Cyber Proactive Protection Lead

Join HMRC’s Fraud Prevention Centre and lead the fight against online fraud. We’re looking for a Proactive Protection Lead (Grade 7) to spearhead fraud detection and response across HMRC’s digital services. This is a high-impact leadership role where you’ll manage teams of analysts and drive proactive strategies to identify, disrupt, and prevent fraudulent activity at scale.

You’ll oversee digital profiling of user interactions, manage complex risk rules to automate interventions, and lead investigations into anomalies and suspicious behaviours. Working at the heart of HMRC’s transformation, you’ll be ensuring the effective exploitation of our growing range of technical capabilities, including advanced analytics, fraud detection and behavioural analytics, and threat intelligence with big data and SIEM platforms like Splunk, enabling real-time interventions and data-driven decisions.

You’ll also collaborate with FPC Customer Operations, compliance teams in Risk, Intelligence and Fraud Investigation, and cyber security specialists to deliver joined-up fraud prevention and incident response. Your work will directly protect millions of taxpayers, safeguard public funds, and strengthen HMRC’s digital resilience against evolving threats to identity and access services.

This post will require DV clearance, or be willing and able to achieve that level of clearance. This is considered a ‘Reserved Post’ under the Civil Service Nationality Rules and is open to UK nationals only.

• Lead and develop teams of security and fraud analysts by example, driving excellence in proactive fraud prevention, detection and response across all customer communications channels.
• Design and manage risk rules to identify suspicious patterns and behaviours across HMRC’s digital services, partnering with HMRC Compliance & Customer teams.
• Conduct digital profiling of suspect interactions, leveraging intelligence and behavioural analytics to drive response activity and develop automated interventions.
• Investigate anomalies and suspicious activity, applying intelligence-led approaches to disrupt fraudulent behaviour or influence customer compliance.
• Work closely with FPC Threat Intelligence to understand threats and their scope and scale, FPC Engineering to inform controls, and FPC Performance on reporting.
• Partner with wider HMRC compliance teams, including Risk, Intelligence, and Fraud Investigation, to share insights and coordinate fraud disruption strategies.
• Analyse large-scale datasets using tools like Splunk, applying advanced techniques and developing tools and dashboards to support efficient action by junior analysts.
• Integrate threat intelligence and data enrichment services (e.g., email, phone reputation) into detection workflows.
• Work closely with FPC Customer Operations teams to investigate suspicious activity linked to customer reporting and ensure timely resolution.
• Support incident management investigations, providing technical expertise and analysis to inform response actions and track them to conclusion.
• Drive continuous improvement through automation, intelligence sharing, and feedback loops across FPC and partner teams.
• Build strong partnerships across FPC and HMRC (including our Customer Compliance teams, tax and customs service leads) and with external bodies to ensure a coordinated approach to fraud prevention.
• Support innovation and continuous improvement in fraud prevention techniques, leveraging automation, anomaly detection, and advanced analytics to stay ahead of evolving threats, and ensure a prompt and effective response.
• Adjust fraud prevention controls to protect customers effectively while maintaining trust and minimising friction in HMRC services.

Proven experience in fraud detection, cyber security, or threat intelligence within a large organisation. Experience using data analysis and Security Information and Event Management (SIEM) platforms, such as Splunk or ELK, preferably in a security operations setting. Good technical understanding of web and API services and interaction with client applications, including identity proofing authentication processes. Knowledge of applying kill chain methodology and MITRE ATT&CK, including the use of threat intelligence feeds to classify and detect threat actor activity. Knowledge of fraud detection techniques, including behavioural analysis and anomaly detection and investigation and OSINT (Open Source Intelligence) methods. Strong understanding of cyber security principles, including threat intelligence and incident response. Skilled in reporting, presenting, and visualising complex data in creative, digestible formats for different audiences, from senior leaders to development teams. Software development and scripting skills in a security or counter-fraud context. Experience of applying machine learning and advanced analytics techniques in fraud detection. Certifications such as CISM or relevant GIAC qualifications in network defence, threat intelligence and incident handling. Academic qualifications in science, technology, engineering or maths subjects.