Do Your Audits Test Employees’ Knowledge?

Would your cardholders be able to spot and prevent a scam? A national company became a victim of business email compromise (BEC) fraud involving gift cards, even though the employee who fell for it was trained on information security. This highlights a critical component that all training programs should include: auditing. Besides covering key topics within training presentations, testing employees’ knowledge through process audits can reveal how well the training has sunk in. Keep reading to learn what happened and see if your organization is already following the presented action items.

What Happened

Proving that no organization is immune to external fraud, the company in question is in the financial services industry, which, of course, is very focused on information security. One of the manager-level employees received an email that looked like it was from a senior management member. It directed the employee to buy $2,000 worth of gift cards to be used for employee recognition purposes. The big red flag was that it instructed the employee to take immediate action following the purchase rather than go back to the office first. It stressed that the employee should uncover the cards’ security codes and then reply to the email by sending photos of the fronts and backs of the cards. The employee complied. It was discovered by the Info-Security team when they were researching the same type of fraud reported by a different employee, who recognized the scam and did not fall for it.

Action Items

  • Ensure all employees—not just cardholders—are trained annually on information security. They should scrutinize any email requests that are seemingly out of the blue—something they were not expecting—and/or are different than “normal” business operations. When in doubt, they should independently verify a request and report any fraudulent attempts to the Info-Security team.

  • Keep your training current by refreshing as needed to include new fraud types and variations of common scams.

  • Routinely share examples of fraud (from the news and blogs like this) to keep security at the forefront of people’s minds.

  • Within your process audits, try to simulate a scam to see if employees take the appropriate action.

  • Ask your IT group about automatically marking emails from external sources, which can help make employees more vigilant.
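To make the last action item concrete, here is an added Python sketch (not code from the original post): it tags a message whose real sender address is outside the organization's domains and separately flags the pattern this post describes, an executive's display name on an external address. The domain set, executive list and sample message are assumed and constructed.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed values: the organization's own mail domains and executive names.
INTERNAL_DOMAINS = {"example-corp.test"}
EXECUTIVE_NAMES = {"pat executive"}
EXTERNAL_TAG = "[EXTERNAL]"


def sender_parts(msg: EmailMessage) -> tuple[str, str]:
    """Display name and mail domain taken from From:, ignoring what the name claims."""
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name.strip().lower(), domain


def is_external(msg: EmailMessage, internal=INTERNAL_DOMAINS) -> bool:
    """External when the actual sender domain is not one of ours."""
    return sender_parts(msg)[1] not in internal


def impersonates_executive(msg: EmailMessage, execs=EXECUTIVE_NAMES) -> bool:
    """Executive display name on an external address: the red flag in this post."""
    name, _ = sender_parts(msg)
    return is_external(msg) and name in execs


def tag_external(raw: str) -> EmailMessage:
    """Parse a raw message and prefix the Subject when the sender is external."""
    msg = email.message_from_string(raw, policy=policy.default)
    if is_external(msg):
        subject = str(msg.get("Subject", ""))
        if not subject.startswith(EXTERNAL_TAG):
            del msg["Subject"]
            msg["Subject"] = f"{EXTERNAL_TAG} {subject}".strip()
    return msg


# Constructed sample: an executive's name on a free-mail address.
SAMPLE = """From: "Pat Executive" <pat.executive@freemail.test>
To: manager@example-corp.test
Subject: Gift cards for employee recognition

Please buy $2,000 of gift cards and reply with photos of the codes.
"""
```

The tag only tells the reader where a message really came from; the independent verification the post calls for is still a human step.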

About BEC Fraud

As reported by the FBI, business email compromise (BEC) is a $12B scam. It is frequently carried out when a subject compromises legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds. While it is most often associated with requests for wire payments, fraudulent requests may pertain to personal information (e.g., W-2 forms). As this blog post demonstrates, the scam has widened to include gift cards.

Would your cardholders be able to see a scam targeted at them?

About the Author

Blog post author Lynn Larson, CPCP, is the founder of Recharged Education. With 20 years of Commercial Card experience, her mission is to make industry education readily accessible to all.

Getting EAP in the door.

When you think of electronic accounts payable (EAP) solutions like Virtual Cards and buyer initiated payments, what is the first end-user benefit that comes to mind? Chances are, it is the potential to earn revenue share/rebate. We have all seen or heard phrases like “turn AP into a profit center.” There is no denying the monetary appeal, but in this fraud-gone-wild era, I think the fraud protection benefit deserves more press. Whether you are an EAP provider or end-user trying to convince management to implement an EAP solution, be sure to stress the following five points in your business case.

The Protective Side of EAP Solutions

  1. Suppliers cannot overcharge you, charge too soon, or process duplicate charges that require your time and energy to resolve. Because payments to suppliers are based on the amount your organization approves, transaction disputes are rare (or dare I say non-existent?). 
  2. Checks reflect your organization’s bank account number; sensitive information is “out there.” EAP payments do not have this risk.
  3. Fraudsters cannot create a usable counterfeit card from a Virtual Card nor can they steal Virtual Card information to make fraudulent purchases.
  4. No need to pursue external controls like Positive Pay, which often come with a cost. (See definition at the end of the post.) EAP solutions are already secure.
  5. Unlike ACH payments to suppliers, EAP solutions eliminate the need for suppliers to provide their bank account information. Your organization does not have to store and secure this type of supplier data, which is a win for both of you.

Conclusion

EAP payments are not the best fit for every situation (e.g., one-time purchases/suppliers for which traditional Purchasing Cards are ideal). However, they are a good option to add to the mix. Ultimately, every organization needs to develop a payment strategy that best serves its needs; namely, one that minimizes costs and fraud risk.

To get ePayables/EAP into your organization, ensure your business case stresses the protective benefits.

Positive Pay Defined

Positive Pay is a service offered by most banks. As part of the service, companies transmit to their banks their check issuance file each time checks are written. The file contains a list of check numbers and dollar amounts. When a check is presented for payment, it is matched against the file. If there is a match, the check is honored and the check number removed from the file. If there is no match, the check is handled according to the preset instructions from the company.

Payee Name Positive Pay is an enhanced product that includes the payee’s name along with the check number and dollar amount in the file sent to the bank.

Source: 101 Best Practices for Accounts Payable

Keep an eye on your chip card.

Card/payment security is a key topic within organizations’ Commercial Card policies and procedures. You know the drill: lock them up when not in use, ensure a website is safe before entering payment information, be attentive to phishing tactics, etc. Have you overlooked anything? Maybe. According to sporadic media reports, a risk associated with chip cards is that the chip could fall out. The risk is very small, but possible. A displaced chip could be used to create a counterfeit card, but this requires a fraudster getting a hold of it. 

Generally speaking, chip cards are durable. I’m aware of card issuers trying all sorts of things to test the durability; for example, putting them through the washing machine. (Yes, the cards came out fine.) Now the question is, what should you do with this news?

What to Do

As part of your Commercial Card program management efforts, communication is important. The best overall advice is to be mindful, but not get hysterical.

  • Make cardholders aware.
  • Update your training presentations accordingly.
  • Ensure your policies and procedures direct cardholders to contact your card issuer if they realize their chip is missing or even loose.

To date, I have not heard of any chip problems with Commercial Cards. However, industry professional Theresa Blatner informed me about a case at her workplace involving an employee’s personal card. She explained, “It was being used in our cafeteria. I contacted the café manager who said that the chip was loose on the card. The reader indicated an error and defaulted to using the mag stripe. He also said that he has seen a few cards with faulty chips—two of them where the chip fell out.”

Final Thoughts

The small risk of chips becoming loose or falling out does not detract from the benefits of card usage. Chip cards still offer greater security than cards with only a magnetic stripe and, with any type of card, there is fraud protection. All this being said, it could be a driver for increased adoption of mobile payments if/when it makes sense. The beauty is, we have all sorts of options within the realm of Commercial Cards.
