Phishing

There is no shortage of social engineering tactics. Among the most common are phishing expeditions designed to entice people to click links or email attachments that open the door to fraudsters and their malicious software. The threats might come via fake emails designed to look like shipping notices or invoices—things that procurement and accounts payable departments would be interested in. The best thing you can do is mandate annual training within your organization to help ensure employees are aware. This includes training cardholders within your Commercial Card program; see the related advice below.

Don't forget to subscribe to the blog (no charge) to receive educational content!

Related Resources


Training Cardholders

Cardholders should be able to differentiate between legitimate communications from the card issuer and fraudulent ones. To enhance your training efforts, can your issuer share examples of fraudulent emails that target cardholders, as well as real ones that they send? Also train cardholders to pause and evaluate any emails appearing to be from the issuer. For example:

  • Were they expecting an email (e.g., you told them something would be sent pertaining to “X” topic) or is the communication a surprise, which might indicate potential fraud? 

  • Is the sender’s email address consistent with your issuer’s email addresses? Per the images in the next column, fake emails typically reflect odd addresses.

  • Does the email stress urgency (e.g., “You must click here ASAP!”) or include a threat (e.g., “Failure to complete this action could result in card deactivation.”)?

If your training includes a quiz element, then add something related to phishing, such as: If you receive an email that appears to be from the bank and it directs you to click a link to update your contact information, what is the BEST action to take?

Besides NOT clicking on anything, cardholders should notify the appropriate internal party. You/your organization needs to stay informed and take any necessary action (e.g., alerting other cardholders, contacting your issuer, etc.).

Finally, if possible, as part of a process audit, simulate a phishing email to test cardholders’ reactions Do they click on anything? Do they report the suspicious email?