Free PDF Check

Stop BEC Invoice Fraud — Detect Vendor-Impersonation Tampering

HTPBE? is a REST API that catches the BEC vendor-impersonation pattern: a real invoice from a real vendor, intercepted in transit, with one field changed — the IBAN, the SWIFT/BIC, the wire-routing line, the beneficiary name. Every other check downstream still passes; the structural fingerprint of the editing session does not. In a business email compromise attack, the vendor name, amount, and invoice number are all legitimate. Only the payment destination changed. That single edit leaves a forensic trace HTPBE? finds before the wire goes out.

~3 sec

per document

56 checks

forensic layers

From $15

per month

1,500+

docs / month on Growth

The problem

Modern document fraud is invisible to visual review

A growing class of document fraud opens a genuine PDF, edits a balance, a date, or a beneficiary, and re-saves it. Visually nothing changes — the document passes pixel-level review, layout review, and KYC.

Structural PDF analysis reads the layers rendering engines never expose: revision history, object structure, signature coverage maps. That is where edits leave fingerprints they cannot wipe.

Common tampering patterns

Modified balances or totals after export
Swapped IBAN or beneficiary on invoices
Post-signature edits on contracts
Backdated issue and modification dates
Fabricated documents from consumer PDF tools

What this looks like

How BEC fraud lands a tampered invoice on your AP queue

Three real fraud mechanics we catch at the structural PDF layer.

IBAN-swap fingerprint — producer changed after vendor export

The genuine vendor invoice was rendered by SAP, NetSuite, Xero, QuickBooks, or another accounting platform — producer field carries that engine’s signature. The BEC operator opens it in a desktop PDF editor (Acrobat, Foxit, an online editor) just long enough to overtype the IBAN and re-export. The producer field no longer matches an accounting engine — the smoking gun for an in-flight edit.

Last-minute beneficiary-name swap on a real-vendor invoice

Some BEC variants change only the beneficiary-name line under the IBAN to a similar-looking entity (“Acme Holdings Ltd” instead of “Acme Ltd”). Visual review treats it as the same vendor; the editing session leaves an incremental update record in the xref chain anyway. That extra revision layer is what HTPBE? returns.

ModDate postdates the printed invoice date

The invoice date printed on the page and the PDF’s internal ModDate are independent fields. An attacker overtyping the IBAN cannot rewrite the ModDate without specialised tooling. A ModDate later than the printed invoice date on a vendor PDF is a direct in-transit-tampering signal.

Vendor digital signature stripped or invalidated

Enterprise accounting platforms often sign invoices on export. The BEC editor cannot keep the signature valid after editing; in many cases the attacker simply strips it. An invoice from a vendor whose other invoices in your system are signed, but this one is not — that is the BEC fingerprint.

56 layers

Forensic checks per document

~3 sec

Median analysis time, end to end

From $15

Self-serve per month, no sales call

The detection gap

KYC platforms check the document. HTPBE? checks the file.

Two different checks — both matter.

KYC & identity platforms

Plaid · Persona · Alloy · Jumio

Is this a real bank statement template?
Does the account number match the identity?
Is the document format consistent with the issuing bank?

Detects fake documents. Does not detect edited real documents.

HTPBE? tamper detection API

Structural PDF integrity

Was this specific PDF file modified after it was generated?
Do metadata timestamps match the file structure?
Were digital signatures valid at the time of signing?

Catches edits invisible to visual review and template checks.

Results in under 3 seconds·30 to 1,500+ documents/month·From $15/mo

What HTPBE? checks

Detection capabilities

Deterministic structural signals. No probabilistic scores, no model training.

Producer signature mismatch

The PDF claims to come from one tool but the binary structure points to another. The first signal of post-export editing.

Incremental update trail

Every save after the original creates an incremental update. Long chains mean multiple editing sessions on the same file.

Multiple xref tables

Each editing session adds a new cross-reference table. Genuine institutional PDFs have one. Tampered PDFs have several.

Modification timestamp gap

A real PDF has matching CreationDate and ModDate. Months between them is a high-confidence forgery signal.

Digital signature validation

When a digital signature exists, we verify the coverage map. Modifications after signing return certain-confidence verdicts.

Font and object consistency

Edited text introduces new font subsets or objects with origin patterns inconsistent with the rest of the document.

Integrate in minutes

Two HTTP calls, deterministic verdict

Buyers can skip this section — developers, the integration is two HTTP calls.

Request — POST /v1/analyze

curl -X POST https://api.htpbe.tech/v1/analyze \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"url": "https://your-storage.com/document.pdf"}'

Response — JSON verdict

{
  "id": "3f9c8b7a-2e1d-4c5f-9b8e-7a6d5c4b3a21",
  "status": "modified",
  "modification_confidence": "high",
  "modification_markers": [
    "Multiple xref tables detected",
    "Different creation and modification dates"
  ],
  "creator": "Microsoft Word",
  "producer": "Adobe PDF Library 15.0",
  "has_incremental_updates": true,
  "xref_count": 3
}

POST a public PDF URL, get back a check ID, then GET the verdict. The API is the same regardless of document type — the structural markers in the response describe the specific tampering signals detected.

Get your API key — free test keys included Full API documentation

Pricing

Self-serve plans, no sales call

All plans include the same forensic checks. Pick the quota that matches your monthly document volume.

manual

Starter

$15/mo

30 checks/mo

Manual spot-checks and integration testing

most common

Growth

$149/mo

350 checks/mo

Active document processing pipelines

high volume

Pro

$499/mo

1,500 checks/mo

High-volume automation and API integrations

Enterprise (unlimited, on-premise available) — see full pricing

Secure your workflow View API docs

API key on signup. Free test environment on every plan. No card required.

Customer Stories

Teams that stopped document fraud

Compliance, finance, and risk teams use HTPBE? to catch manipulated PDFs before they become costly mistakes.

Caught an invoice where the total had been changed by less than a thousand dollars. Without this I would have approved it without a second look.

Sarah M.

AP Manager

United States

We had three applicants in the same week with bank statements that looked completely fine. Two of them were flagged as modified. You simply cannot see this by reading the document — it is in the file structure.

Lars V.

Risk Analyst, Online Lending

Netherlands

Salary slips were coming with altered figures. We identified two problematic files before the placement was finalised.

Priya K.

HR Operations Lead

India

Since we started checking documents this way, we stopped two applications early in the process that would have been very difficult to reverse later.

Julien R.

Fraud Analyst, Fintech

France

Some applicants were sending PDFs that looked authentic but had been edited in ways not visible to the eye. We now ask for checked originals when something is flagged. Already saved us from a few bad decisions.

Marta S.

Compliance Coordinator

Spain

One invoice was caught because there was a mismatch between the document dates and structure. That particular case would have cost us significantly.

Tariq A.

Finance Manager

United Arab Emirates

FAQ

Frequently asked questions

How do BEC invoice attacks actually work?

Business email compromise invoice fraud typically works in one of two ways. In the first, attackers compromise or spoof a vendor’s email account, intercept an outgoing invoice, edit the bank account details in the PDF, and resend it from the vendor’s address. In the second, attackers impersonate a vendor entirely and send a fabricated invoice with their own banking details. In both cases, the amount, vendor name, and invoice number are legitimate — only the payment destination has changed.

Can it detect if just the bank account number was changed?

HTPBE? does not perform visual content analysis — it does not read text and compare specific values. What it detects is the structural evidence that the PDF was modified: a changed producer fingerprint, an added revision layer, or a timestamp delta. If an attacker changed the bank account number using a standard PDF editor, those structural changes will be present and will be flagged. Highly sophisticated attacks that reconstruct the entire PDF from scratch may not leave detectable traces, but those are rare in practice.

How do I add this to our invoice approval workflow?

The HTPBE? API accepts a PDF URL and returns a JSON response with a verdict and modification markers. It can be called from your ERP, AP automation platform, or a simple webhook integration. Free test keys are available on all plans, so your team can build and test the integration before committing to a paid plan. The Starter plan at $15/month covers 30 checks; the Growth plan at $149/month covers 350 checks — suitable for most mid-market AP volumes.

What if the invoice was created in Word?

HTPBE? works on any PDF regardless of the original application. If the vendor created the invoice in Word and exported to PDF, the Word fingerprint will appear in the creator field. If an attacker then edited that PDF, the producer field will reflect the editing tool, not Word — that mismatch is a detectable integrity failure. The tool checks application consistency as one of its core detection layers.

Secure your workflow

Create your account — API key on signup, free test environment on every plan.
From $15/mo. No sales call. Cancel any time.

Start free — close the structural fraud gap See pricing

Read API docs →