Phishing and fake invoices in XRechnung and ZUGFeRD
Fake invoices by email are not a new problem. What is new is that invoices are now increasingly sent as structured e-invoices, for example as XRechnung or ZUGFeRD. According to the current state of research, there is still no widely documented official case series specifically on phishing involving XRechnung or ZUGFeRD. That does not make the issue harmless: invoice phishing has been an established attack pattern for years. Structured e-invoices help with review because their data can be compared more easily with your own records. But a format on its own never proves that an invoice is genuine.
How to handle a suspicious e-invoice
If you are unsure, use a fixed process. That way you keep plausibility, file type and content review clearly separate:
1. Check plausibility first. Look at the overall context: does the supplier fit, does the transaction fit, does the timing fit? Check the sender email carefully, especially the domain and not just the display name. Important: even a plausible sender address is not proof of authenticity, because email senders can be spoofed.
2. Was the invoice expected? If not, do not open or download the attachment. In doubtful cases, the review already ends here: contact the supplier directly through a known, independent channel and not by replying to the same email.
3. If the email seems plausible: check the file extension. A .pdf is generally safe to open. You can download a .xml, but you should not open it by double-clicking because raw XML is barely readable. Instead, upload the file to digital-rechnung.de or another trusted viewer. How to assess whether an external service handles your data carefully is explained here: Open invoices safely with other services. Be careful with .exe, .bat, .zip, .rar and double extensions such as Invoice.pdf.exe.
4. Compare the XML content with your known data. Check whether the IBAN has already been used by this sender, whether invoice number, order reference and amount match your records and whether the invoice recipient is correct. But: a known IBAN on its own is not enough. In edge cases, an attacker could use a real, known IBAN, such as one from a bank from which you regularly receive invoices, and only manipulate the reference so that the payment benefits their account. If the IBAN matches but the reference looks unfamiliar or implausible, ask.
5. If in doubt, ask again through a secure channel. If anything remains unclear, contact the supplier directly, again not by replying to the suspicious message but through a known and independent contact route.
Widely documented cases specifically involving XRechnung or ZUGFeRD have hardly been analysed publicly so far. Anyone who already separates the review of such invoices properly is preparing for a problem that is likely to become more visible as e-invoices spread further.
What is the real problem with e-invoices?
The problem is not XRechnung or ZUGFeRD as such. The problem is the combination of email, social pressure and manipulated payment data. An invoice can look formally correct and still lead to a wrong IBAN, an unsuitable order reference or an invented context.
The BSI points out that supposed invoices by email can appear both as attachments and as links. In its materials on fraudulent messages and in the NoPhish context, SECUSO recommends checking the sender, attachments, links and the entire message content for plausibility and not letting urgency put you under pressure. In addition, the BSI describes typical misconceptions about email security.
XML fields: a comparison tool, not proof
A common mistake is to think: if the XML fields look plausible, the invoice must be genuine. That is not true. Anyone who spoofs the sender of an email and creates the invoice also controls all XML fields. IBAN, invoice number, supplier, buyer reference or order reference can all be set freely.
That is why the value of XML lies elsewhere: you can compare structured data against your own records. Do the IBAN, amount, invoice number, contact person or known purchase order numbers match your transactions? That is exactly where XML is strong. But the fields are only a comparison instrument, not proof of authenticity.
With ZUGFeRD the visible PDF and the embedded XML should also match in content. If they contain different information, that is a clear warning sign. For public contracting authorities, the Leitweg-ID is an important field to check, but again only as a plausibility indicator.
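The comparison described in step 4 of the checklist above and in this section (IBAN, amount, invoice number, order reference and Leitweg-ID against your own records; PDF and embedded XML against each other) can be scripted. The following is an added example written for this page, not code from digital-rechnung.de or from the XRechnung or ZUGFeRD projects. It reads the UBL syntax of XRechnung with the Python standard library only; the element paths are the standard UBL 2.1 ones, while ZUGFeRD's CII syntax uses different paths. The invoice XML, the master data in `KNOWN`, the supplier name, IBANs, order number and the "visible PDF text" are all constructed for the demo, and the rule that a payment reference must equal the invoice or order number is an assumed local policy, not a requirement of either standard.

```python
"""Plausibility checks for an XRechnung (UBL syntax) against our own records.
Added example, not code from digital-rechnung.de. Standard library only.
Invoice XML, master data (KNOWN) and the "visible PDF text" are constructed;
element paths are standard UBL 2.1 (ZUGFeRD's CII syntax differs)."""
import xml.etree.ElementTree as ET
from decimal import Decimal

NS = {
    "cbc": "urn:oasis:names:specification:ubl:schema:xsd:CommonBasicComponents-2",
    "cac": "urn:oasis:names:specification:ubl:schema:xsd:CommonAggregateComponents-2",
}
# Comparison field -> path below the UBL <Invoice> root.
FIELDS = {
    "invoice_number": "cbc:ID",
    "leitweg_id": "cbc:BuyerReference",  # XRechnung carries the Leitweg-ID here
    "order_reference": "cac:OrderReference/cbc:ID",
    "supplier": "cac:AccountingSupplierParty/cac:Party/cac:PartyName/cbc:Name",
    "iban": "cac:PaymentMeans/cac:PayeeFinancialAccount/cbc:ID",
    "payment_reference": "cac:PaymentMeans/cbc:PaymentID",
    "amount": "cac:LegalMonetaryTotal/cbc:PayableAmount",
}
# Constructed master data: our own Leitweg-ID, IBANs we have paid before, open orders.
KNOWN = {
    "own_leitweg_id": "991-12345678-90",
    "supplier_ibans": {"Muster GmbH": {"DE02120300000000202051"}},
    "open_orders": {"PO-2026-0042": {"supplier": "Muster GmbH", "amount": Decimal("1190.00")}},
}
# Constructed minimal invoice; the placeholders let the demo vary the risky fields.
UBL_TEMPLATE = """<Invoice xmlns="urn:oasis:names:specification:ubl:schema:xsd:Invoice-2"
  xmlns:cbc="urn:oasis:names:specification:ubl:schema:xsd:CommonBasicComponents-2"
  xmlns:cac="urn:oasis:names:specification:ubl:schema:xsd:CommonAggregateComponents-2">
  <cbc:ID>RE-2026-1001</cbc:ID>
  <cbc:BuyerReference>{leitweg}</cbc:BuyerReference>
  <cac:OrderReference><cbc:ID>PO-2026-0042</cbc:ID></cac:OrderReference>
  <cac:AccountingSupplierParty><cac:Party><cac:PartyName><cbc:Name>Muster GmbH</cbc:Name>
  </cac:PartyName></cac:Party></cac:AccountingSupplierParty>
  <cac:PaymentMeans><cbc:PaymentID>{payref}</cbc:PaymentID>
    <cac:PayeeFinancialAccount><cbc:ID>{iban}</cbc:ID></cac:PayeeFinancialAccount></cac:PaymentMeans>
  <cac:LegalMonetaryTotal><cbc:PayableAmount currencyID="EUR">{amount}</cbc:PayableAmount>
  </cac:LegalMonetaryTotal>
</Invoice>"""


def extract_fields(xml_text):
    """Pull the comparison fields out of the XML; absent elements become None."""
    root = ET.fromstring(xml_text)  # for files from unknown senders, prefer defusedxml
    fields = {}
    for name, path in FIELDS.items():
        el = root.find(path, NS)
        fields[name] = el.text.strip() if el is not None and el.text else None
    if fields["iban"]:
        fields["iban"] = fields["iban"].replace(" ", "").upper()
    return fields


def check_invoice(fields, known):
    """Compare fields with our records -> (verdict, findings).
    'plausible' only means the data fits what we know; it never proves the sender."""
    findings = []
    if fields["leitweg_id"] != known["own_leitweg_id"]:
        findings.append("Leitweg-ID does not match our own routing ID")
    ibans = known["supplier_ibans"].get(fields["supplier"], set())
    if not ibans:
        findings.append("supplier not in master data")
    elif fields["iban"] not in ibans:
        findings.append("IBAN never used by this supplier before")
    order = known["open_orders"].get(fields["order_reference"])
    if order is None:
        findings.append("order reference unknown")
    else:
        if order["supplier"] != fields["supplier"]:
            findings.append("order was placed with a different supplier")
        if fields["amount"] is None or Decimal(fields["amount"]) != order["amount"]:
            findings.append("amount differs from the order")
    # A known IBAN alone is not enough: an unfamiliar reference can still redirect the
    # payment. Assumed local policy: the reference must be our invoice or order number.
    if fields["payment_reference"] not in (None, fields["invoice_number"], fields["order_reference"]):
        findings.append("payment reference is neither invoice nor order number: ask the supplier")
    verdict = "plausible, still unauthenticated" if not findings else "hold and ask via a known channel"
    return verdict, findings


def german_amount(text):
    """'1190.00' -> '1.190,00', the way a German PDF usually prints it."""
    return f"{Decimal(text):,.2f}".translate(str.maketrans(",.", ".,"))


def pdf_xml_mismatches(visible_text, fields):
    """ZUGFeRD: values printed in the PDF must match the embedded XML.
    visible_text stands in for your PDF text extractor's output (constructed here)."""
    flat = visible_text.replace(" ", "").upper()
    missing = [k for k in ("invoice_number", "iban") if fields[k] and fields[k].upper() not in flat]
    amount = fields["amount"]
    if amount and amount not in flat and german_amount(amount) not in flat:
        missing.append("amount")
    return missing


if __name__ == "__main__":
    good = UBL_TEMPLATE.format(leitweg="991-12345678-90", payref="RE-2026-1001",
                               iban="DE02 1203 0000 0000 2020 51", amount="1190.00")
    # Same supplier and a known IBAN, but a reference we have never seen.
    odd = UBL_TEMPLATE.format(leitweg="991-12345678-90", payref="KD-88812/ACC-7",
                              iban="DE02120300000000202051", amount="1190.00")
    for xml in (good, odd):
        print(check_invoice(extract_fields(xml), KNOWN))
    pdf_text = "Rechnung RE-2026-1001  Betrag: 1.190,00 EUR  IBAN: DE02 1203 0000 0000 2020 51"
    print(pdf_xml_mismatches(pdf_text, extract_fields(good)))
```

Note that even the clean result is reported as "plausible, still unauthenticated": the script can only tell you that the structured data agrees with your records, which is exactly the comparison role this section assigns to the XML fields. The second sample invoice shows the edge case from step 4: the IBAN is one you have paid before, yet the unfamiliar payment reference alone is enough to put the invoice on hold.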
How digital-rechnung.de helps
digital-rechnung.de makes the contents of an XRechnung or ZUGFeRD file visible directly in the browser. It does not authenticate an email sender, but it makes invoice data quickly readable: for example IBAN, issuer, recipient, invoice number, amounts, due date and references.
This is particularly useful in suspicious cases because it allows you to compare structured details quickly with known master data, purchase orders or earlier invoices.
If something has already happened
If something has already happened to you: these attacks are often carried out very professionally. They look credible, arrive at the right moment and also affect people who are usually very cautious. Anyone can fall for this, regardless of experience or technical background. It is not a personal failure.
What matters then is acting quickly and feeling no shame. Speak to your IT administrator or IT service provider directly and simply say what happened. Those people are there for exactly these situations. If money was transferred to a wrong IBAN, call your bank immediately because the time window for a possible recovery is short. People who stay silent for too long out of shame often only make the situation harder and more expensive.
Frequently asked questions
Are there already documented phishing cases specifically involving XRechnung or ZUGFeRD?
According to the research status as of 12 March 2026, official and standard-related sources do not show any widely documented case series specifically on phishing involving XRechnung or ZUGFeRD. This is an assessment based on the research, not proof that such cases cannot exist. General invoice phishing by email, however, is clearly documented.
Can I recognise a fake invoice from the XML?
Not reliably. Anyone sending you a fake invoice also controls all XML fields and can fill them with plausible values. XML is therefore mainly useful for comparing the invoice with your own data, not as proof of authenticity.
Is an XML file safe to open?
Compared with executable files, an .xml file is usually less critical. Even so, you should not open it by double-clicking, but review it in a trusted viewer. If the invoice was not expected at all, downloading it is not the first step either.
What is an important field to check for public contracting authorities?
The buyer reference, in other words the Leitweg-ID. Official federal information names it as a central field for assigning the invoice. If it is missing or does not match, the invoice is implausible. But a matching Leitweg-ID does not prove authenticity either.
What should I check additionally with ZUGFeRD?
Whether the visible PDF and the embedded XML match in content. ZUGFeRD is a hybrid format. If the two parts differ, for example in the IBAN, amounts or invoice numbers, the invoice should not be approved until the discrepancy has been clarified.
Is checking the IBAN in the XML enough?
Comparing a known IBAN in the XML with your master data is a good first step and greatly improves plausibility. But it is not a guarantee. In edge cases, an attacker could use a real, known IBAN and only manipulate the reference or payment purpose so that the payment is assigned incorrectly. So check IBAN, amount and reference together. If the reference or payment purpose does not fit your known transaction, ask once more.
Is a PDF always harmless?
Compared with executable files, a PDF is generally safe to open. But that only answers the question of file type, not the authenticity of the invoice. A PDF can also contain wrong bank details or a manipulated context.