False Expense Service Reveals the Trouble With Documents

There’s been some news coverage lately about FalseExpense.com, a service that produces fake receipts to order “for novelty use only.”

The obvious purpose of this is to help people scam their companies’ expense reporting systems by “padding” receipts. People who are reimbursed for hotels, meals, etc. can create receipts for slightly more than they actually paid (or, for that matter, create receipts for meals they skipped altogether or replaced with a bologna sandwich) and pocket the difference. Apparently the same company aims to help people rip off their employers in any way they desire, as they also run “Fake Sick Notes USA.” (Though people running that particular scam are often caught by their own actions.)

It’s interesting that receipts are considered “proof” of purchase. A receipt, after all, is just a piece of paper, and what’s more, there is no standard for what a receipt looks like. People know it should be printed on “receipt paper” — which is usually thin thermal paper, but is sometimes quite heavy paper tape that’s inkjet or impact printed — and contain certain pertinent data, like the location of the purchase, the tax, the total, and some legalese at the bottom. In the modern era, receipts often have serial numbers or bar codes on them, which make the receipt uniquely identifiable by the issuer, but are quite useless to anyone else trying to authenticate it. After all, only someone who has access to Target’s computer system can say if Target receipt #824935729345 is authentic or not. And when it comes to small mom-and-pop retailers (which often have cash register receipts that contain literally nothing but prices) and online retailers (whose receipts are trivially forged HTML emails), the receipt as proof of anything becomes even more ridiculous.

All this false expense site does is make available to the general public an ability that’s been available to the tech-savvy for years. Someone with Photoshop and a USB thermal printer (easily available on eBay for under $100) has been able to forge receipts since the 1990s. This is another case (like checking accounts) where the “security” of a system comes not from any internal defense, but simply from the fact that most people don’t have a security mindset — most people don’t look at everyday systems and think about their weak points and where they break down. Since a receipt is used as proof of purchase, people assume it is proof of purchase.

Unfortunately, there’s really not much to be done to “secure” receipts. To do so would require data-sharing between merchants, employers, and the IRS, so as to make receipt numbers authenticable — and that’s a case of the solution being worse than the disease (the privacy implications would be staggering). As an employer, the best solution may be to simply avoid the problem — have the company book hotel and travel for the employee (rather than reimbursing after the fact), and provide a per diem allowance for expenses rather than reimbursing exact receipts. Any time you rely on receipts from employees, there’s the potential for fraud losses.
