A T4 sets the borrower’s reported income for the year — and an edited one cascades through underwriting
Mortgage brokers and B-lenders trust the T4 the borrower brings as primary income proof. HR onboarding teams trust the T4 a new starter shares as evidence of prior compensation. When that T4 is fabricated or tampered, the wrong figure is the figure the file is built on.
htpbe? analyzes the structural layer of the PDF file — the layer that records every edit, even invisible ones. We don’t inspect holograms, phone photos, or ID biometrics. If your fraud problem is a digitally altered or fabricated T4, we’re the most specific tool for it.
When htpbe? returns INCONCLUSIVE on a T4, that’s itself a fraud signal in this context — real T4 exports always come from CRA-compliant payroll software or CRA My Account, never from a desktop tool.
One REST call, one deterministic verdict
Upload the PDF. The API returns INTACT, MODIFIED, or INCONCLUSIVE with named markers — in about three seconds.
How fake and tampered T4 PDFs actually look
Three real fraud mechanics we catch at the structural PDF layer.
Real T4 edited and re-saved with a higher Box 14
Authentic T4 comes from CRA-compliant payroll software (QuickBooks Canada, Sage 50 CA, Wagepoint, Payworks, Ceridian Dayforce, ADP Canada, Knit, Humi) or from CRA My Account. The borrower opens it in any PDF editor or spreadsheet, edits Box 14 (Employment income), exports as PDF. The producer field changes from the payroll engine to whichever editor was used.
T4 fabricated in Word from a template
A T4-shaped PDF authored in Word using the CRA form layout, populated with a desired employer and earnings, exported. The producer is Microsoft Word; the structured payroll-system metadata authentic T4s carry is missing entirely.
Box arithmetic broken after edit
When Box 14 (Employment income) gets edited up, the dependent boxes — CPP contributions, EI premiums, income tax deducted — usually do not get touched. The arithmetic relationship breaks. Combined with structural edit markers, the verdict is unambiguous.
The scale
Why your existing checks miss this
CRA verification requires the borrower’s consent. Most borrowers who edited the file don’t give it.
Both layers matter. The CRA call only works if the borrower lets you make it.
CRA Auto-fill My Return and similar consent-based tooling can verify T4 figures directly with CRA — when the borrower agrees to grant access. Borrowers who edited the file rarely do. OSFI B-20 guidelines push lenders to verify income, but the verification step is downstream and slow. Equifax Canada and TransUnion verify identity and credit, not document integrity. htpbe? catches the T4 PDF the borrower uploaded at the moment of intake — standalone, no CRA API, no consent required.
Five forensic layers, one deterministic verdict
Every PDF we receive passes through the same structural pipeline — no model training, no thresholds to tune.
Metadata analysis
Creation and modification timestamps, producer and creator fields, XMP metadata — the first layer exposes basic tampering.
File structure
Xref tables, trailer chain, incremental updates. Any edit after export leaves a structural fingerprint here.
Digital signatures
Signature chain integrity and post-signature modifications produce deterministic markers. Certainty-level signal.
Content integrity
Fonts, objects, embedded content, page assembly. Multi-session edits and inserted objects are visible at this layer.
Verdict with markers
Deterministic output: INTACT / MODIFIED / INCONCLUSIVE, with named markers for every finding — suitable for audit trail.
T4 and adjacent Canadian income-proof PDFs we check
Every type listed below is analyzed at the structural file layer — not the rendered image.
Detection capabilities
Deterministic structural signals. No probabilistic scores, no model training.
Producer signature mismatch
Authentic T4s carry the producer signature of CRA-compliant payroll software or CRA My Account. When the producer is Microsoft Excel, Microsoft Word, LibreOffice, Chrome Headless, or a generic PDF library, the document was edited or fabricated on a desktop.
Incremental update trail
A clean payroll export has one cross-reference table. Re-saves through any editor append a second xref — visible structural evidence of post-issuance editing.
Box arithmetic verification
The relationship between Box 14, CPP contributions, EI premiums, and income tax deducted is verified. Edited boxes break the chain unless every dependent field is also adjusted.
Modification timestamp gap
A real T4 issued in February has CreationDate ≈ ModDate. A months-later modification on a "freshly issued" T4 is a high-confidence flag for post-export editing.
Font subset divergence across pages
Multi-session edits leave font subset prefix shifts. Single-session legitimate exports have consistent subsets across all pages.
Image-stream artefacts in fabricated T4s
Fabricated T4s often paste the CRA form layout from screenshots. Pasted image streams carry different compression characteristics than authentic embedded forms — a structural fingerprint of fabrication.
Two HTTP calls to verify any T4
Buyers can skip this section — developers, the integration is two HTTP calls.
Step 1 — submit the PDF
curl -X POST https://api.htpbe.tech/v1/analyze \
-H "Authorization: Bearer $HTPBE_API_KEY" \
-H "Content-Type: application/json" \
-d '{"url": "https://your-storage/borrower-t4-2024.pdf"}'Step 2 — read the verdict
{
"id": "t1c2a3n4-5a6d-7a8b-9c0d-e1f2g3h4i5j6",
"status": "modified",
"modification_confidence": "high",
"modification_markers": [
"Spreadsheet producer detected (Microsoft Excel)",
"Two cross-reference tables — incremental update",
"Modification date 9 months after creation date"
],
"producer": "Microsoft Excel",
"creator": "QuickBooks Canada (original)",
"creation_date": 1709251200,
"modification_date": 1733011200,
"has_digital_signature": false,
"xref_count": 2,
"has_incremental_updates": true
}Original came from QuickBooks Canada in February. Then nine months later it was opened in Microsoft Excel and re-saved — adding a second xref table. Verdict: modified at high confidence. The borrower edited a real T4 after employer issuance.
Customer Stories
Teams that stopped document fraud
Compliance, finance, and risk teams use htpbe? to catch manipulated PDFs before they become costly mistakes.
Caught an invoice where the total had been changed by less than a thousand dollars. Without this I would have approved it without a second look.
Sarah M.
AP Manager
United States
We had three applicants in the same week with bank statements that looked completely fine. Two of them were flagged as modified. You simply cannot see this by reading the document — it is in the file structure.
Lars V.
Risk Analyst, Online Lending
Netherlands
Salary slips were coming with altered figures. We identified two problematic files before the placement was finalised.
Priya K.
HR Operations Lead
India
Since we started checking documents this way, we stopped two applications early in the process that would have been very difficult to reverse later.
Julien R.
Fraud Analyst, Fintech
France
Some applicants were sending PDFs that looked authentic but had been edited in ways not visible to the eye. We now ask for verified originals when something is flagged. Already saved us from a few bad decisions.
Marta S.
Compliance Coordinator
Spain
One invoice was caught because there was a mismatch between the document dates and structure. That particular case would have cost us significantly.
Tariq A.
Finance Manager
United Arab Emirates
Frequently asked questions
modified or inconclusive with producer-mismatch and missing-metadata flags.Related solutions and guides
Mortgage Underwriting
T4 + NOA + bank statement forensics for Canadian mortgage origination and broker workflows.
Fake NOA Detection
Sister page — same forensics for the CRA Notice of Assessment PDF.
Alternative Lending
Income document forensics for Canadian alt-lenders and fintech underwriting.
Secure your workflow
Create your account — API key on signup, free test environment on every plan.
From $15/mo. No sales call. Cancel any time.