How to protect e-invoices from cybercriminals

Headlines like “Fake digital invoices in circulation,” “Invoice amounts end up in fraudsters’ accounts,” … are common these days. The background: e-invoicing is becoming the standard in business transactions. Since the beginning of 2025, companies in Germany must be able to receive and process e-invoices for domestically taxable B2B sales. The obligation to issue their own outgoing invoices only as e-invoices is being introduced in stages by the end of 2027.

How do fraudsters typically operate?

The typical case: a digital invoice sent by email is intercepted and its bank details are manipulated.
The fraudsters intercept invoices for services actually rendered or goods actually delivered that were sent digitally by email, and replace the invoice issuer's real account details with their own. In practice, "interception" usually means that the attacker has gained access to a mailbox on one side or the other, for example through phished credentials or a hidden forwarding rule, and resends the original email with a swapped attachment. The manipulated invoice then lands in the recipient's inbox together with the original email from the actual invoice issuer.
Recipients do not recognize these emails as fake because the sender address and the email text are unchanged; only the PDF document (the invoice) or the XML file is manipulated. The invoice recipient transfers the money, which ends up not with the supplier but in the fraudsters' account. The fraud is usually discovered only days or weeks later, when the supplier sends a payment reminder.
In the worst case, the emails also carry links or attachments that bring malware into the company. All the more reason to take technical and organizational precautions to limit the risk.
With Efalia ECM and our cooperation partner cargogear.io, we offer security mechanisms for sending and receiving e-invoices so that cybercriminals do not stand a chance.
To secure the sending side, a digital signature can be applied automatically to ZUGFeRD invoices with Efalia ECM and Efalia Sign. Because a ZUGFeRD invoice is a PDF/A-3 file with the XML invoice data embedded in it, signing the PDF covers the embedded XML as well. The signature does not stop anyone from editing the file; it makes any subsequent change detectable, which is why the recipient must actually verify the signature on receipt rather than merely open the PDF. With pure XML invoices such as CII or UBL this is not so simple. Here the invoice can be packaged in a password-protected archive before sending; this is possible using the BPM in Efalia ECM and a customized workflow. The protection is only as good as the password handling: the password must be agreed over a channel other than the invoice email, and the archive should use a modern cipher (AES rather than the legacy ZIP encryption).
Of course, an alternative to sending by email can also be used. Companies can, for example, use dedicated online portals where contractors and suppliers upload their invoices. Another option is standardized exchange channels such as Electronic Data Interchange (EDI), AS2, or the Peppol network. These offer a high level of IT security through strong encryption, authentication of both parties, and monitoring. However, the implementation costs, technical effort, complexity, acceptance, and potential dependence on third-party providers often pose challenges, especially for small and medium-sized enterprises. Our solution is more cost-effective and universally applicable.
What else should be considered when processing e-invoices?
Regardless of whether the sender uses one of the methods described above, the recipient must validate every e-invoice. With a signed or encrypted invoice this means verifying the signature or unpacking the archive with the separately agreed password; without such protection, validation on receipt is the only line of defense.

Once an e-invoice has reached the recipient, it must be processed there and then archived in an audit-proof manner. As with transport, the confidentiality, integrity, and availability of the data must always be checked. Efalia ECM can use its interface to cargogear.io for this purpose via a receipt workflow. cargogear.io, operated by Munich Data Quality GmbH, performs content checks on ZUGFeRD and XML files, primarily checking the validity of the XML invoice data in CII or UBL format. In addition, the bank account details of existing suppliers can be checked, as can whether the supplier exists at all and whether a business relationship with the client exists.
Only after validation by cargogear.io has completed successfully is the e-invoice archived in an audit-proof manner. For XML invoices, a PDF rendering is generated alongside so that employees can read and compare the invoice. The BPM in Efalia ECM can generate workflows that reflect the company's internal guidelines: for example, a check can be triggered in the ECM once a certain invoice amount is reached or on first contact with a business partner. Such a workflow can forward the invoice automatically to superiors under the dual control (four-eyes) principle, or assign a person to verify the bank details.

Do the details match the bank details previously known and confirmed? Does the IBAN match the information on the supplier's website? If in doubt, contact the sender via another communication channel, using contact details already on file rather than those printed in the suspect invoice or email. The invoice can only be released for payment after approval in ECM.
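The receipt-side checks described in the last three paragraphs, as an added example that is not code from Efalia ECM or cargogear.io: it pulls the seller's VAT id, the payee IBAN and the amount due out of a UBL or CII invoice (the two EN 16931 XML syntaxes; ZUGFeRD embeds CII), validates the IBAN checksum, compares the IBAN with a vendor master and routes the invoice to automatic approval, dual control, or a hold for verification over a second channel. The vendor master, the dual-control threshold, the routing labels and both sample invoices are constructed; schema and business-rule validation of the whole invoice, which cargogear.io performs, is out of scope here. The second sample is a CII invoice resent with the same number and amount but the fraudster's IBAN, which is exactly what a checksum alone would not catch.

```python
"""Receipt-side e-invoice check: read seller VAT id, payee IBAN and amount due from a
UBL or CII (ZUGFeRD/XRechnung) invoice, validate the IBAN checksum, compare it with
the confirmed vendor master and decide the routing. Added example; vendor master,
threshold, routing labels and the two sample invoices are constructed."""
import xml.etree.ElementTree as ET
from decimal import Decimal

NS = {  # namespaces of the two EN 16931 syntaxes
    "ubl": "urn:oasis:names:specification:ubl:schema:xsd:Invoice-2",
    "cac": "urn:oasis:names:specification:ubl:schema:xsd:CommonAggregateComponents-2",
    "cbc": "urn:oasis:names:specification:ubl:schema:xsd:CommonBasicComponents-2",
    "rsm": "urn:un:unece:uncefact:data:standard:CrossIndustryInvoice:100",
    "ram": "urn:un:unece:uncefact:data:standard:ReusableAggregateBusinessInformationEntity:100",
}
VENDOR_MASTER = {  # constructed: confirmed bank details keyed by seller VAT id (BT-31)
    "DE123456789": {"name": "Muster GmbH", "ibans": {"DE89370400440532013000"}},
}
DUAL_CONTROL_THRESHOLD = Decimal("5000.00")  # assumed internal guideline


def _text(root, path):
    value = root.findtext(path, namespaces=NS)
    if value is None:
        raise ValueError(f"invoice lacks required element {path}")
    return value.strip()


def parse_invoice(xml_text):
    """Extract BT-1 number, BT-31 seller VAT id, BT-84 payee IBAN and BT-115 amount due."""
    root = ET.fromstring(xml_text)
    if root.tag == f"{{{NS['ubl']}}}Invoice":
        f = {"syntax": "UBL", "number": _text(root, "cbc:ID"),
             "seller_vat": _text(root, "cac:AccountingSupplierParty/cac:Party/"
                                 "cac:PartyTaxScheme/cbc:CompanyID"),
             "iban": _text(root, "cac:PaymentMeans/cac:PayeeFinancialAccount/cbc:ID"),
             "amount": _text(root, "cac:LegalMonetaryTotal/cbc:PayableAmount")}
    elif root.tag == f"{{{NS['rsm']}}}CrossIndustryInvoice":
        tx = "rsm:SupplyChainTradeTransaction/"
        st = tx + "ram:ApplicableHeaderTradeSettlement/"
        f = {"syntax": "CII", "number": _text(root, "rsm:ExchangedDocument/ram:ID"),
             "seller_vat": _text(root, tx + "ram:ApplicableHeaderTradeAgreement/ram:SellerTradeParty/"
                                 "ram:SpecifiedTaxRegistration/ram:ID[@schemeID='VA']"),
             "iban": _text(root, st + "ram:SpecifiedTradeSettlementPaymentMeans/"
                           "ram:PayeePartyCreditorFinancialAccount/ram:IBANID"),
             "amount": _text(root, st + "ram:SpecifiedTradeSettlementHeaderMonetarySummation/"
                             "ram:DuePayableAmount")}
    else:
        raise ValueError(f"unsupported invoice syntax: {root.tag}")
    f["iban"] = f["iban"].replace(" ", "").upper()
    f["amount"] = Decimal(f["amount"])
    return f


def iban_is_valid(iban):
    """ISO 7064 mod-97: first four characters to the end, A-Z mapped to 10-35, remainder
    must be 1. Catches typos and garbage, not a fraudster's perfectly valid IBAN."""
    s = iban.replace(" ", "").upper()
    if not (15 <= len(s) <= 34) or not s.isalnum() or not s[:2].isalpha():
        return False
    return int("".join(str(int(c, 36)) for c in s[4:] + s[:4])) % 97 == 1


def assess_invoice(xml_text):
    """Return (decision, findings, fields). Any doubt about the payee account holds the
    invoice for verification over a second channel; large amounts go to dual control."""
    inv = parse_invoice(xml_text)
    findings = []
    if not iban_is_valid(inv["iban"]):
        findings.append("IBAN_CHECKSUM_FAILED")
    vendor = VENDOR_MASTER.get(inv["seller_vat"])
    if vendor is None:
        findings.append("UNKNOWN_SUPPLIER")
    elif inv["iban"] not in vendor["ibans"]:
        findings.append("IBAN_NOT_ON_FILE")  # the classic swapped-account case
    if inv["amount"] >= DUAL_CONTROL_THRESHOLD:
        findings.append("AMOUNT_ABOVE_THRESHOLD")
    if {"IBAN_CHECKSUM_FAILED", "UNKNOWN_SUPPLIER", "IBAN_NOT_ON_FILE"} & set(findings):
        decision = "HOLD_VERIFY_BANK_DETAILS"
    elif "AMOUNT_ABOVE_THRESHOLD" in findings:
        decision = "DUAL_CONTROL"
    else:
        decision = "AUTO_APPROVE"
    return decision, findings, inv


# Constructed UBL invoice carrying the confirmed Muster GmbH account.
UBL_INVOICE = """<Invoice xmlns="urn:oasis:names:specification:ubl:schema:xsd:Invoice-2"
 xmlns:cac="urn:oasis:names:specification:ubl:schema:xsd:CommonAggregateComponents-2"
 xmlns:cbc="urn:oasis:names:specification:ubl:schema:xsd:CommonBasicComponents-2">
<cbc:ID>RE-2025-0042</cbc:ID>
<cac:AccountingSupplierParty><cac:Party><cac:PartyTaxScheme><cbc:CompanyID>DE123456789</cbc:CompanyID>
</cac:PartyTaxScheme></cac:Party></cac:AccountingSupplierParty>
<cac:PaymentMeans><cbc:PaymentMeansCode>58</cbc:PaymentMeansCode><cac:PayeeFinancialAccount>
<cbc:ID>DE89 3704 0044 0532 0130 00</cbc:ID></cac:PayeeFinancialAccount></cac:PaymentMeans>
<cac:LegalMonetaryTotal><cbc:PayableAmount currencyID="EUR">1234.50</cbc:PayableAmount></cac:LegalMonetaryTotal>
</Invoice>"""

# Constructed CII invoice as a fraudster would resend it: same number and amount, IBAN swapped.
CII_INVOICE_TAMPERED = """<rsm:CrossIndustryInvoice
 xmlns:rsm="urn:un:unece:uncefact:data:standard:CrossIndustryInvoice:100"
 xmlns:ram="urn:un:unece:uncefact:data:standard:ReusableAggregateBusinessInformationEntity:100">
<rsm:ExchangedDocument><ram:ID>RE-2025-0042</ram:ID></rsm:ExchangedDocument>
<rsm:SupplyChainTradeTransaction><ram:ApplicableHeaderTradeAgreement><ram:SellerTradeParty>
<ram:Name>Muster GmbH</ram:Name><ram:SpecifiedTaxRegistration><ram:ID schemeID="VA">DE123456789</ram:ID>
</ram:SpecifiedTaxRegistration></ram:SellerTradeParty></ram:ApplicableHeaderTradeAgreement>
<ram:ApplicableHeaderTradeSettlement><ram:SpecifiedTradeSettlementPaymentMeans><ram:TypeCode>58</ram:TypeCode>
<ram:PayeePartyCreditorFinancialAccount><ram:IBANID>GB82WEST12345698765432</ram:IBANID>
</ram:PayeePartyCreditorFinancialAccount></ram:SpecifiedTradeSettlementPaymentMeans>
<ram:SpecifiedTradeSettlementHeaderMonetarySummation><ram:DuePayableAmount>1234.50</ram:DuePayableAmount>
</ram:SpecifiedTradeSettlementHeaderMonetarySummation></ram:ApplicableHeaderTradeSettlement>
</rsm:SupplyChainTradeTransaction></rsm:CrossIndustryInvoice>"""
```

Run `assess_invoice(UBL_INVOICE)` and `assess_invoice(CII_INVOICE_TAMPERED)`: the first is auto-approved, the second is held with the finding `IBAN_NOT_ON_FILE` even though the fraudster's IBAN passes the checksum. Raising the UBL amount above the threshold returns `DUAL_CONTROL` instead, which is where the workflow would hand the invoice to a second person.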

Finally, a tip for receiving e-invoices via email. Companies should set up a separate email address and a dedicated mailbox for invoice processing. There should always be a responsible person and a deputy for this mailbox, and access rights should be defined. The company should use up-to-date anti-spam and anti-malware software on inbound email. Good technical settings are always the first line of defense for filtering out attachments containing malware. Nevertheless, emails that get past this barrier will still land in the inbox, so vigilance remains necessary. Additional mechanisms are the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). SPF lets the receiving mail server check whether the sending server is authorized for the sender's domain; DKIM adds a cryptographic signature over selected headers and the message body, so that changes made in transit are detectable; a DMARC policy tells receivers how to treat mail that fails these checks. These records must be published by the invoice sender, and the recipient's mail server must actually evaluate them. They do not help against the scenario described above, where the fraudster sends from a compromised legitimate mailbox, which is why they complement rather than replace validation of the invoice content. Companies should therefore exchange information and try to define these methods as mutual standards.
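As an added example (not the page's code) of what the receiving side has to do with SPF and DKIM: the recipient's own mail server records its verdicts in the Authentication-Results header (RFC 8601), and the invoice mailbox workflow should read only the header written by that server, then release the mail to the invoice workflow only when the From domain matches the supplier's known domain and DMARC passed with an aligned DKIM signature. The MTA identifier, the supplier domain and both messages are constructed. A pass shows the mail left the supplier's authorized mail system; it does not show that the attached invoice is genuine, so this is a gate before, not a substitute for, the content checks.

```python
"""Gate inbound invoice mail on the authentication verdict recorded by our own MTA in the
Authentication-Results header (RFC 8601) before the attachment enters the receipt workflow.
Added example; the MTA identifier, the supplier domain and both messages are constructed."""
import email
import re
from email import policy

TRUSTED_AUTHSERV_ID = "mx.rechnung.example"  # assumed: our inbound MTA, which must strip any
                                             # incoming header bearing this id (RFC 8601 section 5)
SUPPLIER_DOMAIN = "muster-gmbh.example"      # assumed: domain confirmed in the vendor master


def parse_auth_results(value):
    """Return (authserv-id, [(method, result, props)]) for one Authentication-Results value."""
    parts = [p.strip() for p in value.split(";")]
    authserv_id = parts[0].split()[0].lower()
    clauses = []
    for clause in parts[1:]:
        m = re.match(r"(\w+)=(\w+)", clause)
        if not m:
            continue
        props = dict(re.findall(r"([\w.]+)=([^\s()]+)", clause)[1:])  # e.g. header.d=...
        clauses.append((m.group(1).lower(), m.group(2).lower(), props))
    return authserv_id, clauses


def mail_is_authenticated(raw_message, supplier_domain=SUPPLIER_DOMAIN):
    """True only if the From domain is the supplier's and our MTA saw DMARC pass together
    with a DKIM signature by that same domain (alignment). Verdict headers added by anyone
    else are ignored, because the sender can write whatever it likes into them."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    from_domain = msg["From"].addresses[0].domain.lower()
    if from_domain != supplier_domain:
        return False  # lookalike or unrelated sender domain
    dkim_aligned = dmarc_pass = False
    for header in msg.get_all("Authentication-Results", []):
        authserv_id, clauses = parse_auth_results(str(header))
        if authserv_id != TRUSTED_AUTHSERV_ID:
            continue
        for method, result, props in clauses:
            if method == "dkim" and result == "pass" and props.get("header.d", "").lower() == supplier_domain:
                dkim_aligned = True
            if method == "dmarc" and result == "pass" and props.get("header.from", "").lower() == supplier_domain:
                dmarc_pass = True
    return dkim_aligned and dmarc_pass


# Constructed message 1: genuine, our MTA verified DKIM, SPF and DMARC for the supplier domain.
GENUINE = b"""Authentication-Results: mx.rechnung.example;
 dkim=pass header.d=muster-gmbh.example header.s=s1;
 spf=pass smtp.mailfrom=muster-gmbh.example;
 dmarc=pass header.from=muster-gmbh.example
From: Muster GmbH <rechnung@muster-gmbh.example>
To: e-rechnung@kunde.example
Subject: Rechnung RE-2025-0042

Invoice attached.
"""

# Constructed message 2: spoofed From; the sender injected its own "pass" header, while
# our MTA's own line records the failure.
SPOOFED = b"""Authentication-Results: mx.rechnung.example;
 dkim=none; spf=fail smtp.mailfrom=muster-gmbh.example;
 dmarc=fail header.from=muster-gmbh.example
Authentication-Results: mail.attacker.example; dkim=pass header.d=muster-gmbh.example;
 dmarc=pass header.from=muster-gmbh.example
From: Muster GmbH <rechnung@muster-gmbh.example>
To: e-rechnung@kunde.example
Subject: Rechnung RE-2025-0042 (korrigierte Bankverbindung)

Please use the new account details.
"""
```

`mail_is_authenticated(GENUINE)` is true and `mail_is_authenticated(SPOOFED)` is false; a genuine-looking message from a lookalike domain such as `muster-gmbh-rechnung.example` is rejected on the From-domain comparison before any verdict is read. Mail that fails this gate still needs a human look (the supplier may simply lack DKIM), but it must never be auto-processed.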
If you discover fraud, report it immediately to the police. Both parties, the invoice sender and the invoice recipient, should do this. Afterward, the systems of both parties must be examined to find where the interception took place, typically a compromised mailbox or a mail forwarding rule created by the attacker, and to close that gap. Establish the methods we suggest so that carelessness with manipulated e-invoices does not become costly.
We would be happy to advise you on this topic. Send an inquiry to info@megatron-ps.de and we will arrange a meeting with you.
