logo
1099 fraud

Fake 1099 Detection — Catch Tampered Self-Employment PDFs

A 1099 is the only income proof a self-employed borrower has — and the easiest one to inflate. Self-employed borrowers face stricter income-verification standards than W-2 employees. Many lenders treat the 1099 PDF as the primary document of record. When the contractor edits the figure on Box 1 (NEC) or Box 7 (Nonemployee compensation, MISC) before uploading, the wrong number anchors the entire underwriting decision.

~3 sec
per document
35 checks
forensic layers
From $15
per month
1,500+
docs / month on Growth
Scope

htpbe? analyzes the structural layer of the PDF file — the layer that records every edit, even invisible ones. We don’t inspect holograms, phone photos, or ID biometrics. If your fraud problem is a digitally altered or fabricated 1099, we’re the most specific tool for it.

When htpbe? returns INCONCLUSIVE on a 1099, that’s itself a fraud signal in this context — real 1099 exports always come from an accounting platform or payer system, never from a desktop tool.

How it looks

One REST call, one deterministic verdict

Upload the PDF. The API returns INTACT, MODIFIED, or INCONCLUSIVE with named markers — in about three seconds.

What this looks like

How fake and tampered 1099 PDFs actually look

Three real fraud mechanics we catch at the structural PDF layer.

01

Real 1099 edited after issuance

Authentic 1099 comes from the payer’s accounting software (QuickBooks, Xero, Wave, FreshBooks) or a platform issuer (Stripe Tax, Square, PayPal for 1099-K, Uber/Lyft/DoorDash). The contractor downloads it, opens it in any PDF editor or spreadsheet, edits Box 1 (NEC) or Box 7 (MISC), exports as PDF. The producer field changes from the source system to whichever editor was used.

02

1099 fabricated in Word from a template

A 1099-shaped PDF authored in Word using the IRS form layout copied from screenshots, populated with desired payer and amount, exported. The producer is Microsoft Word; the structured payer-system metadata authentic 1099s carry is missing entirely.

03

Multiple "monthly" 1099s aggregated to claim higher annual

A contractor stitches together "1099s" from several fake clients to claim higher aggregate income than reality. Cross-document timestamp clustering and font-subset consistency reveal that "five different payers" all generated PDFs within minutes of each other in the same session.

The scale

$11B+
in annual mortgage application fraud exposure (US)
~3 sec
per 1099 via API
No IRS
no IRS Get Transcript call needed — works on the file

Why your existing checks miss this

IRS Get Transcript verifies via consent. Most lenders cannot use it at scale.

Both layers matter. The PDF the contractor uploaded is what your underwriter opens.

IRS Get Transcript can verify 1099 figures with the IRS — but only with the borrower’s consent and one-by-one transcript pulls, which most lenders cannot run at scale. Bank-statement parsing platforms (Plaid, Finicity, MX) verify deposit history when the contractor connects their bank account — contractors who edited the 1099 rarely do. htpbe? catches the 1099 PDF the contractor uploaded at the moment of intake — standalone, no IRS API, no consent required.

Results in under 3 seconds30 to 1,500+ documents/monthFrom $15/mo
How it works

Five forensic layers, one deterministic verdict

Every PDF we receive passes through the same structural pipeline — no model training, no thresholds to tune.

01

Metadata analysis

Creation and modification timestamps, producer and creator fields, XMP metadata — the first layer exposes basic tampering.

02

File structure

Xref tables, trailer chain, incremental updates. Any edit after export leaves a structural fingerprint here.

03

Digital signatures

Signature chain integrity and post-signature modifications produce deterministic markers. Certainty-level signal.

04

Content integrity

Fonts, objects, embedded content, page assembly. Multi-session edits and inserted objects are visible at this layer.

05

Verdict with markers

Deterministic output: INTACT / MODIFIED / INCONCLUSIVE, with named markers for every finding — suitable for audit trail.

See the full 35-check breakdown
Document types

1099 and adjacent self-employment income PDFs we check

Every type listed below is analyzed at the structural file layer — not the rendered image.

1099-NEC PDF (Nonemployee Compensation)1099-MISC PDF (Miscellaneous Income)1099-K PDF (Payment Card and Third-Party Network Transactions)1099-INT / 1099-DIV / 1099-R PDFW-2 PDFTax return Schedule C PDF (self-employed profit/loss)Bank statement PDF (deposit history)Profit & loss statement PDF
What htpbe? checks

Detection capabilities

Deterministic structural signals. No probabilistic scores, no model training.

Producer signature mismatch

Authentic 1099s carry the producer signature of the payer’s accounting software or platform issuer (Stripe, Square, PayPal, Uber, etc.). When the producer is Microsoft Excel, Microsoft Word, LibreOffice, Chrome Headless, or a generic PDF library, the document was edited or fabricated on a desktop.

Incremental update trail

A clean accounting export has one cross-reference table. Re-saves through any editor append a second xref — visible structural evidence of post-issuance editing.

Cross-document timestamp clustering

When multiple 1099s arrive together claiming different payers, the API surfaces creation timestamps for each. Real 1099 issuance from different payers happens at different times. Batch-generated sets cluster within minutes — combined with identical font subsets, the batch pattern is unambiguous.

Box arithmetic verification

For 1099 forms with multiple boxes (federal income tax withheld, state info), arithmetic relationships are verified. Edited boxes break the chain unless every dependent field is also adjusted.

Modification timestamp gap

A real 1099 issued by January 31 has CreationDate ≈ ModDate. A months-later modification on a "freshly issued" 1099 is a high-confidence flag for post-export editing.

Font subset divergence across pages

Multi-session edits leave font subset prefix shifts. Single-session legitimate exports have consistent subsets across all pages.

Integrate in minutes

Two HTTP calls to verify any 1099

Buyers can skip this section — developers, the integration is two HTTP calls.

Step 1 — submit the PDF

curl -X POST https://api.htpbe.tech/v1/analyze \
  -H "Authorization: Bearer $HTPBE_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"url": "https://your-storage/contractor-1099nec-2024.pdf"}'

Step 2 — read the verdict

{
  "id": "z1n2e3c4-5o6n7e8z-9z0z-z1z2z3z4z5z6",
  "status": "inconclusive",
  "modification_confidence": "none",
  "modification_markers": [
    "Desktop-tool producer (Microsoft Word) — no accounting platform signature",
    "Single-session creation — no incremental update trail",
    "Image-stream artefacts in form layout"
  ],
  "producer": "Microsoft Word",
  "creator": "Microsoft Word",
  "creation_date": 1707091200,
  "modification_date": 1707091200,
  "has_digital_signature": false,
  "xref_count": 1,
  "has_incremental_updates": false
}

htpbe? returns inconclusive — there is no edit trail, but the file lacks the accounting-platform metadata genuine 1099s carry. In the 1099 context, inconclusive is itself a high-confidence fraud signal: a genuine 1099 from a paying client would carry a producer signature from QuickBooks, Stripe, Square, PayPal, or similar — not Microsoft Word on a desktop. Combined with image-stream artefacts in the IRS form layout (a screenshot pasted in), treat inconclusive as a flag for manual payer verification or income-data verification.

Get your API key — free test keys includedFull API documentation

Customer Stories

Teams that stopped document fraud

Compliance, finance, and risk teams use htpbe? to catch manipulated PDFs before they become costly mistakes.

Caught an invoice where the total had been changed by less than a thousand dollars. Without this I would have approved it without a second look.

Sarah M.

AP Manager

United States

We had three applicants in the same week with bank statements that looked completely fine. Two of them were flagged as modified. You simply cannot see this by reading the document — it is in the file structure.

Lars V.

Risk Analyst, Online Lending

Netherlands

Salary slips were coming with altered figures. We identified two problematic files before the placement was finalised.

Priya K.

HR Operations Lead

India

Since we started checking documents this way, we stopped two applications early in the process that would have been very difficult to reverse later.

Julien R.

Fraud Analyst, Fintech

France

Some applicants were sending PDFs that looked authentic but had been edited in ways not visible to the eye. We now ask for verified originals when something is flagged. Already saved us from a few bad decisions.

Marta S.

Compliance Coordinator

Spain

One invoice was caught because there was a mismatch between the document dates and structure. That particular case would have cost us significantly.

Tariq A.

Finance Manager

United Arab Emirates

FAQ

Frequently asked questions

Yes. The analysis is producer-agnostic — it inspects whichever PDF the contractor submits. Authentic 1099s from QuickBooks, Xero, Wave, FreshBooks, Stripe Tax, Square, PayPal (for 1099-K), Uber/Lyft/DoorDash, and other platform issuers all carry recognisable producer signatures. Re-saves change those signatures, which htpbe? flags.
Yes. When multiple 1099s arrive together claiming different payers, the API surfaces creation timestamps for each. Real 1099s from different payers have creation timestamps spread across late January (the IRS issuance window). Batch-fabricated sets cluster within minutes of each other in the same session — combined with identical font subset prefixes across "different payers", the batch pattern is unambiguous.
No. IRS Get Transcript is the authoritative source when usable. htpbe? inspects the 1099 PDF the contractor uploaded — covering cases where Get Transcript is impractical (manual one-off pulls, consent friction). Use both: Get Transcript for the data when available, htpbe? for the file always.
Authentic 1099s from these platforms carry recognisable producer signatures from the platform’s document engine. Re-saves and Word-fabricated copies show producer mismatches the same way major platforms do.
htpbe? returns INCONCLUSIVE when a 1099 PDF lacks the institutional producer signature that genuine payer-system exports carry — typically because the file was authored on a desktop with consumer software (Word, Excel, LibreOffice) rather than exported from an accounting platform such as QuickBooks, Xero, or a payer platform such as Stripe Tax, Square, or PayPal. In the 1099 context, INCONCLUSIVE is itself a high-confidence fraud signal: a real 1099 from any legitimate payer carries that payer’s producer signature — a desktop-tool 1099 is a strong indicator of fabrication. Treat INCONCLUSIVE on a 1099 as fraud-positive and route the case to payer verification or income-data verification before any underwriting decision.
Related

Related solutions and guides

Solution

Alternative Lending

Income document forensics for US alt-lenders, MCA platforms, and gig-economy fintech.

Read more
Solution

Mortgage Underwriting

1099 + W-2 + bank statement forensics for self-employed mortgage origination.

Read more
Technical guide

Fake W-2 Detection

Sister page — same forensics for employer-issued W-2 PDFs.

Read more
Technical guide

Fake Pay Stub Detection

Pay stub forensics — same US income-proof cluster submitted alongside 1099s.

Read more

Secure your workflow

Create your account — API key on signup, free test environment on every plan.
From $15/mo. No sales call. Cancel any time.

Secure your workflowView API docs