Fake US Pay Stub Detection — catch tampered ADP, Paychex, Gusto, and QuickBooks Payroll PDFs
US property managers screening rental applications, US auto-loan and consumer-credit underwriters, and US HR teams onboarding new starters all see the same pattern: an applicant runs a free US pay-stub generator, types in a desired employer and gross, downloads the PDF. Or they take a real ADP / Paychex / Gusto / QuickBooks Payroll / Workday / Rippling stub and edit the figures before uploading. Visual review passes either way; a Form W-2 cross-check at year-end exposes the gap, but by then the lease is signed or the loan is funded.
HTPBE? analyzes the structural layer of the PDF file — the layer that records every edit, even invisible ones. We don’t inspect holograms, phone photos, or ID biometrics. If your fraud problem is a digitally fabricated or tampered pay stub, we’re the most specific tool for it.
When HTPBE? returns INCONCLUSIVE on a pay stub, that’s itself a fraud signal in this context — real pay stubs always come from a US payroll system, never from a desktop tool or generator site.
The problem
Modern document fraud is invisible to visual review
A growing class of document fraud opens a genuine PDF, edits a balance, a date, or a beneficiary, and re-saves it. Visually nothing changes — the document passes pixel-level review, layout review, and KYC.
Structural PDF analysis reads the layers rendering engines never expose: revision history, object structure, signature coverage maps. That is where edits leave fingerprints they cannot wipe.
Common tampering patterns
- Modified balances or totals after export
- Swapped IBAN or beneficiary on invoices
- Post-signature edits on contracts
- Backdated issue and modification dates
- Fabricated documents from consumer PDF tools
What this looks like
How fake and tampered pay stubs actually look
Three real fraud mechanics we catch at the structural PDF layer.
Generator-tool fabrication
Free online pay-stub generator sites produce a plausible-looking PDF for any employer name and gross the user types in. These tools leave a recognisable producer signature (often Chrome Headless or a specific PDF library) and miss the institutional metadata real payroll exports carry. Producer mismatch is unambiguous.
Real pay stub edited after issuance
Authentic pay stub from a US payroll system (ADP, Paychex, Gusto, QuickBooks Payroll, Workday, Rippling, Square Payroll, Justworks). The applicant downloads it, opens it in any PDF editor or spreadsheet, edits Gross or YTD, exports as PDF. Producer field changes from the payroll engine to whichever editor was used.
Multiple "monthly" stubs batch-created in one session
Six monthly stubs for January through June, all carrying creation timestamps within minutes of each other and identical font subset prefixes. Real monthly issuance produces dates a month apart. Cross-document timestamp clustering exposes the batch.
The scale
Why your existing US checks miss this
W-2 cross-check arrives in February. The stub was uploaded in March.
Plaid, Finicity, and The Work Number help when they help — they do not cover the PDF the applicant submitted.
US tenant-screening platforms (Snappt, The Closing Docs, RentSpree) and consumer-lending vendors run income checks through Plaid, Finicity, MX, or The Work Number — when the applicant consents or when the employer is in coverage. Applicants who fabricated the pay stub almost never connect a bank, and many small employers are outside Work Number coverage. Form W-2 reconciliation against IRS data only happens at tax filing — too late. HTPBE? catches the pay stub PDF at the moment of intake: ADP, Paychex, Gusto, QuickBooks Payroll, Workday, Rippling, Square Payroll, Justworks all carry recognisable producer signatures; a Word, Excel, or Chrome Headless producer is the smoking gun.
What HTPBE? checks
Detection capabilities
Deterministic structural signals. No probabilistic scores, no model training.
Producer signature mismatch
Authentic pay stubs carry the producer signature of US payroll software (ADP, Paychex, Gusto, QuickBooks Payroll, Workday, Rippling, Square Payroll, Justworks). When the producer is Microsoft Excel, Microsoft Word, LibreOffice, Chrome Headless, or a generic PDF library, the document was edited or fabricated on a desktop or generator tool.
Generator-tool fingerprint detection
Pay-stub generator sites typically render PDFs through headless browsers or specific PDF libraries. Their producer signatures and document structure differ from authentic payroll exports — a clean detection signal.
Incremental update trail
A clean payroll export has one cross-reference table. Re-saves through any editor append a second xref — visible structural evidence of post-issuance editing.
Gross-to-net arithmetic
Line arithmetic across the stub (Gross → federal tax → Social Security → Medicare → state tax → net) is checked row by row. Edited gross figures break the chain unless every dependent field is also adjusted.
Cross-document timestamp clustering
When multiple "monthly" stubs arrive together, the API surfaces creation timestamps for each. Real monthly issuance produces dates a month apart; batch-fabricated sets cluster within minutes — combined with identical font subsets, the batch pattern is unambiguous.
Modification timestamp gap
A real stub from March has CreationDate ≈ ModDate in March. A months-later modification on a "fresh" stub is a high-confidence flag for post-export editing.
Share with engineering
Wire this into your intake pipeline in under a day
Two API calls — one POST to submit the PDF, one GET to retrieve the verdict. Forward this page to your engineering team; the full API reference, quotas, and copy-paste examples in cURL, JavaScript, Python, PHP, Go, and Ruby are one click away.
Pricing
Self-serve plans, no sales call
All plans include the same forensic checks. Pick the quota that matches your monthly document volume.
manualStarter
$15/mo
30 checks/mo
Manual spot-checks and integration testing
most commonGrowth
$149/mo
350 checks/mo
Active document processing pipelines
high volumePro
$499/mo
1,500 checks/mo
High-volume automation and API integrations
Enterprise (unlimited, on-premise available) — see full pricing
API key on signup. Free test environment on every plan. No card required.
Customer Stories
Teams that stopped document fraud
Compliance, finance, and risk teams use HTPBE? to catch manipulated PDFs before they become costly mistakes.
Caught an invoice where the total had been changed by less than a thousand dollars. Without this I would have approved it without a second look.
Sarah M.
AP Manager
United States
We had three applicants in the same week with bank statements that looked completely fine. Two of them were flagged as modified. You simply cannot see this by reading the document — it is in the file structure.
Lars V.
Risk Analyst, Online Lending
Netherlands
Salary slips were coming with altered figures. We identified two problematic files before the placement was finalised.
Priya K.
HR Operations Lead
India
Since we started checking documents this way, we stopped two applications early in the process that would have been very difficult to reverse later.
Julien R.
Fraud Analyst, Fintech
France
Some applicants were sending PDFs that looked authentic but had been edited in ways not visible to the eye. We now ask for checked originals when something is flagged. Already saved us from a few bad decisions.
Marta S.
Compliance Coordinator
Spain
One invoice was caught because there was a mismatch between the document dates and structure. That particular case would have cost us significantly.
Tariq A.
Finance Manager
United Arab Emirates
FAQ
Frequently asked questions
Does HTPBE? work with pay stubs from any US payroll provider?
Can it catch pay stubs from generator websites?
How is this different from Snappt or The Closing Docs?
What about phone photos of pay stubs?
What does an INCONCLUSIVE verdict mean for a pay stub?
Secure your workflow
Create your account — API key on signup, free test environment on every plan.
From $15/mo. No sales call. Cancel any time.