Do Your Audits Test Employees’ Knowledge?

Would your cardholders be able to spot and prevent a scam? A national company became a victim of business email compromise (BEC) fraud involving gift cards, even though the employee who fell for it was trained on information security. This highlights a critical component that all training programs should include: auditing. Besides covering key topics within training presentations, testing employees’ knowledge through process audits can reveal how well the training has sunk in. Keep reading to learn what happened and see if your organization is already following the presented action items.

What Happened

Proving that no organization is immune to external fraud, the company in question is in the financial services industry, which, of course, is very focused on information security. One of the manager-level employees received an email that looked like it was from a senior management member. It directed the employee to buy $2,000 worth of gift cards to be used for employee recognition purposes. The big red flag was that it instructed the employee to take immediate action following the purchase rather than go back to the office first. It stressed that the employee should uncover the cards’ security codes and then reply to the email by sending photos of the fronts and backs of the cards. The employee complied. The Info-Security team discovered the loss while researching the same type of fraud, which had been reported by a different employee who recognized the scam and did not fall for it.

Action Items

  • Ensure all employees—not just cardholders—are trained annually on information security. They should scrutinize any email requests that are seemingly out of the blue—something they were not expecting—and/or are different than “normal” business operations. When in doubt, they should independently verify a request and report any fraudulent attempts to the Info-Security team.

  • Keep your training current by refreshing as needed to include new fraud types and variations of common scams.


  • Routinely share examples of fraud (from the news and blogs like this) to keep security at the forefront of people’s minds.

  • Within your process audits, try to simulate a scam to see if employees take the appropriate action.

  • Ask your IT group about automatically marking emails from external sources, which can help make employees more vigilant.

About BEC Fraud

As reported by the FBI, business email compromise (BEC) is a $12B scam. It is frequently carried out when a subject compromises legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds. While it is most often associated with requests for wire payments, fraudulent requests may pertain to personal information (e.g., W-2 forms). As this blog post demonstrates, the scam has widened to include gift cards.

Would your cardholders be able to see a scam targeted at them?




About the Author

Blog post author Lynn Larson, CPCP, is the founder of Recharged Education. With 20 years of Commercial Card experience, her mission is to make industry education readily accessible to all.

Why Employee Use of Personal Cards is a Gamble

If your organization still allows employees to use their personal cards for business expenses and then get reimbursed, it is worth another look. Have you considered the risks lately? Early last year, I wrote about a couple ways in which fraud might occur with this approach. Namely, the employee could benefit financially by submitting the same expense more than once or by cancelling a business trip, but still pocketing the reimbursement for a reservation (e.g., airfare, conference registration). Now I am adding another type of fraud to the list. Keep reading to see if your organization is aware of the following risk.

The Receipt Risk

When an employee seeks reimbursement by submitting a receipt that the supplier provided electronically, the employee can change the dollar amount. It doesn’t matter if the receipt is an email (no attachment), such as what Uber provides, or if the receipt is an emailed PDF attachment, such as what a hotel sends. Both can be edited; I verified this firsthand.

When I edited a PDF from a hotel, a pop-up message alerted me that the file was read-only and had to be saved as a new file. Just one easy, extra step…

The Answer

While receipt tampering can happen regardless of the card used—personal card or company card—use of company cards (Commercial Cards) with corporate liability/corporate pay offers controls. Since there are no reimbursements to employees, there is no motivation for an employee to change a dollar amount on a receipt. Accounts payable uses the card issuer’s central bill to initiate payment for all cardholders’ transactions.

If the program has an individual liability/pay arrangement (as some Corporate Travel Card programs do), your organization still has the ability to independently view and verify actual transaction amounts through the card issuer’s technology. It would be possible to catch receipt tampering prior to reimbursing the employee. However, this is a mostly manual exercise that could quickly consume significant time.

The bottom line is, to prevent employee fraud, it is critical to have transaction visibility and to eliminate employee expense reimbursements to the extent possible.
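The verification described above, matching each submitted receipt against the settled amount in the card issuer's data, can be automated rather than done by hand. This is an added example and not the author's or any issuer's code; the receipt and transaction records are constructed, and the field names are assumptions. It also catches the duplicate-submission risk mentioned in the introduction, since each settled charge can satisfy only one receipt.

```python
"""Reconcile employee-submitted receipts against the card issuer's settled
transactions. Added example with constructed data; a receipt whose amount
differs from the settled charge, or that matches no unclaimed charge (e.g. a
second submission of the same expense), is held for review."""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Receipt:
    employee: str
    merchant: str
    date: str          # YYYY-MM-DD as printed on the receipt
    amount: Decimal    # amount the employee is claiming


@dataclass(frozen=True)
class SettledTxn:
    cardholder: str
    merchant: str
    date: str
    amount: Decimal    # amount the issuer actually settled


def reconcile(receipts, txns):
    """Return (receipt, matched_txn_or_None, reason) for every receipt that
    should not be reimbursed as submitted. A settled transaction is consumed
    once it is matched, so a duplicate claim surfaces as unmatched."""
    findings = []
    available = list(txns)
    for r in receipts:
        cands = [t for t in available if (t.cardholder, t.merchant, t.date)
                 == (r.employee, r.merchant, r.date)]
        if not cands:
            findings.append((r, None, "no unclaimed settled charge"))
            continue
        t = min(cands, key=lambda c: abs(c.amount - r.amount))  # closest amount
        available.remove(t)
        if t.amount != r.amount:
            findings.append((r, t, f"receipt {r.amount} vs settled {t.amount}"))
    return findings


# Constructed sample: one altered hotel PDF, one honest ride receipt submitted twice.
RECEIPTS = [
    Receipt("jdoe", "HOTEL EXAMPLE", "2024-03-04", Decimal("512.40")),
    Receipt("jdoe", "RIDESHARE EXAMPLE", "2024-03-04", Decimal("23.10")),
    Receipt("jdoe", "RIDESHARE EXAMPLE", "2024-03-04", Decimal("23.10")),
]
SETTLED = [
    SettledTxn("jdoe", "HOTEL EXAMPLE", "2024-03-04", Decimal("412.40")),
    SettledTxn("jdoe", "RIDESHARE EXAMPLE", "2024-03-04", Decimal("23.10")),
]
```

Running `reconcile(RECEIPTS, SETTLED)` holds the hotel receipt for a $100.00 difference and the second rideshare submission for having no unclaimed charge; the first rideshare receipt passes.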

Related Resource

The other fraud risks that I mentioned in the introduction above are described within the 2017 blog post, Why Mandate Card Use for T&E. It also includes another drawback of not having a Commercial Card program for business travel.

Is your organization willing to gamble (and lose) by allowing employees to use their own cards and get reimbursed?




Fallback Card Fraud Hits Home

Despite the inherent protections of chip cards (also known as EMV cards), card-present fraud still occurs and, unfortunately, I have first-hand experience. I live in Minnesota, but someone used a counterfeit version of my card account—with a fake/unreadable chip—to make purchases at big box retailers in the Miami, Florida area. My card issuer alerted me within an hour of the fraudster completing six successful transactions one morning last week. These are considered “fallback transactions” because a card was inserted into each store’s POS chip reader, but, when it didn’t work, the fraudster made the purchases by falling back to the old method—swiping the magnetic stripe. I assume the fraudster went into stores instead of shopping online because they likely lacked information required for most online purchases like the security code on the back of the card and/or part or all of the billing address.

Fallback fraud has become increasingly common as fraudsters continue to reinvent their methods of operation in response to advancements in card security. I’ve read articles suggesting that card issuers should decline fallback transactions at the POS due to the risk of fraud, but, of course, such transactions could be legitimate. There could be a problem with the POS device, the chip on a real card, or the way a cardholder inserts the card into a chip reader.

We know card fraud can happen to anyone. Fortunately, card issuers typically protect cardholders from financial losses. Nevertheless, for Commercial Card programs, it still pays to take precautions. Following are three action items for card program managers.

Action Items for Card Program Managers

1. Train cardholders on card security practices, such as:

  • how to properly dispose of documentation reflecting their account number

  • the approved devices for making business purchases electronically (e.g., work computer versus home computer)

  • how to safely make purchases electronically (e.g., do not use public/unsecured WiFi, look for “https” in a web address, etc.)

2. Verify whether your card issuer sends text messages to cardholders about potential fraud, as this is typically the quickest way to reach a cardholder. If yes, encourage your cardholders to provide their mobile number to the card issuer. (In my case, my card issuer communicated three ways: text, email, and phone.)

3. Ensure cardholders know how the issuer would alert them in cases of potential fraud and what the communications would look like. Cardholders should be equipped to discern between legitimate and fraudulent communications. Internal auditors should test their awareness as part of their annual “process audits.”

Final Thought

Above all, cardholders need to be diligent. They should quickly return messages from the card issuer, but ensure they have the right information for determining whether a purchase is fraudulent. In my case, the first text from the issuer only specified the vendor and dollar amount of the first fraudulent charge. Coincidentally, the day prior, I used the same vendor in Minnesota and the dollar total was nearly the same. I almost replied that the transaction was fine, but decided to wait until I could view my receipt. Subsequently, I saw the related email, which provided the key piece of information—that the transaction occurred in Florida.
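The fallback pattern described at the top of this post, and the point made just above that an alert is only useful if it carries the location, can be turned into alerting logic on the issuer or program side. This is an added example, not code from the author or any card issuer; the transactions are constructed and the entry-mode labels are assumptions. In keeping with the caveat that fallback can be legitimate, it raises a graded alert for cardholder confirmation rather than declining at the POS.

```python
"""Grade EMV fallback transactions for cardholder confirmation. Added example
with constructed data. A fallback swipe (chip read failed, magnetic stripe
used instead) is alerted, not declined; severity rises when it is outside the
cardholder's home state and when several cluster in a short window."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Txn:
    when: datetime
    merchant: str
    city: str
    state: str
    amount: float
    entry_mode: str   # assumed labels: "chip", "contactless", "keyed", "fallback_swipe"


def fallback_alerts(txns, home_state, window=timedelta(hours=6), burst=3):
    """Return one alert string per fallback swipe, oldest first. The text
    always includes the merchant location, the detail that distinguishes a
    counterfeit swipe from the cardholder's own same-merchant purchase."""
    alerts = []
    fallbacks = sorted((t for t in txns if t.entry_mode == "fallback_swipe"),
                       key=lambda t: t.when)
    for i, t in enumerate(fallbacks):
        recent = [f for f in fallbacks[: i + 1] if t.when - f.when <= window]
        out_of_state = t.state != home_state
        if out_of_state and len(recent) >= burst:
            sev = "HIGH"
        elif out_of_state or len(recent) >= burst:
            sev = "MEDIUM"
        else:
            sev = "LOW"
        alerts.append(f"{sev}: fallback swipe ${t.amount:.2f} at {t.merchant}, "
                      f"{t.city}, {t.state} on {t.when:%Y-%m-%d %H:%M} "
                      f"({len(recent)} fallback swipe(s) within {window})")
    return alerts


HOME_STATE = "MN"
# Constructed: a genuine chip purchase at home, then a burst of out-of-state
# fallback swipes the next morning, the first at the same merchant and a
# near-identical amount so that vendor and amount alone would look familiar.
SAMPLE = [
    Txn(datetime(2024, 5, 6, 17, 5), "BIG BOX STORE", "Minneapolis", "MN", 118.00, "chip"),
    Txn(datetime(2024, 5, 7, 9, 12), "BIG BOX STORE", "Miami", "FL", 117.50, "fallback_swipe"),
    Txn(datetime(2024, 5, 7, 9, 40), "BIG BOX STORE", "Hialeah", "FL", 230.00, "fallback_swipe"),
    Txn(datetime(2024, 5, 7, 10, 3), "ELECTRONICS STORE", "Miami", "FL", 499.99, "fallback_swipe"),
]
```

Calling `fallback_alerts(SAMPLE, HOME_STATE)` yields three alerts: the first two are MEDIUM (out of state), and the third is HIGH because three fallback swipes fell within the six-hour window; the chip purchase at home produces nothing.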

Related Resources

Visit the card/payment security page for content about EMV, phishing, cybersecurity and more.


