If you're not shady its pretty easy to prove your legit. Real offline bussinesses have to keep records too, and the same attack can happen in the real world since selling counterfeit goods is a crime (harder to get away with false report though in the physical world)

Records though can be messy across businesses (retailer, wholesaler, manufacturer). A simple example would be if the purchase order id could be entered in different formats like if one vendor has dashes (like [customer]-[order number]) and then that PO id is entered without dashes at another system.

If you do a simple search or table join you aren't going to get a match, and if the person who was asked to provide the records doesn't go the extra step to do the search again you suddenly have a lot of issues.