Invoice Tampering Detection for Accounts Payable
HTPBE.tech is a REST API that detects modified vendor invoices before payment is released. It performs binary forensic analysis on the PDF — finding the structural evidence of tampering even when the change was as small as a single bank account number.
In a business email compromise attack, the vendor name, amount, and invoice number are all legitimate. Only the bank account changed. That change leaves a forensic trace.
How Invoice Tampering Is Detected
Every PDF carries hidden evidence of its history. Here is what to look for.
Producer tool changed after the vendor created it
A genuine vendor invoice is generated by accounting software. When a BEC attacker intercepts the invoice, modifies the bank account details, and resends it, the PDF’s producer field changes to reflect the editing tool they used. The vendor’s original producer fingerprint is gone — replaced by a consumer editor’s signature.
Modification date postdates the invoice date
The invoice date printed on the document and the internal modification timestamp embedded in the PDF are independent values. An attacker editing a real invoice cannot change the internal timestamp without specialized tools. When the PDF was last modified after the stated invoice date, the file was altered in transit.
Structural revision layer from the editing session
Opening a vendor’s PDF in an editor and changing the bank details adds a new revision layer to the file’s internal structure. The vendor’s original single-layer file now has two layers. That structural change is invisible in any PDF viewer but immediately visible to forensic analysis.
Digital signature absent or invalidated
Vendors using enterprise accounting platforms often sign invoices at generation. Any modification after signing breaks the cryptographic signature. An attacker may strip the signature entirely to hide this — but its absence on an invoice type that routinely carries one is itself a flag for manual review.
The Easy Way: Use HTPBE
All checks run automatically in seconds — no technical knowledge required.
Verify before the invoice enters the approval queue
When a vendor invoice arrives, your AP system sends the PDF URL to the HTPBE API before routing it for approval. The check adds under 3 seconds to the intake process.
Forensic analysis returns a structured verdict
HTPBE checks producer fingerprints, timestamp deltas, revision layer count, and signature status simultaneously. The JSON response includes a verdict and the specific modification markers detected.
Flag modified invoices for out-of-band verification
Invoices returning a “modified” verdict are held from the approval queue. Your AP team contacts the vendor directly — by phone, using a number from your existing records, not from the invoice — to confirm bank details before releasing payment.
Frequently Asked Questions
How do BEC invoice attacks actually work?
Business email compromise invoice fraud typically works in one of two ways. In the first, attackers compromise or spoof a vendor’s email account, intercept an outgoing invoice, edit the bank account details in the PDF, and resend it from the vendor’s address. In the second, attackers impersonate a vendor entirely and send a fabricated invoice with their own banking details. In both cases, the amount, vendor name, and invoice number are legitimate — only the payment destination has changed.
Can it detect if just the bank account number was changed?
HTPBE does not perform visual content analysis — it does not read text and compare specific values. What it detects is the structural evidence that the PDF was modified: a changed producer fingerprint, an added revision layer, or a timestamp delta. If an attacker changed the bank account number using a standard PDF editor, those structural changes will be present and will be flagged. Highly sophisticated attacks that reconstruct the entire PDF from scratch may not leave detectable traces, but those are rare in practice.
How do I add this to our invoice approval workflow?
The HTPBE API accepts a PDF URL and returns a JSON response with a verdict and modification markers. It can be called from your ERP, AP automation platform, or a simple webhook integration. Free test keys are available on all plans, so your team can build and test the integration before committing to a paid plan. The Starter plan at $15/month covers 30 checks; the Growth plan at $149/month covers 350 checks — suitable for most mid-market AP volumes.
What if the invoice was created in Word?
HTPBE works on any PDF regardless of the original application. If the vendor created the invoice in Word and exported to PDF, the Word fingerprint will appear in the creator field. If an attacker then edited that PDF, the producer field will reflect the editing tool, not Word — that mismatch is a detectable integrity failure. The tool checks application consistency as one of its core detection layers.
For Teams
Checking PDFs at scale?
The same tamper detection analysis runs via REST API. Integrate into your lending, accounts payable, or compliance workflow — self-serve from $15/mo, no sales call required.
Who uses this in production
The same detection engine, framed for the teams that rely on it.
Invoice Fraud
Fraud-ops angle: altered vendor invoices, swapped payment details, fabricated suppliers.
Accounts Payable
AP-team angle: W-9 forgeries, bank account change requests, supplier onboarding fraud.
Insurance Claims
Repair invoices, medical bills, and adjuster estimates verified before payout.