Phishing for security weaknesses.

I recently had a déjà vu experience. About a year ago, I wrote about a fraudulent email I received while preparing to deliver a virtual workshop on P-Card risk analyses. This prompted me to share tips and statistics related to information security, and recommend Verizon’s Data Breach Investigations Report as a resource. The same things are occurring again. Another fraudulent email landed in my inbox (different topic this time), another virtual workshop on risk analyses is coming up, Verizon released a new report, and this post offers additional security tips. Keep reading to learn more and see images of the fraudulent emails.

Phishing

There is no shortage of social engineering tactics. Among the most common are phishing expeditions designed to entice people to click links or email attachments that open the door to fraudsters and their malicious software. Last year, I received a fake FedEx email. This month, it was a fake Dropbox email with a link to view an invoice. Ensure your AP department is aware of this scam. While it is not new, they might not have encountered it previously. See related images in the adjacent column.

Per Verizon’s 2017 Data Breach Investigations Report:

  • 7.3% of users across multiple data contributors were successfully phished—whether via a link or an opened attachment.
  • In a typical company (with 30 or more employees), about 15% of all unique users who fell victim once also took the bait a second time.

While 7.3% is not huge, just one successful phishing incident can have far-reaching consequences. 

Who will fraudsters catch? Help your cardholders avoid the phishing bait. 

Training Tips

In my related blog post last year (“Attack fraud through training”), I noted that cardholders should be able to differentiate between legitimate communications from the card issuer and fraudulent ones.

To enhance your training efforts, can your issuer share examples of fraudulent emails that target cardholders, as well as real ones that they send? Also train cardholders to pause and evaluate any emails appearing to be from the issuer. For example:

  • Were they expecting an email (e.g., you told them something would be sent pertaining to “X” topic) or is the communication a surprise, which might indicate potential fraud? 
  • Is the sender’s email address consistent with your issuer’s email addresses? Per the images in the next column, fake emails typically reflect odd addresses.
  • Does the email stress urgency (e.g., “You must click here ASAP!”) or include a threat (e.g., “Failure to complete this action could result in card deactivation.”)?

If your training includes a quiz element, then add something related to phishing, such as: If you receive an email that appears to be from the bank and it directs you to click a link to update your contact information, what is the BEST action to take?

Besides NOT clicking on anything, cardholders should notify the appropriate internal party. You/your organization needs to stay informed and take any necessary action (e.g., alerting other cardholders, contacting your issuer, etc.).

Finally, if possible, as part of a process audit, simulate a phishing email to test cardholders’ reactions. Do they click on anything? Do they report the suspicious email?

Fraudulent Email Images

Below are the emails mentioned earlier. In each, the sender’s email address has nothing to do with FedEx or Dropbox.

Virtual Workshop

P-Card Risk Analysis

Information security is just one of many topics that I will cover in the three-hour June 21 workshop hosted by AP Now. If you have not completed a robust P-Card program risk analysis recently, this workshop is for you. Registrants will also receive two bonus items:

  1. P-Card risk analysis template with more than 100 questions to help you assess your controls
  2. Guide on revitalizing your P-Card policies and procedures. 

Please visit the AP Now website to learn more and register.


About the Author

Blog post author Lynn Larson, CPCP, is the founder of Recharged Education. With more than 15 years of Commercial Card experience, her mission is to make industry education readily accessible to all.

12 program support responsibilities.

The trifecta of Commercial Card program management is the program manager/administrator (PM/PA), procurement, and accounts payable (AP). However, the latter two might get overlooked when program roles are developed. Does your organization assign specific card-related responsibilities to procurement and AP? They can fulfill an important support function, regardless of which department the PM/PA resides in. Even though department roles vary from one organization to the next, you still can ensure the following 12 tasks are assigned to an appropriate party. Your card program will benefit from everyone working together.

Procurement

Program success is dependent on supplier acceptance of Commercial Cards. Procurement (or a related department) should:

  • Address card acceptance in competitive bids/RFPs 
  • Specify card-related terms in supplier contracts; for example, prohibit surcharges for card acceptance and mandate compliance with the Payment Card Industry Data Security Standard (PCI DSS)
  • Notify AP about card-accepting suppliers

AP

AP is in a gatekeeper position to uphold policies and/or contracts concerning payment method. They should:

  • Remove card-accepting suppliers from the master vendor file (unless there is a good reason, along with accompanying controls, to pay a particular supplier more than one way)
  • Not set up new suppliers in the master vendor file until they verify the intended payment method
  • Refuse to process check requests for suppliers that accept cards
  • Reduce the frequency of check runs to encourage supplier acceptance of electronic payments

Both Departments

Tasks for both procurement and AP include the following.

  • Contribute to the establishment of, or updates to, an internal “payments policy”
  • Train their staff on their card-related roles and responsibilities
  • Monitor suppliers/payments to ensure card payments occur as expected
  • Look for additional opportunities to use cards—plastic or virtual—based on payment history
  • Track the impact of card payments (e.g., process savings, PO reduction, etc.), which helps fuel program metrics

How many of the 12 things noted herein does your organization consistently do? How can you strengthen program support roles? See also a related blog post on how management needs to address two aspects of the staff members (like procurement and AP) responsible for executing the organization’s payment plan.


A winning program goal strategy.

Has your organization reviewed its Commercial Card goals lately? Goals are a fundamental part of a card program, yet many organizations fall short in terms of goal setting and/or monitoring. Using my past experience as an example, the P-Card program that I managed was successful in many ways. For instance, it had executive buy-in and policies that allowed card usage for just about everything. We cruised along. Yet, for years we failed to: 1) research what our program could have captured and 2) subsequently develop specific goals derived from our overall B2B payments. As a result, we did not know what we were missing. Is this true of your organization? Where does your program stand in relation to goals? Following are five questions to help you assess your program goals, plus three additional action items critical for success. 

Assess Your Program Goals

Optimally, you will be able to answer “yes” to each question below.

  1. Are the goals measurable? Common program goals pertain to annual card spend and the number of transactions, process savings, invoice reduction within AP, changes to the number of full-time equivalents (FTEs) within AP and/or procurement, the number of suppliers converted to card payments, revenue sharing incentives, etc.
  2. Are the goals still relevant? While it is common to document goals when first implementing a card program, some organizations do not create new ones as the initial goals are surpassed.  
  3. Has your organization evaluated its B2B payments in recent years, especially its check payments, to identify the current potential for Commercial Cards? Engage with your card issuer to determine which suppliers accept cards and then prioritize the suppliers to target. 
  4. Are goals reasonable/achievable, based on research of your B2B payments? You cannot randomly aspire to spend $25M via cards if your annual B2B payments are only $20M. It is also not realistic to expect a 100% conversion rate from checks to cards.  
  5. Do your card limits support program goals? For example, if Commercial Cards are the preferred payment method, then spend limits should be generous enough to accommodate such a goal. 

In sports, a game plan guides the play of the team or individual. In card programs, quantifiable goals serve as a guide for program management, helping to drive optimal performance.

Beyond Goal Setting

Goals remain incomplete until you do the following.

  • Create and follow an action plan for achieving the goals. Reviewing card limits is just one element. Ideally, the program manager, AP, and procurement will work together to build a structure for card program success. On a related note, see actions to increase card payments.
  • Track and communicate the progress. This could also include highlighting the cost of any missed opportunities.
  • Adjust as needed. If your progress toward goals is slow or has stalled, identify the hurdles and what will move your program forward more quickly.

If your organization does all three of these things, you are at the top of your game. However, if you would like assistance with anything in the realm of card program goals, contact Recharged Education.
