Peppol is not a quality certification that prevents fraud—far from it!
The Peppol network alone in no way guarantees that invoice fraud will disappear. According to expert Olaf Passchier, technology alone is not enough: we must also rethink how we deal with fraud.
Although Peppol aims to combat VAT fraud, the system does not eliminate all fraud risks overnight. Its impact is primarily focused on traditional forms of invoice fraud. This significantly reduces the risk of receiving fake invoices via email. Furthermore, since Peppol is a closed network, it is no longer possible to intercept and alter invoices. Thanks to the use of structured data, encrypted transmission, and authentication of the sender and recipient, any form of manipulation becomes more difficult.
“However, that doesn’t mean all risks disappear,” clarifies Olaf Passchier, Customer Advisory Lead for Fraud, Compliance, and Public Security in the Netherlands and Belgium at SAS. “With Peppol, the weak link is no longer the transmission of the invoice, but the sender’s identity!”
Most forms of fraud are still very much possible
The network is based on the principle of “single sign-on, connection to everyone.” To a certain extent, you can compare it to a cell phone number. Once you’re connected to the phone network via that number, you can call any other number. In the Peppol network, this “number” corresponds to an Access Point. Invoices are forwarded from one Access Point to another. “In principle, both parties are registered users… but that doesn’t take fraudsters into account!”
If a fraudster manages to impersonate a company and exploit an Access Point or an inadequately secured software platform, they can use Peppol to send fake invoices that look legitimate. “The situation is comparable to that of a cybercriminal who, once his identity has been validated by the system, can move freely through an organization’s network,” continues Olaf Passchier. “From that moment on, most forms of fraud remain entirely possible, even within Peppol.”
AI Makes Fraud More Credible
Peppol therefore limits itself to confirming that an invoice was sent via the network and from an Access Point, but does not guarantee that the person who created this invoice was actually authorized to send it. “ Malicious actors could register using the business number of an existing company. Although no cases of fraud via Peppol have been reported so far, cybersecurity experts are already warning of the risks.”
Furthermore, AI makes it much easier for fraudsters to make their identity fraud attempts appear credible. “Generative AI is capable of writing realistic emails, in multiple languages, without a single error,” warns Olaf Passchier. It can mimic suppliers and even reproduce a company’s tone of voice.
Thanks to AI, fraudsters can also collect large amounts of data about a company, identify its business partners, and thus create fake invoices that are as credible as possible.
Furthermore, Peppol is easy to use, which has led many organizations to scale back human oversight. When invoices are automatically integrated into the company’s system, AI-generated fraud cases can more easily slip through the cracks.
That said, Peppol is, above all, an excellent initiative for detecting fraud. Because the data is structured, more checks are possible. Everything is traceable in real time, and any deviation can be efficiently logged via Peppol, adds Olaf Passchier. “However, companies must realize that Peppol does not automatically assume this role. Peppol is not a quality seal that guarantees an invoice is secure simply because it originates from the network. Similarly, one should not automatically trust an email sent via a recognized program such as Microsoft 365.”
How to Make the Most of Peppol
Even within Peppol, control mechanisms remain indispensable. This starts with the choice of a reliable Peppol provider. “Also implement internal measures and have every payment approved,” advises Olaf Passchier. For example, apply the four-eyes principle: the procurement manager confirms that the goods have actually been delivered, and the finance department verifies that the corresponding invoice is legitimate. In this case, fraudsters would have to bypass two checks. ”
Technology should facilitate these checks. Since fraudsters are increasingly using artificial intelligence, companies must also invest in smart detection tools. For example, by implementing rules and models that automatically flag any anomalous invoice: a new bank account number, an amount significantly higher than usual, a sender who suddenly sends more invoices, or an unknown supplier. Such a system will not be able to identify fraud with certainty, but may require a human review in cases of doubt.
In short, although Peppol provides authorities with insight into VAT irregularities and makes it possible to detect fraud more quickly thanks to the available data, it is up to companies to “make good use of the system by combining it with internal controls and monitoring based on smart technology.”



