logo
P45 fraud

Fake P45 Detection — Catch Edited Leaver PDFs

A P45 sets the new starter’s tax code and pay-to-date — and an edited one cascades into payroll. New-employer HR teams trust the P45 the starter brings. Payroll uses it to set the tax code and the pay-and-tax-to-date for the year. When that P45 is fabricated or tampered, the error compounds across every payslip until HMRC eventually corrects it — and the discrepancy lands on someone’s desk.

~3 sec
per document
35 checks
forensic layers
From $15
per month
1,500+
docs / month on Growth
Scope

htpbe? analyzes the structural layer of the PDF file — the layer that records every edit, even invisible ones. We don’t inspect holograms, phone photos, or ID biometrics. If your fraud problem is a digitally altered or fabricated P45, we’re the most specific tool for it.

When htpbe? returns INCONCLUSIVE on a P45, that’s itself a fraud signal in this context — real P45 exports always come from a UK payroll engine, never from a desktop tool.

How it looks

One REST call, one deterministic verdict

Upload the PDF. The API returns INTACT, MODIFIED, or INCONCLUSIVE with named markers — in about three seconds.

What this looks like

How fake and tampered P45 PDFs actually look

Three real fraud mechanics we catch at the structural PDF layer.

01

Pay and tax to date edited up

Authentic P45 comes from the leaver’s previous employer payroll system. The new starter opens it in any PDF editor or spreadsheet, edits the Total pay to date or Total tax to date, exports as PDF. Producer field changes from the payroll engine to whichever editor was used. Visual layout preserved; file fingerprint flipped.

02

P45 fabricated to skip a gap of unemployment

There is a six-month gap between the real last working day and the new start date — the candidate was either out of work or working under the table. They build a P45 in Word using a template, type in plausible figures, export to PDF. Producer field shows Microsoft Word; structured payroll metadata is missing.

03

Tax code rewritten to favour the starter

A BR or D0 emergency code on the original P45 means more tax. The starter edits the code to their preferred letter (1257L, etc.) before submitting. Even when the visual layout is clean, incremental update markers in the xref chain expose the post-issuance edit.

The scale

~1 in 8
job applicants misrepresent prior employment on background checks
~3 sec
per P45 via API
Cascades
a wrong P45 figure propagates into every payslip until HMRC corrects it

Why your existing checks miss this

Payroll trusts the P45 figures. Trust them too readily and the error cascades.

HMRC eventually flags the discrepancy. By then payroll has been paying the wrong figures for months.

New-employer payroll systems take the P45 figures at face value when adding a starter — that is the design intent. HMRC catches the discrepancy through Real Time Information once the new employer files an FPS, but the lag can run weeks or months. Tampered P45s used in fraudulent loan or housing applications meanwhile pass through HR and payroll undetected. htpbe? inspects the P45 PDF at the moment of intake, before payroll trusts the numbers — standalone, no HMRC API, no payroll-bureau lookup.

Results in under 3 seconds30 to 1,500+ documents/monthFrom $15/mo
How it works

Five forensic layers, one deterministic verdict

Every PDF we receive passes through the same structural pipeline — no model training, no thresholds to tune.

01

Metadata analysis

Creation and modification timestamps, producer and creator fields, XMP metadata — the first layer exposes basic tampering.

02

File structure

Xref tables, trailer chain, incremental updates. Any edit after export leaves a structural fingerprint here.

03

Digital signatures

Signature chain integrity and post-signature modifications produce deterministic markers. Certainty-level signal.

04

Content integrity

Fonts, objects, embedded content, page assembly. Multi-session edits and inserted objects are visible at this layer.

05

Verdict with markers

Deterministic output: INTACT / MODIFIED / INCONCLUSIVE, with named markers for every finding — suitable for audit trail.

See the full 35-check breakdown
Document types

P45 and adjacent UK leaver / starter PDFs we check

Every type listed below is analyzed at the structural file layer — not the rendered image.

P45 PDF (parts 1A, 2, 3)P60 PDF (annual)Payslip PDF (final pay)Starter checklist PDF (HMRC)Reference letter PDFSettlement agreement PDFRight-to-work share code letter PDF
What htpbe? checks

Detection capabilities

Deterministic structural signals. No probabilistic scores, no model training.

Producer signature on the P45

Authentic P45s come from a UK payroll engine — Sage, IRIS, Brightpay, Moneysoft, Xero, QuickBooks Payroll, Moorepay, ADP UK. When the producer is Microsoft Excel, LibreOffice, Word, Chrome Headless, or a generic PDF library, the P45 was edited or fabricated on a desktop.

Incremental update trail

Edits to pay-to-date, tax-to-date, or tax code leave incremental updates in the xref chain. Authentic single-session payroll exports have one xref; tampered files have two or more.

Tax code and figures arithmetic

The relationship between gross pay, tax code, NI, and tax-to-date is verified. Edited figures break the chain in ways that spreadsheets routinely miss.

Modification timestamp gap

A real P45 issued on the leaving date has CreationDate ≈ ModDate. A months-later modification on a "freshly issued" P45 is a high-confidence flag for post-export editing.

Font subset divergence across pages

Multi-session edits or multi-source assembly leave font subset prefix shifts. Single-session legitimate exports have consistent subsets across all parts of the P45.

Text layer vs. raster layer mismatch

Replaced text in a rendered image leaves the underlying text layer untouched. The two layers stop agreeing — an immediate flag.

Integrate in minutes

Two HTTP calls to verify any P45

Buyers can skip this section — developers, the integration is two HTTP calls.

Step 1 — submit the PDF

curl -X POST https://api.htpbe.tech/v1/analyze \
  -H "Authorization: Bearer $HTPBE_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"url": "https://your-storage/new-starter-p45.pdf"}'

Step 2 — read the verdict

{
  "id": "p2q3r4s5-6t7u-8v9w-0x1y-z2a3b4c5d6e7",
  "status": "modified",
  "modification_confidence": "high",
  "modification_markers": [
    "LibreOffice Calc producer detected",
    "Two cross-reference tables — incremental update",
    "Modification date 4 months after creation date"
  ],
  "producer": "LibreOffice Calc 7.6",
  "creator": "Brightpay (original)",
  "creation_date": 1696464000,
  "modification_date": 1707350400,
  "has_digital_signature": false,
  "xref_count": 2,
  "has_incremental_updates": true
}

Original came from Brightpay in October. Then four months later it was opened in LibreOffice Calc and re-saved — adding a second xref table. Verdict: modified at high confidence. The starter edited the P45 figures before bringing it to onboarding.

Get your API key — free test keys includedFull API documentation

Customer Stories

Teams that stopped document fraud

Compliance, finance, and risk teams use htpbe? to catch manipulated PDFs before they become costly mistakes.

Caught an invoice where the total had been changed by less than a thousand dollars. Without this I would have approved it without a second look.

Sarah M.

AP Manager

United States

We had three applicants in the same week with bank statements that looked completely fine. Two of them were flagged as modified. You simply cannot see this by reading the document — it is in the file structure.

Lars V.

Risk Analyst, Online Lending

Netherlands

Salary slips were coming with altered figures. We identified two problematic files before the placement was finalised.

Priya K.

HR Operations Lead

India

Since we started checking documents this way, we stopped two applications early in the process that would have been very difficult to reverse later.

Julien R.

Fraud Analyst, Fintech

France

Some applicants were sending PDFs that looked authentic but had been edited in ways not visible to the eye. We now ask for verified originals when something is flagged. Already saved us from a few bad decisions.

Marta S.

Compliance Coordinator

Spain

One invoice was caught because there was a mismatch between the document dates and structure. That particular case would have cost us significantly.

Tariq A.

Finance Manager

United Arab Emirates

FAQ

Frequently asked questions

Yes. The analysis is producer-agnostic — it inspects whichever PDF the starter submits. Authentic P45s from Sage, IRIS, Brightpay, Moneysoft, Xero Payroll, QuickBooks Payroll, Moorepay, or ADP UK all carry recognisable producer signatures. Re-saves through Excel or generator tools change those signatures, which htpbe? flags.
Genuinely small employers using Word are uncommon for P45s — HMRC mandates RTI submission, which most small employers handle through cloud payroll (Brightpay, Moneysoft, Xero) rather than Word. A Word-producer P45 is rare enough that the verdict is typically inconclusive with a producer-mismatch flag, prompting manual employer verification.
Yes. Tax-code edits leave incremental update markers in the xref chain regardless of how clean the visual layout looks. The verdict will be modified with the incremental-update flag.
No. htpbe? performs standalone forensic analysis on the PDF the starter uploaded — the structural signals of editing live inside the file itself. No reference copy required, no HMRC API call.
htpbe? returns INCONCLUSIVE when a P45 PDF lacks the institutional metadata that genuine UK payroll-engine exports carry — typically because the file was authored on a desktop with consumer software (Word, Excel, LibreOffice) rather than exported from a payroll system such as Sage, IRIS, Brightpay, or Moneysoft. In the P45 context, INCONCLUSIVE is itself a high-confidence fraud signal: HMRC mandates RTI submission, which means virtually all legitimate employers use cloud payroll software — a desktop-tool P45 is highly anomalous. Treat INCONCLUSIVE on a P45 as fraud-positive and request manual confirmation from the previous employer before adding the starter to payroll.
Related

Related solutions and guides

Solution

HR & Hiring

Pre-employment and starter document fraud detection for UK HR and onboarding teams.

Read more
Technical guide

Fake P60 Detection

Sister page — same forensics for the annual P60 PDF.

Read more
Technical guide

Sponsor Licence Document Fraud Detection

P45 and adjacent records that sponsor-licence holders must keep on file for Home Office audit.

Read more

Secure your workflow

Create your account — API key on signup, free test environment on every plan.
From $15/mo. No sales call. Cancel any time.

Secure your workflowView API docs