logo
Relieving letter fraud

A relieving letter is the easiest document to forge — and the one HR trusts most

Onboarding teams use it to confirm the candidate left the previous employer cleanly. The candidate knows it. So when an exit was messy or a notice period was skipped, a quick edit in Word can rewrite history. Visual review passes. Structural analysis does not.

~3 sec
per document
35 checks
forensic layers
From $15
per month
1,500+
docs / month on Growth
Scope

htpbe? analyzes the structural layer of the PDF file — the layer that records every edit, even invisible ones. We don’t inspect holograms, phone photos, or ID biometrics. If your fraud problem is a digitally fabricated or tampered relieving letter, we’re the most specific tool for it.

When htpbe? returns INCONCLUSIVE on a relieving letter, that’s the expected baseline (these documents legitimately come from desktop tools at many employers); combine with other markers before flagging.

How it looks

One REST call, one deterministic verdict

Upload the PDF. The API returns INTACT, MODIFIED, or INCONCLUSIVE with named markers — in about three seconds.

What this looks like

How fake and tampered relieving letters actually look

Three real fraud mechanics we catch at the structural PDF layer.

01

Reason for separation rewritten

Candidate was terminated for cause but writes the letter as a voluntary resignation. Original document opened in Adobe Acrobat or an online editor; one paragraph replaced; re-export. Incremental update markers in the xref chain expose the edit.

02

Last working day backdated to skip the notice-period gap

There is a six-month gap between the real last working day and the next employer’s start date — the candidate was either out of work or working somewhere they can’t mention. The date on the relieving letter gets pushed forward. The visual page still looks signed and stamped; the modification timestamp tells a different story.

03

Letter authored from scratch when no real one exists

No relieving letter was issued — the candidate left badly or the previous employer refuses to issue one. The candidate writes one in Word, lifts the company logo from LinkedIn, signs HR Manager’s name, exports. Producer field shows Microsoft Word; image-stream metadata exposes the lifted logo.

The scale

~1 in 8
job applicants misrepresent prior employment terms on background checks
$17K+
average cost to replace a fraudulent hire
~3 sec
per relieving letter via API

Why your existing checks miss this

BGV calls the employer. The employer does not always answer.

When BGV cannot complete, the candidate fills the gap with a letter. Read the file.

BGV platforms (AuthBridge, IDfy, OnGrid, Springworks) call the previous employer to confirm separation. Indian BGV employer-response rates routinely run 70–85% — meaning 15–30% of cases get filled with the candidate’s submitted documents alone. htpbe? catches the file the candidate sent, regardless of whether the previous employer responds. Use both: BGV when reachable, htpbe? always.

Results in under 3 seconds30 to 1,500+ documents/monthFrom $15/mo
How it works

Five forensic layers, one deterministic verdict

Every PDF we receive passes through the same structural pipeline — no model training, no thresholds to tune.

01

Metadata analysis

Creation and modification timestamps, producer and creator fields, XMP metadata — the first layer exposes basic tampering.

02

File structure

Xref tables, trailer chain, incremental updates. Any edit after export leaves a structural fingerprint here.

03

Digital signatures

Signature chain integrity and post-signature modifications produce deterministic markers. Certainty-level signal.

04

Content integrity

Fonts, objects, embedded content, page assembly. Multi-session edits and inserted objects are visible at this layer.

05

Verdict with markers

Deterministic output: INTACT / MODIFIED / INCONCLUSIVE, with named markers for every finding — suitable for audit trail.

See the full 35-check breakdown
Document types

Relieving letter and adjacent separation PDFs we check

Every type listed below is analyzed at the structural file layer — not the rendered image.

Relieving letter PDFExperience letter PDFNo dues / clearance letter PDFFinal settlement statement PDFService certificate PDFForm 16 PDF (Part B)Bank salary credit statement PDF
What htpbe? checks

Detection capabilities

Deterministic structural signals. No probabilistic scores, no model training.

Producer signature on the letter

Authentic relieving letters come from the previous employer’s HRMS, payroll, or document-management system — recognisable producer signatures. When the producer is Microsoft Word, LibreOffice, Google Docs, or Chrome Headless, the letter was authored on a desktop.

Incremental update trail

Date edits, paragraph replacements, and signature swaps all leave incremental updates in the PDF’s xref chain. Authentic single-session exports have one xref; tampered files have two or more.

Letterhead and logo image consistency

Real corporate letterheads ship as part of the document template. Lifted-and-pasted logos appear as redundant image streams with mismatched compression — a structural fingerprint of fabrication.

Digital signature presence and chain validity

Many large employers digitally sign relieving letters. Authentic letters carry a valid signature chain; tampered letters either lack signatures or have invalidated chains.

Modification date vs. claimed last working day

The PDF’s ModDate is the moment the document was last touched. When ModDate is months after the claimed last working day, the file was edited after issuance — a high-confidence flag for backdated separations.

Font subset divergence across pages

Multi-session edits or page reassembly leave font subset prefix shifts. Single-session legitimate exports have consistent subsets across all pages.

Integrate in minutes

Two HTTP calls to verify any relieving letter

Buyers can skip this section — developers, the integration is two HTTP calls.

Step 1 — submit the PDF

curl -X POST https://api.htpbe.tech/v1/analyze \
  -H "Authorization: Bearer $HTPBE_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"url": "https://your-storage/candidate-relieving-letter.pdf"}'

Step 2 — read the verdict

{
  "id": "r1l2m3n4-5o6p-7q8r-9s0t-u1v2w3x4y5z6",
  "status": "modified",
  "modification_confidence": "high",
  "modification_markers": [
    "Adobe Acrobat producer with incremental update",
    "Modification date 5 months after creation date",
    "Two xref tables — content was edited after original export"
  ],
  "producer": "Adobe Acrobat 24.0",
  "creator": "Workday HRMS",
  "creation_date": 1693526400,
  "modification_date": 1706659200,
  "has_digital_signature": false,
  "xref_count": 2,
  "has_incremental_updates": true
}

The original was exported from Workday HRMS (a real corporate workflow). Then five months later it was opened in Adobe Acrobat and re-saved — adding a second xref table. The verdict is modified at high confidence. The candidate took a real letter and edited it after the fact.

Get your API key — free test keys includedFull API documentation

Customer Stories

Teams that stopped document fraud

Compliance, finance, and risk teams use htpbe? to catch manipulated PDFs before they become costly mistakes.

Caught an invoice where the total had been changed by less than a thousand dollars. Without this I would have approved it without a second look.

Sarah M.

AP Manager

United States

We had three applicants in the same week with bank statements that looked completely fine. Two of them were flagged as modified. You simply cannot see this by reading the document — it is in the file structure.

Lars V.

Risk Analyst, Online Lending

Netherlands

Salary slips were coming with altered figures. We identified two problematic files before the placement was finalised.

Priya K.

HR Operations Lead

India

Since we started checking documents this way, we stopped two applications early in the process that would have been very difficult to reverse later.

Julien R.

Fraud Analyst, Fintech

France

Some applicants were sending PDFs that looked authentic but had been edited in ways not visible to the eye. We now ask for verified originals when something is flagged. Already saved us from a few bad decisions.

Marta S.

Compliance Coordinator

Spain

One invoice was caught because there was a mismatch between the document dates and structure. That particular case would have cost us significantly.

Tariq A.

Finance Manager

United Arab Emirates

FAQ

Frequently asked questions

BGV calls the previous employer to confirm separation terms. htpbe? inspects the relieving letter PDF the candidate uploaded. They are complementary — and htpbe? works even when BGV cannot reach the previous employer (which fails 15–30% of the time in Indian BGV operations).
Yes. Date edits leave incremental update markers in the PDF’s xref chain, regardless of how clean the visual layout looks. The verdict will be modified with the incremental-update flag and modification timestamp gap.
A Word producer alone is not a verdict — htpbe? combines it with other markers (signature presence, image-stream metadata, incremental updates, modification timestamp). Small employers using Word legitimately typically return inconclusive, prompting manual employer verification rather than an automatic reject.
No. htpbe? performs standalone forensic analysis on the PDF the candidate uploaded — the structural signals of editing live inside the file itself. No reference copy required, no third-party database.
htpbe? returns INCONCLUSIVE when a relieving letter PDF was authored on a desktop and lacks edit-trail evidence (no incremental update, no signature chain, no certainty markers fired). For a relieving letter, INCONCLUSIVE is the expected baseline rather than an automatic fraud signal — many employers, especially smaller ones, author these letters in Word and export them as a single-session PDF. Combine INCONCLUSIVE with the other markers htpbe? returns (image-stream artefacts from lifted logos or pasted signatures, modification timestamp, cross-document signature reuse) before flagging. INCONCLUSIVE alone is a prompt for manual employer verification, not an automatic reject.
Related

Related solutions and guides

Solution

HR & Hiring

Pre-employment document fraud detection for talent ops and BGV operators.

Read more
Technical guide

Fake Experience Letter Detection

Sister page — structural forensics for previous-employment letters.

Read more
Technical guide

Fake Salary Slip Detection

Salary slips submitted alongside relieving letters as employment proof.

Read more

Secure your workflow

Create your account — API key on signup, free test environment on every plan.
From $15/mo. No sales call. Cancel any time.

Secure your workflowView API docs