logo
NOA fraud

A CRA Notice of Assessment is the most-trusted income proof in Canada — and the most-edited

Mortgage brokers and B-lenders treat the NOA as authoritative — it’s the official CRA verdict on the borrower’s declared income. Express Entry candidates submit it as proof of Canadian work history. Whenever an applicant needs a higher figure, the temptation is the same: download the real NOA from CRA My Account, edit the line that matters, re-export. The page renders identically. The file structure does not.

~3 sec
per document
35 checks
forensic layers
From $15
per month
1,500+
docs / month on Growth
Scope

htpbe? analyzes the structural layer of the PDF file — the layer that records every edit, even invisible ones. We don’t inspect holograms, phone photos, or ID biometrics. If your fraud problem is a digitally altered or fabricated NOA, we’re the most specific tool for it.

When htpbe? returns INCONCLUSIVE on a Notice of Assessment, that’s itself a fraud signal in this context — real NOA exports always come from CRA My Account, never from a desktop tool.

How it looks

One REST call, one deterministic verdict

Upload the PDF. The API returns INTACT, MODIFIED, or INCONCLUSIVE with named markers — in about three seconds.

What this looks like

How fake and tampered NOA PDFs actually look

Three real fraud mechanics we catch at the structural PDF layer.

01

Real NOA edited and re-saved with a higher Total income

Authentic NOA comes from CRA My Account as a generated PDF with the CRA producer signature. The applicant downloads it, opens it in any PDF editor or spreadsheet, edits Line 15000 (Total income) or Line 26000 (Taxable income), exports as PDF. The producer field changes from CRA to whichever editor was used. Visual layout preserved; file fingerprint flipped.

02

NOA fabricated in Word from a screenshot of the CRA layout

A Word document built using the NOA layout copied from CRA documentation, populated with desired figures, exported as PDF. The producer is Microsoft Word; the CRA producer signature and structured CRA portal metadata authentic NOAs carry are missing entirely.

03

Tax year backdated to fill an income gap

A real NOA from one tax year gets edited to show a different year — covering a gap when the applicant was not earning Canadian income. Visual page looks legitimate; modification timestamp and incremental update markers reveal the post-issuance edit.

The scale

Top 3
fraud categories in Canadian mortgage applications involve income document tampering
~3 sec
per NOA via API
No CRA
no CRA API call needed — works on the file

Why your existing checks miss this

CRA Auto-fill My Return verifies via consent. Borrowers who edited the file rarely consent.

Both layers matter. The CRA call only works if the borrower lets you make it.

CRA Auto-fill My Return and similar consent-based tooling can verify NOA figures directly with CRA — when the borrower agrees to grant access. Borrowers who edited the file rarely do. OSFI B-20 guidelines push lenders to verify income, but the verification step is downstream and slow. IRCC immigration officers see NOAs in PDF form without consent-based CRA verification at all. htpbe? catches the NOA PDF the borrower or applicant uploaded at the moment of intake — standalone, no CRA API, no consent required.

Results in under 3 seconds30 to 1,500+ documents/monthFrom $15/mo
How it works

Five forensic layers, one deterministic verdict

Every PDF we receive passes through the same structural pipeline — no model training, no thresholds to tune.

01

Metadata analysis

Creation and modification timestamps, producer and creator fields, XMP metadata — the first layer exposes basic tampering.

02

File structure

Xref tables, trailer chain, incremental updates. Any edit after export leaves a structural fingerprint here.

03

Digital signatures

Signature chain integrity and post-signature modifications produce deterministic markers. Certainty-level signal.

04

Content integrity

Fonts, objects, embedded content, page assembly. Multi-session edits and inserted objects are visible at this layer.

05

Verdict with markers

Deterministic output: INTACT / MODIFIED / INCONCLUSIVE, with named markers for every finding — suitable for audit trail.

See the full 35-check breakdown
Document types

NOA and adjacent CRA-issued PDFs we check

Every type listed below is analyzed at the structural file layer — not the rendered image.

NOA PDF (Notice of Assessment)NOR PDF (Notice of Reassessment)T4 PDF (Statement of Remuneration)T4A PDF (Pension, Self-employment income)T1 General PDF (Income Tax and Benefit Return)Proof of income statement PDF (CRA My Account)Bank statement PDF (CRA refund credits)
What htpbe? checks

Detection capabilities

Deterministic structural signals. No probabilistic scores, no model training.

Producer signature mismatch

Authentic NOAs carry the CRA producer signature. When the producer is Microsoft Excel, Microsoft Word, LibreOffice, Chrome Headless, or a generic PDF library, the document was edited or fabricated on a desktop — it did not come fresh from CRA.

CRA portal metadata block presence

Real NOAs embed structured CRA metadata in the PDF — assessment identifiers, system-generated reference codes encoded as objects. Generator-tool fakes don’t reproduce these correctly. Missing or malformed identifiers are a clean signal of fabrication.

Incremental update trail

A clean CRA export has one cross-reference table. Re-saves through any editor append a second xref — visible structural evidence of post-issuance editing.

Line arithmetic across the assessment

Line arithmetic across the NOA (Total income → deductions → Taxable income → tax owed/refund) is verified row by row. Edited lines break the chain unless every dependent figure is also adjusted.

Modification timestamp gap

A real NOA issued in spring has CreationDate ≈ ModDate within days of CRA assessment. A months-later modification on a "freshly issued" NOA is a high-confidence flag for post-export editing.

Font subset divergence across pages

Multi-session edits leave font subset prefix shifts. Single-session legitimate CRA exports have consistent subsets across all pages.

Integrate in minutes

Two HTTP calls to verify any NOA

Buyers can skip this section — developers, the integration is two HTTP calls.

Step 1 — submit the PDF

curl -X POST https://api.htpbe.tech/v1/analyze \
  -H "Authorization: Bearer $HTPBE_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"url": "https://your-storage/borrower-noa-2023.pdf"}'

Step 2 — read the verdict

{
  "id": "n1o2a3c4-5a6n-7a8d-9a0b-c1d2e3f4g5h6",
  "status": "modified",
  "modification_confidence": "high",
  "modification_markers": [
    "Spreadsheet producer detected (Microsoft Excel)",
    "Two cross-reference tables — incremental update",
    "CRA portal metadata block missing"
  ],
  "producer": "Microsoft Excel",
  "creator": "CRA My Account (original)",
  "creation_date": 1683417600,
  "modification_date": 1707350400,
  "has_digital_signature": false,
  "xref_count": 2,
  "has_incremental_updates": true
}

Original came from CRA My Account in May. Then eight months later it was opened in Microsoft Excel and re-saved — adding a second xref table. The CRA portal metadata block is gone. Verdict: modified at high confidence. The borrower edited the NOA after CRA issued it.

Get your API key — free test keys includedFull API documentation

Customer Stories

Teams that stopped document fraud

Compliance, finance, and risk teams use htpbe? to catch manipulated PDFs before they become costly mistakes.

Caught an invoice where the total had been changed by less than a thousand dollars. Without this I would have approved it without a second look.

Sarah M.

AP Manager

United States

We had three applicants in the same week with bank statements that looked completely fine. Two of them were flagged as modified. You simply cannot see this by reading the document — it is in the file structure.

Lars V.

Risk Analyst, Online Lending

Netherlands

Salary slips were coming with altered figures. We identified two problematic files before the placement was finalised.

Priya K.

HR Operations Lead

India

Since we started checking documents this way, we stopped two applications early in the process that would have been very difficult to reverse later.

Julien R.

Fraud Analyst, Fintech

France

Some applicants were sending PDFs that looked authentic but had been edited in ways not visible to the eye. We now ask for verified originals when something is flagged. Already saved us from a few bad decisions.

Marta S.

Compliance Coordinator

Spain

One invoice was caught because there was a mismatch between the document dates and structure. That particular case would have cost us significantly.

Tariq A.

Finance Manager

United Arab Emirates

FAQ

Frequently asked questions

No. htpbe? performs standalone forensic analysis on the PDF the borrower or applicant uploaded — no CRA API call, no Auto-fill My Return integration, no borrower consent required. The signals are inside the file structure.
Yes. Fabricated NOAs lack the CRA producer signature and the structured CRA portal metadata genuine NOAs carry. The verdict is typically modified or inconclusive with producer-mismatch and missing-metadata flags.
Equifax Canada and TransUnion verify identity and credit history — they do not analyse the file structure of the NOA the borrower uploaded. htpbe? inspects that PDF directly. Use both: credit bureaus for the borrower, htpbe? for the file.
IRCC officers receive NOAs as PDF supporting documents — without consent-based CRA verification. htpbe? inspects the same file an officer would open: producer mismatch, incremental update trail, missing CRA portal metadata, line arithmetic. Verdicts are deterministic and audit-ready.
htpbe? returns INCONCLUSIVE when an NOA PDF lacks the institutional metadata that genuine CRA My Account exports carry — typically because the file was authored on a desktop with consumer software (Word, Excel, LibreOffice) rather than downloaded from CRA My Account. In the NOA context, INCONCLUSIVE is itself a high-confidence fraud signal: a real CRA Notice of Assessment always comes from CRA My Account and carries the CRA producer signature — it would never originate from a desktop tool. Treat INCONCLUSIVE on an NOA as fraud-positive and route the case to CRA consent-based verification or manual income review before any mortgage or immigration decision.
Related

Related solutions and guides

Solution

Mortgage Underwriting

NOA + T4 + bank statement forensics for Canadian mortgage origination and broker workflows.

Read more
Technical guide

Fake T4 Detection

Sister page — same forensics for the employer-issued T4 PDF.

Read more
Solution

Alternative Lending

Income document forensics for Canadian alt-lenders and fintech underwriting.

Read more

Secure your workflow

Create your account — API key on signup, free test environment on every plan.
From $15/mo. No sales call. Cancel any time.

Secure your workflowView API docs