DocVerdict

Altered invoices: how to catch them

The most expensive invoice fraud doesn't use fake invoices. It uses real ones, intercepted and altered in one field: the bank account where payment goes. The vendor is real, the amounts are right, the formatting is perfect, because everything except the account number is the vendor's genuine document. Businesses lose billions to this pattern annually, and the altered file is frequently catchable in the thirty seconds nobody spends looking.

The one-field edit and what it leaves behind

Editing a payment detail in a PDF invoice leaves the same traces as any PDF edit. The original invoice came out of an accounting system (QuickBooks, Xero, SAP, an invoicing platform), with that system's fingerprint as producer and a creation date matching the invoice date. The altered copy often arrives with an editor or converter fingerprint, a modification date later than the original creation date, or an incremental update stacked on the file. Sometimes the edited field uses a font that almost matches the rest of the document, almost.

A second pattern: the swapped attachment. The attacker doesn't edit the vendor's PDF; they regenerate it entirely from a template, with their account number, and send it from a compromised or lookalike email account. Those files carry no trace of the vendor's accounting system at all, a complete fingerprint mismatch with every previous invoice from the same vendor.

The routine for accounts payable

Compare any invoice's file fingerprint against previous invoices from the same vendor; same system, same fingerprint, every month. Treat any change in payment details as unverified regardless of how the invoice looks, and confirm new bank details by phone with a known contact at a known number before the first payment. Flag invoices whose files show editing or conversion. And remember the asymmetry: the check costs seconds, and the loss is usually unrecoverable, because by the time the real vendor asks where their money is, it has left the destination account.
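
The fingerprint comparison described above, as an added sketch (not DocVerdict's code): it reads the producer, creation and modification dates and the number of saved revisions from raw PDF bytes, then lists the reasons a file should go to manual verification. The sample files, producer names and function names are constructed for illustration, and the parser assumes an uncompressed Info dictionary with literal strings; files that keep metadata in XMP or compressed object streams need a full PDF parser.

```python
import re

# Constructed sample files (not real invoices): only the parts this check reads.
BASELINE = (b"%PDF-1.4\n1 0 obj\n<< /Producer (ExampleBooks PDF Engine 4.2) "
            b"/CreationDate (D:20240301090000Z) /ModDate (D:20240301090000Z) >>\nendobj\n"
            b"trailer\n<< /Info 1 0 R >>\n%%EOF\n")
# The same invoice after a one-field edit saved as an incremental update.
ALTERED = BASELINE + (b"1 0 obj\n<< /Producer (Hypothetical PDF Editor 9) "
                      b"/CreationDate (D:20240301090000Z) /ModDate (D:20240304161500Z) >>\nendobj\n"
                      b"trailer\n<< /Info 1 0 R /Prev 0 >>\n%%EOF\n")

def _last(key, data):
    """Last literal-string value for key; later revisions override earlier ones."""
    hits = re.findall(rb"/" + key + rb"\s*\(((?:\\.|[^\\)])*)\)", data)
    return hits[-1].decode("latin-1") if hits else None

def fingerprint(data):
    """Extract producer, dates and revision count from raw PDF bytes."""
    return {
        "producer": _last(b"Producer", data),
        "created": _last(b"CreationDate", data),
        "modified": _last(b"ModDate", data),
        "revisions": len(re.findall(rb"%%EOF", data)),  # more than 1: incremental updates
    }

def review(data, known_producers):
    """Return the reasons this file should go to manual verification."""
    fp, flags = fingerprint(data), []
    if fp["producer"] is None:
        flags.append("no producer metadata (scan, photo or stripped file)")
    elif fp["producer"] not in known_producers:
        flags.append("producer %r not seen on this vendor's earlier invoices" % fp["producer"])
    # Compares D:YYYYMMDDHHmmSS as text; assumes both dates use the same UTC offset.
    if fp["created"] and fp["modified"] and fp["modified"][:16] > fp["created"][:16]:
        flags.append("modified after creation")
    if fp["revisions"] > 1:
        flags.append("%d incremental update(s) stacked on the file" % (fp["revisions"] - 1))
    return flags

if __name__ == "__main__":
    known = {fingerprint(BASELINE)["producer"]}  # built from the vendor's earlier invoices
    for name, blob in (("baseline", BASELINE), ("altered", ALTERED)):
        print(name, review(blob, known) or "matches vendor fingerprint")
```

An empty result only means the file metadata is consistent with earlier invoices; a change in payment details still needs the phone confirmation.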

FAQ

The invoice looks identical to last month's. Is it safe?

Visual similarity is the attack's whole design. The comparison that matters is internal: the producing system, the dates, and the edit history. An invoice that looks the same but was built by different software is the red flag.

What about invoices that arrive as scans or photos?

Treat them as carrying no file evidence and verify payment details at the source. Legitimate vendors can almost always re-send the original system-generated file if asked.

Our vendor really did change banks. How do we confirm it?

By phone, with a contact and number you already had before the change request arrived. Email confirmation is not confirmation: if the vendor's email is compromised, the attacker answers it.

Check an invoice now

Drop the file on DocVerdict and see its producing system, dates, and edit history in seconds. Free check, no account, files never stored.