logo
Pay stub fraud

Pay-stub generator sites churn out plausible PDFs in seconds — and visual review cannot tell the difference

Property managers screening rental applications, auto-loan underwriters, and HR teams onboarding new starters all see the same pattern: an applicant runs a free pay-stub generator, types in a desired employer and gross, downloads the PDF. Or they take a real ADP/Gusto/Paychex stub and edit the figures before uploading. Visual review passes either way.

~3 sec
per document
35 checks
forensic layers
From $15
per month
1,500+
docs / month on Growth
Scope

htpbe? analyzes the structural layer of the PDF file — the layer that records every edit, even invisible ones. We don’t inspect holograms, phone photos, or ID biometrics. If your fraud problem is a digitally fabricated or tampered pay stub, we’re the most specific tool for it.

When htpbe? returns INCONCLUSIVE on a pay stub, that’s itself a fraud signal in this context — real pay stubs always come from a US payroll system, never from a desktop tool or generator site.

How it looks

One REST call, one deterministic verdict

Upload the PDF. The API returns INTACT, MODIFIED, or INCONCLUSIVE with named markers — in about three seconds.

What this looks like

How fake and tampered pay stubs actually look

Three real fraud mechanics we catch at the structural PDF layer.

01

Generator-tool fabrication

Free online pay-stub generator sites produce a plausible-looking PDF for any employer name and gross the user types in. These tools leave a recognisable producer signature (often Chrome Headless or a specific PDF library) and miss the institutional metadata real payroll exports carry. Producer mismatch is unambiguous.

02

Real pay stub edited after issuance

Authentic pay stub from a US payroll system (ADP, Paychex, Gusto, QuickBooks Payroll, Workday, Rippling, Square Payroll, Justworks). The applicant downloads it, opens it in any PDF editor or spreadsheet, edits Gross or YTD, exports as PDF. Producer field changes from the payroll engine to whichever editor was used.

03

Multiple "monthly" stubs batch-created in one session

Six monthly stubs for January through June, all carrying creation timestamps within minutes of each other and identical font subset prefixes. Real monthly issuance produces dates a month apart. Cross-document timestamp clustering exposes the batch.

The scale

~1 in 6
rental applications contain misrepresented financial information
$3,500+
average eviction cost when fraudulent income passes screening
~3 sec
per pay stub via API

Why your existing checks miss this

Open Banking shows the income. It only works when the applicant connects.

Applicants who fabricated the stub rarely connect the bank.

Tenant-screening platforms (Snappt, The Closing Docs, RentSpree) and lending-tech vendors verify income through Open Banking (Plaid, Finicity, MX) when the applicant agrees to connect — applicants who fabricated the pay stub rarely do. VOE services (The Work Number, manual employer calls) work but are slow and partial. htpbe? catches the pay stub PDF the applicant uploaded at the moment of intake — standalone, no Open Banking consent, no employer call required.

Results in under 3 seconds30 to 1,500+ documents/monthFrom $15/mo
How it works

Five forensic layers, one deterministic verdict

Every PDF we receive passes through the same structural pipeline — no model training, no thresholds to tune.

01

Metadata analysis

Creation and modification timestamps, producer and creator fields, XMP metadata — the first layer exposes basic tampering.

02

File structure

Xref tables, trailer chain, incremental updates. Any edit after export leaves a structural fingerprint here.

03

Digital signatures

Signature chain integrity and post-signature modifications produce deterministic markers. Certainty-level signal.

04

Content integrity

Fonts, objects, embedded content, page assembly. Multi-session edits and inserted objects are visible at this layer.

05

Verdict with markers

Deterministic output: INTACT / MODIFIED / INCONCLUSIVE, with named markers for every finding — suitable for audit trail.

See the full 35-check breakdown
Document types

Pay stub and adjacent income-proof PDFs we check

Every type listed below is analyzed at the structural file layer — not the rendered image.

Pay stub PDF (US monthly)W-2 PDF (annual)1099 PDFBank statement PDF (salary credits)Employment verification letter PDFOffer letter PDF (current employer)YTD payroll summary PDF
What htpbe? checks

Detection capabilities

Deterministic structural signals. No probabilistic scores, no model training.

Producer signature mismatch

Authentic pay stubs carry the producer signature of US payroll software (ADP, Paychex, Gusto, QuickBooks Payroll, Workday, Rippling, Square Payroll, Justworks). When the producer is Microsoft Excel, Microsoft Word, LibreOffice, Chrome Headless, or a generic PDF library, the document was edited or fabricated on a desktop or generator tool.

Generator-tool fingerprint detection

Pay-stub generator sites typically render PDFs through headless browsers or specific PDF libraries. Their producer signatures and document structure differ from authentic payroll exports — a clean detection signal.

Incremental update trail

A clean payroll export has one cross-reference table. Re-saves through any editor append a second xref — visible structural evidence of post-issuance editing.

Gross-to-net arithmetic

Line arithmetic across the stub (Gross → federal tax → Social Security → Medicare → state tax → net) is verified row by row. Edited gross figures break the chain unless every dependent field is also adjusted.

Cross-document timestamp clustering

When multiple "monthly" stubs arrive together, the API surfaces creation timestamps for each. Real monthly issuance produces dates a month apart; batch-fabricated sets cluster within minutes — combined with identical font subsets, the batch pattern is unambiguous.

Modification timestamp gap

A real stub from March has CreationDate ≈ ModDate in March. A months-later modification on a "fresh" stub is a high-confidence flag for post-export editing.

Integrate in minutes

Two HTTP calls to verify any pay stub

Buyers can skip this section — developers, the integration is two HTTP calls.

Step 1 — submit the PDF

curl -X POST https://api.htpbe.tech/v1/analyze \
  -H "Authorization: Bearer $HTPBE_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"url": "https://your-storage/applicant-paystub.pdf"}'

Step 2 — read the verdict

{
  "id": "p1a2y3s4-5t6u-7b8u-9s9p-d1f2g3h4i5j6",
  "status": "inconclusive",
  "modification_confidence": "none",
  "modification_markers": [
    "Generator-tool producer (Chrome Headless) — no payroll-system signature",
    "Missing payroll-system institutional metadata",
    "Single-session creation — no incremental update trail"
  ],
  "producer": "Chrome Headless 124.0",
  "creator": "Chrome Headless 124.0",
  "creation_date": 1707350400,
  "modification_date": 1707350400,
  "has_digital_signature": false,
  "xref_count": 1,
  "has_incremental_updates": false
}

htpbe? returns inconclusive — there is no edit trail, but the file lacks the payroll-system metadata genuine pay stubs carry. In the pay-stub context, inconclusive is itself a high-confidence fraud signal: a real pay stub from any major US payroll provider carries that provider’s producer signature. Chrome Headless is the fingerprint of a generator-tool render — typically a free pay-stub site’s server. Treat inconclusive on a pay stub as a strong fraud-positive flag.

Get your API key — free test keys includedFull API documentation

Customer Stories

Teams that stopped document fraud

Compliance, finance, and risk teams use htpbe? to catch manipulated PDFs before they become costly mistakes.

Caught an invoice where the total had been changed by less than a thousand dollars. Without this I would have approved it without a second look.

Sarah M.

AP Manager

United States

We had three applicants in the same week with bank statements that looked completely fine. Two of them were flagged as modified. You simply cannot see this by reading the document — it is in the file structure.

Lars V.

Risk Analyst, Online Lending

Netherlands

Salary slips were coming with altered figures. We identified two problematic files before the placement was finalised.

Priya K.

HR Operations Lead

India

Since we started checking documents this way, we stopped two applications early in the process that would have been very difficult to reverse later.

Julien R.

Fraud Analyst, Fintech

France

Some applicants were sending PDFs that looked authentic but had been edited in ways not visible to the eye. We now ask for verified originals when something is flagged. Already saved us from a few bad decisions.

Marta S.

Compliance Coordinator

Spain

One invoice was caught because there was a mismatch between the document dates and structure. That particular case would have cost us significantly.

Tariq A.

Finance Manager

United Arab Emirates

FAQ

Frequently asked questions

Yes. The analysis is producer-agnostic — it inspects whichever PDF the applicant submits. Authentic stubs from ADP, Paychex, Gusto, QuickBooks Payroll, Workday, Rippling, Square Payroll, Justworks, BambooHR Payroll, or smaller in-house systems all carry recognisable producer signatures.
Yes — that pattern (free pay-stub generator → desired employer + gross → PDF download) is one of the most common US rental and lending fraud signatures. Generator tools leave fingerprints in the producer field (often Chrome Headless or a specific PDF library) and miss the institutional metadata authentic payroll exports embed.
Snappt and The Closing Docs operate at the property-manager UI layer with proprietary detection. htpbe? is a developer API — the same forensic depth, exposed via REST, suitable for tenant-screening platforms, PropTech builders, and any system that accepts PDF uploads programmatically. They are aimed at different buyers.
Phone photos are raster images with no PDF structure to analyse — outside scope. Always require digital PDF uploads from applicants. If you cannot enforce that, pair htpbe? with image-forensics tooling for the photo cases.
htpbe? returns INCONCLUSIVE when a pay-stub PDF lacks the institutional producer signature that genuine US payroll-system exports carry — typically because the file was authored on a desktop or generator tool (Chrome Headless, Word, Excel) rather than exported from a payroll engine such as ADP, Paychex, Gusto, Workday, or Rippling. In the pay-stub context, INCONCLUSIVE is itself a high-confidence fraud signal: a real pay stub from any major US payroll provider carries that provider’s producer signature — a generator-tool or desktop-tool stub is a strong indicator of fabrication. Treat INCONCLUSIVE on a pay stub as fraud-positive and route the case to Open Banking income verification or employer VOE before any tenancy, lending, or hiring decision.
Related

Related solutions and guides

Solution

Tenant Screening

Pay stub + bank statement forensics for US property managers and tenant-screening platforms.

Read more
Technical guide

Fake W-2 Detection

Sister page — same forensics for the annual W-2 PDF.

Read more
Solution

Alternative Lending

Income document forensics for US alt-lenders and consumer fintech underwriting.

Read more

Secure your workflow

Create your account — API key on signup, free test environment on every plan.
From $15/mo. No sales call. Cancel any time.

Secure your workflowView API docs