The problem and current attempts to solve it
While our society is rapidly digitising, new forms of digital fraud are on the rise. Fake invoices are, unfortunately, a part of our world. Because sending out fake invoices costs so little, it can still be a very lucrative criminal career.
Invoice fraud can be committed with varying levels of sophistication. In its simplest form, the fraudster simply submits an invoice to your business and hopes you will pay it. With a little effort, the fraudster can make the invoice look like one from a known supplier, which makes it harder to spot.
Larger companies often even have a policy dictating that invoices below a certain value are not checked for authenticity, simply because it would cost more to check than to just pay the potentially fake invoices. These are the circumstances that keep the creation of fake invoices worthwhile.
Boingboing: Rimasauskas’s grift was pretty bold. He merely sent Google and Facebook invoices for items they hadn’t purchased and that he hadn’t provided, which the companies paid anyway.
It is hard to know the magnitude of the problem in precise numbers, since many companies unknowingly pay fake invoices, or do not want to share their mistakes with the rest of the world.
According to research conducted in 2016 by 3GEM amongst 1,000 business decision makers across the UK, small and medium sized businesses (SMEs) are losing more than £9bn from invoice fraud every year.
SAP Concur questioned 500 businesses in 2015 about their supplier invoicing processes and found that 3% of businesses have paid fraudulent invoices, whilst 21% have received fake invoices without paying. Yet only one in five of those surveyed listed fraud as a concern.
Chris Baker, UK managing director of enterprise at Concur said, “The question for me is, if only 3% know they’ve paid a fraudulent invoice, how many more companies have absolutely no idea and have paid, or indeed are still paying, fraudulent invoices? Once companies have paid the invoice, there is little hope of getting the money back, but it’s not just about the initial outlay, businesses will be falsely reclaiming VAT and are at risk of penalties, plus investigation if HMRC deems that their processes are at risk.”
In nearly every sector, digitalisation is mentioned as the way to lower operational costs and increase efficiency. Invoicing is one of the areas where digitalisation is growing fast as well, with good reason.
The Global Billentis Market Report estimates that the size of the global e-invoicing market will multiply in the coming years, and reach EUR 16.1 billion in 2024, growing from EUR 3.3 billion in 2017.
The European E-invoicing Service Providers Association reports significant growth of 23% and over 1.9 billion processed e-invoices in 2017.
The headline results: 1 984 million electronic invoices were processed and delivered in 2017 by members of the European E-Invoicing Service Providers Association (EESPA). This represented a significant growth of 22.9 per cent over 2016 volumes of 1 615 million.
Digital fraud is easier than ever
Traditional document fraud, like invoice fraud, will not vanish because of digitalisation, unfortunately. It will follow the same path from physical to a digital manifestation. And the concerning part is the fact that currently, digital fraud in general is extremely easy.
It only gets easier over time, thanks to the continuous development and broader availability of sophisticated image manipulation technology.
What is currently being done to tackle fake invoices?
To help people spot fake invoices, there are numerous websites, where lists are updated as much as possible, to warn people. Tips to spot a fake invoice can be found online as well. These measures require an active role from the recipient; to stay up to date, they must regularly visit those websites and read up on the latest developments. Additionally, employers can choose to continually run an educational program with mandatory courses for their employees to prevent damages as much as possible.
Companies that send invoices try to reduce the risk by sometimes using digital signatures, but this requires some extra steps in the process, is costly, and for the recipients, checking is cumbersome. It is also not mandatory in most parts of the world.
Public-key infrastructure (PKI) allows users to sign transactions, documents, and perform high-trust operations. Keeping private signing keys secure is essential, as a compromised private key collapses the entire security model.
With PKI, the recipient needs a key to authenticate the file. This key is commonly stored on dedicated external hardware, like a keycard or USB stick, which makes it hard to delegate the process to one or more other people. Provisioning and shipping external devices is not scalable, and is often costly and inefficient for procurement teams. These external hardware devices are also not compatible with mobile devices, like phones.
There are companies who offer a closed network for invoicing. This is done through a completely separate server infrastructure. Your invoice is uploaded to those servers where they are re-formatted into new files. Your data is mined by this third party, which is not something that every business likes. To be able to authenticate the invoices, continuous annual fees to the invoice network for both senders and recipients of invoices are required.
Are we on track to solve this?
So, digitalisation of invoicing is increasing, and websites and courses are used to train people to avoid fraud. PKI is one way to achieve security, but has a lot of caveats and is costly. Then there are the closed networks on offer, which are also costly, and just like PKI, come with a serious impact on workflows.
Is this really the only right path to keep following or should we look in other directions?
Let’s look at digitalisation once more; we know it makes the creation of fakes easier, especially since all the tools one would need are at our fingertips. But this same process of digitalisation could also hold the solution to spotting and intercepting them.
The human filter is fallible
Chris Baker, UK managing director of enterprise at SAP Concur: “That so few people recognised fraud as a concern hints at a prevailing attitude of ‘it won’t happen to us,’ but the fact is that invoicing is still very much a manual process and people won’t get it right all the time. If a scammer gets a fraudulent invoice past your finance team once, they’ll chance their arm until you stop paying.”
Training your employees with instructions on how to spot a fake invoice will never catch every fake invoice, no matter how well they are trained, or how up-to-date the training is. Once fraudsters become aware of the grammar mistakes or badly placed logos giving them away, they will improve on them, making the fakes harder to spot. Extrapolate this process, and you end up with perfect replicas of real invoices that no one will be able to recognise as fakes.
Well, no human that is, but what about a computer?
Hashing: extracting the digital fingerprint of a file
A file consists of bytes, and each byte is made up of eight bits that are either zeros or ones. Every file is made up of different series of bytes.
SHA-256 is a method to calculate a unique digital fingerprint of 64 hexadecimal characters (=256 bits) from any digital file, no matter what it is, or what size it is. This digital fingerprint is called the hash of a file.
A PDF file of a fake invoice will always have a different hash than the PDF file of a real invoice. Even if you took the real file and changed one comma, or pixel, or byte, the hash would become a completely different set of 64 characters.
This means that, for a computer, it would be extremely easy to see the difference between two files that may look identical to a human.
SHA-2 (Secure Hash Algorithm 2) is a set of cryptographic hash functions designed by the United States National Security Agency (NSA). SHA-2 are the Secure Hash Algorithms required by law for use in certain U.S. Government applications, including use within other cryptographic algorithms and protocols, for the protection of sensitive unclassified information.
Whitelisting fingerprints from authentic files
The next logical step would be to create a whitelist for hashes from the real invoices. Ideally, this whitelist should be viewable by anyone, on a database that is publicly accessible, but also extremely well protected against hackers. Luckily, such a database exists:
V-ID offers a validation service, which enables creators, the publishing organisations, to add hashes of their files, such as digital invoices, to the blockchain. The most important part of V-ID’s validation service is the KYC (know your customer) process. One can only rely on the whitelist as the source of truth, when you know that only the rightful people are adding their hashes to the whitelist.
When you have received a digital invoice, you can check the authenticity of the file with the Verification Terminal. To do this, you start up a browser and go to v-id.org. Within 5 seconds after you have submitted the file, you see a verification report, which tells you whether the file is validated by the actual company or not.
When verifying a file, the hash of the file is extracted on the recipient's own device. This hash is then uploaded to V-ID and compared to the hashes of verified files on the blockchain. The file itself is never handled by, or uploaded to, V-ID, which is what makes this process GDPR compliant.
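The two ideas above, the SHA-256 fingerprint and the hash-only whitelist, as an added Python example that is not V-ID's code. The invoice bytes, the Whitelist class and the publisher names are constructed stand-ins; the class models the page's registry (only KYC-checked publishers may add hashes, and recipients submit a hash, never the file).

```python
# Added example (not V-ID's code): SHA-256 separates two near-identical files,
# and a hash-only whitelist lets a recipient verify an invoice without ever
# sending the file itself. All data below is constructed for illustration.
import hashlib
from typing import Dict, Optional

# Constructed stand-ins for two "PDF" invoices that differ by a single byte.
REAL_INVOICE = b"%PDF-1.4\nInvoice 2024-001\nPay to: Supplier BV, IBAN NL00EXAMPLE\nTotal: 1,250.00 EUR\n"
FAKE_INVOICE = b"%PDF-1.4\nInvoice 2024-001\nPay to: Supplier BV, IBAN NL00EXAMPLF\nTotal: 1,250.00 EUR\n"


def fingerprint(data: bytes) -> str:
    """SHA-256 digest as 64 hex characters (256 bits); computed client-side."""
    return hashlib.sha256(data).hexdigest()


def bits_changed(hash_a: str, hash_b: str) -> int:
    """Hamming distance between two digests: a one-byte edit typically flips about half of the 256 bits."""
    return bin(int(hash_a, 16) ^ int(hash_b, 16)).count("1")


class Whitelist:
    """Hypothetical stand-in for the public hash registry (the page's blockchain)."""

    def __init__(self) -> None:
        self._entries: Dict[str, str] = {}  # file hash -> publisher that validated it
        self._kyc_publishers = {"Supplier BV"}  # only KYC-checked publishers may add hashes

    def validate(self, publisher: str, file_hash: str) -> bool:
        """Sender side: register an outgoing invoice's hash (the file itself stays with the sender)."""
        if publisher not in self._kyc_publishers:
            return False
        self._entries[file_hash] = publisher
        return True

    def verify(self, file_hash: str) -> Optional[str]:
        """Recipient side: return the validating publisher, or None if the hash is unknown."""
        return self._entries.get(file_hash)


def demo() -> dict:
    registry = Whitelist()
    registry.validate("Supplier BV", fingerprint(REAL_INVOICE))       # accepted
    registry.validate("Unverified Ltd", fingerprint(FAKE_INVOICE))    # rejected: no KYC
    return {
        "real": registry.verify(fingerprint(REAL_INVOICE)),            # "Supplier BV"
        "fake": registry.verify(fingerprint(FAKE_INVOICE)),            # None
        "bits_changed": bits_changed(fingerprint(REAL_INVOICE), fingerprint(FAKE_INVOICE)),
    }
```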
One step further: automate it with APIs
Validating is made easy with V-ID's drag and drop interface, and, when verifying, it only takes 5 seconds to check a file. With two APIs, however, the impact on people's workflows can be eliminated completely.
On the sender's end, an API connected to the company's billing software can validate all outgoing invoices automatically before they are sent out.
On the receiving end, the company can have an API that verifies any invoice before it reaches the inbox of the accounts payable department.
Automated validation and verification
Now you have fully automated validation and verification of an invoicing process. A closed loop, relying on computers simply comparing strings of 256 bits, with no risk of human errors, no constant training needed and, most importantly, no more costly fake invoices slipping through.
This method would have exactly zero impact on existing workflows. Most importantly in this age of cyberthreats, during both validation and verification, the file is never uploaded to, read, or handled by V-ID. The extraction of the fingerprint (hash) happens client-side, which means the file itself never leaves the buyer's or supplier's computer. No third party ever sees the content, since only the hash is sent to V-ID to be secured in the blockchain.
What would it take?
The best practice for validated invoicing is a Validation API installed at all suppliers and a Verification API installed at the buyer.
V-ID’s API itself is very versatile and can be linked with any invoicing software with just a few lines of code. However, it requires some cooperation from the developers behind the invoicing software. Of course, once a software product has accepted the API, their complete customer base is all set to make use of it.
Starting with a selection of suppliers
If a big company has lots of suppliers, chances are that those suppliers use different billing software. This will increase the time and effort needed to get a validation API linked to all suppliers' software. It is of course possible to start with a partially validated invoicing process covering the first successfully connected suppliers.
Starting on the supplier side
The supplier and buyer do not both need to have the API installed in order to validate and verify invoices. The supplier could send out validated invoices to everyone with the Validation API, and the recipients can verify them in 5 seconds (free of charge) on v-id.org.
The most controversial GDPR mandate for blockchain is the "Right to be forgotten". This gives individuals the right to have their personal data removed from a database on request. However, because of the decentralised character of the largest and safest blockchains, data cannot be deleted. Blockchains are designed to last forever and, in principle, to be unchangeable. This brings blockchain into direct conflict with one of the fundamental rights of the GDPR.
For the first challenge, “the right to be forgotten”, there is a method called Keystore to address this.
The second challenge comes from scenarios where the hash can be directly linked to a person by someone who knows the context and file structure from which the hash was extracted. To address this, a method called Seeding is available.
V-ID has dived into these GDPR challenges with the help of experts from several companies. Details of the progress that has been made so far are laid out in the article “Blockchain & Compliance”.
Who will start the revolution?
Fortunately, all the tools we need are already available. Now it is just a matter of using them. Will it be the large buying company that convinces its suppliers to join by only accepting validated invoices? Or the software companies behind billing software, who will start to offer validation as a security add-on? Regardless, V-ID is already actively pursuing both routes.
Our world's digitalisation brings us lots of benefits, but also drawbacks in the form of fraud. Fake invoices are one of the drawbacks we can eliminate right now.
The Daily Chain