What kind of detection server you used under this scenario?
If you use Network Prevent for Web, then this kind of action can be detected and blocked by the network prevent. Because, though the use only save the Credit Card statement to the draft folder, the Credit Card statement is uploaded to the web mail actually.