend/terminate account (per Terms & Conditions).
    • Report to PSP, carriers, law enforcement; the MLRO considers a Suspicious Activity Report (SAR) or Defence Against Money Laundering (DAML) request to the NCA.
  5. Notify: communicate with the customer where appropriate; avoid tipping‑off if an AML suspicion exists.
  6. Record & learn: document evidence, decisions and outcomes; feed findings into detection rules and training.

Customer holds, suspensions & exits

  • We may place temporary holds on payments, mail forwarding or account features while we complete checks. Where we suspend an account pending investigation, we aim to complete our review within 10 working days. If we require more time, we will notify you.
  • Where fraud or unacceptable risk is confirmed, we may suspend or terminate services and retain data for legal purposes.
  • We endeavour to explain outcomes unless doing so risks security, breaches confidentiality, or would be unlawful (e.g., AML tipping‑off).

Data protection, profiling & fairness

  • Lawful bases: fraud prevention under legitimate interests; AML obligations under legal obligation.
  • Profiling: we use automated scoring and pattern analysis, but do not make solely automated decisions that produce legal or similarly significant effects; a human review path and appeals are available. You may request information about the logic involved in any automated profiling by contacting compliance@ukpostbox.com.
  • Minimisation: collect only what is necessary; restrict access to need‑to‑know.
  • Vendors: KYC, biometric, device risk, analytics and PSPs operate as processors under DPA; cross‑border transfers use the IDTA or UK Addendum, with a transfer risk assessment (TRA/TIA) where required.
  • Transparency: core practices are described in our Privacy Notice and Trust Centre; significant changes are communicated.

Training & awareness

  • Mandatory training at induction and annually for Support, Operations, Finance and Compliance; role‑based refreshers for Security/Engineering.
  • Playbooks and checklists for common fraud scenarios (account takeover, reseller/mule rings, refund abuse, carrier‑related fraud).
  • Social engineering awareness for staff (phishing, fake support calls, document forgery cues).

Records & retention

  • Fraud case files, alerts, decisions and communications (including false positives) are retained for up to 6 years from case closure to align with limitation periods and evidentiary needs, unless a longer legal requirement applies.
  • KYC/AML records are retained for 5 years after relationship end (per MLR).
  • Payment records are retained as per finance/tax law and our Data Retention & Deletion Policy.
  • Records are destroyed securely; copies held in backups are purged through normal backup rotation.

Governance & review

  • Owner: Compliance Lead / MLRO, with Security input.
  • Escalation: MLRO for AML/SAR decisions; Security Lead for platform threats; Legal for contractual actions.
  • Review: annually or after material incidents/regulatory changes.
  • Metrics: false‑positive rate, time‑to‑decision, case volumes by type, repeat offender rate, loss avoided, training completion.

Reporting & contact

  • Report suspected fraud to fraud@ukpostbox.com.
  • Security incidents: security@ukpostbox.com.
  • Privacy/data rights: dpo@ukpostbox.com.

UK Postbox Limited

13 Freeland Park, Wareham Road, Lytchett Matravers, Poole, Dorset, BH16 6FH, United Kingdom


Support: support@ukpostbox.com

Security: security@ukpostbox.com

Legal notices: legal@ukpostbox.com

Data protection: dpo@ukpostbox.com

Complaints: complaints@ukpostbox.com

Accessibility: accessibility@ukpostbox.com

Website: www.ukpostbox.com


Registered in England and Wales Company Number: 06723381

MLR registration no: XLML00000192390

ICO registration no: ZA038907