Test your AP defenses before attackers do

PayBreach sends controlled, realistic fake invoices to your Accounts Payable department — by email and physical mail — to see if your team catches them before payment.

89% of AP teams receive scam invoices
$26B+ in global invoice fraud losses
79% of orgs hit by payment fraud in 2024

Fake Invoices. Real Training. Defensible Diligence.

We simulate real-world invoice fraud attacks on a recurring basis so you can find weaknesses before criminals do. Companies that pass earn PayBreach Certified status.

White Box Testing

You provide your AP contacts, mailing addresses, and organizational details. We craft targeted test invoices to evaluate your processing controls and employee vigilance.

Black Box Testing

We independently research your organization to identify AP contacts, vendor relationships, and employee names — simulating how a real attacker would approach your company.

PayBreach Certified

Reject 100% of our test invoices and earn the only third-party certification for AP fraud resilience. Prove to partners, auditors, and insurers that your controls work.

Ready to test your AP defenses?

Most companies discover their AP vulnerabilities only after real money has been lost. Find out before attackers do.

Get Started

From signup to certification in six steps

PayBreach integrates into your operations with minimal setup. Here's the complete process from initial engagement through ongoing protection.

You sign up.

Tell us about your business and your AP team in a short online questionnaire.

We send fake invoices.

Throughout the year, our test invoices arrive at your AP department by email and mail.

We tell you what happened.

Use your online portal to learn which invoices were caught, which your team attempted to pay, and where your process needs work.

Step 1

Choose from monthly, quarterly or annual plans based on your organization's size, risk profile, and testing frequency needs. While annual plans are the most cost-effective, monthly plans provide the most effective testing and the highest level of confidence.

Step 2

Before testing can begin, we need to confirm you are authorized by your organization to initiate this type of engagement. This verification process protects your organization, your reputation, and PayBreach from any misunderstanding about the nature of our testing.

  1. Register your information. Provide your full name, title, and business email address. Your email must belong to the same domain as the organization you are authorizing for testing. Generic email providers such as Gmail, Yahoo, Hotmail, Outlook.com, and Protonmail are not permitted.
  2. Review and sign an engagement agreement. This agreement defines the scope of testing, outlines the responsibilities of both parties, and includes important confidentiality and liability provisions. No testing will begin until this agreement is fully executed.
  3. Authorization verification. PayBreach will verify your authority to represent the organization using publicly available records, your organization's website, or professional directories. If we are unable to verify through these methods, additional verification may be required:
    • Co-signature by an authorized official — a corporate officer, owner, partner, or equivalent (e.g., CEO, CFO, COO, General Counsel).
    • Written authorization on company letterhead — a signed letter confirming your authority to engage PayBreach.
    • Direct confirmation from the organization — PayBreach may independently contact the organization using a phone number or email obtained through our own research to confirm the engagement.
    • Board resolution or authorization memo — for larger organizations, a copy of an internal document authorizing the engagement.

Step 3

For white box testing, provide your AP email addresses, mailing addresses, vendor names, and employee details. For black box testing, simply authorize us to begin — we research your organization independently. Both modes can be combined.

Step 4

PayBreach sends realistic fake invoices through email and physical mail using a range of attack scenarios: fictitious vendors, vendor impersonation with altered payment details, rush payment requests, and more.

Step 5

After each testing cycle, you receive a detailed report showing which invoices were flagged, rejected, or processed — along with a breakdown of where controls succeeded or failed and prioritized recommendations for improvement.

Step 6

Reject 100% of test invoices and earn PayBreach Certified status — valid for 12 months. If any invoice is processed, you receive a comprehensive remediation report. Six consecutive months of clean results are required to earn certification after a failure.

Attack scenarios we use

Each testing cycle includes a mix of these methods, with new variations introduced over time to keep pace with evolving threats.

Fictitious Vendors

Completely fabricated companies submitting invoices for services never rendered.

Vendor Impersonation

Invoices mimicking real vendor names but with altered payment addresses.

Employee Name Drops

Invoices listing real employees as purchase approvers to exploit trust and familiarity.

Rush Requests

Urgent payment demands designed to pressure AP staff into bypassing standard controls.

Threshold Testing

Invoices at various amounts to test approval limits, duplicate detection, and routing logic.

Multi-Channel

Simultaneous delivery via email, physical mail, and PDF to test all intake channels.

Start protecting your AP department

Choose a plan and begin testing within days. No complex integrations required.

Subscribe Now

No organization is immune

Invoice fraud has hit the largest and most sophisticated organizations in the world. If they can be fooled, any company is vulnerable.

Invoice fraud is one of the most prevalent threats to corporate finance. Attackers submit fake invoices, impersonate known vendors, alter payment details, and exploit weak internal controls — often successfully.

AI tools are making fraudulent invoices more convincing and easier to produce at scale. While companies invest heavily in IT penetration testing, virtually no one stress-tests the human processes and controls within Accounts Payable.

Most organizations discover their AP vulnerabilities only after real money has been lost.


Real-world cases

Google & Facebook

$122M

A single individual sent forged invoices impersonating a real supplier and collected $99M from Facebook and $23M from Google over two years before being caught.

Yale University

$40M

One employee submitted fake technology purchase invoices and drained $40M from the university before detection.

Toyota Boshoku

$37M

Attackers impersonated a trusted vendor via email, changed the bank details on a routine invoice, and Toyota's AP team wired $37M without question.

City of Fort Lauderdale

$1.2M

A fraudster impersonated a contractor building the city's new police station. The paperwork matched prior requests so closely that AP wired $1.2M immediately.

UK National Trust

£1M

An employee authorized 148 fake invoices submitted by his own sons posing as vendors. An audit found no evidence of any work performed.

U.S. Dept. of Defense

$624K

A civilian employee created 185 fraudulent invoices from fictitious vendors over four years, using 78 different account names to hide the trail.

89% of AP teams have received scam invoices
79% of organizations experienced payment fraud in 2024
$26B+ estimated global BEC and invoice fraud losses (2016–2019)

Don't wait until it's real

Find your AP vulnerabilities with controlled testing before attackers find them for you.

See How It Works

PayBreach Certified

The first and only third-party credential verifying that an organization's AP department can detect and reject fraudulent invoices. Three certification tiers reflect your testing commitment. A pass/fail standard at every level — no partial credit.

Verify Existing Certification Here

Silver

Annual Plan

Validates your AP controls once per year. Ideal for establishing a baseline and demonstrating due diligence to auditors and insurers.

Gold

Quarterly Plan

Demonstrates ongoing vigilance with testing four times per year. Shows partners and regulators that your organization maintains consistent AP security.

Platinum

Monthly & Monthly Premier Plans

The highest level of certification. Proves your AP department withstands continuous or unpredictable testing — the strongest signal of fraud resilience available.

How certification works

Every tier follows the same absolute standard. Pass or fail — no partial credit.

Pass — Certified

Successfully identify and reject 100% of test invoices across all attack vectors. The standard is absolute — a single invoice processed for payment constitutes a failure.

  • Certification at your plan's tier (Silver, Gold, or Platinum)
  • Unique certification serial number
  • Customized digital badge with company name
  • Formal certification certificate (.pdf)
  • Status valid for 12 months with active subscription

Fail — Remediation

If any test invoice is processed for payment, certification is not awarded. Instead, you receive a comprehensive remediation package.

  • Copies of every test invoice — caught and missed
  • Delivery method and attack vector for each test
  • Timeline of where controls broke down
  • Root cause analysis for each failure
  • Prioritized recommendations
  • 6 consecutive clean months required for certification

Why certification matters

Third-Party Validation

Demonstrate to stakeholders, auditors, insurers, and business partners that your AP controls have been independently tested and passed.

Vendor Confidence

Share your PayBreach Certified status with vendors and partners as proof of responsible payment practices.

Insurance Advantage

Support reduced premiums on crime or fidelity insurance policies by demonstrating proactive fraud prevention.

Regulatory Alignment

Support compliance with SOX, COSO, and industry-specific financial control frameworks.

Competitive Edge

Distinguish your organization as one that takes payment integrity and financial controls seriously.

Continuous Improvement

The 6-month remediation path after failure ensures certification reflects sustained improvement, not luck.

Earn your certification

Subscribe, pass the testing, and demonstrate to the world that your AP controls are battle-tested.

Subscribe Now

Simple, transparent pricing

Every plan includes annual certification, downloadable certificates and badges, full access to penetration test results, and detailed remediation reports. Frequency determines how often we test your AP defenses.

Annual

$249/year

One test per year

Silver Certification

A low-cost entry point for small organizations that want to validate their AP controls and earn PayBreach Certified status without a large commitment. Ideal for companies with lower invoice volume or simpler AP operations that want annual assurance their defenses hold up.

  • Annual penetration test
  • Silver certification & badge
  • Customized certificate (.pdf)
  • Full results & remediation report
  • White box & black box testing

Get Started

Quarterly

$129/quarter

Four tests per year

Gold Certification

The right balance of cost and security for organizations that want to stay sharp without monthly overhead. Quarterly waves introduce new attack scenarios each cycle, keeping your AP team on their toes and ensuring complacency never sets in.

  • Quarterly penetration tests
  • Gold certification & badge
  • Customized certificate (.pdf)
  • Full results & remediation reports
  • Escalating attack scenarios each wave

Get Started

Monthly Premier (Most Secure)

$99/month

18 tests per year — random intervals

Platinum Certification

Maximum unpredictability. Eighteen tests delivered at random intervals throughout the year mean your AP team can never predict when the next test is coming. This eliminates the possibility of heightened alertness only during expected testing windows and provides the truest measure of your organization's everyday fraud resilience.

  • 18 penetration tests at random intervals
  • Platinum certification & badge
  • Customized certificate (.pdf)
  • Full results & remediation reports
  • Continuous reporting for auditors
  • Unpredictable testing schedule
  • Ideal for employee incentive programs

Get Started

All plans include both white box and black box testing modes. Certification tier (Silver, Gold, or Platinum) is determined by your plan. Failed certifications require 6 consecutive months of clean monthly testing before recertification — the Monthly and Monthly Premier plans are the fastest path back to certified status.

Check company certification

Verify whether a company holds current PayBreach Certified status. Search by company name or certification serial number.


Frequently asked questions

Everything you need to know about PayBreach's AP penetration testing and certification.

General

What is PayBreach?

PayBreach is an accounts payable penetration testing service. We send controlled, realistic fake invoices to your AP department — via email and physical mail — to see if your team catches them before payment. Companies that successfully reject 100% of test invoices earn PayBreach Certified status.

How is this different from IT penetration testing?

Traditional penetration testing targets your computer networks, servers, and software. PayBreach targets the human processes and controls within your Accounts Payable department. We don't access any of your systems — we test whether your people and procedures can identify and reject fraudulent invoices delivered through normal business channels.

Do you access our computer systems or networks?

No. PayBreach testing is conducted exclusively via two channels: physical mail and email. We never access, log into, or interact with your computer networks, servers, databases, ERP systems, payment platforms, or any other electronic systems. No software, scripts, or network-based tools are used.

Who is PayBreach designed for?

Any organization with an Accounts Payable function — from small businesses to large enterprises. If your company receives and pays invoices, your AP process can be tested and certified.

How Testing Works

What types of fake invoices do you send?

Each testing cycle includes a mix of attack scenarios: fictitious vendors, vendor impersonation with altered payment details, rush payment requests, threshold testing at various dollar amounts, and multi-channel delivery (email and physical mail simultaneously).

What is white box vs. black box testing?

In white box testing, you provide your AP contacts, mailing addresses, and organizational details so we can craft targeted test invoices. In black box testing, we independently research your organization to identify AP contacts, vendor relationships, and employee names — simulating how a real attacker would approach your company. Both modes can be combined.

How often will we receive test invoices?

Testing frequency depends on your plan. Annual plans include one test per year. Quarterly plans include four tests per year. Monthly plans include 12 tests per year. Monthly Premier plans include up to 18 tests per year, sent at randomized intervals for maximum unpredictability.

Will our AP team know when a test is coming?

That's up to you. Keep in mind the purpose is to increase awareness and diligence within your AP department, not to try to "catch" people failing. Therefore we recommend informing your team about the process, and even implementing an incentive program for when they do find a fake invoice.

What happens if our AP department pays a test invoice?

No real money EVER changes hands. Test invoices contain only a payment URL offering credit card, ACH, or other payment types, but that URL cannot actually process any of them. It collects only the invoice number and, optionally, the payer's contact information so we can report that a payment attempt was made. No bank account numbers, routing numbers, wire instructions, or ACH details appear on any test invoice, and no physical address is provided to accept payment.

Certification

What is PayBreach Certified?

PayBreach Certified is the first and only third-party credential verifying that an organization's AP department can detect and reject fraudulent invoices. It's a pass/fail standard — no partial credit.

What does it take to pass?

You must reject 100% of test invoices across all attack vectors. A single invoice processed for payment constitutes a failure.

What are the certification tiers?

There are three tiers based on your testing frequency: Silver (annual testing), Gold (quarterly testing), and Platinum (monthly or monthly premier testing). The standard is the same at every level — 100% rejection — but higher tiers demonstrate a greater commitment to ongoing vigilance.

How long is certification valid?

Certification is valid for 12 months with an active subscription.

What happens if we fail?

You receive a comprehensive remediation package including copies of every test invoice (caught and missed), delivery methods and attack vectors used, a timeline of where controls broke down, root cause analysis, and prioritized recommendations. To earn certification after a failure, you must complete 6 consecutive months of successful monthly testing with zero failures.

Can anyone verify our certification?

Yes. The PayBreach website includes a public verification page where anyone can check a company's certification status using their certification serial number.

Payment & Invoices

Will PayBreach ever accept payment from a test invoice?

Never. PayBreach will never accept, collect, deposit, or otherwise convert any payment in connection with any test invoice. All payment details on test invoices are non-functional. When a client attempts to pay a test invoice, we collect the invoice number and ask for the payment type. Once the payment type is selected, we notify the payer that it was a test invoice; we never ask for any payment instrument such as a credit card number or ACH account. We then report back to the client contact which invoice someone attempted to pay.

What payment methods do test invoices include?

Test invoices include only a URL for credit card, ACH, or other payment methods. The URL collects only the invoice number and does not collect any payment information. No bank account numbers, routing numbers, wire instructions, or ACH details will ever appear on a test invoice or be requested from a client.

Pricing & Plans

What plans are available?

We offer four plans: Annual ($249/year, 1 test, Silver certification), Quarterly ($129/quarter, 4 tests, Gold certification), Monthly ($79/month, 12 tests, Platinum certification), and Monthly Premier ($99/month, up to 18 randomized tests, Platinum certification).

What's included in every plan?

All plans include annual certification, a downloadable certificate and digital badge, full access to penetration test results, detailed remediation reports if any test is failed, and both white box and black box testing.

Which plan do you recommend?

For most organizations, the Monthly plan at $79/month provides the best balance of testing frequency, certification level (Platinum), and value. Monthly Premier adds randomized timing and a higher volume of tests for organizations that want the most rigorous assessment.

Can I change plans?

Yes, you can upgrade or downgrade your plan at any time through the client portal.

Legal & Authorization

Do I need to sign anything before testing begins?

Yes. Before any testing begins, an authorized representative of your organization must sign a formal Authorization Agreement. This agreement outlines the scope of testing, confirms that the signer has authority to authorize testing, and establishes the legal framework for the engagement.

Who can sign the Authorization Agreement?

Any current employee who has the authority to bind the organization and authorize third-party security testing of the AP processes. The signer certifies under penalty of perjury that they have this authority and that all required internal approvals have been obtained.

Why do you require a corporate email to sign up?

We use corporate email domain verification as one method to confirm organizational affiliation. Personal email addresses (Gmail, Outlook, Hotmail, ProtonMail, etc.) are not accepted. This helps ensure that the person requesting testing is actually affiliated with the organization being tested.

What legal protections are in place?

The Authorization Agreement includes strong attestation language where the signer certifies under penalty of perjury that they have authority, that all information is accurate, and that the testing is requested in good faith. The signer agrees to personal liability if any representation is false. The agreement also cites applicable federal fraud statutes (mail fraud, wire fraud, and computer fraud) as deterrents against unauthorized requests.

Is this legal?

Yes. PayBreach testing is conducted exclusively through ordinary business communication channels (mail and email). We do not access any computer systems. The Authorization Agreement establishes clear legal authorization from the client organization before any testing begins. This is similar to how organizations authorize IT penetration testing firms — except our scope is limited to paper and email.

Security & Confidentiality

Are our test results kept confidential?

Yes. All test results, reports, and findings are confidential. PayBreach will not disclose your identity or test results to any third party without your prior written consent, except as required by law.

Can other people in my company access the results?

PayBreach may disclose test results and engagement details to any individual at your organization who is a current officer, director, or senior manager, provided they verify their identity through corporate credentials and hold a position of equal or greater authority than the person who originally signed up.

What data do you collect about our organization?

We collect the information needed to conduct testing: company name, AP contact information, mailing addresses, and (for white box testing) organizational details you provide. We do not access your financial systems, vendor databases, or any internal data beyond what you share with us.

Getting Started

How quickly can testing begin after we sign up?

Testing can typically begin within a few days of completing your Authorization Agreement and onboarding information.

Is there a long-term commitment?

No. Monthly and quarterly plans can be cancelled with 30 days' written notice. Annual plans run for the full year.

How do I sign up?

Visit our Get Started page to create an account, choose your plan, sign the Authorization Agreement, and begin the onboarding process.

Still have questions?

Contact us and we'll be happy to walk you through how PayBreach can strengthen your AP defenses.

Contact Us

Talk with the PayBreach team

Share your organization details and goals, and we will review them and follow up. You can also email us at info@paybreach.com or call toll free at 1-855-APTEST5 (1-855-278-3785).