The risk of identity fraud with e-invoicing via Peppol: What businesses need to know

Across Europe, and in line with the EU’s VAT in the Digital Age (ViDA) initiative, governments are moving rapidly toward mandatory electronic invoicing for B2B transactions.

Belgium implemented mandatory e-invoicing at the start of this year, with Poland and France expected to follow, signalling a decisive shift away from paper and PDF invoices toward structured, real-time digital reporting.

At the heart of this transformation is Peppol (Pan-European Public Procurement Online), a standardised network designed to enable secure, system-to-system invoice exchange.

While Peppol promises improved VAT compliance, efficiency, and data quality, it also introduces new identity and fraud risks that businesses must be prepared to manage.

E-invoicing reduces some risk but creates new ones

Moving invoicing into a closed, structured network significantly reduces traditional fraud techniques such as invoice interception, PDF manipulation, and email-based phishing. However, fraud does not disappear – it evolves.

With Peppol, trust shifts from the invoice document itself to the identity of the parties registered on the network. If a fraudulent or impersonated entity gains access to Peppol, invoices may appear technically valid while still being commercially false.

Identity fraud risk

Belgian cybersecurity companies SalesBridge and SafeByte recently demonstrated that it is technically possible to send fraudulent invoices through Peppol in a way that appears completely legitimate to recipients.

The core issue lies not in Peppol’s architecture but in the governance of Peppol IDs and the robustness of Access Point (AP) controls.

Key vulnerabilities

  1. Automatically generated and unclaimed Peppol IDs
    In some jurisdictions, including Belgium, Peppol IDs have been generated automatically through national platforms such as Hermes. As a result, many businesses may be unaware that a Peppol ID already exists in their name. This lack of awareness can create an opportunity for fraudsters to step in and take control of an unclaimed identifier before the legitimate business does.
  2. Weak access point verification
    Where onboarding controls are weak, there is a risk that fraudsters could enrol using another organisation’s business details, such as its registered name, VAT number, or existing Peppol ID.
  3. Misleading delivery assurances
    Peppol provides confirmation that an invoice has been successfully transmitted through the network. However, this confirmation only reflects technical delivery, not whether the invoice was actually received or processed by the intended recipient.

How businesses can mitigate the risks

  1. Claim and control your Peppol ID
  2. Use only certified access points
  3. Strengthen internal verification of IBANs, VAT numbers or supplier master data changes
  4. Consider digital signatures at the invoice level
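To illustrate the internal verification in point 3, the following is an added example, not code from this article or from Peppol: it reads the seller's Peppol ID, VAT number and payee IBAN from an inbound UBL invoice and compares them with supplier master data, so an invoice that is technically valid but names a different bank account is held. The element paths are assumed to follow the UBL layout used for Peppol invoices; the function names, master record, identifiers and sample invoice are all constructed for illustration.

```python
import xml.etree.ElementTree as ET  # for untrusted input, prefer defusedxml

UBL = "urn:oasis:names:specification:ubl:schema:xsd:"
NS = {"cac": UBL + "CommonAggregateComponents-2", "cbc": UBL + "CommonBasicComponents-2"}

# Constructed supplier master data, keyed by Peppol participant ID (scheme:value).
MASTER = {"0208:0123456789": {"vat": "BE0123456789", "iban": "BE68539007547034"}}

def iban_ok(iban):  # ISO 13616 mod-97 checksum: catches typos, not fraud
    s = iban.replace(" ", "").upper()
    if not (s.isascii() and s.isalnum() and 15 <= len(s) <= 34):
        return False
    return int("".join(str(int(c, 36)) for c in s[4:] + s[:4])) % 97 == 1

def seller_identity(invoice_xml):
    """Extract the seller's Peppol ID, VAT number and payee IBAN from a UBL invoice."""
    root = ET.fromstring(invoice_xml)
    party = root.find("cac:AccountingSupplierParty/cac:Party", NS)
    ep = party.find("cbc:EndpointID", NS) if party is not None else None
    if ep is None or not ep.text:
        raise ValueError("invoice has no seller EndpointID")
    iban = root.findtext("cac:PaymentMeans/cac:PayeeFinancialAccount/cbc:ID", "", NS)
    return {
        "peppol_id": f"{ep.get('schemeID')}:{ep.text.strip()}",
        "vat": party.findtext("cac:PartyTaxScheme/cbc:CompanyID", "", NS).strip(),
        "iban": iban.replace(" ", "").upper(),
    }

def check_invoice(invoice_xml, master=MASTER):
    """Return the reasons to hold this invoice for out-of-band verification."""
    seen = seller_identity(invoice_xml)
    known = master.get(seen["peppol_id"])
    if known is None:
        return ["unknown_peppol_id"]
    findings = [f"{k}_mismatch" for k in ("vat", "iban") if seen[k] != known[k]]
    if not iban_ok(seen["iban"]):
        findings.append("iban_checksum_invalid")
    return findings

def sample_invoice(iban, endpoint="0123456789"):
    """Constructed, minimal UBL fragment (not a schema-complete Peppol invoice)."""
    return f"""<Invoice xmlns="{UBL}Invoice-2" xmlns:cac="{NS['cac']}" xmlns:cbc="{NS['cbc']}">
 <cac:AccountingSupplierParty><cac:Party>
  <cbc:EndpointID schemeID="0208">{endpoint}</cbc:EndpointID>
  <cac:PartyTaxScheme><cbc:CompanyID>BE0123456789</cbc:CompanyID></cac:PartyTaxScheme>
 </cac:Party></cac:AccountingSupplierParty>
 <cac:PaymentMeans><cac:PayeeFinancialAccount><cbc:ID>{iban}</cbc:ID>
 </cac:PayeeFinancialAccount></cac:PaymentMeans>
</Invoice>"""
```

Calling `check_invoice(sample_invoice("DE89370400440532013000"))` returns `["iban_mismatch"]`: the sender ID and VAT number match the known supplier, and the IBAN is well-formed, yet it is not the account on file.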

 

Mandatory e-invoicing under ViDA represents a fundamental shift in how VAT is reported and how invoices move across Europe. Peppol delivers significant benefits in efficiency, compliance, and transparency, but it also shifts fraud risk toward identity verification and system integrity.

As more countries follow Belgium’s lead, businesses must recognise that technical compliance alone is not enough. Robust identity controls, careful access point selection, and disciplined internal processes will determine whether e-invoicing reduces fraud or simply creates new opportunities for it.