logo
Experience letter fraud

Fake Experience Letter Detection — Catch Forged Proof

Built for fraud ops at lending, insurance & compliance teams

A fabricated experience letter looks identical to a real one — until you read the file structure. Talent ops teams, BGV operators, and visa sponsors all face the same pattern: a candidate cannot prove four years at a previous employer, so they author a letter in Microsoft Word, sign it themselves, export to PDF, upload. Visual review passes. Structural analysis does not.

~3 sec
per document
59 checks
forensic layers
From $15
per month
1,500+
docs / month on Growth
Scope

HTPBE? analyzes the structural layer of the PDF file — the layer that records every edit, even invisible ones. We don’t inspect holograms, phone photos, or ID biometrics. If your fraud problem is a digitally fabricated or tampered experience letter, we’re the most specific tool for it.

When HTPBE? returns INCONCLUSIVE on an experience letter, that’s the expected baseline (these documents legitimately come from desktop tools at small employers); combine with other markers before flagging.

The problem

Modern document fraud is invisible to visual review

A growing class of document fraud opens a genuine PDF, edits a balance, a date, or a beneficiary, and re-saves it. Visually nothing changes — the document passes pixel-level review, layout review, and KYC.

Structural PDF analysis reads the layers rendering engines never expose: revision history, object structure, signature coverage maps. That is where edits leave fingerprints they cannot wipe.

Common tampering patterns

  • Modified balances or totals after export
  • Swapped IBAN or beneficiary on invoices
  • Post-signature edits on contracts
  • Backdated issue and modification dates
  • Fabricated documents from consumer PDF tools

What this looks like

How fake and tampered experience letters actually look

Three real fraud mechanics we catch at the structural PDF layer.

01

Letter authored in Microsoft Word from scratch

No previous employer involved. The candidate writes the letter in Word using the company’s logo lifted from LinkedIn, signs the HR Manager’s name, exports to PDF. The producer field shows Microsoft Word — not the document management system or CRM authentic letters come from.

02

Real letter with edited dates or salary

An applicant has a genuine letter from a brief stint, but the dates or compensation don’t support the role they’re applying for. They open the PDF in Adobe Acrobat or an online editor, change the dates from "Jan 2022 — Aug 2022" to "Jan 2020 — Aug 2024", re-export. Incremental update markers expose the edit.

03

Signature lifted and pasted

A signature image cropped from another document and pasted onto a fabricated letter. Image-layer artefacts (mismatched compression, misaligned baseline, redundant object streams) flag the substitution.

The scale

~1 in 8
job applicants misrepresent prior employment on background checks
$17K+
average cost to replace a fraudulent hire
~3 sec
per experience letter via API

Why your existing checks miss this

BGV calls the employer. It does not inspect the file.

Both layers matter. The employer call only works if they pick up.

BGV platforms (AuthBridge, IDfy, OnGrid, Springworks) call the previous employer to confirm employment dates and role. This works when the employer responds — but Indian BGV failure rates on previous-employment fraud detection routinely run 15–30% (employer non-response, defunct companies, HR-team turnover). When fraud detection cannot be completed, candidates fill the gap with a letter. HTPBE? catches the file the candidate sent, regardless of whether the previous employer responds. Use both: BGV for the fact when reachable, HTPBE? for the file always.

Results in under 3 seconds30 to 1,500+ documents/monthFrom $15/mo

What HTPBE? checks

Detection capabilities

Deterministic structural signals. No probabilistic scores, no model training.

Producer signature on the letter

Authentic experience letters come from the previous employer’s document workflow — typically a payroll engine, HRMS export, or DocuSign workflow. When the producer field shows Microsoft Word, LibreOffice, Google Docs, or Chrome Headless, the letter was authored on a desktop and exported by hand.

Letterhead consistency

Real corporate letterheads are embedded as part of the template’s font and image objects. Lifted-and-pasted logos appear as redundant image streams with mismatched compression — a structural fingerprint of fabrication.

Digital signature presence and chain

Many large employers digitally sign experience letters via DocuSign, Adobe Sign, or HelloSign. Authentic letters carry a valid signature chain. Fabricated letters either lack signatures entirely or have invalidated chains.

Incremental update trail

A clean export from a corporate document system has one xref table. Hand-edited letters have two or more — visible structural evidence of post-issuance editing.

Image-layer artefacts in pasted signatures

Signatures dropped in from external sources have different JPEG/PNG compression characteristics than the rest of the document. The image stream metadata exposes the paste.

Modification timestamp gap

Real letters have ModDate equal or near CreationDate. Hand-edited letters show gaps of days or weeks between creation and modification.

Share with engineering

Wire this into your intake pipeline in under a day

Two API calls — one POST to submit the PDF, one GET to retrieve the verdict. Forward this page to your engineering team; the full API reference, quotas, and copy-paste examples in cURL, JavaScript, Python, PHP, Go, and Ruby are one click away.

Full API reference for engineering

Pricing

Self-serve plans, no sales call

All plans include the same forensic checks. Pick the quota that matches your monthly document volume.

manual

Starter

$15/mo

30 checks/mo

Manual spot-checks and integration testing

most common

Growth

$149/mo

350 checks/mo

Active document processing pipelines

high volume

Pro

$499/mo

1,500 checks/mo

High-volume automation and API integrations

Enterprise (unlimited, on-premise available) see full pricing

Secure your workflowView API docs

API key on signup. Free test environment on every plan. No card required.

Customer Stories

Teams that stopped document fraud

Compliance, finance, and risk teams use HTPBE? to catch manipulated PDFs before they become costly mistakes.

Caught an invoice where the total had been changed by less than a thousand dollars. Without this I would have approved it without a second look.

Sarah M.

AP Manager

United States

We had three applicants in the same week with bank statements that looked completely fine. Two of them were flagged as modified. You simply cannot see this by reading the document — it is in the file structure.

Lars V.

Risk Analyst, Online Lending

Netherlands

Salary slips were coming with altered figures. We identified two problematic files before the placement was finalised.

Priya K.

HR Operations Lead

India

Since we started checking documents this way, we stopped two applications early in the process that would have been very difficult to reverse later.

Julien R.

Fraud Analyst, Fintech

France

Some applicants were sending PDFs that looked authentic but had been edited in ways not visible to the eye. We now ask for checked originals when something is flagged. Already saved us from a few bad decisions.

Marta S.

Compliance Coordinator

Spain

One invoice was caught because there was a mismatch between the document dates and structure. That particular case would have cost us significantly.

Tariq A.

Finance Manager

United Arab Emirates

FAQ

Frequently asked questions

What about letters from genuinely small employers who use Word for everything?

Small employers do exist and may legitimately export from Word. A Word producer alone is not a verdict — HTPBE? combines it with other markers (signature presence, image-stream metadata, incremental updates, modification timestamp). When the only signal is "Word producer", the result is typically inconclusive — a prompt for manual employer fraud detection rather than an automatic reject.

How is this different from BGV employment fraud detection?

BGV calls the previous employer to confirm employment. HTPBE? inspects the file the candidate uploaded. They are complementary — and HTPBE? works even when BGV cannot reach the previous employer (which fails 15–30% of the time in Indian BGV operations).

Can it catch backdated letters where the dates were edited?

Yes. Date edits leave incremental update markers in the xref chain regardless of whether the visual layout looks clean. The verdict will be modified with the incremental-update marker — and your reviewer can see the file was changed after issuance.

What if the candidate provides a photo of a printed letter instead of the PDF?

A phone photo is a raster image with no PDF structure to analyse — outside scope. Always require the original PDF from the previous employer. If the candidate cannot provide it, treat that as a separate signal.

What does an INCONCLUSIVE verdict mean for an experience letter?

HTPBE? returns INCONCLUSIVE when an experience letter PDF was authored on a desktop and lacks edit-trail evidence (no incremental update, no signature chain, no certainty markers fired). For an experience letter, INCONCLUSIVE is the expected baseline rather than an automatic fraud signal — small and mid-size employers legitimately author these letters in Word or Google Docs, and a clean single-session export is normal. Combine INCONCLUSIVE with the other markers HTPBE? returns (image-stream artefacts, signature image hashes, modification timestamp, cross-document signature reuse) before flagging. INCONCLUSIVE alone on an experience letter is a prompt for manual employer fraud detection, not an automatic red flag.

Secure your workflow

Create your account — API key on signup, free test environment on every plan.
From $15/mo. No sales call. Cancel any time.

Start free — close the structural fraud gapSee pricing
Read API docs →