logo
Salary slip fraud

A salary slip can be edited and re-saved and still look real to the eye

Background-check teams, NBFC underwriters, and embassy visa reviewers all face the same pattern: a candidate downloads a real salary slip, opens it in any PDF editor, edits the gross or the net, exports back to PDF. The page renders identically. The file structure does not — and we detect the edit regardless of which tool was used.

Also available in:🇩🇪 Deutsch🇫🇷 Français🇪🇸 Español🇳🇱 Nederlands🇮🇹 Italiano🇵🇱 Polski
~3 sec
per document
35 checks
forensic layers
From $15
per month
1,500+
docs / month on Growth
Scope

htpbe? analyzes the structural layer of the PDF file — the layer that records every edit, even invisible ones. We don’t inspect holograms, phone photos, or ID biometrics. If your fraud problem is a digitally altered or fabricated salary slip, we’re the most specific tool for it.

When htpbe? returns INCONCLUSIVE on a salary slip, that’s itself a fraud signal in this context — real salary slips always come from a payroll system, never from a desktop tool.

How it looks

One REST call, one deterministic verdict

Upload the PDF. The API returns INTACT, MODIFIED, or INCONCLUSIVE with named markers — in about three seconds.

What this looks like

How fake and tampered salary slips actually look

Three real fraud mechanics we catch at the structural PDF layer.

01

Edit-and-re-save with adjusted figures

Candidate downloads the real PDF from their HRMS, opens it in any PDF editor or spreadsheet, changes the gross or basic, exports as PDF. The producer field reveals an editor — not the payroll system that issued the original. A clean structural fingerprint of tampering, regardless of which tool was used.

02

Generator-tool fabrication

Online "salary slip generator" sites produce a plausible-looking PDF for any employer name and salary the user types in. These tools leave a recognisable producer signature (often Chrome Headless or a specific PDF library) and miss the institutional metadata authentic payroll exports carry.

03

Gross-to-net arithmetic that does not reconcile

When a candidate edits the gross figure but forgets the deductions, the math no longer adds up. Row-by-row arithmetic checks across the slip flag this even before structural analysis kicks in — a high-confidence signal that the PDF was hand-edited.

The scale

1 in 8
job applicants misrepresent earnings on background checks
~3 sec
per salary slip via API
$0
of model training — runs on file structure, not content

Why your existing checks miss this

Database lookups verify the person. They do not verify the file.

Both layers matter. Most teams only run one.

Background-verification platforms confirm employment by calling the previous employer or checking a registry. They cannot tell you whether the PDF the candidate uploaded was edited after issuance. KYC and identity vendors verify the identity behind the document — not the bytes inside the PDF. Manual HR review catches obvious fakes (typos, wrong tax codes), but a clean re-save through any editor passes a visual check every time. htpbe? fills the structural-PDF layer those workflows do not provide — and works standalone, without a reference original.

Results in under 3 seconds30 to 1,500+ documents/monthFrom $15/mo
How it works

Five forensic layers, one deterministic verdict

Every PDF we receive passes through the same structural pipeline — no model training, no thresholds to tune.

01

Metadata analysis

Creation and modification timestamps, producer and creator fields, XMP metadata — the first layer exposes basic tampering.

02

File structure

Xref tables, trailer chain, incremental updates. Any edit after export leaves a structural fingerprint here.

03

Digital signatures

Signature chain integrity and post-signature modifications produce deterministic markers. Certainty-level signal.

04

Content integrity

Fonts, objects, embedded content, page assembly. Multi-session edits and inserted objects are visible at this layer.

05

Verdict with markers

Deterministic output: INTACT / MODIFIED / INCONCLUSIVE, with named markers for every finding — suitable for audit trail.

See the full 35-check breakdown
Document types

Salary slip and adjacent payroll PDFs we check

Every type listed below is analyzed at the structural file layer — not the rendered image.

Monthly salary slip PDFPay stub PDF (US)Payslip PDF (UK / AU)Form 16 PDF (India)Experience letter PDFRelieving letter PDFSalary certificate PDFBank salary credit statement PDF
What htpbe? checks

Detection capabilities

Deterministic structural signals. No probabilistic scores, no model training.

Producer signature on the PDF

Real salary slips come from a known HRMS (Workday, ADP, Gusto, Zoho People, GreytHR, RazorpayX) or a payroll engine. When the producer field shows Microsoft Excel, LibreOffice, Chrome Headless, or a generic PDF library, the document was authored on a desktop — not exported from a payroll system.

Incremental update trail

Every save after the original export creates an incremental update section in the PDF — visible in the xref table and trailer chain. Authentic payroll exports have one xref. Edited slips have two or more.

Gross-to-net arithmetic

Table arithmetic across earnings, deductions, and net pay is verified row by row. A single edited number breaks the chain — a marker most generator tools fail to fake.

Font subset divergence across pages

When a slip is edited in multiple sessions or assembled from multiple sources, font subset prefixes diverge between pages. Invisible to the eye, obvious to structural analysis.

Text layer vs. raster layer mismatch

Some fraudsters replace text in the rendered image while leaving the underlying text layer untouched. The two layers stop agreeing — an immediate flag.

Modification timestamp gap

Authentic salary slips have ModDate equal or near CreationDate. A gap of hours, days, or weeks between creation and modification on a "monthly slip" is structural evidence of post-export editing.

Integrate in minutes

Two HTTP calls to verify any salary slip

Buyers can skip this section — developers, the integration is two HTTP calls.

Step 1 — submit the PDF

curl -X POST https://api.htpbe.tech/v1/analyze \
  -H "Authorization: Bearer $HTPBE_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"url": "https://your-storage/candidate-march-salary-slip.pdf"}'

Step 2 — read the verdict (GET /v1/result/{id})

{
  "id": "a1b2c3d4-5e6f-7a8b-9c0d-e1f2a3b4c5d6",
  "status": "modified",
  "modification_confidence": "high",
  "modification_markers": [
    "Spreadsheet producer detected (Microsoft Excel)",
    "Multiple cross-reference tables — incremental updates",
    "Modification date 6 hours after creation date"
  ],
  "producer": "Microsoft Excel",
  "creator": "Microsoft Excel",
  "creation_date": 1709280000,
  "modification_date": 1709301600,
  "has_digital_signature": false,
  "xref_count": 3,
  "has_incremental_updates": true
}

Producer Microsoft Excel on a slip that should have come from a payroll engine is the smoking gun. Combined with xref_count: 3 and a six-hour gap between creation and modification, the verdict is modified at high confidence — a clear flag for HR or underwriting review.

Get your API key — free test keys includedFull API documentation

Customer Stories

Teams that stopped document fraud

Compliance, finance, and risk teams use htpbe? to catch manipulated PDFs before they become costly mistakes.

Caught an invoice where the total had been changed by less than a thousand dollars. Without this I would have approved it without a second look.

Sarah M.

AP Manager

United States

We had three applicants in the same week with bank statements that looked completely fine. Two of them were flagged as modified. You simply cannot see this by reading the document — it is in the file structure.

Lars V.

Risk Analyst, Online Lending

Netherlands

Salary slips were coming with altered figures. We identified two problematic files before the placement was finalised.

Priya K.

HR Operations Lead

India

Since we started checking documents this way, we stopped two applications early in the process that would have been very difficult to reverse later.

Julien R.

Fraud Analyst, Fintech

France

Some applicants were sending PDFs that looked authentic but had been edited in ways not visible to the eye. We now ask for verified originals when something is flagged. Already saved us from a few bad decisions.

Marta S.

Compliance Coordinator

Spain

One invoice was caught because there was a mismatch between the document dates and structure. That particular case would have cost us significantly.

Tariq A.

Finance Manager

United Arab Emirates

FAQ

Frequently asked questions

Yes. The analysis is producer-agnostic — it inspects whichever PDF the candidate submits. Authentic slips from Zoho People, GreytHR, RazorpayX, Keka, or any HRMS carry recognisable producer signatures. Re-saves through Excel or generator tools change those signatures, which htpbe? flags.
BGV services confirm employment history with the previous employer or a registry — they verify whether the candidate worked there at all. htpbe? verifies whether the specific PDF the candidate uploaded was edited after the payroll system issued it. The two are complementary: BGV verifies the fact; htpbe? verifies the file.
Yes. Generator tools leave fingerprints in the producer field (often Chrome Headless or a specific PDF library) and miss the structured metadata that authentic payroll exports embed. The verdict on a generator-produced slip is typically modified or inconclusive with a producer mismatch flag.
A phone photo is a raster image with no PDF structure to analyse — outside scope for htpbe? Always require digital PDF uploads from candidates. If you cannot enforce that, pair htpbe? with an image-forensics tool for the photo cases.
htpbe? returns INCONCLUSIVE when a salary slip PDF lacks the institutional metadata that real payroll exports carry — typically because the file was authored on a desktop with consumer software (Word, LibreOffice, a generator tool) rather than exported from a payroll system such as Workday, ADP, Gusto, Zoho People, GreytHR, or RazorpayX. In the salary-slip context, INCONCLUSIVE is itself a high-confidence fraud signal: a genuine salary slip would never originate from a desktop tool. Treat INCONCLUSIVE on a salary slip as fraud-positive and route the case to manual employer verification or income-data verification before proceeding.
Related

Related solutions and guides

Solution

Alternative Lending

Salary slip + bank statement forensics for NBFC and alt-lender underwriting pipelines.

Read more
Solution

HR & Hiring

Pre-employment document fraud detection for talent ops and BGV operators.

Read more
Technical guide

PDF Tamper Detection

The technical pillar — how structural PDF analysis catches edits invisible to the eye.

Read more
Technical guide

Fake Form 16 Detection

Indian TDS certificate forensics — same payroll cluster as salary slips.

Read more
Technical guide

Fake ITR Detection

Income Tax Return forensics — submitted alongside salary slips as income proof.

Read more

Secure your workflow

Create your account — API key on signup, free test environment on every plan.
From $15/mo. No sales call. Cancel any time.

Secure your workflowView API docs