Fake Employment Letter Detection — Catch Forged Letters
An employment verification letter is the cheapest piece of paper a borrower or tenant can fabricate — and the one your underwriting team trusts. Mortgage and personal-loan underwriters, leasing agents, immigration officers, and HR onboarding teams all accept employment verification letters as proof. Fraud rings know it. They author letters in Microsoft Word using a real employer’s template, sign an HR Manager’s name, export to PDF. Visual review passes; structural analysis does not.
htpbe? analyzes the structural layer of the PDF file — the layer that records every edit, even invisible ones. We don’t inspect holograms, phone photos, or ID biometrics. If your fraud problem is a digitally fabricated or tampered employment verification letter, we’re the most specific tool for it.
Employment letters are mixed-origin: large employers issue them through HRMS, voluntary-VOE platforms (The Work Number), or DocuSign workflows (institutional metadata expected); small employers and HR managers legitimately export from Word (desktop metadata expected). When htpbe? returns INCONCLUSIVE, the meaning depends on the named employer. Read the FAQ for guidance.
One REST call, one deterministic verdict
Upload the PDF. The API returns INTACT, MODIFIED, or INCONCLUSIVE with named markers — in about three seconds.
How fake and tampered employment letters actually look
Three real fraud mechanics we catch at the structural PDF layer.
Letter authored in Microsoft Word from scratch
No employer involved. The applicant downloads the company logo from LinkedIn, drops it into Word, types the verification letter with an inflated salary or invented role, signs an HR Manager’s name they invented, exports to PDF. The producer field shows Microsoft Word — not the HRMS, VOE platform, or DocuSign workflow large employers use.
Real letter with edited salary, dates, or role
Applicant has a genuine letter but the salary or tenure doesn’t support the loan, lease, or visa they want. They open the PDF in any editor, change the figure or date, re-export. Incremental update markers expose the edit even when the visual layout looks pixel-perfect.
Letter signed by a non-existent or impersonated HR Manager
A "Director of Human Resources" name nobody at the named company has heard of, with a signature that doesn’t match anything else from that employer. The structural fingerprints (Word producer, single-session export, no e-sign chain) match a desktop fabrication regardless of the visual letterhead.
The scale
Why your existing checks miss this
VOE platforms verify the fact when they have the employer. Underwriters often don’t.
And visual review of an employment letter PDF rarely catches a Word fabrication.
VOE platforms (The Work Number, Truework, Argyle) cover roughly two-thirds of large US employers — they confirm employment instantly when the named employer is in network. Outside that network (small employers, international, gig, recent hires), underwriters fall back to the PDF letter the applicant uploaded. htpbe? catches the file the applicant uploaded — works regardless of VOE coverage. Use VOE where you have it; use htpbe? everywhere else.
Five forensic layers, one deterministic verdict
Every PDF we receive passes through the same structural pipeline — no model training, no thresholds to tune.
Metadata analysis
Creation and modification timestamps, producer and creator fields, XMP metadata — the first layer exposes basic tampering.
File structure
Xref tables, trailer chain, incremental updates. Any edit after export leaves a structural fingerprint here.
Digital signatures
Signature chain integrity and post-signature modifications produce deterministic markers. Certainty-level signal.
Content integrity
Fonts, objects, embedded content, page assembly. Multi-session edits and inserted objects are visible at this layer.
Verdict with markers
Deterministic output: INTACT / MODIFIED / INCONCLUSIVE, with named markers for every finding — suitable for audit trail.
Employment verification PDFs we check
Every type listed below is analyzed at the structural file layer — not the rendered image.
Detection capabilities
Deterministic structural signals. No probabilistic scores, no model training.
Producer signature on the letter
Authentic employment letters from large employers come from HRMS exports (Workday, SuccessFactors, BambooHR), VOE platforms (The Work Number, Truework), or DocuSign / Adobe Sign workflows. When the producer field shows Microsoft Word, LibreOffice, Google Docs, or a generic PDF library, the letter was authored on a desktop — context-dependent at small employers, a high-confidence flag against a Fortune 500 letterhead.
Digital signature presence and chain
Most large-employer verification letters are e-signed via DocuSign, Adobe Sign, or HelloSign. Authentic letters carry a valid signature chain visible in the PDF structure. Fabricated letters either lack signatures entirely or have invalidated chains.
Incremental update trail
A clean export from an HRMS or e-sign workflow has one cross-reference table. Re-saves through any PDF editor append a second xref — visible structural evidence of post-issuance editing on a salary, tenure, or signing party.
Letterhead and image-stream artefacts
Real corporate letterheads are embedded as part of the template’s font and image objects. Lifted-and-pasted logos appear as redundant image streams with mismatched compression characteristics — a structural fingerprint of fabrication.
Modification timestamp gap
A real letter issued at the time of request has CreationDate matching ModDate (single-session export). A weeks-or-months-later modification on a "freshly issued" letter is a high-confidence flag for post-export editing.
Cross-document signature reuse
When the same HR signature image appears across multiple "different" employer letters from a single applicant pool, image-stream hash matching exposes the shared source — a fingerprint of a single fabricator producing multiple verification letters.
Two HTTP calls to verify any employment letter
Buyers can skip this section — developers, the integration is two HTTP calls.
Step 1 — submit the PDF
curl -X POST https://api.htpbe.tech/v1/analyze \
-H "Authorization: Bearer $HTPBE_API_KEY" \
-H "Content-Type: application/json" \
-d '{"url": "https://your-storage/applicant-employment-letter.pdf"}'Step 2 — read the verdict
{
"id": "e1m2p3l4-5o6y-7m8e-9z0t-a1b2c3d4e5f6",
"status": "inconclusive",
"modification_confidence": "none",
"modification_markers": [
"Desktop-tool producer (Microsoft Word) — no HRMS or e-sign workflow signature",
"Single-session creation — no incremental update trail",
"No digital signature chain"
],
"producer": "Microsoft Word",
"creator": "Microsoft Word",
"creation_date": 1707091200,
"modification_date": 1707091200,
"has_digital_signature": false,
"xref_count": 1,
"has_incremental_updates": false
}htpbe? returns inconclusive — there’s no edit trail, but the file lacks the institutional metadata real letters carry. If the named employer is a Fortune 500 or any company that uses HRMS or DocuSign workflows, inconclusive with a Word producer is a high-confidence fraud signal. If the named employer is a small business that legitimately uses Word, inconclusive is the expected baseline — combine with other markers (image-stream artefacts, signature image hashes, timestamps) before flagging.
Customer Stories
Teams that stopped document fraud
Compliance, finance, and risk teams use htpbe? to catch manipulated PDFs before they become costly mistakes.
Caught an invoice where the total had been changed by less than a thousand dollars. Without this I would have approved it without a second look.
Sarah M.
AP Manager
United States
We had three applicants in the same week with bank statements that looked completely fine. Two of them were flagged as modified. You simply cannot see this by reading the document — it is in the file structure.
Lars V.
Risk Analyst, Online Lending
Netherlands
Salary slips were coming with altered figures. We identified two problematic files before the placement was finalised.
Priya K.
HR Operations Lead
India
Since we started checking documents this way, we stopped two applications early in the process that would have been very difficult to reverse later.
Julien R.
Fraud Analyst, Fintech
France
Some applicants were sending PDFs that looked authentic but had been edited in ways not visible to the eye. We now ask for verified originals when something is flagged. Already saved us from a few bad decisions.
Marta S.
Compliance Coordinator
Spain
One invoice was caught because there was a mismatch between the document dates and structure. That particular case would have cost us significantly.
Tariq A.
Finance Manager
United Arab Emirates
Frequently asked questions
inconclusive — combine with other markers (image-stream artefacts, signature image hashes, incremental updates, cross-document signature reuse) before flagging. The verdict is producer-aware in context, not a binary reject.modified with the incremental-update marker even when the visual layout looks clean.Related solutions and guides
Fintech & Lending
Mortgage and personal-loan applications using fabricated VOE letters — fraud-ops angle.
HR & Hiring
Pre-employment document fraud detection for talent ops and BGV operators.
Fake Offer Letter Detection
Sister page — same forensics applied to job offer letters in lending, visa, and onboarding.
Fake Diploma Detection
Same HR cluster — degree and transcript forensics for hiring and visa workflows.
Secure your workflow
Create your account — API key on signup, free test environment on every plan.
From $15/mo. No sales call. Cancel any time.