Asset & gift letter fraud

Fake Asset Letter Detection — Catch Tampered Mortgage PDFs

A gift letter is a one-page PDF that decides whether the down payment counts — and one borrowers know how to fake. Mortgage processors clear asset letters and gift letters as evidence of down-payment funds. The borrower needs the donor to confirm the money is a gift, not a loan; or the bank to confirm the balance. When the donor is reluctant — or when the balance does not actually exist — the temptation is the same: edit the letter or build one in Word with a lifted signature.

~3 sec per document
35 checks, forensic layers
From $15 per month
1,500+ docs / month on Growth

Scope

htpbe? analyzes the structural layer of the PDF file — the layer that records every edit, even invisible ones. We don’t inspect holograms, phone photos, or ID biometrics. If your fraud problem is a digitally altered or fabricated asset / gift letter, we’re the most specific tool for it.

When htpbe? returns INCONCLUSIVE on an asset or gift letter, that’s the expected baseline (these documents legitimately come from desktop tools — a donor’s Word document or a small bank’s letter template); combine with other markers before flagging.

How it looks

One REST call, one deterministic verdict

Upload the PDF. The API returns INTACT, MODIFIED, or INCONCLUSIVE with named markers — in about three seconds.

What this looks like

How fake and tampered asset / gift letters actually look

Three real fraud mechanics we catch at the structural PDF layer.

01. Real letter edited after issuance

A genuine asset letter was issued by the bank or signed by the donor. Borrower opens it in any PDF editor, edits the balance figure or the relationship-to-borrower line, exports as PDF. The xref chain shows an incremental update — visible structural evidence of post-issuance editing.

02. Letter authored from scratch with lifted signature

No real letter exists. Borrower builds one in Word using bank letterhead lifted from a public source, pastes a signature image lifted from another document or social media, exports as PDF. The pasted signature image carries different JPEG/PNG compression than the surrounding document — a clean structural fingerprint of fabrication.

03. Same signature reused across "different" donor letters

Multiple gift letters from supposedly different donors carry visually identical signatures with identical image-stream metadata — the signature image was recycled. Cross-document image hash comparison surfaces the reuse.

The scale

$11B+ in annual mortgage application fraud exposure (US)
~3 sec per asset / gift letter via API
No bank API: no bank-side or donor consent required — works on the file

Why your existing checks miss this

VOD calls the bank. The donor letter has no bank to call.

Both layers matter. The PDF the borrower uploaded is what your underwriter signs off.

Verification of Deposit services call the bank to confirm the balance — useful for asset letters but not for gift letters from individual donors. Day 1 Certainty asset verification (Account Aggregation) requires the borrower to connect the account; borrowers who fabricated the balance rarely consent. Manual donor verification is rare and slow. htpbe? catches the asset / gift letter PDF the borrower uploaded at the moment of intake — standalone, no bank-side or donor consent required.

Results in under 3 seconds
30 to 1,500+ documents/month
From $15/mo

How it works

Five forensic layers, one deterministic verdict

Every PDF we receive passes through the same structural pipeline — no model training, no thresholds to tune.

01. Metadata analysis

Creation and modification timestamps, producer and creator fields, XMP metadata — the first layer exposes basic tampering.

02. File structure

Xref tables, trailer chain, incremental updates. Any edit after export leaves a structural fingerprint here.

03. Digital signatures

Signature chain integrity and post-signature modifications produce deterministic markers. Certainty-level signal.

04. Content integrity

Fonts, objects, embedded content, page assembly. Multi-session edits and inserted objects are visible at this layer.

05. Verdict with markers

Deterministic output: INTACT / MODIFIED / INCONCLUSIVE, with named markers for every finding — suitable for audit trail.

Document types

Asset, gift, and supporting mortgage PDFs we check

Every type listed below is analyzed at the structural file layer — not the rendered image.

Asset letter PDF (bank-issued)
Gift letter PDF (donor-signed)
Verification of Deposit (VOD) PDF
Bank statement PDF (asset balance)
Earnest money deposit receipt PDF
Source-of-funds letter PDF
Brokerage statement PDF

What htpbe? checks

Detection capabilities

Deterministic structural signals. No probabilistic scores, no model training.

Image-stream artefact detection

Lifted-and-pasted signatures and bank logos carry different JPEG/PNG compression characteristics than the surrounding document. Image-stream metadata mismatches are a structural fingerprint of fabrication or post-issuance signature swapping.

Incremental update trail

A clean letter has one cross-reference table. Edits to balance figures, dates, or signatures append a second xref — visible structural evidence of post-issuance editing.

Cross-document signature reuse

When multiple gift letters from "different" donors arrive in the same file, the API surfaces image hashes for each signature. Identical hashes across donors flag signature recycling.
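The cross-document comparison described above, sketched locally as an added example (not htpbe? code): it hashes each image XObject's stored stream bytes and reports images that appear under more than one donor. The donor labels, helper names and sample bytes are constructed for illustration.

```python
import hashlib
import re
from collections import defaultdict

# An object's dictionary and its stream body. The lookahead stops at endobj so
# one match never spans two objects. Heuristic: a real parser honours /Length.
_STREAM_OBJ = re.compile(
    rb"\d+ \d+ obj\s*(<<(?:(?!endobj).)*?>>)\s*stream\r?\n(.*?)\r?\nendstream",
    re.S)

def image_hashes(pdf: bytes) -> set:
    """SHA-256 of every image XObject's stored (still encoded) stream bytes."""
    return {hashlib.sha256(body).hexdigest()
            for head, body in _STREAM_OBJ.findall(pdf)
            if re.search(rb"/Subtype\s*/Image", head)}

def reused_images(letters: dict) -> dict:
    """Map image hash -> donors, for images that appear under several donors."""
    donors_by_hash = defaultdict(set)
    for donor, pdf in letters.items():
        for digest in image_hashes(pdf):
            donors_by_hash[digest].add(donor)
    return {h: sorted(d) for h, d in donors_by_hash.items() if len(d) > 1}

def _letter(text: bytes, signature: bytes) -> bytes:
    """Constructed fragment: one text stream and one image stream."""
    return (b"%%PDF-1.7\n1 0 obj\n<< /Length %d >>\nstream\n%s\nendstream\nendobj\n"
            b"2 0 obj\n<< /Type /XObject /Subtype /Image /Filter /DCTDecode"
            b" /Length %d >>\nstream\n%s\nendstream\nendobj\n"
            % (len(text), text, len(signature), signature))

# Constructed sample: donor_1 and donor_2 carry the same signature bytes.
SIG_A = b"\xff\xd8constructed-signature-A\xff\xd9"
SIG_B = b"\xff\xd8constructed-signature-B\xff\xd9"
LETTERS = {
    "donor_1": _letter(b"Gift from aunt", SIG_A),
    "donor_2": _letter(b"Gift from friend", SIG_A),
    "donor_3": _letter(b"Gift from parent", SIG_B),
}

if __name__ == "__main__":
    for digest, donors in reused_images(LETTERS).items():
        print(digest[:16], donors)
```

An exact hash only matches byte-identical streams, and a shared letterhead image collides just as a shared signature does, so a hit still needs a look at which image it is.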

Modification timestamp gap

A real letter dated last week has CreationDate ≈ ModDate within days. A months-later modification on a "freshly signed" letter is a high-confidence flag for post-issuance editing.
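The incremental-update and timestamp-gap signals above can be approximated on raw bytes; this is an added sketch, not htpbe? code. The marker names, the 7-day tolerance and the sample fragments are assumptions made for the example.

```python
import re
from datetime import datetime

# PDF date strings: D:YYYYMMDDHHmmSS plus an optional zone (zone ignored here).
_DATE = re.compile(rb"/(CreationDate|ModDate)\s*\(D:(\d{14})")
_REVISION_END = re.compile(rb"startxref\s+\d+\s+%%EOF")

def revision_count(pdf: bytes) -> int:
    """Each saved revision ends with 'startxref <offset> %%EOF'."""
    return len(_REVISION_END.findall(pdf))

def date_gap_days(pdf: bytes):
    """Days from CreationDate to ModDate; the latest revision's values win."""
    found = {}
    for key, stamp in _DATE.findall(pdf):
        found[key] = datetime.strptime(stamp.decode(), "%Y%m%d%H%M%S")
    if len(found) < 2:
        return None  # dates absent, compressed or encrypted
    return (found[b"ModDate"] - found[b"CreationDate"]).days

def structural_markers(pdf: bytes, max_gap_days: int = 7) -> list:
    """Marker names and the 7-day tolerance are this sketch's own choices."""
    markers = []
    # A linearized ("fast web view") file carries two xref sections by design.
    baseline = 2 if b"/Linearized" in pdf[:1024] else 1
    if revision_count(pdf) > baseline:
        markers.append("incremental_update")
    gap = date_gap_days(pdf)
    if gap is not None and gap > max_gap_days:
        markers.append(f"modification_gap_{gap}d")
    return markers

# Constructed fragments: only the bytes the scan reads, not renderable PDFs.
ISSUED = (b"%PDF-1.7\n1 0 obj\n<< /Producer (Microsoft Word)"
          b" /CreationDate (D:20240124000000Z) /ModDate (D:20240124000000Z) >>\n"
          b"endobj\nxref\n0 2\ntrailer\n<< /Size 2 /Info 1 0 R >>\n"
          b"startxref\n120\n%%EOF\n")
# The same file after an editor appended a second revision three weeks later.
EDITED = ISSUED + (
    b"1 0 obj\n<< /Producer (Microsoft Word)"
    b" /CreationDate (D:20240124000000Z) /ModDate (D:20240215000000Z) >>\n"
    b"endobj\nxref\n0 2\ntrailer\n<< /Size 2 /Info 1 0 R /Prev 120 >>\n"
    b"startxref\n310\n%%EOF\n")

if __name__ == "__main__":
    print(structural_markers(ISSUED))
    print(structural_markers(EDITED))
```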

Producer signature analysis

Asset letters legitimately come from bank document systems or from desktop tools (small-bank letters often originate in Word). The signal is not Word-versus-bank-system; it is Word + lifted signature image + no incremental update versus Word + clean content. Combined producer + image + update markers produce the verdict.

Font subset divergence across pages

Multi-session edits leave font subset prefix shifts. Single-session legitimate letters have consistent subsets across all pages.

Integrate in minutes

Two HTTP calls to verify any asset / gift letter

Buyers can skip this section — developers, the integration is two HTTP calls.

Step 1 — submit the PDF

curl -X POST https://api.htpbe.tech/v1/analyze \
  -H "Authorization: Bearer $HTPBE_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"url": "https://your-storage/borrower-gift-letter.pdf"}'

Step 2 — read the verdict

{
  "id": "g1i2f3t4-5l6e-7t8t-9e0r-f1g2h3i4j5k6",
  "status": "modified",
  "modification_confidence": "high",
  "modification_markers": [
    "Signature image stream metadata mismatch",
    "Two cross-reference tables — incremental update",
    "Modification date 3 weeks after creation date"
  ],
  "producer": "Microsoft Word",
  "creator": "Microsoft Word",
  "creation_date": 1706054400,
  "modification_date": 1707955200,
  "has_digital_signature": false,
  "xref_count": 2,
  "has_incremental_updates": true
}

A real gift letter from a donor would typically be a single-session Word-to-PDF export with the donor’s signature embedded as a consistent image stream. Here the signature image carries different compression than the surrounding document (lifted from elsewhere), and the file was re-saved three weeks after creation (post-signing edit). Verdict: modified at high confidence. The borrower fabricated the gift letter or edited a real one after the donor signed.
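One way an intake service could route on this response, following the page's guidance that INCONCLUSIVE is a baseline and not a flag (added example, not htpbe? client code). The action names are hypothetical, and it assumes any markers for an inconclusive file also arrive in `modification_markers`.

```python
# The Step 2 response from this page, embedded so the example runs offline.
SAMPLE = {
    "id": "g1i2f3t4-5l6e-7t8t-9e0r-f1g2h3i4j5k6",
    "status": "modified",
    "modification_confidence": "high",
    "modification_markers": [
        "Signature image stream metadata mismatch",
        "Two cross-reference tables — incremental update",
        "Modification date 3 weeks after creation date",
    ],
    "creation_date": 1706054400,
    "modification_date": 1707955200,
    "xref_count": 2,
    "has_incremental_updates": True,
}

def triage(resp: dict) -> dict:
    """Turn one analysis response into a routing decision plus audit fields."""
    status = str(resp.get("status", "")).lower()
    markers = list(resp.get("modification_markers") or [])
    created, modified = resp.get("creation_date"), resp.get("modification_date")
    gap_days = None
    if isinstance(created, int) and isinstance(modified, int):
        gap_days = (modified - created) // 86400  # epoch seconds to whole days
    if status == "modified":
        action = "hold_for_fraud_review"
    elif status == "intact":
        action = "standard_processing"
    elif status == "inconclusive" and markers:
        # Assumption: other markers on an inconclusive file arrive in this list.
        action = "hold_for_fraud_review"
    else:
        # Inconclusive alone is the expected baseline for these letters. A
        # missing or unknown status goes the same way so nothing auto-clears.
        action = "manual_donor_verification"
    return {"id": resp.get("id"), "status": status or "missing",
            "action": action, "markers": markers, "gap_days": gap_days}

if __name__ == "__main__":
    print(triage(SAMPLE))
```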

Customer Stories

Teams that stopped document fraud

Compliance, finance, and risk teams use htpbe? to catch manipulated PDFs before they become costly mistakes.

Caught an invoice where the total had been changed by less than a thousand dollars. Without this I would have approved it without a second look.

Sarah M.

AP Manager

United States

We had three applicants in the same week with bank statements that looked completely fine. Two of them were flagged as modified. You simply cannot see this by reading the document — it is in the file structure.

Lars V.

Risk Analyst, Online Lending

Netherlands

Salary slips were coming with altered figures. We identified two problematic files before the placement was finalised.

Priya K.

HR Operations Lead

India

Since we started checking documents this way, we stopped two applications early in the process that would have been very difficult to reverse later.

Julien R.

Fraud Analyst, Fintech

France

Some applicants were sending PDFs that looked authentic but had been edited in ways not visible to the eye. We now ask for verified originals when something is flagged. Already saved us from a few bad decisions.

Marta S.

Compliance Coordinator

Spain

One invoice was caught because there was a mismatch between the document dates and structure. That particular case would have cost us significantly.

Tariq A.

Finance Manager

United Arab Emirates

FAQ

Frequently asked questions

A genuine letter authored in Word and exported once will return intact or inconclusive — it has a Word producer signature but no incremental update trail and no signature image-stream artefacts. The verdict combines multiple markers; a Word producer alone is not a flag. The combination of Word producer + lifted-signature artefacts + post-creation modification is what triggers modified.
Yes. VOD PDFs from bank document systems carry recognisable producer signatures. Re-saves change those signatures and append xref tables. Word-fabricated VODs trigger producer-mismatch flags. The same forensics applies.
Yes. When multiple gift letters arrive in the same file, the API surfaces image hashes for each signature region. Identical image hashes across "different" donors signal signature recycling — a high-confidence fraud flag.
No. Manual donor verification — calling the donor to confirm the gift — remains the gold standard. htpbe? inspects the file at intake, before manual verification, to flag obvious tampering and prioritise which letters need the slower manual call.
htpbe? returns INCONCLUSIVE when an asset or gift letter PDF was authored on a desktop and lacks edit-trail evidence (no incremental update, no certainty markers fired). For asset and gift letters, INCONCLUSIVE is the expected baseline rather than an automatic fraud signal — a donor writing a gift letter in Word, or a small bank or credit union drafting an asset letter in Word, is entirely normal. Combine INCONCLUSIVE with the other markers htpbe? returns (signature image-stream artefacts, cross-document signature reuse, modification timestamp gap) before flagging. INCONCLUSIVE alone on an asset or gift letter is a prompt for manual verification, not a red flag.

Secure your workflow

Create your account — API key on signup, free test environment on every plan.
From $15/mo. No sales call. Cancel any time.