Why unsigned PDF invoices should be treated as SPAM.

Data that gives the appearance of a “legitimate” document is particularly suitable for distributing a Trojan and creating a base for a successful ransomware attack. While traditionally it was mainly application data that was sent, the fraud mafia is increasingly shifting to other, easier targets. PDF invoices are best suited for this purpose, as they are perfect carriers of a Trojan or other malware.

Until a few years ago, until exactly 31.12.2016, the electronic signature was mandatory in Switzerland. Against better judgement and “to simplify administrative hurdles,” the relevant law was then abolished. What would come next was clear. Currently, invoices are sent without any protection or security features. A land of milk and honey for hackers! Apart from the fact that this also makes fraud attempts involving redirected payments very easy, PDFs containing malware are becoming more and more common.

What can be done about it? To secure e-invoices, a multi-level security system is needed, on both the sender and the receiver side. This includes technical security measures such as trusted authentication, but also the establishment of a control system that verifies the content of the claim being made:

[Figure: DEFENCE, safety dispositive for the e-invoice]
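The receiver-side part of such a control system can start with a simple triage step before any invoice PDF reaches an accounts-payable inbox. The following script is an added example written for this article; it is not code from the author or from the guide referenced below. It scans a PDF's raw bytes for a signature dictionary (the marker a signed invoice carries) and for active-content features that a plain invoice has no business containing, then applies the policy this article argues for: unsigned invoices are treated as spam, and anything with active content is quarantined. The sample PDFs are constructed inline and are not real invoices; the marker names are the standard PDF dictionary keys.

```python
import re
from typing import Dict, List

# Constructed sample PDFs (not real documents): minimal byte strings that only
# exercise the structural markers this checker looks for.
UNSIGNED_WITH_JS = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /S /JavaScript /JS (app.alert('hello')) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

UNSIGNED_PLAIN = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

SIGNED_PLAIN = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /AcroForm << /Fields [4 0 R] /SigFlags 3 >> >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
4 0 obj << /FT /Sig /T (Signature1) /V 5 0 R >> endobj
5 0 obj << /Type /Sig /Filter /Adobe.PPKLite /SubFilter /ETSI.CAdES.detached /ByteRange [0 100 200 300] /Contents <00> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# PDF dictionary keys that enable active content or attachments. None of them
# is needed to render a plain invoice, so their presence is a red flag.
RISKY_MARKERS = {
    b"/JavaScript": "embedded JavaScript",
    b"/JS": "JavaScript action",
    b"/OpenAction": "action executed on open",
    b"/AA": "additional (event-triggered) actions",
    b"/Launch": "launch-external-program action",
    b"/EmbeddedFile": "embedded file attachment",
}


def _has_key(pdf: bytes, key: bytes) -> bool:
    # Match the key as a whole name token, so /JS does not match /JSX etc.
    return re.search(re.escape(key) + rb"(?![A-Za-z])", pdf) is not None


def has_signature(pdf: bytes) -> bool:
    """True if the file carries at least one signature dictionary (/Type /Sig).

    This only proves a signature object exists; cryptographic validation of the
    signature and its certificate chain needs a PDF library and trust anchors.
    """
    return re.search(rb"/Type\s*/Sig(?![A-Za-z])", pdf) is not None


def risky_features(pdf: bytes) -> List[str]:
    """Return human-readable names of active-content features found in the file."""
    return [desc for key, desc in RISKY_MARKERS.items() if _has_key(pdf, key)]


def classify_invoice_pdf(pdf: bytes) -> Dict[str, object]:
    """Apply the receiver-side policy: quarantine active content, treat unsigned
    invoices as spam, and pass signed ones on to content verification."""
    signed = has_signature(pdf)
    risks = risky_features(pdf)
    # Object streams hide dictionaries inside compressed data; a raw-byte scan
    # cannot see into them, so flag the file for a full parse.
    opaque = _has_key(pdf, b"/ObjStm")
    if risks:
        verdict = "quarantine"
    elif not signed:
        verdict = "spam"
    elif opaque:
        verdict = "needs-full-parse"
    else:
        verdict = "verify-then-accept"
    return {"signed": signed, "risky_features": risks, "verdict": verdict}


if __name__ == "__main__":
    for name, sample in [("unsigned+js", UNSIGNED_WITH_JS),
                         ("unsigned", UNSIGNED_PLAIN),
                         ("signed", SIGNED_PLAIN)]:
        print(name, classify_invoice_pdf(sample))
```

The verdict "verify-then-accept" deliberately stops short of acceptance: a present signature still has to be validated cryptographically against a trusted certificate list, and even a valid signature says nothing about whether the receivable itself is correct, which is the content check the rest of the control system exists for.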

Everything else and details on safeguarding can be found in the Practical Guide to Information Governance, p. 307ff.

By the way: A PDF that looks like an invoice only becomes a receipt when its content (the receivable) has been verified by the invoice recipient.
