Unprotected business transactions:
Why email is unsuitable as a means of transmitting invoices
The Schleswig-Holstein Higher Regional Court (OLG) has sent a clear signal with a recent ruling (Ref.: 12 U 9/24): sending invoices by email poses significant security risks and can be costly for companies.
In the case in question, a simple PDF invoice sent by email was significantly manipulated by hackers – with serious consequences.
What exactly happened?
The hackers altered the content of the unencrypted PDF invoice sent by email. They replaced the invoice issuer's account details with those of a third-party bank.
The consequences were disastrous: the customer paid the invoice into the wrong account, and the Higher Regional Court did not recognize that payment as fulfillment. In other words: the money is gone, but the debt has not been settled.
Email ruling with a signal effect
This alone should raise eyebrows—and confirms how insecure sending transaction documents such as invoices by email can be. But the real significance of this decision lies elsewhere:
The court also clarified that companies must take technical and organizational measures when sending invoices by email to prevent manipulation by third parties. Otherwise, they could not only suffer financial damage but also be held liable—for example, under Article 82 of the GDPR.
What does the ruling mean for the two parties involved?
Consequences for the invoice issuer, who sent the unencrypted email
- The company formally retains its claim to the original invoice amount, as the payment made by the customer was not considered to fulfill the payment obligation. However, it is liable for damages.
- In addition, the company could be held liable for data protection violations under Article 82 GDPR because it did not take sufficient security measures when sending the invoice by email.
- The court clarifies that transport encryption alone (e.g., TLS) is not sufficient to protect the invoice from manipulation. End-to-end encryption would have been necessary.
- In future, the company must ensure that invoices are sent via a secure transmission channel (e.g. via Peppol or e-invoicing platforms) in order to avoid liability risks.
Consequences for the invoice recipient, who made the payment to the wrong recipient
- Strictly speaking, the customer would have to pay the invoice again, as the original payment went to the wrong account and was not legally recognized as fulfillment of the debt.
- However, the court awarded the customer damages under Article 82 of the GDPR. This means that they can, in theory, claim back the lost amount from the company because it did not take sufficient protective measures.
- Nevertheless, there remains a great deal of uncertainty for the customer: whether they will actually get their money back depends on whether the company is financially capable of compensating for the damage.
Precedent and signal effect of the ruling
The ruling clearly shows that companies are primarily responsible for the secure transmission of their invoices. Those who rely on insecure transmission methods such as email and do not take additional protective measures risk not only financial losses but also legal consequences.
At the same time, the ruling strengthens the position of invoice recipients: in such cases, they can cite data protection violations and claim damages. In practice, this means that companies should urgently move away from using insecure transmission channels.
Technical background: Why email is not a secure solution for invoices!
For years, digitization and business process specialists such as the experienced providers from the TRAFFIQX® network have been warning that email is no longer a suitable means of transporting electronic invoices. The digital transformation of business processes is advancing. But while companies are increasingly investing in IT security measures, sending invoices by email often remains a gateway for fraud.
Emails are vulnerable: phishing, spoofing, and man-in-the-middle attacks are well-known methods that enable cybercriminals to manipulate invoices or deceive customers. According to the Higher Regional Court of Schleswig, simple transport encryption via TLS is not sufficient to ensure an adequate level of security. Instead, end-to-end encryption should become the standard in order to protect the integrity of invoice documents.
E-invoicing platforms as a future-proof alternative
The solution for secure invoice transmission lies in modern e-invoicing platforms and networks such as Peppol. These systems ensure structured and tamper-proof data exchange between companies and authorities.
A key argument in favor of using Peppol and similar networks is the legally compliant documentation of the sending and receiving process: companies that exchange their invoices via such networks can prove at any time
- when an invoice was sent,
- in what form it was received by the recipient, and
- whether its content has remained unchanged.
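As an added illustration (not code from this article or from TRAFFIQX), the two checks a recipient's payment system can run before paying: verifying an integrity tag the issuer computed over the invoice, and comparing the invoice IBAN against vendor master data. The HMAC shared-key tag is an assumption standing in for the digital signatures such networks use; all invoice values, keys and the vendor record are constructed.

```python
import hashlib
import hmac
import json

# Constructed shared key (assumption: an HMAC tag stands in for the issuer's
# digital signature; a real network would use asymmetric signatures).
ISSUER_KEY = b"constructed-demo-key-not-for-production"

# Constructed sample invoice as the issuer sent it (IBAN is a published test value).
SAMPLE_INVOICE = {"issuer": "Muster GmbH", "number": "2024-0815",
                  "amount_eur": "12500.00", "iban": "DE89370400440532013000"}

# Same invoice with the account swapped to a third-party IBAN, as in the ruling.
TAMPERED_INVOICE = dict(SAMPLE_INVOICE, iban="GB82WEST12345698765432")

# Constructed vendor master data the recipient maintains independently of email.
VENDOR_MASTER = {"Muster GmbH": "DE89370400440532013000"}


def canonical(invoice: dict) -> bytes:
    """Canonical JSON so the tag does not depend on key order or whitespace."""
    return json.dumps(invoice, sort_keys=True, separators=(",", ":")).encode()


def tag_invoice(invoice: dict, key: bytes = ISSUER_KEY) -> str:
    """Integrity tag the issuer computes and transmits alongside the invoice."""
    return hmac.new(key, canonical(invoice), hashlib.sha256).hexdigest()


def iban_checksum_ok(iban: str) -> bool:
    """ISO 13616 mod-97 check: move first four chars to the end, letters -> 10..35."""
    s = iban.replace(" ", "").upper()
    digits = "".join(str(int(c, 36)) for c in s[4:] + s[:4])
    return int(digits) % 97 == 1


def check_invoice(invoice: dict, tag: str, vendor_master: dict,
                  key: bytes = ISSUER_KEY) -> list:
    """Return findings; an empty list means the invoice passed all checks."""
    findings = []
    if not hmac.compare_digest(tag_invoice(invoice, key), tag):
        findings.append("integrity tag mismatch: content changed after issue")
    iban = invoice["iban"]
    if not iban_checksum_ok(iban):
        findings.append("IBAN checksum invalid")
    if iban != vendor_master.get(invoice["issuer"]):
        findings.append("IBAN differs from vendor master data")
    return findings


if __name__ == "__main__":
    issued_tag = tag_invoice(SAMPLE_INVOICE)
    print("original:", check_invoice(SAMPLE_INVOICE, issued_tag, VENDOR_MASTER))
    print("tampered:", check_invoice(TAMPERED_INVOICE, issued_tag, VENDOR_MASTER))
```

The swapped IBAN in the tampered copy has a valid checksum, so only the tag comparison and the master-data comparison catch it; the checksum alone is not a fraud control.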
A look into the future: Digital reporting systems require secure transmission channels
With the introduction of mandatory eInvoicing in Germany from 2025 and the ViDA initiative at EU level, a structural change in digital invoicing is beginning. But this is only the first step: by 2030, the entire B2B invoicing process is to be supplemented by digital reporting systems that enable real-time reporting to the tax authorities.
This development makes it all the more urgent for companies to rely on secure and automated processes. Anyone who still relies on email as a means of transmitting invoices today is taking a considerable risk and missing the opportunity to prepare for upcoming requirements at an early stage.
Act now and switch to future-proof solutions!
The ruling by the Higher Regional Court of Schleswig-Holstein underscores the need to make invoice exchange more secure. Companies that continue to rely on email not only expose themselves to the risk of financial losses, but also face liability issues.
Digital invoicing is not a question of “if,” but “how.” Those who switch their processes to secure transmission channels such as Peppol or specialized e-invoicing platforms at an early stage not only secure their own processes, but also ensure long-term stable and compliant invoice processing.
With TRAFFIQX®, companies are already designing their invoicing processes to be secure, efficient, and compliant with legal requirements. Change is in full swing—let's tackle it together!
Would you like to learn more? Schedule a free consultation with our expert Lars Becher, Key Account Manager and Subject Matter Expert for eInvoicing and CTC in the TRAFFIQX® network.
Call him at: +49 (0)6359 - 9 37 90