A New Fraud Tactic and What You Can Do to Prevent It

New fraud tactics continue to emerge, as described below, and our defense strategies might fail unless we stay informed about what can happen. To distinguish between fraudulent and legitimate business communications, some people rely on verifying an email address. That is, they hover over the sender name and look for anything slightly off that would indicate a fraudster. Others feel comfortable with a request if it comes by phone rather than email. These actions are not enough. AP Now issued a warning today about how criminals have stepped up their efforts, but there are things your organization can do to prevent becoming a victim.

The Fraud

As shared by AP Now, cyber criminals have used artificial intelligence (AI) and voice technology to impersonate a UK business owner, resulting in the fraudulent transfer of almost a quarter of a million dollars. Would your organization fall for something like this?

Prevention Tips

  1. As AP Now stresses, pick up the phone and verify the request using a phone number already on record. Alternatively, go to the organization’s website, get the main number and call. This should be done even if the caller ID associated with the transfer request seems to confirm the legitimacy of the call. Why? It is possible to spoof the number. While making a verification phone call is extra work, it could spare your organization a lot of pain.

  2. Update your internal controls as necessary. Besides telling employees to make a phone call to verify a request, ensure the written procedures specify this protective action.

  3. Anyone with the ability to spend or commit your organization’s money, such as accounts payable and cardholders, must stay educated about fraud tactics. Continuously share any examples you read about, discuss fraud within department meetings, and mandate annual training for employees.  

Educational Opportunities

The above is one of many issues that will be addressed during AP Now’s How to Recognize New Frauds during AP Fraud Prevention Week October 7–11, 2019. Visit AP Now to learn more.

In addition to what AP Now is doing, I will be delivering a virtual workshop on Purchasing Card audits, aimed at auditors, for The Institute of Internal Auditors/Public Sector™ Audit Center beginning October 16. For details, including registration, visit The IIA website.

Personal Experience

Speaking of fraudulent communications, I could have easily become a victim last week. I received an email reply from a company that I was doing business with. The sender’s email address was a correct match and the email content included my past communications with this company. The only odd part was that the sender included a zip file attachment, asking me to open it to view details about our upcoming meeting. This did not seem right to me, so I called the phone number I had for this company. The employee confirmed her email had been hacked. Opening the zip file would have unleashed trouble for my computer. Always independently verify anything that seems odd.




About the Author

Blog post author Lynn Larson, CPCP, is the founder of Recharged Education. With 20 years of Commercial Card experience, her mission is to make industry education readily accessible to all.

Stop Blaming P-Cards

When internal card fraud arises, an unfortunate, but common, response is to blame the product itself and take cards away from employees or severely restrict card usage. However, the problem is not Purchasing Cards; rather, it is end-user organizations that lack effective controls. This point is clearly demonstrated in the fraud case that rocked a public school district in my home state of Minnesota. I first wrote about it in July of 2017, but it made the news again last week because the party in question—former school superintendent Rod Thompson—pleaded guilty to 19 felonies. The 16-month FBI investigation that started with a look into his P-Card usage led to the discovery of other crimes and policy infractions he had committed. See more below, as well as key questions every Commercial Card program manager should answer.  

The Fraud Case

Thompson’s felonies include theft by swindle, embezzling public funds, and possessing stolen property. He admitted to using his P-Card for numerous personal purchases totaling tens of thousands of dollars. I laughed out loud when his attorney said Thompson was remorseful for his actions. Was he sorry after he bought the flat-screen TV for his home? How about after he purchased an Xbox gaming system? Did he ever turn himself in because he was sorry? Was he sorry enough to stop committing internal fraud? No. He was only sorry after getting caught.

A group of taxpayers can be credited for cracking the case. In response to a district announcement about a substantial budget problem, they requested, received, and dug into spend reports, even though some people basically called them paranoid. This tells me the district was simply sitting on the valuable information. Either no one internally ever reviewed Thompson’s spend activity or they chose to ignore it. I’m not sure which is worse.

The eventual FBI investigation also revealed Thompson used his position to gain personal benefits from a construction company. They paid for tickets to various events (e.g., Minnesota Vikings games) and did work on Thompson’s home. In turn, he awarded them lucrative school contracts. The lesson here is, if you find an employee guilty of one thing, there is a good chance they are guilty of more.

Thompson will receive some prison time, as well as pay approximately $75,000 in restitution.

Eliminating Commercial Cards is the wrong way to respond to internal card fraud. Rather, conduct a thorough program risk analysis and close the control gaps that make fraud easy to commit.


Six Questions

If you can answer “yes” to the following questions, your organization is in good shape for preventing and detecting internal card fraud. Nevertheless, a full risk analysis will provide a more complete picture.

  1. Does every cardholder have an appropriate-level “manager-approver” who reviews transactions at least monthly?

  2. Are cardholders and manager-approvers required to sign an internal agreement, and complete training and/or a quiz each year?

  3. Are executive-level cardholders held to the same standards/rules as others?

  4. Do you have a separate, robust auditing process (e.g., auditing technology) to identify potential issues and fraud?

  5. Does your organization enforce detailed receipt requirements? Thompson often omitted receipts or only provided vague ones.

  6. Are tips about suspicious activity followed up on, even if they seem far-fetched?


Do Your Audits Test Employees’ Knowledge?

Would your cardholders be able to spot and prevent a scam? A national company became a victim of business email compromise (BEC) fraud involving gift cards, even though the employee who fell for it was trained on information security. This highlights a critical component that all training programs should include: auditing. Besides covering key topics within training presentations, testing employees’ knowledge through process audits can reveal how well the training has sunk in. Keep reading to learn what happened and see if your organization is already following the presented action items.

What Happened

Proving that no organization is immune to external fraud, the company in question is in the financial services industry, which, of course, is very focused on information security. One of the manager-level employees received an email that looked like it was from a senior management member. It directed the employee to buy $2,000 worth of gift cards to be used for employee recognition purposes. The big red flag was that it instructed the employee to take immediate action following the purchase rather than go back to the office first. It stressed that the employee should uncover the cards’ security codes and then reply to the email by sending photos of the fronts and backs of the cards. The employee complied. The fraud was discovered by the Info-Security team when they were researching the same type of fraud reported by a different employee, who recognized the scam and did not fall for it.

Action Items

  • Ensure all employees—not just cardholders—are trained annually on information security. They should scrutinize any email requests that are seemingly out of the blue—something they were not expecting—and/or are different from “normal” business operations. When in doubt, they should independently verify a request and report any fraudulent attempts to the Info-Security team.

  • Keep your training current by refreshing as needed to include new fraud types and variations of common scams.


  • Routinely share examples of fraud (from the news and blogs like this) to keep security at the forefront of people’s minds.

  • Within your process audits, try to simulate a scam to see if employees take the appropriate action.

  • Ask your IT group about automatically marking emails from external sources, which can help make employees more vigilant.

About BEC Fraud

As reported by the FBI, business email compromise (BEC) is a $12B scam. It is frequently carried out when a subject compromises legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds. While it is most often associated with requests for wire payments, fraudulent requests may pertain to personal information (e.g., W-2 forms). As this blog post demonstrates, the scam has widened to include gift cards.

Would your cardholders be able to see a scam targeted at them?
