logo
Experience letter fraud

Fake Experience Letter Detection — Catch Forged Proof

A fabricated experience letter looks identical to a real one — until you read the file structure. Talent ops teams, BGV operators, and visa sponsors all face the same pattern: a candidate cannot prove four years at a previous employer, so they author a letter in Microsoft Word, sign it themselves, export to PDF, upload. Visual review passes. Structural analysis does not.

~3 sec
per document
35 checks
forensic layers
From $15
per month
1,500+
docs / month on Growth
Scope

htpbe? analyzes the structural layer of the PDF file — the layer that records every edit, even invisible ones. We don’t inspect holograms, phone photos, or ID biometrics. If your fraud problem is a digitally fabricated or tampered experience letter, we’re the most specific tool for it.

When htpbe? returns INCONCLUSIVE on an experience letter, that’s the expected baseline (these documents legitimately come from desktop tools at small employers); combine with other markers before flagging.

How it looks

One REST call, one deterministic verdict

Upload the PDF. The API returns INTACT, MODIFIED, or INCONCLUSIVE with named markers — in about three seconds.

What this looks like

How fake and tampered experience letters actually look

Three real fraud mechanics we catch at the structural PDF layer.

01

Letter authored in Microsoft Word from scratch

No previous employer involved. The candidate writes the letter in Word using the company’s logo lifted from LinkedIn, signs the HR Manager’s name, exports to PDF. The producer field shows Microsoft Word — not the document management system or CRM authentic letters come from.

02

Real letter with edited dates or salary

An applicant has a genuine letter from a brief stint, but the dates or compensation don’t support the role they’re applying for. They open the PDF in Adobe Acrobat or an online editor, change the dates from "Jan 2022 — Aug 2022" to "Jan 2020 — Aug 2024", re-export. Incremental update markers expose the edit.

03

Signature lifted and pasted

A signature image cropped from another document and pasted onto a fabricated letter. Image-layer artefacts (mismatched compression, misaligned baseline, redundant object streams) flag the substitution.

The scale

~1 in 8
job applicants misrepresent prior employment on background checks
$17K+
average cost to replace a fraudulent hire
~3 sec
per experience letter via API

Why your existing checks miss this

BGV calls the employer. It does not inspect the file.

Both layers matter. The employer call only works if they pick up.

BGV platforms (AuthBridge, IDfy, OnGrid, Springworks) call the previous employer to confirm employment dates and role. This works when the employer responds — but Indian BGV failure rates on previous-employment verification routinely run 15–30% (employer non-response, defunct companies, HR-team turnover). When verification cannot be completed, candidates fill the gap with a letter. htpbe? catches the file the candidate sent, regardless of whether the previous employer responds. Use both: BGV for the fact when reachable, htpbe? for the file always.

Results in under 3 seconds30 to 1,500+ documents/monthFrom $15/mo
How it works

Five forensic layers, one deterministic verdict

Every PDF we receive passes through the same structural pipeline — no model training, no thresholds to tune.

01

Metadata analysis

Creation and modification timestamps, producer and creator fields, XMP metadata — the first layer exposes basic tampering.

02

File structure

Xref tables, trailer chain, incremental updates. Any edit after export leaves a structural fingerprint here.

03

Digital signatures

Signature chain integrity and post-signature modifications produce deterministic markers. Certainty-level signal.

04

Content integrity

Fonts, objects, embedded content, page assembly. Multi-session edits and inserted objects are visible at this layer.

05

Verdict with markers

Deterministic output: INTACT / MODIFIED / INCONCLUSIVE, with named markers for every finding — suitable for audit trail.

See the full 35-check breakdown
Document types

Experience letter and adjacent employment-proof PDFs we check

Every type listed below is analyzed at the structural file layer — not the rendered image.

Experience letter PDFRelieving letter PDFReference letter PDFOffer letter PDF (previous employer)Employment verification letter PDFSalary certificate PDFService certificate PDF
What htpbe? checks

Detection capabilities

Deterministic structural signals. No probabilistic scores, no model training.

Producer signature on the letter

Authentic experience letters come from the previous employer’s document workflow — typically a payroll engine, HRMS export, or DocuSign workflow. When the producer field shows Microsoft Word, LibreOffice, Google Docs, or Chrome Headless, the letter was authored on a desktop and exported by hand.

Letterhead consistency

Real corporate letterheads are embedded as part of the template’s font and image objects. Lifted-and-pasted logos appear as redundant image streams with mismatched compression — a structural fingerprint of fabrication.

Digital signature presence and chain

Many large employers digitally sign experience letters via DocuSign, Adobe Sign, or HelloSign. Authentic letters carry a valid signature chain. Fabricated letters either lack signatures entirely or have invalidated chains.

Incremental update trail

A clean export from a corporate document system has one xref table. Hand-edited letters have two or more — visible structural evidence of post-issuance editing.

Image-layer artefacts in pasted signatures

Signatures dropped in from external sources have different JPEG/PNG compression characteristics than the rest of the document. The image stream metadata exposes the paste.

Modification timestamp gap

Real letters have ModDate equal or near CreationDate. Hand-edited letters show gaps of days or weeks between creation and modification.

Integrate in minutes

Two HTTP calls to verify any experience letter

Buyers can skip this section — developers, the integration is two HTTP calls.

Step 1 — submit the PDF

curl -X POST https://api.htpbe.tech/v1/analyze \
  -H "Authorization: Bearer $HTPBE_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"url": "https://your-storage/candidate-experience-letter.pdf"}'

Step 2 — read the verdict

{
  "id": "x1y2z3a4-5b6c-7d8e-9f0g-h1i2j3k4l5m6",
  "status": "inconclusive",
  "modification_confidence": "none",
  "modification_markers": [
    "Desktop-tool producer (Microsoft Word) — no corporate workflow signature",
    "Single-session creation — no incremental update trail",
    "No digital signature chain to verify"
  ],
  "producer": "Microsoft Word",
  "creator": "Microsoft Word",
  "creation_date": 1707091200,
  "modification_date": 1707091200,
  "has_digital_signature": false,
  "xref_count": 1,
  "has_incremental_updates": false
}

htpbe? returns inconclusive — there is no edit trail to confirm tampering, but the file lacks the corporate-workflow metadata real letters carry. In the experience-letter context, inconclusive is itself a high-confidence fraud signal: a genuine letter from a mid-size or large employer would carry a producer signature from their HRMS, e-sign workflow, or document management system — not Microsoft Word on a desktop. Treat inconclusive on an experience letter as a flag for manual employer verification.

Get your API key — free test keys includedFull API documentation

Customer Stories

Teams that stopped document fraud

Compliance, finance, and risk teams use htpbe? to catch manipulated PDFs before they become costly mistakes.

Caught an invoice where the total had been changed by less than a thousand dollars. Without this I would have approved it without a second look.

Sarah M.

AP Manager

United States

We had three applicants in the same week with bank statements that looked completely fine. Two of them were flagged as modified. You simply cannot see this by reading the document — it is in the file structure.

Lars V.

Risk Analyst, Online Lending

Netherlands

Salary slips were coming with altered figures. We identified two problematic files before the placement was finalised.

Priya K.

HR Operations Lead

India

Since we started checking documents this way, we stopped two applications early in the process that would have been very difficult to reverse later.

Julien R.

Fraud Analyst, Fintech

France

Some applicants were sending PDFs that looked authentic but had been edited in ways not visible to the eye. We now ask for verified originals when something is flagged. Already saved us from a few bad decisions.

Marta S.

Compliance Coordinator

Spain

One invoice was caught because there was a mismatch between the document dates and structure. That particular case would have cost us significantly.

Tariq A.

Finance Manager

United Arab Emirates

FAQ

Frequently asked questions

Small employers do exist and may legitimately export from Word. A Word producer alone is not a verdict — htpbe? combines it with other markers (signature presence, image-stream metadata, incremental updates, modification timestamp). When the only signal is "Word producer", the result is typically inconclusive — a prompt for manual employer verification rather than an automatic reject.
BGV calls the previous employer to confirm employment. htpbe? inspects the file the candidate uploaded. They are complementary — and htpbe? works even when BGV cannot reach the previous employer (which fails 15–30% of the time in Indian BGV operations).
Yes. Date edits leave incremental update markers in the xref chain regardless of whether the visual layout looks clean. The verdict will be modified with the incremental-update marker — and your reviewer can see the file was changed after issuance.
A phone photo is a raster image with no PDF structure to analyse — outside scope. Always require the original PDF from the previous employer. If the candidate cannot provide it, treat that as a separate signal.
htpbe? returns INCONCLUSIVE when an experience letter PDF was authored on a desktop and lacks edit-trail evidence (no incremental update, no signature chain, no certainty markers fired). For an experience letter, INCONCLUSIVE is the expected baseline rather than an automatic fraud signal — small and mid-size employers legitimately author these letters in Word or Google Docs, and a clean single-session export is normal. Combine INCONCLUSIVE with the other markers htpbe? returns (image-stream artefacts, signature image hashes, modification timestamp, cross-document signature reuse) before flagging. INCONCLUSIVE alone on an experience letter is a prompt for manual employer verification, not an automatic red flag.
Related

Related solutions and guides

Solution

HR & Hiring

Pre-employment document fraud detection for talent ops and BGV operators.

Read more
Technical guide

Fake Relieving Letter Detection

Sister page — same structural forensics applied to relieving letters at separation.

Read more
Technical guide

Fake Salary Slip Detection

Same forensics for monthly salary slips submitted as previous-employment proof.

Read more
Technical guide

Fake Offer Letter Detection

Same cluster — offer letter forensics for BGV, lending, and visa workflows.

Read more

Secure your workflow

Create your account — API key on signup, free test environment on every plan.
From $15/mo. No sales call. Cancel any time.

Secure your workflowView API docs