Attack fraud through training.

My receipt of a fraudulent email last week reinforced a topic I will be covering during the June 15 P-Card Program Risk Analysis virtual workshop. I’m referring to information security and the need to train employees, so they can be more vigilant. Following are topics to address within Commercial Card training, as well as broader training aimed at all employees. A third category not addressed here further, but equally important, is training designed for accounts payable staff on the growing problem of business email compromise (BEC). Refer to the 2015 public service announcement by the Federal Bureau of Investigation for BEC information and guidance.  

Commercial Cards

Do you include the elements below within your card program training and the procedures manual? Because cardholders are gatekeepers for protecting your organization against external fraud, they need to know how to:

  • identify a secure website before entering payment details
  • differentiate between legitimate communications from the card issuer versus fraudulent ones
  • properly dispose of documentation containing card account information

For managers, providing training on common red flag behaviors might help them more quickly spot any internal card misuse and abuse by cardholders. 

Broader Information Security

Does your organization require annual training on the following? This list is just the tip of the iceberg. 

  • How to create strong passwords
  • What employees can divulge about the organization to non-employees
  • Where/how to store, and dispose of, sensitive documentation
  • Asset protection standards to combat physical theft and loss
  • How to identify fraudulent emails and phone calls, what to do (and not do), and who to contact in these situations

The fast-paced nature of our jobs can work against us. In my haste, I almost fell for the fraud referenced in the introduction above. It claimed to be from FedEx (see image below) and, since I recently placed various online orders, this message caught my attention. I saw it on my mobile device, so I did not see the sender name behind it until opening the email. Fortunately, I paused long enough to recognize the fraud and delete it. 

 Sample of a fraudulent email

Sample of a fraudulent email

As Verizon’s 2016 Data Breach Investigations Report (DBIR) describes, the basic structure of phishing attacks remains the same—user clicks, malware drops, foothold is gained. Their report notes:

  • In this year’s dataset, 30% of phishing messages were opened by the target across all campaigns.
  • About 12% went on to click the malicious attachment or link and thus enabled the attack to succeed.

Overall, the Verizon research reveals we have much work to do to combat breaches.

About the P-Card Risk Analysis Virtual Workshop

When was the last time you conducted a risk analysis (also called risk assessment) of your Purchasing Card program? I will be delivering the three-hour workshop on June 15, hosted by AP Now, to guide participants through a risk analysis process from start to finish. For more information and registration, please visit the AP Now website.

Recommended Resources

If you want to dive deeper into the vast world of fraud, I find value in these two reports, which are published annually:

  1. 2016 ACFE Report to the Nations on Occupational Fraud and Abuse – The report “provides an analysis of 2,410 cases of occupational fraud that occurred in 114 countries throughout the world.” Red flag behaviors are among the many topics.
  2. Verizon’s 2016 Data Breach Investigations Report (DBIR) – According to their website, this report “lifts the lid on what’s really happening in cybersecurity.”

Finally, see also additional content on this website pertaining to training and controls.


About the Author

Blog post author Lynn Larson, CPCP, is the founder of Recharged Education. With more than 15 years of Commercial Card experience, her mission is to make industry education readily accessible to all. Learn more

Subscribe to the Blog

Receive notice of new blog posts.