Emailing PDF Invoice securely

One of our customers received an invoice with modified bank details.

Now, the money has gone into this other account instead of our bank account.

What are some of the methods to prevent this from happening?

I suspect someone has intercepted the email of the accounts payable inbox and modified the invoice there.

Bypass the whole emailing of invoices and use BPAY. You hear too many of these horror stories.

It does depend though. If it is a situation where you are not a regular supplier to that customer, then any other protocols with regards to creating the supplier relationship go out the door, and thus the ability to confirm the invoice bank details against the bank details stored in their online banking or AP system.

Some suggestions perhaps that may help to protect your customers from themselves are:
Don’t supply bank details on the invoice and provide a secure way of communication that is a repeatable process to ensure the bank details or PayAnyone details are provided in a more personal fashion (like confirming the details on the telephone.) Clunky I know, but if you are a regular supplier you should only need to do that once.

Some people would argue that managing a customer's AP process is not their issue, but when it comes to cybercrime it's everyone's problem. I applaud you for raising the question. It is an interesting topic.

I could go on about the apathy with regards to cyber crime in some businesses, but this would become a really long post.



FYI - Caution: fake 'Telstra Media' BPAY billing message


No matter what method you use to exchange bank info, it doesn't matter if the thief alters your invoice. You could have

Call for remittance information

On your invoice. Because they’d just change it to

Remit to
Bank of Pirates Cove
Acct 123-567-8


Not sure what you're using for email. But one thing you can do that's fairly easy to set up with Exchange or Office 365 is encrypted email. You can create a transport rule to auto-encrypt based on subject or sender. That way the only person that can open the email is the customer with a security key or some type of OTP.


I think that @hally is spot on here. Don't email. Does your bank email your statements? No. Does your payroll service email your pay stub? No. While @chaddb makes a good point about using encrypted and signed email, a good hacker can encrypt and sign an email under a different domain and that could trick users as well.

Hiding bank details (security by obscurity) doesn’t really prevent the issue either. Europe (at least Germany) requires bank info on all documents. This makes it easier to catch fraud since it can be compared to other documents sent out.

I think the best solution is to do what banks do - have a portal for customers and suppliers to go to. It is a mutually agreed to location. No links to click on and no documents to intercept. The added benefit is that there’s a way to tell if someone actually opened the document, when they opened the document, and how many times. This is one of my goals here.

Mark W.


One thing we offer that may assist in sending and receiving payment is an e-mail invoice w/ option to pay right within the e-mail. We have several companies utilizing this tool, one of which is in this Epicor group and active contributor. It’s a great tool and might be a good fit. Let me know if you want to chat.


I think @Mark_Wonsil has the correct solution. Do you know where the money was sent? I would think someone internal to the company would be a prime suspect, and I think the approaches to solving that problem are of a different type.

Clicking on links is never a good idea. That’s how most malware is transmitted today.

Also, gentle reminder. No advertising on the list. Thank you.

On the portal topic, what are people using for this? I would assume this is often a custom solution for a customer-facing site, but one of the things I have trouble wrapping my head around is serving up the invoice info and processing payments online in a secure way. It is particularly muddy for my situation because our customer site accounts are linked to percon entities who create orders on behalf of linked customers rather than the customers themselves, given the nature of our business.


Certainly people use Epicor’s Commerce Connect and Supplier Connect. On the supplier side, people use SourceDay and Precise’s ARM + other modules. The pricing model is steep IMHO for these solutions if you’re not all in. I’m thinking about using O365 here but just in the proof of concept stage at the moment.

@Mark_Wonsil - Just send them an email with your company's portal address, but not as a clickable link? So they have to:

  1. Manually type the portal's URL
  2. Set up user access (if they don't have it)
  3. Find the "open" invoice(s). I put open in quotes, because the invoice may be open to you (the invoicer), but they may have already downloaded it for entry in their system, but have not yet processed the payment.

There's another option (at least in the USA) by a company started back in 1792 in Philadelphia. They will pick up your invoice (at your office!) and hand carry it to the customer. The company currently goes by the name United States Postal Service :wink:

They put the REST into POST :tm:


Thank you everyone for the suggestions. I will try and implement a solution and post it here. :slight_smile:


The rabbit hole goes deeper and deeper.

What if someone finds a way to alter the address in the email, whether it's a link or they type it out?

What if someone is waiting for the post to arrive so they can scan the printed invoice, change some details and print it out again?

Being serious, an IT consultant raised this issue with us recently as something to watch for with AP invoices coming in. Our Finance department said it wasn’t worth losing sleep over because our staff are told to always ignore the payment details on any invoice anyway. When we set up a supplier, we confirm all the banking details as part of that process, and then use those once it’s all confirmed. An invoice with contradictory bank details wouldn’t even be noticed.
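The control described in this last post (and the earlier point that bank details on documents are useful because they can be compared against what was sent before) can be expressed as a simple accounts-payable check. The following is an added example written for this thread, not code from any poster or from Epicor: invoices are paid only to the bank details confirmed out-of-band at supplier onboarding, and an invoice whose remit-to details disagree with the master record is held for a callback rather than used to update the record. The vendor records, invoices, BSB/account format and the `recent_change_days` window are all constructed assumptions for illustration.

```python
"""Added example: pay invoices only to confirmed vendor master bank details.

Models the process described in the thread: bank details are verified out of
band when a supplier is set up, AP always pays to the stored details, and an
invoice carrying different remit-to details is a red flag, never a reason to
change the master record. All sample data below is constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional
import re


@dataclass(frozen=True)
class BankDetails:
    bsb: str        # assumed Australian BSB-style bank branch code
    account: str

    @classmethod
    def normalise(cls, bsb: str, account: str) -> "BankDetails":
        # Strip spaces and dashes so "123-456" and "123 456" compare equal;
        # a fraudster only needs a one-digit change to redirect a payment.
        return cls(re.sub(r"\D", "", bsb), re.sub(r"\D", "", account))


@dataclass
class VendorRecord:
    vendor_id: str
    name: str
    bank: BankDetails
    confirmed_on: date      # date the details were verified by callback
    confirmed_via: str      # e.g. "phone callback to number on file"


@dataclass
class Invoice:
    vendor_id: str
    number: str
    amount: float
    remit_to: Optional[BankDetails]   # None when the invoice shows no bank details


@dataclass
class Decision:
    action: str                        # "PAY", "REVIEW" or "HOLD"
    reason: str
    pay_to: Optional[BankDetails]      # always the master record, never the invoice


def check_invoice(invoice: Invoice, master: Dict[str, VendorRecord],
                  today: date, recent_change_days: int = 30) -> Decision:
    """Decide how AP should treat an invoice. The invoice's own remit-to details
    are only ever compared against the master record; they are never paid to."""
    vendor = master.get(invoice.vendor_id)
    if vendor is None:
        return Decision("HOLD", "unknown vendor: onboard and confirm bank "
                        "details by callback before paying", None)
    if invoice.remit_to is not None and invoice.remit_to != vendor.bank:
        # Contradictory details on the invoice: hold, verify by phone using
        # the number already on file (not one printed on the invoice), and
        # treat it as a possible compromise of the supplier's or our mailbox.
        return Decision("HOLD", f"invoice {invoice.number} remit-to differs "
                        "from confirmed details; verify by callback", None)
    if (today - vendor.confirmed_on).days <= recent_change_days:
        # Recently changed/confirmed details deserve a second approver, since
        # a fraudulent 'please update our bank account' request often comes
        # shortly before the next large invoice.
        return Decision("REVIEW", "bank details confirmed within the last "
                        f"{recent_change_days} days; second approver required",
                        vendor.bank)
    return Decision("PAY", f"pay to confirmed master record for {vendor.name}",
                    vendor.bank)


# Constructed sample data for a stand-alone run.
TODAY = date(2024, 6, 1)
MASTER = {
    "V001": VendorRecord("V001", "Acme Widgets", BankDetails.normalise("123-456", "0000 1234"),
                         date(2023, 11, 20), "phone callback to number on file"),
    "V002": VendorRecord("V002", "Bolt Supply", BankDetails.normalise("987-654", "5555 0001"),
                         TODAY - timedelta(days=5), "phone callback to number on file"),
}
INVOICES = [
    Invoice("V001", "INV-1001", 1200.00, BankDetails.normalise("123 456", "00001234")),
    Invoice("V001", "INV-1002", 8400.00, BankDetails.normalise("123-456", "0000 1235")),
    Invoice("V001", "INV-1003", 300.00, None),
    Invoice("V002", "INV-2001", 950.00, BankDetails.normalise("987-654", "5555 0001")),
    Invoice("V999", "INV-9001", 50.00, BankDetails.normalise("111-111", "2222 2222")),
]

if __name__ == "__main__":
    for inv in INVOICES:
        d = check_invoice(inv, MASTER, TODAY)
        print(f"{inv.number}: {d.action} - {d.reason}")
```

The key design choice is that `Decision.pay_to` is either the master record or `None`; there is no path in which the details printed on the invoice become the payment destination, which is exactly why the altered invoice in the original post would not have been noticed by the AP team described in the last reply.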