Processing PDFs with AI: Beware of Prompt Injection

The hidden risk inside your documents

AI-powered document processing is transforming how finance teams handle invoices, purchase orders, and receipts. But there is a security risk that most vendors are not talking about: prompt injection.

Prompt injection is a technique where malicious text is embedded inside a document — often invisible to the human eye — to manipulate the AI model processing it. When an LLM reads the document to extract fields like vendor name, amounts, or line items, the injected text can trick the model into returning fabricated data, skipping validation, or leaking information.

How prompt injection works in PDFs

A PDF is not just text on a page. It can contain hidden layers, white-on-white text, metadata fields, embedded JavaScript, and overlapping elements. An attacker can exploit any of these to insert instructions that target the AI model:

• White text on white background — Invisible to a human reviewer but fully readable by an OCR or AI extraction pipeline.
• Metadata fields — PDF author, subject, and keyword fields can carry injected prompts that some extraction tools feed directly to the model.
• Overlapping elements — A visible “Total: $1,500.00” can sit on top of a hidden “Total: $15,000.00” that only the machine reads.
• Font size zero text — Text rendered at zero point size is invisible on screen but still present in the document stream.

Real-world scenarios

This is not theoretical. Consider these attack scenarios:

1. Invoice fraud — A supplier sends a PDF invoice with hidden text instructing the AI to change the bank account number in the extracted output. If the system blindly trusts the AI output, funds get routed to the wrong account.
2. Amount manipulation — Hidden instructions tell the model to add a zero to line item quantities or unit prices. A $500 charge becomes $5,000.
3. Validation bypass — Injected text instructs the model to mark all fields as “high confidence,” skipping the human review queue entirely.

How OnPaper defends against this

We designed our extraction pipeline with these threats in mind from day one:

• Multi-engine cross-validation — OnPaper fuses results from multiple independent OCR engines. A prompt injection that fools one engine is unlikely to produce the same manipulated output across all of them. Discrepancies trigger automatic flags.
• Structured extraction, not free-form prompting — Our AI models extract data into strict schemas with typed fields and value constraints. The model cannot “decide” to change a bank account format or skip a required field.
• Pre-processing sanitization — Before any AI model touches a document, our pipeline strips hidden layers, zero-size text, and suspicious metadata. The model only sees what a human would see.
• Human-in-the-loop by design — Every extracted document passes through a review state. Anomalies in confidence scores, field values, or cross-engine agreement surface for human verification.

What you should ask your vendor

If you use any AI-powered document processing tool, ask these questions:

1. How do you handle hidden text and invisible elements in PDFs?
2. Do you cross-validate extraction results across multiple engines?
3. Can the AI model override validation rules based on document content?
4. Is there always a human review step before data posts to the ERP?

If the answers are vague, your pipeline may be vulnerable.

The bottom line

AI extraction is a massive productivity gain for finance teams, but it is not magic. The same flexibility that lets a model understand messy, unstructured documents also makes it susceptible to manipulation. The solution is not to avoid AI — it is to build layered defenses that treat every document as potentially adversarial.

At OnPaper, security is not an afterthought. It is part of the architecture. See how it works.