Offer letter fraud

A fabricated offer letter unlocks personal loans, visas, and competing-offer leverage — visual review never catches it

Lenders see fake offer letters used to qualify for personal and pre-employment loans. Visa officers see them used to demonstrate intended employment. HR teams see them used as competing-offer leverage during salary negotiation. The pattern is the same: author in Microsoft Word using a real company template, set the salary high, sign the HR Manager’s name, export to PDF.

~3 sec per document
35 checks, forensic layers
From $15 per month
1,500+ docs / month on Growth

Scope

htpbe? analyzes the structural layer of the PDF file — the layer that records every edit, even invisible ones. We don’t inspect holograms, phone photos, or ID biometrics. If your fraud problem is a digitally fabricated or tampered offer letter, we’re the most specific tool for it.

Offer letters are a mixed-origin document — large employers issue them through HRMS or DocuSign workflows (institutional metadata expected); small employers and startups legitimately export from Word (desktop metadata expected). When htpbe? returns INCONCLUSIVE, the meaning depends on which kind of employer is named on the letter. Read the FAQ for guidance.

How it looks

One REST call, one deterministic verdict

Upload the PDF. The API returns INTACT, MODIFIED, or INCONCLUSIVE with named markers — in about three seconds.

What this looks like

How fake and tampered offer letters actually look

Three real fraud mechanics we catch at the structural PDF layer.

01

Letter fabricated in Microsoft Word from scratch

No employer involved. The candidate downloads the company logo from LinkedIn, drops it into Word, types the offer letter with an inflated salary, signs an HR Manager’s name they invented, exports to PDF. The producer field shows Microsoft Word — not the HRMS or DocuSign workflow large employers use.

02

Real letter with edited salary or start date

Candidate has a genuine offer but the salary doesn’t qualify them for the loan amount they want — or the start date doesn’t fit the visa timeline. They open the PDF in any editor, change the figure, re-export. Incremental update markers expose the edit.

03

Letter from a defunct or non-existent shell company

A "subsidiary" company name nobody can verify, with a signed offer letter at a high salary. The structural fingerprints (Word producer, single session, no e-sign chain) match a desktop fabrication regardless of whether the named company exists.

The scale

~12% of personal loan applications include offer-letter manipulation, per fraud-ops data
$8K–$40K typical loan amount granted against a fabricated offer letter
~3 sec per offer letter via API

Why your existing checks miss this

BGV calls the employer. Lenders cannot.

And visual review of an offer letter PDF rarely catches a Word fabrication.

BGV platforms (AuthBridge, IDfy, OnGrid, HireRight, Sterling) call the employer to confirm an offer was made — this works for hiring contexts when the employer responds. But lenders, visa officers, and pre-onboarding HR teams often cannot make that call (no relationship with the named employer, no time, no consent path). htpbe? catches the file the candidate uploaded — standalone, no employer relationship required, no human in the loop until the structural verdict is in.

Results in under 3 seconds
30 to 1,500+ documents/month
From $15/mo

How it works

Five forensic layers, one deterministic verdict

Every PDF we receive passes through the same structural pipeline — no model training, no thresholds to tune.

01

Metadata analysis

Creation and modification timestamps, producer and creator fields, XMP metadata — the first layer exposes basic tampering.

02

File structure

Xref tables, trailer chain, incremental updates. Any edit after export leaves a structural fingerprint here.

03

Digital signatures

Signature chain integrity and post-signature modifications produce deterministic markers. Certainty-level signal.

04

Content integrity

Fonts, objects, embedded content, page assembly. Multi-session edits and inserted objects are visible at this layer.

05

Verdict with markers

Deterministic output: INTACT / MODIFIED / INCONCLUSIVE, with named markers for every finding — suitable for audit trail.

Document types

Offer letter and adjacent employment-proof PDFs we check

Every type listed below is analyzed at the structural file layer — not the rendered image.

Offer letter PDF
Appointment letter PDF
Joining letter PDF
Employment contract PDF
Employment verification letter PDF
Salary revision letter PDF
Pre-employment background letter PDF

What htpbe? checks

Detection capabilities

Deterministic structural signals. No probabilistic scores, no model training.

Producer signature on the offer

Authentic offer letters from large employers come from HRMS exports (Workday, SuccessFactors, BambooHR), DocuSign / Adobe Sign workflows, or in-house ATS engines. When the producer field shows Microsoft Word, LibreOffice, Google Docs, or a generic PDF library, the letter was authored on a desktop — context-dependent (small employers) but a flag against a Fortune 500 letterhead.

Digital signature presence and chain

Most large-employer offer letters are e-signed via DocuSign, Adobe Sign, or HelloSign. Authentic letters carry a valid signature chain visible in the PDF structure. Fabricated letters either lack signatures entirely or have invalidated chains — visible regardless of the visual signature image.

Incremental update trail

A clean export from an HRMS or e-sign workflow has one cross-reference table. Re-saves through any PDF editor append a second xref — visible structural evidence of post-issuance editing on a salary, start date, or signing party.

Letterhead and image-stream artefacts

Real corporate letterheads are embedded as part of the template’s font and image objects. Lifted-and-pasted logos appear as redundant image streams with mismatched compression characteristics — a structural fingerprint of fabrication.

Modification timestamp gap

A real offer issued at the time of decision has CreationDate matching ModDate (single-session export). A weeks-or-months-later modification on a "freshly issued" offer is a high-confidence flag for post-export editing.

Cross-document signature reuse

When the same hiring manager’s signature image appears across multiple "different" employer letters from a single applicant pool, image-stream hash matching exposes the shared source — a fingerprint of a single fabricator producing multiple offer letters.
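
The "Incremental update trail" and "Modification timestamp gap" checks above can be approximated with a byte-level scan. This is an added illustration, not htpbe?'s implementation: the sample bytes, producer names and function names are constructed, and xref streams and compressed objects are not handled.

```python
import re
from datetime import datetime

# Constructed skeleton of a PDF revision (byte offsets are not meaningful;
# only the structural keywords matter for this scan).
ORIGINAL = (
    b"%PDF-1.7\n1 0 obj\n<< /Producer (ExampleHRMS) "
    b"/CreationDate (D:20240205000000Z) /ModDate (D:20240205000000Z) >>\nendobj\n"
    b"xref\n0 2\n0000000000 65535 f \n0000000009 00000 n \n"
    b"trailer\n<< /Size 2 /Info 1 0 R >>\nstartxref\n120\n%%EOF\n"
)
# Constructed incremental update appended by a later save in an editor.
UPDATE = (
    b"1 0 obj\n<< /Producer (ExampleEditor) "
    b"/CreationDate (D:20240205000000Z) /ModDate (D:20240216000000Z) >>\nendobj\n"
    b"xref\n1 1\n0000000200 00000 n \n"
    b"trailer\n<< /Size 2 /Info 1 0 R /Prev 120 >>\nstartxref\n330\n%%EOF\n"
)

DATE_RE = re.compile(rb"/(CreationDate|ModDate)\s*\(D:(\d{14})")
TAIL_RE = re.compile(rb"startxref\s+\d+\s+%%EOF")


def structural_markers(data: bytes) -> dict:
    """Return revision count, /Prev chaining and the creation-to-modification gap."""
    # Every save ends with its own "startxref <offset> %%EOF" tail.
    # Linearized PDFs legitimately carry two, so treat a count above one
    # as a reason to look closer, not as proof.
    revisions = len(TAIL_RE.findall(data))
    # A trailer with /Prev points back at the xref section it supersedes.
    has_prev = re.search(rb"/Prev\s+\d+", data) is not None
    dates = {}
    for key, value in DATE_RE.findall(data):
        # Later revisions appear later in the file, so the last value wins.
        dates[key.decode()] = datetime.strptime(value.decode(), "%Y%m%d%H%M%S")
    gap = None
    if {"CreationDate", "ModDate"} <= dates.keys():
        gap = (dates["ModDate"] - dates["CreationDate"]).days
    return {"revisions": revisions, "has_prev": has_prev, "date_gap_days": gap}


if __name__ == "__main__":
    print(structural_markers(ORIGINAL))
    print(structural_markers(ORIGINAL + UPDATE))
```

A single revision is not proof that a file is unedited: an editor that rewrites the whole file on save leaves only one xref section, which is why the date and producer fields are read alongside the revision count.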

Integrate in minutes

Two HTTP calls to verify any offer letter

Buyers can skip this section — developers, the integration is two HTTP calls.

Step 1 — submit the PDF

curl -X POST https://api.htpbe.tech/v1/analyze \
  -H "Authorization: Bearer $HTPBE_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"url": "https://your-storage/applicant-offer-letter.pdf"}'

Step 2 — read the verdict

{
  "id": "o1f2f3e4-5r6l-7t8r-9z0z-a1b2c3d4e5f6",
  "status": "modified",
  "modification_confidence": "high",
  "modification_markers": [
    "Two cross-reference tables — incremental update",
    "Modification date 11 days after creation date",
    "PDF editor producer detected"
  ],
  "producer": "Adobe Acrobat Pro",
  "creator": "DocuSign",
  "creation_date": 1707091200,
  "modification_date": 1708041600,
  "has_digital_signature": false,
  "xref_count": 2,
  "has_incremental_updates": true
}

Original came from DocuSign — institutional source. Then 11 days later it was opened in Adobe Acrobat Pro and re-saved, adding a second xref. Verdict: modified at high confidence. The candidate edited a real DocuSign offer after issuance — likely to bump the salary figure or shift the start date before submitting to a lender or visa officer.
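
One way to route the Step 2 response into a review queue, including the employer-dependent reading of INCONCLUSIVE. This is an added example, not htpbe? client code: the action names and the `employer_uses_esign` input are hypothetical, and the lowercase `intact` and `inconclusive` status values are assumed from the `modified` value shown above.

```python
import json

# Step 2 response from the page, abbreviated to the fields used below.
SAMPLE = json.loads("""{
  "status": "modified",
  "modification_confidence": "high",
  "producer": "Adobe Acrobat Pro",
  "creator": "DocuSign",
  "creation_date": 1707091200,
  "modification_date": 1708041600,
  "has_digital_signature": false,
  "xref_count": 2,
  "has_incremental_updates": true
}""")


def triage(verdict: dict, employer_uses_esign: bool) -> dict:
    """Map a verdict to a review action (action names are hypothetical).

    employer_uses_esign is supplied by the reviewer: True when the named
    employer is known to issue offers through an HRMS or e-sign workflow.
    """
    status = verdict["status"].lower()
    gap_days = (verdict["modification_date"] - verdict["creation_date"]) // 86400
    # Sanity check: the structural fields should agree with each other.
    consistent = (verdict["xref_count"] > 1) == verdict["has_incremental_updates"]

    if not consistent:
        action = "manual_review"
    elif status == "modified":
        action = "escalate"
    elif status == "inconclusive":
        # Desktop-authored letter: a flag against an employer that uses
        # e-sign workflows, the expected baseline for a small employer.
        action = "escalate" if employer_uses_esign else "collect_more_evidence"
    elif status == "intact":
        action = "proceed"
    else:
        action = "manual_review"  # unknown status value: fail closed
    return {"action": action, "gap_days": gap_days, "status": status}


if __name__ == "__main__":
    print(triage(SAMPLE, employer_uses_esign=True))
```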

Customer Stories

Teams that stopped document fraud

Compliance, finance, and risk teams use htpbe? to catch manipulated PDFs before they become costly mistakes.

Caught an invoice where the total had been changed by less than a thousand dollars. Without this I would have approved it without a second look.

Sarah M.

AP Manager

United States

We had three applicants in the same week with bank statements that looked completely fine. Two of them were flagged as modified. You simply cannot see this by reading the document — it is in the file structure.

Lars V.

Risk Analyst, Online Lending

Netherlands

Salary slips were coming with altered figures. We identified two problematic files before the placement was finalised.

Priya K.

HR Operations Lead

India

Since we started checking documents this way, we stopped two applications early in the process that would have been very difficult to reverse later.

Julien R.

Fraud Analyst, Fintech

France

Some applicants were sending PDFs that looked authentic but had been edited in ways not visible to the eye. We now ask for verified originals when something is flagged. Already saved us from a few bad decisions.

Marta S.

Compliance Coordinator

Spain

One invoice was caught because there was a mismatch between the document dates and structure. That particular case would have cost us significantly.

Tariq A.

Finance Manager

United Arab Emirates

FAQ

Frequently asked questions

Yes — but the interpretation differs. Large employers (Workday, DocuSign, e-sign workflows) leave institutional metadata; absence of it is a flag. Small employers legitimately export from Word, so a Word producer alone yields inconclusive — combine with other markers (image-stream artefacts, signature image hashes, incremental updates) before flagging. The verdict is producer-aware in context, not a binary reject.
BGV platforms call the employer to confirm the offer exists. htpbe? inspects the PDF the candidate uploaded — works regardless of whether you can reach the employer (lenders, visa officers, and pre-hire HR often cannot). Use both where you have employer access; use htpbe? alone where you don’t.
Yes. Salary edits require opening the PDF in an editor and re-saving — which appends an incremental update to the xref chain. The verdict will be modified with the incremental-update marker even when the visual layout looks pixel-perfect. The reviewer can see the file was changed after issuance.
htpbe? returns INCONCLUSIVE when an offer letter PDF was authored on a desktop and lacks edit-trail evidence (no incremental update, no signature chain, no certainty markers fired). For an offer letter, the meaning depends on the named employer: against a Fortune 500 or any company that uses HRMS or DocuSign workflows, INCONCLUSIVE is a high-confidence flag (real offers from those employers carry institutional metadata). Against a small employer or startup that legitimately exports from Word, INCONCLUSIVE is the expected baseline. Combine with image-stream artefacts, signature image hashes, modification timestamp, and cross-document signature reuse before flagging.

Secure your workflow

Create your account — API key on signup, free test environment on every plan.
From $15/mo. No sales call. Cancel any time.