Business Credit Card Fraud: Part 1 (Emergency Response Guide)

Ardra M B
May 21, 2026

TL;DR

  • If this just happened: freeze the card now, screenshot every fraudulent transaction before touching anything, then call the number on the back of the card. Say these exact words: "I am reporting unauthorized charges on a business account and need to open a fraud dispute immediately."
  • Your legal liability is capped at $50 under TILA § 1643 for unauthorized external fraud. If you issue cards to 10 or more employees, your card issuer can contractually remove that cap under 12 CFR 1026.12(b)(5), so check your card agreement today.
  • The issuer must acknowledge your dispute within 30 days and resolve it within two billing cycles under Regulation Z. Missing either deadline gives you legal recourse.
  • Internal employee fraud is a different situation entirely. Do not confront anyone before securing evidence and involving legal counsel.
  • Most business card fraud succeeds because controls were absent, not because attackers were sophisticated. The right platform eliminates most of the risk before it materializes.

Part One: This Just Happened

If you’ve just discovered unauthorized charges on a company card, start here. This guide focuses on the immediate response: how to freeze the card, document suspicious activity, contact the issuer, and begin the fraud dispute process correctly in the first few hours after discovery. It also explains how business credit card fraud differs from personal card fraud, including liability rules and recovery timelines for corporate card programs.

Part Two covers the prevention side: the controls, workflows, virtual cards, approval systems, and monitoring practices finance teams use to reduce fraud risk before unauthorized transactions happen.

Do This Right Now: The First 60 Minutes Matter More Than Anything Else

Discovering unauthorized charges on a company card is disorienting. The instinct is to investigate before acting, or to call a meeting before doing anything else, and both instincts cost you time and money. The right sequence is freeze, document, call, follow up in writing. Below is the exact order, with the words to say at each step.

Minute 1 to 5: Freeze the Card Before You Do Anything Else

Freeze first. Don't investigate yet, don't gather your team, don't wait to confirm whether the charges are really fraud. Every minute the card stays active is a minute the attacker can run more charges.

  • How to freeze in under 60 seconds: Most major issuers (Chase, Capital One, Amex, Citi, Bank of America, and the modern fintech cards like Brex and Ramp) put a freeze toggle in the mobile app under card controls. Tap once and the card stops authorizing transactions.
  • Freeze vs. cancel: A freeze pauses authorizations but keeps the account number intact, which makes dispute tracking and documentation easier in the next hour. A cancel issues a new card number immediately and closes the old one. Freeze first, cancel after you've documented everything in the next two steps. Reversing the order makes it harder to pull transaction histories cleanly.
  • If you can't access the app: Call the number on the back of the card and say only this: "I need to immediately freeze this card. I believe there are unauthorized charges." That sentence gets the freeze done in seconds. The fraud dispute conversation comes later.

Minute 5 to 15: Document Everything Before It Disappears

The freeze is in. Now capture the evidence before anything changes. Once the card is cancelled or the issuer's portal updates, your view of the original transactions can shift, and missing documentation is the single most common reason fraud disputes fail or get partially denied.

Export or screenshot the full transaction history right now. For every suspicious transaction, record: the exact date and time, the merchant name as displayed, the amount, the authorization code (if visible), and which cardholder's card was used. Save the screenshots and any CSV export to a folder you control, not just the issuer's portal.

If your card platform shows additional metadata (IP address of the transaction, geographic location, merchant category code, terminal ID), capture those too. They are the strongest evidence in disputes that hinge on whether the cardholder could have physically been at the merchant location.
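One way to turn this documentation step into a repeatable check, shown as an added example that is not part of the original guide: it hashes the raw export so a later copy can be shown to be unaltered, and reports which of the fields listed above are still missing for each suspicious transaction. The column names, the `txn_id` key and the sample rows are assumptions constructed for illustration; real issuer exports use their own headers.

```python
import csv
import hashlib
import io

# Fields the guide says to record for every suspicious transaction.
# Column names are assumptions; issuer exports name them differently.
REQUIRED = ["datetime", "merchant", "amount", "cardholder"]
# Captured only when the portal shows them (auth code "if visible", plus metadata).
OPTIONAL = ["auth_code", "mcc", "ip_address", "location", "terminal_id"]

# Constructed sample export, not real data.
SAMPLE_EXPORT = (
    "txn_id,datetime,merchant,amount,cardholder,auth_code,mcc,ip_address,location,terminal_id\n"
    "T1001,2026-05-18T09:14:00,ACME OFFICE SUPPLY,182.40,J. Rivera,A91K22,5943,,Austin TX,TID00417\n"
    "T1002,2026-05-19T02:47:00,ONLINE ELECTRONICS,2499.00,J. Rivera,,5732,203.0.113.25,,\n"
    "T1003,2026-05-19T02:51:00,ONLINE ELECTRONICS,2499.00,,B77Q10,5732,203.0.113.25,,\n"
)


def build_evidence_record(export_bytes, suspicious_ids):
    """Hash the raw export and report evidence gaps per suspicious transaction."""
    # Hash the bytes exactly as downloaded, before any parsing or editing.
    digest = hashlib.sha256(export_bytes).hexdigest()
    rows = csv.DictReader(io.StringIO(export_bytes.decode("utf-8")))
    by_id = {row["txn_id"]: row for row in rows}

    entries = []
    for txn_id in suspicious_ids:
        row = by_id.get(txn_id)
        if row is None:
            # Flag it now: the transaction still needs a screenshot or a fresh export.
            entries.append({"txn_id": txn_id, "status": "not in export"})
            continue
        missing = [f for f in REQUIRED if not (row.get(f) or "").strip()]
        captured = [f for f in OPTIONAL if (row.get(f) or "").strip()]
        entries.append({
            "txn_id": txn_id,
            "status": "incomplete" if missing else "complete",
            "missing_required": missing,
            "metadata_captured": captured,
        })
    return {"export_sha256": digest, "transactions": entries}


if __name__ == "__main__":
    import json
    record = build_evidence_record(
        SAMPLE_EXPORT.encode("utf-8"), ["T1002", "T1003", "T1009"]
    )
    print(json.dumps(record, indent=2))
```

Store the resulting record next to the export and screenshots in the folder you control, and fill any reported gaps from the portal before the card is cancelled.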

Minute 15 to 45: Call Your Card Issuer and Say Exactly This

Call the fraud line, not general customer service. Most cards have a separate fraud number printed on the back of the card or listed on the issuer's website under "report fraud." General customer service can freeze the card but doesn't open a formal dispute case.

When someone picks up, lead with this sentence: "I am a business account holder reporting unauthorized charges. I need to open a formal fraud dispute and I need a case number before we hang up."

1. What they will ask you. Be ready:

  • Account number and business name
  • Which specific transactions are unauthorized and when you first noticed
  • Whether the physical card is still in your possession
  • Whether any authorized users could have made the charges

2. What to ask them. Don't end the call without these answers:

  • What is my case or reference number? (Write it down.)
  • Will I receive a provisional credit while the investigation runs, and when should I expect it?
  • What is the timeline for resolution under Regulation Z?
  • What documentation do you need from me, and how do I submit it?
  • Will the disputed charges accrue interest during the investigation?

3. What to push back on if they say the wrong thing:

If the agent says "business accounts don't have fraud protection," that is incorrect. Under TILA § 1643, liability for unauthorized use of a credit card is capped at $50 regardless of whether the card is business or personal. Say: "I understand TILA § 1643 applies to business credit cards for unauthorized use. I'd like to escalate to a fraud specialist."

If the agent immediately denies the dispute on the phone, do not accept the denial verbally. Ask for the denial in writing and request escalation to the fraud department rather than general customer service.

Minute 45 to 60: Follow Up in Writing

After the call, send a written dispute via email or certified letter to the billing inquiries address on your statement (this is usually different from the payment-remittance address). The phone call triggers the freeze and opens the case. The written follow-up creates a legally traceable record that protects you if the issuer later disputes the timeline.

Include in the letter: your account number, the list of disputed transactions with dates and amounts, a clear statement that the charges were unauthorized, the date you first noticed, and the case number from your call. The FTC publishes a sample dispute letter that works as a template (https://consumer.ftc.gov/articles/sample-letter-disputing-credit-billing-error). Send certified mail with return receipt.

Keep a copy of everything you send. If the dispute goes well, you'll never need it. If it goes badly, the written timeline is what wins the escalation.

Will You Get Your Money Back? The Honest Liability Breakdown

For external fraud (someone outside your company used the card without authorization), the answer is almost always yes, with caveats. The federal floor and the issuer policies above it shape what "almost always" means in practice.

1. The Legal Floor: TILA § 1643

Under federal law (15 U.S.C. § 1643), your liability for unauthorized credit card use is capped at $50, full stop. The burden of proof is on the card issuer to show the use was authorized; it's not on you to prove it wasn't. This protection applies to business credit cards as well as personal cards, contrary to what some front-line agents will tell you.

One important exception: If your company issues cards to 10 or more employees, the card issuer can contractually modify this protection under 12 CFR 1026.12(b)(5). In practice this means the issuer can increase your liability beyond $50 in your card agreement. Most major issuers don't, but some do, and the language is buried in the cardholder agreement. Check your agreement today, before you ever need this information. If it does increase your liability, know that number before you negotiate.

2. What Most Major Issuers Actually Offer

Beyond the federal floor, most major issuers offer voluntary zero-liability policies for unauthorized external fraud reported promptly. Visa, Mastercard, American Express, Discover, and their issuing banks all advertise zero-liability protection that supersedes the $50 federal cap in practice.

"Promptly" matters. Most zero-liability policies require reporting within 30 to 60 days of the statement date where the fraudulent charge appeared. If you miss that window, the issuer can fall back to the $50 federal cap, and even that protection weakens if the issuer can argue you didn't notify "through reasonable means." Translation: review statements weekly during fraud investigations, monthly otherwise.

3. The Provisional Credit Question

Most issuers issue a provisional credit while the investigation runs. The disputed amount is temporarily removed from your balance so you're not paying interest or tying up working capital on charges that are still under dispute. Provisional credit typically lands within 1 to 5 business days of opening the dispute.

Two things to know. First, provisional credit is reversible. If the issuer's investigation concludes the charges were authorized, the credit comes back off your balance. Don't spend the provisional credit as if it's permanent until the case closes in your favor. Second, provisional credit is not automatic at every issuer. If you don't see it within 5 business days, call back and specifically ask. Some issuers issue it only on request.

4. How Long Until This Is Resolved

The issuer must acknowledge your dispute within 30 days, required under Regulation Z. The issuer must resolve the dispute within two billing cycles, which is roughly 60 to 90 days, also required under Regulation Z.

If the issuer violates either timeline, you have legal recourse. Under TILA, you can pursue actual damages, statutory damages between $500 and $5,000 per violation, court costs, and reasonable attorney's fees. Most disputes resolve well inside the 90-day ceiling, but complex cases involving organized fraud or multiple transactions can take longer. The two-billing-cycle rule still applies; you may have to push to enforce it.

5. What If the Issuer Denies the Dispute

Get the denial in writing immediately. Don't accept a verbal denial on the phone.

Review the denial carefully. Did the issuer claim the charges were authorized, or that you missed the reporting window? Those are two different grounds, and they require different responses.

If the issuer claims the charges were authorized: Request the specific evidence they used to reach that conclusion. You have the right to see it. Common evidence includes signed receipts, delivery confirmation, IP logs, and prior authorization records on the same merchant.

Escalation path:

Issuer's internal review → the card network's dispute resolution (Visa or Mastercard each have a chargeback adjudication process) → file a complaint with the CFPB → pursue TILA legal action if the denial is unjustified. Most disputes resolve before the CFPB step, but the path exists and the issuer knows it.

6. If You Think It's an Employee: Do These Things Differently

This is a completely different situation, and following the external-fraud playbook above will likely destroy your case. The four rules below apply when the suspect is internal.

  • Do not confront the employee before securing evidence: This is the single most common mistake in internal-fraud cases. The moment the employee knows they're under suspicion, they can delete receipts, alter expense reports, return items, or fabricate documentation that complicates any later investigation.
  • Do not cancel the card immediately if you need to build the evidence trail: Consult legal counsel first on whether continued monitoring is appropriate. In some cases, allowing the card to stay active under heightened observation produces the evidence you need; in others, the right call is to deactivate and start internal review. The decision is fact-specific and a lawyer should be in the loop before you decide.
  • Secure the evidence first: Pull all transaction records, every expense report the employee submitted, all receipts on file, approval records for those transactions, and any access logs (card portal, expense system, email, building access). Save everything to a controlled location with restricted access.
  • Involve HR and legal counsel before any conversation with the employee: Wrongful termination liability is real if you act without documentation. HR provides procedural protection; legal counsel provides evidentiary structure.

Two more notes:

Internal fraud is not covered by most issuer zero-liability policies. Your card issuer's protection is for external unauthorized use, not employee misuse of a card they were authorized to hold. Recovery for internal fraud goes through the employee directly, through commercial crime insurance if you carry it, and potentially through law enforcement.

A travel program manager on Reddit's r/CreditCards described a $200,000 employee fraud case where the company waited too long to involve law enforcement and lost most of the recoverable amount.

The pattern in that thread matched what fraud examiners report: when the amount exceeds about $5,000, the cost-benefit of formal investigation, legal action, and insurance recovery tips in favor of pursuing through official channels. Below $5,000, many companies absorb the loss and tighten controls instead. The number isn't a hard rule; it's a useful threshold.

If you do involve law enforcement, do it through your local police department's financial crimes unit first. A police report supports any subsequent civil recovery and any insurance claim. If you carry commercial crime insurance, notify your insurer at the same time you secure evidence. Late notification can void the policy claim.

Fraud Prevention Works Best When Controls Are Built Into the Workflow

Most business credit card fraud is preventable long before a dispute ever gets filed. The pattern across fraud investigations is surprisingly consistent: shared cards, delayed expense reviews, weak approval flows, missing merchant restrictions, and poor visibility into real-time transactions create the conditions where fraud succeeds.

That is why modern finance teams are moving away from reactive fraud management toward proactive spend control systems. Platforms like ITILITE reduce fraud exposure by tightening control at the transaction level instead of relying only on after-the-fact audits.

With the right controls in place, finance teams can:

  • Issue virtual cards for one-time or vendor-specific purchases
  • Set merchant category restrictions before a card is used
  • Apply spend limits by employee, team, project, or trip
  • Detect unusual transactions in real time instead of during month-end reconciliation
  • Centralize travel, expense, and card visibility in a single dashboard
  • Reduce unauthorized spend caused by shared cards or manual reimbursement workflows

The goal is not just recovering money after fraud happens. The goal is making fraudulent transactions difficult to execute in the first place.

If your organization manages multiple employee cards, contractor spend, or travel expenses across teams, now is the right time to audit your card controls, reporting workflows, approval policies, and issuer agreements before a fraud incident forces the review later.

FAQ

What should I do immediately after discovering business credit card fraud?

Freeze the card immediately, document every suspicious transaction with screenshots or exports, and call the issuer’s fraud department right away. When you call, clearly state: “I am reporting unauthorized charges on a business account and need to open a fraud dispute immediately.”

After the call, follow up in writing with the disputed transactions, dates, and your case number.

Are business credit cards protected under federal law?

Yes. Under the Truth in Lending Act (TILA § 1643), liability for unauthorized credit card use is capped at $50 for external fraud.

However, companies with 10 or more employee cardholders may have modified liability terms under their issuer agreement, so it is important to review your cardholder contract carefully.

How long does a business credit card fraud investigation take?

Under Regulation Z, issuers must acknowledge your dispute within 30 days and generally resolve it within two billing cycles (typically 60–90 days).

Many issuers also provide provisional credit within a few business days while the investigation is ongoing.

Does zero-liability protection cover employee misuse?

Usually no. Most issuer zero-liability protections apply only to unauthorized external fraud.

If an employee intentionally misuses a company card they were authorized to hold, recovery typically involves internal investigation, HR, legal counsel, commercial crime insurance, or law enforcement rather than the card issuer reimbursing the loss.

What are the best ways to prevent business credit card fraud?

The most effective controls include:

  • Real-time transaction monitoring
  • Virtual cards for vendor-specific payments
  • Merchant category restrictions
  • Automated approval workflows
  • Individual employee spending limits
  • Frequent statement reviews instead of monthly-only reconciliation
  • Centralized visibility across travel and expense programs

Companies using integrated spend-management platforms like ITILITE can significantly reduce fraud risk by enforcing these controls automatically rather than relying on manual audits after transactions occur.
