Manipulated invoices, false account data, high losses - cyber attacks on email communication are on the rise. Two recent judgements show this: Anyone who sends invoices by email must do more than just rely on transport encryption. Qualified electronic signatures (qeS) could be the key to secure communication.
Two cases, one problem: invoice fraud by email
Two recent judgements - from the Higher Regional Court of Karlsruhe and the Higher Regional Court of Schleswig-Holstein - concerned invoices that were sent by email. In both cases, the invoices were manipulated and the recipients paid into the false accounts specified in the manipulated invoices. The money was lost and could not be recovered. The question was whether to pay again or who should bear the loss. The courts came to different judgements - with far-reaching consequences for companies.
TLS vs. E2EE: What really protects?
In its judgement, the Schleswig-Holstein Higher Regional Court effectively demanded the introduction of end-to-end encryption (E2EE) for sending invoices and other critical emails. However, according to Dr Thomas Lapp, specialist lawyer for IT law and Chairman of NIFIS e.V., this view falls short of the mark:
‘E2EE protects confidentiality - but not the authenticity or integrity of a message.’
Even an encrypted email can be manipulated if the recipient does not know for sure who sent it. The solution therefore lies not only in encryption, but also in the electronic signature.
The better solution: qualified electronic signature (qeS)
The qeS is the legally secure proof that a message is unchanged and authentic. It is equivalent to a handwritten signature (Section 126a BGB) and can be used even more easily in future with modern tools such as the EU Digital Identity Wallet. The EU DI Wallet is part of the new German government's digital strategy.
Advantages of qeS:
- Proof of authenticity and integrity
- Manipulations are recognised during signature verification
- Legally compliant in accordance with Section 14 (3) UStG for electronic invoices
What companies should do now
- Send invoices with qeS
  Modern signature software such as digiSeal Office pro 500 or other solutions enable simple implementation.
- Sensitise recipients
  Employees need to know how to recognise a genuine invoice - and when they should become suspicious.
- Establish binding communication rules
  Companies should agree with their partners: ‘Invoices are only valid with a qualified signature.’
- Check alternatives
  Invoice portals or secure download links can offer alternative security for electronic invoices.
________________________________________
Conclusion: Security needs more than encryption
Case law shows that confidentiality alone is not enough. Anyone who sends invoices or other legally relevant documents by email should rely on qualified electronic signatures - and establish this secure communication with their communication partners.

This article is based on the corresponding presentation during the IT Security Talk on the topic of regulation on 27 May 2025 and was created with the support of AI.