Payslip Fraud in HR: How Fake Salary Documents Pass Review

HTPBE Team · 12 min read
This article is a snapshot — content was accurate as of June 2026 (code examples tested against the API as of April 2026). The product evolves actively; specific counts, examples, and detection rules may have changed since publication — see the changelog for the current state.

Industry surveys consistently put credential misrepresentation among job applicants in the order of one in ten to one in five, depending on the cohort and the definition used — exact figures vary, and we cite no single source as authoritative here. The most common target is the payslip — a document that unlocks salary negotiation, employment history verification, and visa sponsorship decisions simultaneously. The average cost of a bad hire, including termination, rehiring, and productivity loss, runs into five figures and is typically discovered after onboarding, when the discrepancy is already embedded in the payroll system.

Background check platforms close the gap on criminal records and education. They leave payslip authenticity almost entirely to human judgment — and human judgment cannot see inside a PDF file.

Why Payslips Are the Easiest Document to Fake

A payslip carries more decision weight per page than almost any document in the hiring process. Salary history determines the offer range. Months of continuous payslips confirm employment tenure. Payroll details confirm a candidate’s claimed role and compensation tier.

All of that information is controlled by the candidate before submission. They choose which files to send. They control the file content. Most ATS platforms accept any PDF upload without examining it.

The fabrication toolchain is not sophisticated. Candidates with real payslips from a lower-paying job open the file in Adobe Acrobat or an online PDF editor, change a salary figure, and save. Candidates without qualifying employment history use payslip generator websites — payslipgenerator.co.uk and similar services — to produce a plausible-looking document in minutes. Both methods leave structural evidence inside the file that content review cannot see.

Three Fraud Patterns and What They Leave Behind

Salary Inflation on a Real Payslip

This is the most common pattern. The candidate has a genuine payslip from their current employer and changes the gross salary figure upward — sometimes by 10–15%, sometimes by 50%.

The edit requires opening the PDF in an editor. That editor re-saves the file. The re-save overwrites the producer metadata field — the field that records which software last wrote the file — while leaving the creator field intact from the original payroll system. A payslip produced by Sage, ADP, or SAP carries a specific producer string. When that same file is re-saved in Microsoft Word, Smallpdf, or iLovePDF, the producer changes.

The xref table compounds the evidence. PDF uses an incremental update architecture: every edit session appends a new cross-reference section to the file. A legitimate payslip from a payroll system has one xref section. A modified payslip has two or more. The original content, including the unmodified salary figure, remains in the binary. The update chain is a direct record of every post-creation edit.
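As an added illustration (not code from HTPBE or from the original article), the following Python reads the two structural signals described above directly from raw PDF bytes: the producer history and the number of saved revisions. The sample bytes are a constructed skeleton with illustrative offsets and a placeholder original producer, and the scan assumes an uncompressed Info dictionary with simple literal strings.

```python
import re

# Constructed sample (not a real payslip): a PDF skeleton with illustrative
# byte offsets. "Example Payroll Engine" is a placeholder producer string.
ORIGINAL = (
    b"%PDF-1.4\n1 0 obj\n"
    b"<< /Creator (ADP Workforce Now) /Producer (Example Payroll Engine) >>\n"
    b"endobj\nxref\n0 2\n0000000000 65535 f \n0000000009 00000 n \n"
    b"trailer\n<< /Size 2 /Info 1 0 R >>\nstartxref\n96\n%%EOF\n"
)
# Incremental update as an editor would append it: a replacement Info
# dictionary, a new xref section, and a trailer pointing back via /Prev.
UPDATE = (
    b"1 0 obj\n<< /Creator (ADP Workforce Now) /Producer (Smallpdf) >>\n"
    b"endobj\nxref\n1 1\n0000000200 00000 n \n"
    b"trailer\n<< /Size 2 /Info 1 0 R /Prev 96 >>\nstartxref\n270\n%%EOF\n"
)


def info_values(pdf: bytes, key: bytes) -> list[str]:
    """Literal-string values of /key in file order, oldest revision first.

    Assumes unencrypted, uncompressed Info dictionaries and strings without
    nested parentheses; XMP metadata and object streams are not handled.
    """
    pattern = rb"/" + re.escape(key) + rb"\s*\(((?:\\.|[^\\)])*)\)"
    return [v.decode("latin-1") for v in re.findall(pattern, pdf)]


def revision_count(pdf: bytes) -> int:
    """Every save, full or incremental, ends with 'startxref <offset> %%EOF'."""
    return len(re.findall(rb"startxref\s+\d+\s+%%EOF", pdf))


def structural_summary(pdf: bytes) -> dict:
    producers = info_values(pdf, b"Producer")
    creators = info_values(pdf, b"Creator")
    return {
        "revisions": revision_count(pdf),
        "creator": creators[-1] if creators else None,
        "first_producer": producers[0] if producers else None,
        "last_producer": producers[-1] if producers else None,
        # Earlier revisions stay in the file, so the original value is recoverable.
        "producer_changed": len(set(producers)) > 1,
    }


if __name__ == "__main__":
    print(structural_summary(ORIGINAL))
    print(structural_summary(ORIGINAL + UPDATE))
```

A tool that rewrites the whole file on save leaves a single revision, so a count of 1 does not by itself show that a file is untouched.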

The forensic response on a modified payslip:

{
  "id": "ck_4f9a2c1e-7d3b-4e8a-b5f2-9c0d6e8a1b4c",
  "status": "modified",
  "modification_confidence": "high",
  "modification_markers": ["PRODUCER_MISMATCH", "INCREMENTAL_UPDATES"],
  "creator": "ADP Workforce Now",
  "producer": "Smallpdf",
  "xref_count": 2,
  "creation_date": 1746057600,
  "modification_date": 1746316800
}

creator: "ADP Workforce Now" alongside producer: "Smallpdf" is structurally inconsistent with ADP’s documented distribution flow — ADP emits the PDF directly, and a normal candidate workflow does not include re-export through an online compression tool. The combination is a high-confidence anomaly that warrants escalation; the legitimate edge cases (a candidate compressing the file to meet an upload size limit, a corporate mailbox sanitiser re-encoding the attachment) are rare in practice but real, so treat the verdict as a trigger for human review rather than as automatic disqualification. The modification_date trailing creation_date by three days is consistent with the window between employer issuance and candidate edit.

Entirely Fabricated Payslips from Generator Sites

Candidates who need to fabricate employment history wholesale — not just inflate a salary — turn to payslip generator services. These sites render payslips using headless browser automation: Puppeteer, Chrome headless, or similar tools that produce valid PDF output with plausible formatting.

The structural tell is the producer string. Institutional payroll systems — Sage, ADP, Xero, MYOB, SAP, QuickBooks Payroll — each have recognizable producer signatures. A payslip generated by a web service shows producer: "Puppeteer" or producer: "Chromium" or a generic headless renderer string. No real employer’s payroll system produces PDFs this way.

These documents return inconclusive, not modified. There is no original file to compare against, so no modification can be detected. But inconclusive is not a clean result — it is a signal about document origin:

{
  "id": "ck_8b1d5e3a-2c7f-4a9b-c3e4-1d0f8a2b6c5e",
  "status": "inconclusive",
  "producer": "Puppeteer",
  "creator": null,
  "origin_type": "consumer",
  "modification_markers": []
}

origin_type: "consumer" combined with producer: "Puppeteer" indicates the document was rendered by a web automation tool rather than a recognised payroll system. The institutional payroll providers in mature markets do not, in any documented workflow we have seen, distribute payslips via raw Puppeteer or Chromium producer strings — these are characteristic of payslip generator services or in-house rendering scripts. Treat the combination as a strong fabrication signal that warrants employer verification, with the understanding that the small number of legitimate cases (a niche local employer running their own headless rendering pipeline) still exist and need a human reviewer to confirm.

Xero or MYOB Free-Trial Payslips

A more sophisticated pattern: candidates create a free trial account on Xero or MYOB, set up a fictitious company, enter themselves as an employee, and export a payslip. The resulting PDF carries the genuine Xero or MYOB producer string and looks structurally legitimate.

Structural analysis alone cannot distinguish a payslip generated by a real Xero client from one generated on a trial account. This is an honest limitation. The file structure is clean because the tool was used as designed.

The signal to layer on here is employer fraud detection: if the payslip shows Xero formatting but the employer cannot be reached or does not exist in business registries, the structural “clean” result becomes context for escalation rather than approval. Structural forensics is one layer — it is not a replacement for employment confirmation calls.

Why Background-Check Platforms Miss This

Standard background checks verify employment by contacting the claimed employer directly or querying employment databases. They confirm dates of employment, job title, and sometimes salary. They do not analyze the submitted document’s file structure.

A well-fabricated payslip passes human review because the formatting matches what reviewers expect. It passes database checks if the employer exists and confirms employment. The structural layer — the producer field, the xref chain, the modification date delta — is never examined.

Employment history databases only work when the employer is listed and responds. Many small businesses are not in these databases. Many employers outside the US and UK cannot be checked by query. In those cases, the submitted PDF is the only evidence — and if no one checks the file structure, the fraud has already passed.

False Positives, Adversarial Adaptation, and Where Structural Analysis Wears Thin

Treat any structural verdict as a signal into review, not as a hiring decision on its own. Five recurring sources of benign modified and origin-drift signatures come up across HR document pipelines:

  • Candidate compression. A candidate compresses the payslip in Smallpdf or iLovePDF to meet an ATS upload size limit. Same content, new producer, xref_count of two: at the structural level this looks the same as salary inflation.
  • Mailbox sanitisers and ATS preprocessors. Enterprise security mail filters and some ATS platforms re-encode attached PDFs on receipt, leaving their own producer fingerprints.
  • Mobile share pipelines. A payslip shared from a mobile banking or payroll app through iOS Files or Android share-sheet may be re-encoded by the intermediate app on the way out.
  • Corporate archival re-export. Some employers run their own PDF/A normalisation on payroll output before distribution; the resulting file looks modified to a forensic check that has not been calibrated for that employer’s pipeline.
  • Print-to-PDF roundtrips. A candidate who prints the payslip, scans it, and re-attaches submits a structurally different file with no content change.

Adversarial adaptation is the other axis. A motivated fraudster who knows this layer exists can:

  • Print the payslip, scan it, and submit the scan — which returns inconclusive because the structural surface is now a raster, not a PDF object graph.
  • Flatten the PDF before edit, so the producer drift looks like a single legitimate export from a flatten-capable tool.
  • Strip metadata before submission — also lands as inconclusive, which is itself a signal but no longer points at a specific edit.
  • Route the edit through a real payroll system (free trial accounts on Xero or MYOB, the case covered above) so the structure looks clean.

The right operational shape for a hiring pipeline is to start every modified verdict and every institutional-origin inconclusive in human review, log the reviewer’s ground-truth outcome (real fraud / honest re-save / employer-side workflow quirk), and tighten the auto-routing rules only after several weeks of labelled data. Precision and recall numbers come out of that loop, not out of vendor decks.

The India Context

Salary slip fraud has been widely reported as endemic in the Indian job market. Operators in the local background-verification industry have publicly cited flag rates in the tens of percent on submitted salary slips — exact figures vary across studies and are sometimes overstated for marketing; we cite no specific number as authoritative here. The pattern matches the rest of the global signal: candidates inflate compensation to negotiate higher offers or to cross salary band thresholds for roles or visa categories.

Indian payroll systems — including payslips generated from Form 16 salary certificates, company-issued salary certificates, and EPF-linked documents — carry recognizable structural signatures when generated by institutional HR platforms. The same forensic approach applies: producer field mismatch and incremental update markers surface edits regardless of whether the document is from Mumbai or Manchester. See the fake salary slip detection technical guide for format-specific details.

Integration in the Hiring Workflow

Run the payslip check at document upload during the background screening stage — before the hiring manager sees the results, before salary negotiation begins. Most ATS platforms (Greenhouse, Lever, Workday, BambooHR) support webhooks or document upload triggers that can call an external API.

curl -X POST https://api.htpbe.tech/v1/analyze \
  -H "Authorization: Bearer $HTPBE_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"url": "https://your-storage.example.com/candidates/jane-doe-payslip-oct-2025.pdf"}'

The response comes back with a verdict, named modification markers, and producer metadata. Your downstream routing logic branches on three outcomes:

  • intact — file structure consistent with payroll system origin; proceed to content review
  • modified + PRODUCER_MISMATCH or INCREMENTAL_UPDATES — post-creation edit detected; escalate before progressing the candidate
  • inconclusive + producer: "Puppeteer" or origin_type: "consumer" — fabrication signal; treat as unchecked and request an employer-issued alternative
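The three-way branch above as an added Python example (not HTPBE's code). The queue names are hypothetical, the two sample responses are the ones shown earlier in this article, and any combination the list does not cover falls through to human review.

```python
SECONDS_PER_DAY = 86400
EDIT_MARKERS = {"PRODUCER_MISMATCH", "INCREMENTAL_UPDATES"}
HEADLESS_PRODUCERS = ("puppeteer", "chromium")  # strings named in this article

# Sample responses copied from the article's earlier examples.
MODIFIED = {
    "id": "ck_4f9a2c1e-7d3b-4e8a-b5f2-9c0d6e8a1b4c", "status": "modified",
    "modification_markers": ["PRODUCER_MISMATCH", "INCREMENTAL_UPDATES"],
    "creator": "ADP Workforce Now", "producer": "Smallpdf",
    "creation_date": 1746057600, "modification_date": 1746316800,
}
FABRICATED = {
    "id": "ck_8b1d5e3a-2c7f-4a9b-c3e4-1d0f8a2b6c5e", "status": "inconclusive",
    "producer": "Puppeteer", "creator": None, "origin_type": "consumer",
    "modification_markers": [],
}


def route(result: dict) -> dict:
    """Map one analysis response to a review queue (queue names are hypothetical)."""
    status = result.get("status")
    markers = set(result.get("modification_markers") or [])
    producer = (result.get("producer") or "").lower()
    headless = any(name in producer for name in HEADLESS_PRODUCERS)
    reasons = []

    if status == "intact":
        queue = "content_review"
    elif status == "modified" and markers & EDIT_MARKERS:
        queue = "escalate"
        reasons += sorted(markers & EDIT_MARKERS)
        created = result.get("creation_date")
        modified = result.get("modification_date")
        if created is not None and modified is not None:
            days = (modified - created) / SECONDS_PER_DAY
            reasons.append(f"edited {days:.1f} days after creation")
    elif status == "inconclusive" and (headless or result.get("origin_type") == "consumer"):
        queue = "request_employer_issued_copy"
        reasons.append(f"producer={result.get('producer')!r}")
    else:
        # Missing status or an unlisted combination: never auto-approve.
        queue = "human_review"
    return {"check_id": result.get("id"), "queue": queue, "reasons": reasons}


if __name__ == "__main__":
    for sample in (MODIFIED, FABRICATED, {"status": "intact"}):
        print(route(sample))
```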

The check ID is stored against the candidate record. If a discrepancy surfaces later, the forensic report is retrievable via GET /api/v1/result/{check_id} — a permanent audit trail for the hiring decision.

HR teams evaluating the approach can run a sample of recent payslip submissions against the API before integration. The verdict and named markers are the same whether the document came from an ATS upload, an email attachment, or a portal — the routing logic on your side is what turns the signal into a hiring decision.

The neighboring document vectors in HR fraud follow the same structural logic: fake experience letter detection and fake diploma detection both use producer and xref analysis against the same institutional software signatures. For the H-1B salary-slip flavour of this problem, the H-1B Indian salary slip fraud breakdown covers region-specific producer profiles.

Frequently Asked Questions

How can I detect a fake payslip from a job applicant?

The reliable signal is structural. A payslip emitted by an enterprise payroll system (ADP, Sage, SAP, Xero, MYOB) carries a recognisable producer string and a single cross-reference section. After re-saving in an editor, that producer string is overwritten and a second xref section is appended. A submitted payslip showing producer: "Smallpdf" or producer: "Microsoft Word" against a creator of "ADP Workforce Now" is structurally inconsistent with how ADP distributes payslips, which is worth flagging before the offer stage.

What is a payslip generator and why does it produce inconclusive?

Payslip generator sites render documents through headless browsers (Puppeteer, Chromium) rather than payroll systems. There is no original to compare against, so structural forensics returns inconclusive rather than modified. The signal lives in the producer string itself: institutional payroll providers do not distribute payslips with a raw Puppeteer or Chromium producer in any documented workflow, which makes the combination a strong fabrication signal that warrants employer verification.

Can a Xero or MYOB free-trial account beat the structural check?

Yes — this is an honest limitation. A candidate who opens a free trial, sets up a fictitious company, and exports a payslip produces a structurally clean file with a genuine Xero or MYOB producer. Structural forensics cannot distinguish that file from a payslip emitted by a real Xero client. Employer fraud detection through registry lookups and reference calls is the layer that catches this pattern.

Do background-check platforms verify the payslip’s file structure?

Standard background checks confirm employment dates, job title, and sometimes salary against employer databases or direct contact. They do not analyse the submitted file’s internal structure. For employers outside the major databases — small businesses, international employers — the submitted PDF is often the only evidence, which is exactly where a structural check adds the most.
