logo
Employment letter fraud

Fake Employment Letter Detection — Catch Forged Letters

Built for fraud ops at lending, insurance & compliance teams

An employment fraud detection letter is the cheapest piece of paper a borrower or tenant can fabricate — and the one your underwriting team trusts. Mortgage and personal-loan underwriters, leasing agents, immigration officers, and HR onboarding teams all accept employment fraud detection letters as proof. Fraud rings know it. They author letters in Microsoft Word using a real employer’s template, sign an HR Manager’s name, export to PDF. Visual review passes; structural analysis does not.

~3 sec
per document
59 checks
forensic layers
From $15
per month
1,500+
docs / month on Growth
Scope

HTPBE? analyzes the structural layer of the PDF file — the layer that records every edit, even invisible ones. We don’t inspect holograms, phone photos, or ID biometrics. If your fraud problem is a digitally fabricated or tampered employment fraud detection letter, we’re the most specific tool for it.

Employment letters are mixed-origin: large employers issue them through HRMS, voluntary-VOE platforms (The Work Number), or DocuSign workflows (institutional metadata expected); small employers and HR managers legitimately export from Word (desktop metadata expected). When HTPBE? returns INCONCLUSIVE, the meaning depends on the named employer. Read the FAQ for guidance.

The problem

Modern document fraud is invisible to visual review

A growing class of document fraud opens a genuine PDF, edits a balance, a date, or a beneficiary, and re-saves it. Visually nothing changes — the document passes pixel-level review, layout review, and KYC.

Structural PDF analysis reads the layers rendering engines never expose: revision history, object structure, signature coverage maps. That is where edits leave fingerprints they cannot wipe.

Common tampering patterns

  • Modified balances or totals after export
  • Swapped IBAN or beneficiary on invoices
  • Post-signature edits on contracts
  • Backdated issue and modification dates
  • Fabricated documents from consumer PDF tools

What this looks like

How fake and tampered employment letters actually look

Three real fraud mechanics we catch at the structural PDF layer.

01

Letter authored in Microsoft Word from scratch

No employer involved. The applicant downloads the company logo from LinkedIn, drops it into Word, types the fraud detection letter with an inflated salary or invented role, signs an HR Manager’s name they invented, exports to PDF. The producer field shows Microsoft Word — not the HRMS, VOE platform, or DocuSign workflow large employers use.

02

Real letter with edited salary, dates, or role

Applicant has a genuine letter but the salary or tenure doesn’t support the loan, lease, or visa they want. They open the PDF in any editor, change the figure or date, re-export. Incremental update markers expose the edit even when the visual layout looks pixel-perfect.

03

Letter signed by a non-existent or impersonated HR Manager

A "Director of Human Resources" name nobody at the named company has heard of, with a signature that doesn’t match anything else from that employer. The structural fingerprints (Word producer, single-session export, no e-sign chain) match a desktop fabrication regardless of the visual letterhead.

The scale

~10–15%
of mortgage and personal-loan applications include some form of income or employment misrepresentation
$25K+
average underwriting loss per fraudulent loan with falsified employment proof
~3 sec
per employment letter via API

Why your existing checks miss this

VOE platforms check the fact when they have the employer. Underwriters often don’t.

And visual review of an employment letter PDF rarely catches a Word fabrication.

VOE platforms (The Work Number, Truework, Argyle) cover roughly two-thirds of large US employers — they confirm employment instantly when the named employer is in network. Outside that network (small employers, international, gig, recent hires), underwriters fall back to the PDF letter the applicant uploaded. HTPBE? catches the file the applicant uploaded — works regardless of VOE coverage. Use VOE where you have it; use HTPBE? everywhere else.

Results in under 3 seconds30 to 1,500+ documents/monthFrom $15/mo

What HTPBE? checks

Detection capabilities

Deterministic structural signals. No probabilistic scores, no model training.

Producer signature on the letter

Authentic employment letters from large employers come from HRMS exports (Workday, SuccessFactors, BambooHR), VOE platforms (The Work Number, Truework), or DocuSign / Adobe Sign workflows. When the producer field shows Microsoft Word, LibreOffice, Google Docs, or a generic PDF library, the letter was authored on a desktop — context-dependent at small employers, a high-confidence flag against a Fortune 500 letterhead.

Digital signature presence and chain

Most large-employer fraud detection letters are e-signed via DocuSign, Adobe Sign, or HelloSign. Authentic letters carry a valid signature chain visible in the PDF structure. Fabricated letters either lack signatures entirely or have invalidated chains.

Incremental update trail

A clean export from an HRMS or e-sign workflow has one cross-reference table. Re-saves through any PDF editor append a second xref — visible structural evidence of post-issuance editing on a salary, tenure, or signing party.

Letterhead and image-stream artefacts

Real corporate letterheads are embedded as part of the template’s font and image objects. Lifted-and-pasted logos appear as redundant image streams with mismatched compression characteristics — a structural fingerprint of fabrication.

Modification timestamp gap

A real letter issued at the time of request has CreationDate matching ModDate (single-session export). A weeks-or-months-later modification on a "freshly issued" letter is a high-confidence flag for post-export editing.

Cross-document signature reuse

When the same HR signature image appears across multiple "different" employer letters from a single applicant pool, image-stream hash matching exposes the shared source — a fingerprint of a single fabricator producing multiple fraud detection letters.

Share with engineering

Wire this into your intake pipeline in under a day

Two API calls — one POST to submit the PDF, one GET to retrieve the verdict. Forward this page to your engineering team; the full API reference, quotas, and copy-paste examples in cURL, JavaScript, Python, PHP, Go, and Ruby are one click away.

Full API reference for engineering

Pricing

Self-serve plans, no sales call

All plans include the same forensic checks. Pick the quota that matches your monthly document volume.

manual

Starter

$15/mo

30 checks/mo

Manual spot-checks and integration testing

most common

Growth

$149/mo

350 checks/mo

Active document processing pipelines

high volume

Pro

$499/mo

1,500 checks/mo

High-volume automation and API integrations

Enterprise (unlimited, on-premise available) see full pricing

Secure your workflowView API docs

API key on signup. Free test environment on every plan. No card required.

Customer Stories

Teams that stopped document fraud

Compliance, finance, and risk teams use HTPBE? to catch manipulated PDFs before they become costly mistakes.

Caught an invoice where the total had been changed by less than a thousand dollars. Without this I would have approved it without a second look.

Sarah M.

AP Manager

United States

We had three applicants in the same week with bank statements that looked completely fine. Two of them were flagged as modified. You simply cannot see this by reading the document — it is in the file structure.

Lars V.

Risk Analyst, Online Lending

Netherlands

Salary slips were coming with altered figures. We identified two problematic files before the placement was finalised.

Priya K.

HR Operations Lead

India

Since we started checking documents this way, we stopped two applications early in the process that would have been very difficult to reverse later.

Julien R.

Fraud Analyst, Fintech

France

Some applicants were sending PDFs that looked authentic but had been edited in ways not visible to the eye. We now ask for checked originals when something is flagged. Already saved us from a few bad decisions.

Marta S.

Compliance Coordinator

Spain

One invoice was caught because there was a mismatch between the document dates and structure. That particular case would have cost us significantly.

Tariq A.

Finance Manager

United Arab Emirates

FAQ

Frequently asked questions

Does this work for letters from any size employer?

Yes — but the interpretation differs. Large employers (Workday, DocuSign, VOE platforms) leave institutional metadata; absence is a flag. Small employers legitimately export from Word, so a Word producer alone yields inconclusive — combine with other markers (image-stream artefacts, signature image hashes, incremental updates, cross-document signature reuse) before flagging. The verdict is producer-aware in context, not a binary reject.

How is this different from VOE platforms?

VOE platforms (The Work Number, Truework, Argyle) connect to employer payroll systems and confirm employment instantly when the employer is in network. HTPBE? inspects the PDF the applicant uploaded — works regardless of VOE coverage. They are complementary: VOE for the fact when reachable, HTPBE? for the file always.

Can it catch a salary or tenure edit on an otherwise real letter?

Yes. Salary or tenure edits require opening the PDF in an editor and re-saving — which appends an incremental update to the xref chain. The verdict will be modified with the incremental-update marker even when the visual layout looks clean.

What does an INCONCLUSIVE verdict mean for an employment fraud detection letter?

HTPBE? returns INCONCLUSIVE when an employment letter PDF was authored on a desktop and lacks edit-trail evidence (no incremental update, no signature chain, no certainty markers fired). For an employment letter, the meaning depends on the named employer: against a Fortune 500 or any company that uses HRMS or DocuSign workflows, INCONCLUSIVE is a high-confidence flag. Against a small employer or startup that legitimately exports from Word, INCONCLUSIVE is the expected baseline. Combine with image-stream artefacts, signature image hashes, modification timestamp, and cross-document signature reuse before flagging.

Secure your workflow

Create your account — API key on signup, free test environment on every plan.
From $15/mo. No sales call. Cancel any time.

Start free — close the structural fraud gapSee pricing
Read API docs →