Accounts Payable Fraud Detection API
Your AP pipeline processes thousands of invoices monthly. One altered bank detail routes a wire to a criminal. A single API call at document intake verifies every inbound vendor PDF — before it reaches an approver — catching bank-detail swaps, forged W-9s, and BEC-modified invoices.
Scope
HTPBE? analyzes the structural layer of the PDF file — the layer that records every edit, even invisible ones. We don’t replace AP automation, OCR extraction, or three-way match workflows. We add the structural-integrity layer at document intake that reads the file itself, not the data extracted from it.
AP teams are the last line of defense against invoice fraud
AP automation and OCR read what’s on the page. Email-security filters catch malicious attachments and spoofed senders — they don’t inspect PDF structure. Three-way match ensures the amount matches the PO and receipt; it doesn’t catch a swapped bank account number.
Most BEC fraud ends with a swapped payment detail on an otherwise legitimate invoice. A vendor’s real invoice is intercepted, re-saved with a new IBAN or account number, and forwarded to the AP team. The PDF prints identically; the file structure records the edit.
FBI IC3 data shows $2.7 billion lost to BEC and invoice fraud annually. One in four finance teams reports a BEC incident each year. By the time the wire clears, the money is gone.
Common AP fraud patterns
- Vendor invoice intercepted and re-saved with a new bank account or IBAN
- Fraudulent W-9 impersonating a real vendor to redirect payments
- Fabricated bank account change request claiming to come from a known supplier
- Invoice amount or line items inflated before forwarding to AP queue
- Supplier onboarding form forged to establish a fictitious vendor
What the API detects in AP documents
Five forensic layers analyzed on every inbound PDF — results in under 3 seconds
Incremental update trail
The primary marker of BEC and invoice tampering. Any save after the original vendor export creates a detectable update section in the PDF structure, even when the edit was one character.
Producer field mismatch
Authentic accounting software (QuickBooks, Xero, SAP, NetSuite) leaves a known producer signature. Re-saves through editors change it. A producer mismatch on an invoice from a vendor who “always uses QuickBooks” is an immediate flag.
Arithmetic reconciliation
Line-item totals, tax, and grand totals are checked for internal consistency across the invoice. One altered figure breaks the arithmetic chain.
Font and object layout consistency
Edited objects and injected text reveal themselves through font subset prefix shifts and object-number anomalies — invisible to the eye, readable in the file structure.
Digital signature bypass
If the original invoice was digitally signed, HTPBE? detects content added after signing at certainty-level confidence — the highest verdict available.
Multiple xref tables
An unmodified invoice from accounting software has one xref table. A second table means content was added after the original save — the structural signature of a bank-detail swap.
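How the incremental update trail and a second xref table show up in the bytes of a file, as an added illustration that is not HTPBE?'s code or method. It is a byte-level heuristic run over a constructed sample; the function names and sample objects are hypothetical.

```python
import re

# Every save ends with "startxref <offset> %%EOF", so one match = one save.
REVISION_END = re.compile(rb"startxref\s+(\d+)\s+%%EOF[\r\n]*")
PREV = re.compile(rb"/Prev\s+(\d+)")


def add_revision(pdf: bytes, body: bytes, prev=None) -> bytes:
    """Constructed sample data: append objects, an xref section and a trailer."""
    pdf += body
    xref_at = len(pdf)
    prev_entry = b"" if prev is None else b" /Prev %d" % prev
    pdf += b"xref\n0 1\n0000000000 65535 f \n"
    pdf += b"trailer\n<< /Size 5 /Root 1 0 R" + prev_entry + b" >>\n"
    return pdf + b"startxref\n%d\n%%%%EOF\n" % xref_at


def revision_report(pdf: bytes) -> dict:
    """Heuristic count of the save sessions recorded in the trailer chain."""
    ends = list(REVISION_END.finditer(pdf))
    xref_offsets = [int(m.group(1)) for m in ends]
    prevs = [int(m.group(1)) for m in PREV.finditer(pdf)]
    return {
        "xref_sections": len(ends),
        "has_incremental_updates": len(ends) > 1,
        # Every /Prev must point at an xref section that is really in the file.
        "prev_chain_consistent": all(p in xref_offsets for p in prevs),
        # pdf[:revision_ends[0]] is the file exactly as it was first saved.
        "revision_ends": [m.end() for m in ends],
    }


# Constructed sample: a single-save export, then the same bytes with one
# appended edit whose trailer points back at the first xref section.
ORIGINAL = add_revision(b"%PDF-1.4\n", b"1 0 obj\n<< /Type /Catalog >>\nendobj\n")
FIRST_XREF = int(REVISION_END.search(ORIGINAL).group(1))
EDITED = add_revision(ORIGINAL, b"4 0 obj\n<< /Length 0 >>\nendobj\n", prev=FIRST_XREF)

if __name__ == "__main__":
    for name, data in (("original", ORIGINAL), ("edited", EDITED)):
        print(name, revision_report(data))
```

Linearized ("fast web view") exports also carry more than one cross-reference section, so the count is a prompt for review and not a verdict. Cutting the file at the first revision end recovers the earlier version for a side-by-side comparison.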
Built for AP teams and finance operations
Integrate at document intake or use the free tool for spot-checks
Catch altered bank accounts and IBANs before a wire is approved
Detect forged W-9s and supplier onboarding forms at vendor setup
Flag invoices where the producer field reveals a PDF editor, not accounting software
Identify fabricated bank account change requests before master data is updated
Integrate with Coupa, Ariba, Tipalti, or Bill.com via webhook at PDF ingestion
Every document produces a named-marker audit trail for finance compliance records
Five forensic layers, one deterministic verdict
Every PDF we receive passes through the same structural pipeline — no model training, no thresholds to tune.
Metadata analysis
Creation and modification timestamps, producer and creator fields, XMP metadata — the first layer exposes basic tampering.
File structure
Xref tables, trailer chain, incremental updates. Any edit after export leaves a structural fingerprint here.
Digital signatures
Signature chain integrity and post-signature modifications produce deterministic markers. Certainty-level signal.
Content integrity
Fonts, objects, embedded content, page assembly. Multi-session edits and inserted objects are visible at this layer.
Verdict with markers
Deterministic output: INTACT / MODIFIED / INCONCLUSIVE, with named markers for every finding — suitable for audit trail.
Customer Stories
Teams that stopped document fraud
Compliance, finance, and risk teams use HTPBE? to catch manipulated PDFs before they become costly mistakes.
Caught an invoice where the total had been changed by less than a thousand dollars. Without this I would have approved it without a second look.
Sarah M.
AP Manager
United States
We had three applicants in the same week with bank statements that looked completely fine. Two of them were flagged as modified. You simply cannot see this by reading the document — it is in the file structure.
Lars V.
Risk Analyst, Online Lending
Netherlands
Salary slips were coming with altered figures. We identified two problematic files before the placement was finalised.
Priya K.
HR Operations Lead
India
Since we started checking documents this way, we stopped two applications early in the process that would have been very difficult to reverse later.
Julien R.
Fraud Analyst, Fintech
France
Some applicants were sending PDFs that looked authentic but had been edited in ways not visible to the eye. We now ask for verified originals when something is flagged. Already saved us from a few bad decisions.
Marta S.
Compliance Coordinator
Spain
One invoice was caught because there was a mismatch between the document dates and structure. That particular case would have cost us significantly.
Tariq A.
Finance Manager
United Arab Emirates
Integrate in minutes
Two calls: POST to analyze, GET to retrieve the result.
Request
curl -X POST https://api.htpbe.tech/v1/analyze \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"url": "https://your-storage.com/inbound-invoice.pdf"}'
Result (GET /v1/result/{id})
{
  "id": "c3d4e5f6-a7b8-9012-cdef-345678901234",
  "status": "modified",
  "modification_confidence": "high",
  "modification_markers": [
    "Multiple cross-reference tables (incremental updates)",
    "Known PDF editing tool detected"
  ],
  "creator": "QuickBooks Online",
  "producer": "Adobe Acrobat 24.0",
  "creation_date": 1743379200,
  "modification_date": 1743552000,
  "has_digital_signature": false,
  "xref_count": 2,
  "has_incremental_updates": true
}
creator: “QuickBooks Online” with producer: “Adobe Acrobat 24.0” means the invoice originated from QuickBooks but was subsequently processed through Adobe Acrobat — the AP fraud pattern. The xref_count: 2 confirms an editing session occurred after the original export.
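One way an intake hook could turn the result above into a hold or release decision with reasons for the audit trail. This is an added example, not HTPBE?'s code: the vendor id, the producer baseline and the lowercase "intact" status value are assumptions, and only fields shown in the sample result are read.

```python
import json

# Constructed copy of the result fields shown above.
SAMPLE_RESULT = json.loads("""
{"status": "modified", "modification_confidence": "high",
 "modification_markers": ["Multiple cross-reference tables (incremental updates)",
                          "Known PDF editing tool detected"],
 "creator": "QuickBooks Online", "producer": "Adobe Acrobat 24.0",
 "has_digital_signature": false, "xref_count": 2, "has_incremental_updates": true}
""")

# Assumption: the AP team keeps, per vendor, the producer strings seen on
# invoices confirmed as genuine. The vendor id and values are hypothetical.
PRODUCER_BASELINE = {"vendor-0042": {"QuickBooks Online"}}


def intake_decision(result: dict, vendor_id: str, baseline=PRODUCER_BASELINE) -> dict:
    """Return hold/release plus the reasons to store with the payment record."""
    reasons = []
    status = str(result.get("status", "")).lower()
    # Fail closed: anything other than an explicit intact verdict is held.
    if status != "intact":
        reasons.append(f"verdict: {status or 'missing'}")
    if result.get("has_incremental_updates") or result.get("xref_count", 0) > 1:
        reasons.append(f"saved after export (xref_count={result.get('xref_count')})")
    expected = baseline.get(vendor_id)
    producer = result.get("producer")
    if expected is None:
        reasons.append("no producer baseline for this vendor")
    elif producer not in expected:
        reasons.append(f"producer {producer!r} not in vendor baseline")
    reasons += [f"marker: {m}" for m in result.get("modification_markers", [])]
    return {"action": "hold" if reasons else "release", "reasons": reasons}


if __name__ == "__main__":
    print(json.dumps(intake_decision(SAMPLE_RESULT, "vendor-0042"), indent=2))
```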
Pricing
Self-serve plans. No sales call, no procurement process.
Starter
$15/mo
30 checks/mo
Manual spot-checks for suspicious vendor documents
Growth
$149/mo
350 checks/mo
Active AP teams processing invoices daily
Pro
$499/mo
1,500 checks/mo
High-volume AP automation and enterprise finance
Enterprise (unlimited, on-premise available) — see full pricing and docs
API key on signup. Free test environment on every plan. No card required.
Frequently Asked Questions
We already have AP automation with OCR. Why add this?
OCR extracts data; it doesn’t verify the document wasn’t edited. The two are complementary — OCR feeds your AP workflow, HTPBE confirms each PDF hasn’t been tampered with before the payment is approved.
Can HTPBE block business email compromise (BEC)?
It closes the last-mile document attack. Most BEC fraud hinges on a swapped payment detail on an otherwise familiar invoice. HTPBE detects the swap at the structural layer where visible appearance can’t hide it.
What’s the false-positive rate on legitimate vendor re-exports?
Legitimate re-exports from known accounting systems (QuickBooks, Xero, SAP, NetSuite) produce a clean producer signature with no incremental update trail — these return INTACT. Modifications after export are what get flagged.
Does this work with Coupa, Ariba, Tipalti, Bill.com, or our custom AP portal?
Yes. The API is stack-agnostic — any platform that accepts PDFs and can make an outbound HTTPS call can integrate via a pre-verification hook.
Secure your workflow
Create your account — API key on signup, free test environment on every plan.
From $15/mo. No sales call. Cancel any time.
Integrate AP fraud detection in any stack
Two API calls — submit the vendor PDF, read the verdict. Copy-paste examples for cURL, JavaScript, Python, PHP, Go, and Ruby.
# Step 1: Submit PDF for analysis
curl -X POST https://api.htpbe.tech/v1/analyze \
-H "Authorization: Bearer htpbe_live_..." \
-H "Content-Type: application/json" \
-d '{"url": "https://example.com/document.pdf"}'
# Returns: {"id":"3f9c8b7a-2e1d-4c5f-9b8e-7a6d5c4b3a21"}
# Step 2: Retrieve full results
ID="3f9c8b7a-2e1d-4c5f-9b8e-7a6d5c4b3a21"
curl -s "https://api.htpbe.tech/v1/result/$ID" \
-H "Authorization: Bearer htpbe_live_..." \
| jq '.status'