logo
ITR fraud

An Income Tax Return PDF can be edited and re-saved with a higher gross — and still print clean

NBFCs use it as primary income proof. Embassies use it as supporting documentation. And every applicant who needed a higher loan or a stronger visa case knows that the original ITR-V from the Income Tax portal can be edited in five minutes. The page renders identically. The file structure does not.

~3 sec
per document
35 checks
forensic layers
From $15
per month
1,500+
docs / month on Growth
Scope

htpbe? analyzes the structural layer of the PDF file — the layer that records every edit, even invisible ones. We don’t inspect holograms, phone photos, or ID biometrics. If your fraud problem is a digitally altered or fabricated ITR, we’re the most specific tool for it.

When htpbe? returns INCONCLUSIVE on an ITR, that’s itself a fraud signal in this context — real ITR-V exports always come from the Income Tax portal, never from a desktop tool.

How it looks

One REST call, one deterministic verdict

Upload the PDF. The API returns INTACT, MODIFIED, or INCONCLUSIVE with named markers — in about three seconds.

What this looks like

How fake and tampered ITR PDFs actually look

Three real fraud mechanics we catch at the structural PDF layer.

01

Gross taxable income inflated in Excel

Authentic ITR-V comes from the Income Tax portal as a generated PDF with the IT Department’s producer signature. The applicant downloads it, opens it in any PDF editor or spreadsheet, edits the Gross Total Income, exports as PDF. The producer field changes from the IT portal to whichever editor was used. Visual layout preserved; file fingerprint flipped.

02

Acknowledgement number fabricated to match a fake ITR

The applicant builds a phony ITR PDF in Word using a screenshot of the layout, types in a plausible 15-digit acknowledgement number, exports. The structural metadata of the IT Department’s portal is missing entirely — and the producer field is Microsoft Word, not the portal’s engine.

03

Refund amount edited up to support claimed income

When the gross is increased, the refund or tax payable should change to match. Edited ITRs often leave the refund untouched, which the structural arithmetic check catches. Combined with the producer mismatch, the verdict is unambiguous.

The scale

~$3.1B
fraudulent loan applications use altered income docs annually
~3 sec
per ITR via API
No DB
no Income Tax Department API call needed — works on the file

Why your existing checks miss this

Document parsers extract numbers. They do not verify the file.

OCR can read whatever the PDF shows — even if the PDF was edited after issuance.

NBFC document-parsing platforms (Perfios, ScoreMe, Karza) extract figures from ITRs via OCR and run rules — they don’t analyse the PDF’s file structure. If the applicant edits the gross after issuance and re-exports, the OCR happily reads the inflated number. The IT Department portal has its own verification but requires the applicant’s consent for portal access — most teams cannot rely on it. htpbe? fills the structural-PDF layer those workflows do not provide — standalone, no IT Department call, no candidate consent for portal access.

Results in under 3 seconds30 to 1,500+ documents/monthFrom $15/mo
How it works

Five forensic layers, one deterministic verdict

Every PDF we receive passes through the same structural pipeline — no model training, no thresholds to tune.

01

Metadata analysis

Creation and modification timestamps, producer and creator fields, XMP metadata — the first layer exposes basic tampering.

02

File structure

Xref tables, trailer chain, incremental updates. Any edit after export leaves a structural fingerprint here.

03

Digital signatures

Signature chain integrity and post-signature modifications produce deterministic markers. Certainty-level signal.

04

Content integrity

Fonts, objects, embedded content, page assembly. Multi-session edits and inserted objects are visible at this layer.

05

Verdict with markers

Deterministic output: INTACT / MODIFIED / INCONCLUSIVE, with named markers for every finding — suitable for audit trail.

See the full 35-check breakdown
Document types

ITR and adjacent income-proof PDFs we check

Every type listed below is analyzed at the structural file layer — not the rendered image.

ITR-V acknowledgement PDFITR Form (1, 2, 3, 4) PDFForm 16 PDFForm 26AS PDFComputation of income statement PDFBank statement PDF (refund credits, advance tax)CA-attested income certificate PDF
What htpbe? checks

Detection capabilities

Deterministic structural signals. No probabilistic scores, no model training.

Producer signature on the ITR PDF

Authentic ITR-V comes from the Income Tax portal — a unique, recognisable producer signature. When the producer is Microsoft Excel, LibreOffice, Microsoft Word, Chrome Headless, or a generic PDF library, the document was edited or fabricated on a desktop.

IT portal metadata block presence

Real ITR-V embeds structured metadata from the Income Tax portal — acknowledgement digest, e-filing receipt identifiers, system-generated barcodes encoded as objects. Generator-tool fakes don’t reproduce this metadata. Missing or malformed identifiers are a clean signal of fabrication.

Incremental update trail

Authentic ITR PDFs have one cross-reference table. Re-saves through Excel or PDF editors append a second xref — visible structural evidence of post-issuance editing.

Income arithmetic

Line arithmetic across the computation (Gross → exemptions → deductions → Taxable → Tax → Refund) is verified row by row. Edited gross figures break the chain unless every dependent field is also adjusted — which fraudsters routinely miss.

Modification timestamp gap

A real ITR filed in July has CreationDate ≈ ModDate. A six-month gap on a "freshly filed" ITR is a high-confidence flag for post-export editing.

Font subset and barcode object integrity

The IT portal embeds barcodes as specific object streams; tampered files often break or omit these objects. Font subset prefix divergence across pages is another structural fingerprint of multi-session editing.

Integrate in minutes

Two HTTP calls to verify any ITR PDF

Buyers can skip this section — developers, the integration is two HTTP calls.

Step 1 — submit the PDF

curl -X POST https://api.htpbe.tech/v1/analyze \
  -H "Authorization: Bearer $HTPBE_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"url": "https://your-storage/applicant-itr-fy2024.pdf"}'

Step 2 — read the verdict

{
  "id": "i1t2r3x4-5y6z-7a8b-9c0d-e1f2g3h4i5j6",
  "status": "modified",
  "modification_confidence": "high",
  "modification_markers": [
    "Spreadsheet producer detected (LibreOffice Calc)",
    "IT portal metadata block missing",
    "Incremental update detected — three xref tables"
  ],
  "producer": "LibreOffice Calc 7.6",
  "creator": "Income Tax Portal (original)",
  "creation_date": 1689638400,
  "modification_date": 1707955200,
  "has_digital_signature": false,
  "xref_count": 3,
  "has_incremental_updates": true
}

Original came from the Income Tax Portal. Then six months later it was opened in LibreOffice Calc and re-saved twice — adding two more xref tables. The IT portal metadata block is gone. Verdict: modified at high confidence. The applicant edited the figures after filing.

Get your API key — free test keys includedFull API documentation

Customer Stories

Teams that stopped document fraud

Compliance, finance, and risk teams use htpbe? to catch manipulated PDFs before they become costly mistakes.

Caught an invoice where the total had been changed by less than a thousand dollars. Without this I would have approved it without a second look.

Sarah M.

AP Manager

United States

We had three applicants in the same week with bank statements that looked completely fine. Two of them were flagged as modified. You simply cannot see this by reading the document — it is in the file structure.

Lars V.

Risk Analyst, Online Lending

Netherlands

Salary slips were coming with altered figures. We identified two problematic files before the placement was finalised.

Priya K.

HR Operations Lead

India

Since we started checking documents this way, we stopped two applications early in the process that would have been very difficult to reverse later.

Julien R.

Fraud Analyst, Fintech

France

Some applicants were sending PDFs that looked authentic but had been edited in ways not visible to the eye. We now ask for verified originals when something is flagged. Already saved us from a few bad decisions.

Marta S.

Compliance Coordinator

Spain

One invoice was caught because there was a mismatch between the document dates and structure. That particular case would have cost us significantly.

Tariq A.

Finance Manager

United Arab Emirates

FAQ

Frequently asked questions

No. htpbe? performs standalone forensic analysis on the PDF itself — no IT Department API call, no candidate consent for portal access, no third-party database. The signals are inside the file structure.
OCR-based parsers extract figures from the PDF — they read whatever the PDF shows, even if the figures were edited after issuance. htpbe? inspects the file structure to detect that editing happened. Use both: parsers for data extraction, htpbe? for integrity verification.
Yes. Fabricated ITRs lack the IT portal’s producer signature and the structured metadata block authentic ITR-V carries. Generator tools cannot reproduce these identifiers correctly. The verdict is typically modified or inconclusive with producer-mismatch and missing-metadata flags.
CA-filed ITRs come from the same IT portal export when the applicant downloads the ITR-V — the producer signature and metadata are identical to self-filed returns. The CA’s involvement does not change the file structure of the official PDF.
htpbe? returns INCONCLUSIVE when an ITR PDF lacks the institutional metadata that genuine Income Tax portal exports carry — typically because the file was authored on a desktop with consumer software (Word, Excel, LibreOffice) rather than downloaded from the IT portal as an official ITR-V. In the ITR context, INCONCLUSIVE is itself a high-confidence fraud signal: a legitimate ITR-V always comes from the Income Tax portal, never from a desktop tool. Treat INCONCLUSIVE on an ITR as fraud-positive and route the case to manual income verification or request the original ITR-V download before approving.
Related

Related solutions and guides

Solution

Alternative Lending

ITR + Form 16 + bank statement forensics for NBFC and alt-lender underwriting pipelines.

Read more
Technical guide

Fake Form 16 Detection

Sister page — same structural forensics for the employer-issued TDS certificate.

Read more
Technical guide

Fake Salary Slip Detection

Salary slips submitted alongside ITR as supporting income proof.

Read more

Secure your workflow

Create your account — API key on signup, free test environment on every plan.
From $15/mo. No sales call. Cancel any time.

Secure your workflowView API docs