Training Cardholders

Cardholders should be able to differentiate between legitimate communications from the card issuer and fraudulent ones. To enhance your training efforts, can your issuer share examples of fraudulent emails that target cardholders, as well as real ones that they send? Also train cardholders to pause and evaluate any emails appearing to be from the issuer. For example:

• Were they expecting an email (e.g., you told them something would be sent pertaining to “X” topic) or is the communication a surprise, which might indicate potential fraud? 

• Is the sender’s email address consistent with your issuer’s email addresses? Per the images in the next column, fake emails typically reflect odd addresses.

• Does the email stress urgency (e.g., “You must click here ASAP!”) or include a threat (e.g., “Failure to complete this action could result in card deactivation.”)?

If your training includes a quiz element, then add something related to phishing, such as: If you receive an email that appears to be from the bank and it directs you to click a link to update your contact information, what is the BEST action to take?

Besides NOT clicking on anything, cardholders should notify the appropriate internal party. You/your organization needs to stay informed and take any necessary action (e.g., alerting other cardholders, contacting your issuer, etc.).

Finally, if possible, as part of a process audit, simulate a phishing email to test cardholders’ reactions Do they click on anything? Do they report the suspicious email?