VATupdate

Risk of Identity Fraud with Mandatory E-Invoicing via Peppol

Starting January 1, 2026, all Belgian VAT‑registered businesses will be required to issue electronic B2B invoices through the Peppol network. This national mandate is aligned with the broader EU initiative VAT in the Digital Age (ViDA), which seeks to modernize VAT processes, streamline cross‑border operations, reduce paper‑based administration, and strengthen anti‑fraud mechanisms.

While the transition promises long‑term efficiency gains, recent cybersecurity research shows that the shift introduces new, underestimated security risks—especially around identity fraud within the Peppol ecosystem.

Identity Fraud Risk: How Fraudsters Can Exploit Peppol

Belgian cybersecurity companies SalesBridge and SafeByte recently demonstrated that it is technically possible to send fraudulent invoices through Peppol in a way that appears completely legitimate to recipients.

The core issue lies not in Peppol’s architecture but in the governance of Peppol IDs and the robustness of Access Point (AP) controls.

Key Vulnerabilities Identified

1. Automatic and Unclaimed Peppol IDs

In Belgium, many Peppol IDs were automatically created via the national platform Hermes.
Businesses may not even be aware that an ID already exists for them—leaving a window for malicious actors to claim the ID first.

2. Weak Access Point Verification

If a Peppol Access Point (AP) does not enforce stringent onboarding checks, a fraudster could register using another company’s:

  • name
  • VAT number
  • or Peppol ID

This creates an opportunity to send invoices that appear authentic.

3. Misleading Delivery Assurances

When an invoice is sent through Peppol, the supplier receives a “successful delivery” status—even if the recipient never actually gets the invoice.
This creates a false sense of security, reducing the likelihood that fraud is detected quickly.

Implications for Large Enterprises: Governance and Compliance Challenges

Multinational companies have already identified similar risks in internal e‑invoicing governance discussions.

Key themes emerging across corporate tax, finance, and procurement teams include:

Strengthening Contracts with E‑Invoicing Providers

Enterprises using AP providers must ensure that contracts specify:

  • clear liability frameworks in case of fraud
  • mandatory identity verification procedures
  • strong access control guarantees
  • defined remediation processes

Active Peppol ID Governance

Companies are encouraged to:

  • claim their official Peppol ID(s)
  • verify correct registration details
  • monitor ID usage across divisions and legal entities

This must occur proactively—before fraudsters exploit dormant or unclaimed IDs.

Financial Controls Still Matter

Electronic invoicing does not remove the need for classic financial controls.
Companies must continue to verify:

  • IBAN ownership
  • consistent supplier master data
  • VAT number validity

How Businesses Can Reduce Peppol Identity Fraud Risks

1. Claim and Control Your Peppol ID

Register or validate your ID via:
➡️ https://hermes.peppol.be/

This prevents unauthorized parties from claiming your identity within the network.

2. Use Only Certified Access Points

Peppol APs must meet strict technical and security requirements.
A current list is available at:
➡️ https://peppol.eu/who-is-who/peppol-certified-aps/

3. Strengthen Internal Verification

Even with Peppol, businesses should manually or automatically verify:

  • IBANs (e.g., via bank‑account validation services)
  • VAT numbers (via VIES or API tools)
  • supplier master data changes
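
An added example (not from the original article or from Peppol/Hermes): an accounts-payable check that holds an incoming invoice when the VAT number, the sender's Peppol ID or the IBAN fails validation or disagrees with the supplier master record. The supplier record, invoice fields and function names are constructed for illustration, and the Peppol scheme codes 0208 (Belgian enterprise number) and 9925 (Belgian VAT) are assumptions not stated in the article.

```python
import re

# Constructed supplier master record (hypothetical values for illustration).
SUPPLIER_MASTER = {
    "BE0123456749": {"name": "Example Supplier NV", "ibans": {"BE68539007547034"}},
}

def norm(value: str) -> str:
    """Strip spaces, dots and dashes; upper-case."""
    return re.sub(r"[\s.\-]", "", value).upper()

def be_vat_valid(vat: str) -> bool:
    # Belgian VAT: "BE" + 10 digits; last two digits = 97 - (first eight mod 97).
    m = re.fullmatch(r"BE([01]\d{7})(\d{2})", norm(vat))
    return bool(m) and 97 - int(m.group(1)) % 97 == int(m.group(2))

def iban_valid(iban: str) -> bool:
    # ISO 13616: move the first four characters to the end, map A-Z to 10-35;
    # the resulting number must leave remainder 1 when divided by 97.
    s = norm(iban)
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", s):
        return False
    return int("".join(str(int(c, 36)) for c in s[4:] + s[:4])) % 97 == 1

def check_invoice(inv: dict) -> list[str]:
    """Return findings that should hold the invoice for manual review."""
    findings = []
    vat, iban = norm(inv["seller_vat"]), norm(inv["iban"])
    scheme, _, ident = inv["sender_peppol_id"].partition(":")
    if not be_vat_valid(vat):
        findings.append("vat_checksum_invalid")
    # Assumed scheme codes: 0208 = Belgian enterprise number, 9925 = Belgian VAT.
    if scheme not in ("0208", "9925") or norm(ident).removeprefix("BE") != vat[2:]:
        findings.append("peppol_id_does_not_match_vat")
    if not iban_valid(iban):
        findings.append("iban_checksum_invalid")
    supplier = SUPPLIER_MASTER.get(vat)
    if supplier is None:
        findings.append("unknown_supplier")
    elif iban not in supplier["ibans"]:
        findings.append("iban_not_in_supplier_master")
    return findings

# Constructed invoices: a genuine one, and one reusing the supplier's identity
# with a different (checksum-valid) bank account.
GENUINE = {"sender_peppol_id": "0208:0123456749", "seller_vat": "BE 0123.456.749",
           "iban": "BE68 5390 0754 7034"}
SPOOFED = dict(GENUINE, iban="BE71 0961 2345 6769")

if __name__ == "__main__":
    for label, inv in (("genuine", GENUINE), ("spoofed", SPOOFED)):
        print(label, check_invoice(inv) or "ok")
```

The spoofed invoice passes every checksum and is caught only by the comparison with the supplier master record, which is why changes to that record need their own approval step.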

4. Consider Digital Signatures

Although Peppol provides authentication and integrity controls, adding a digital signature at the invoice level provides:

  • non‑repudiation
  • improved trust
  • an additional layer of verification

Conclusion: Efficiency with Eyes Wide Open

Belgium’s move to mandatory Peppol e‑invoicing is a major step forward for:

  • administrative simplification
  • interoperability
  • compliance with EU ViDA standards
  • fraud prevention in the long term

However, the initial phase introduces identity fraud risks that businesses cannot ignore.

Companies that invest today in:

  • strong governance
  • proactive Peppol ID management
  • secure Access Point partnerships
  • robust financial verification processes

…will be better positioned to protect their financial integrity and maintain compliance in a rapidly digitalizing VAT environment.


