Xero Payslip Fraud Detection — Catch Fake Payslips

Built for fraud ops at lending, insurance & compliance teams

A real Xero payslip can be edited and re-saved with a higher gross — and we catch the edit. Australian property managers, UK letting agents and lenders see the same script every week: an applicant downloads a genuine Xero payslip, edits the gross figure in any PDF editor, re-exports. The visual is unchanged; the file structure is not. HTPBE? detects the re-save trail and the producer mismatch regardless of which editor was used — and catches the batch-creation pattern when "January through June" payslips arrive timestamped within minutes of each other.

  • ~3 sec per document
  • 59 checks (forensic layers)
  • From $15 per month
  • 1,500+ docs / month on Growth

Scope

HTPBE? analyzes the structural layer of the PDF file — the layer that records every edit, even invisible ones. We catch tampering, re-saves, and Word/Excel-fabricated payslips that mimic Xero’s layout. We do NOT flag a genuine fresh Xero export — even if the trial-account "employer" behind it does not exist. For that case, pair HTPBE? with an Open Banking income source-of-truth check or ABN lookups; HTPBE? handles the file, those tools handle the entity.

When HTPBE? returns INCONCLUSIVE on a Xero payslip, that’s itself a fraud signal in this context — real Xero exports always carry the Xero producer signature; INCONCLUSIVE means the file does not look like a genuine Xero export.

The problem

Modern document fraud is invisible to visual review

A growing class of document fraud opens a genuine PDF, edits a balance, a date, or a beneficiary, and re-saves it. Visually nothing changes — the document passes pixel-level review, layout review, and KYC.

Structural PDF analysis reads the layers rendering engines never expose: revision history, object structure, signature coverage maps. That is where edits leave fingerprints they cannot wipe.

Common tampering patterns

  • Modified balances or totals after export
  • Swapped IBAN or beneficiary on invoices
  • Post-signature edits on contracts
  • Backdated issue and modification dates
  • Fabricated documents from consumer PDF tools

What this looks like

How tampered and fabricated Xero-style payslips actually look

Three real fraud mechanics we catch at the structural PDF layer.

01. Real Xero export edited after download

A genuine Xero payslip downloaded by an actual employee, opened in any PDF editor or spreadsheet, gross bumped or deductions reduced, exported as PDF. The producer field changes from Xero to whichever tool was used, and the xref chain shows an incremental update — visible structural evidence the file was edited after Xero issued it.

02. Word/Excel-fabricated payslip mimicking Xero layout

A payslip authored in Microsoft Word or Excel using a Xero-style template lifted from screenshots — never actually exported from Xero. The producer field is Microsoft Word or Excel rather than Xero, and the structural metadata that real Xero exports carry is missing. A clean producer-mismatch flag.

03. Multiple "monthly" payslips batch-created in one session

Six "monthly" payslips for January through June, all carrying creation timestamps within minutes of each other and identical font subset prefixes. Real monthly payslips are issued one per pay run with creation dates months apart. Cross-document timestamp clustering and font subset consistency expose the batch.

The scale

  • ~50% of AU/UK tenancy fraud involves fake or doctored income documents
  • ~3 sec per payslip via API
  • No Xero API integration needed — works on the file

Why your existing checks miss this

Open Banking shows the income. It does not show the employer.

And applicants who fabricated the employer rarely connect the bank.

Tenant-referencing platforms (Snappt, Goodlord, RentProfile, FCC Paragon, Equifax Tenant Tracker) and lending-tech vendors check income through Open Banking when the applicant agrees to connect — applicants who built a fake Xero company rarely do. ATO Single Touch Payroll data checks real employers but is not accessible to private property managers or lenders. HTPBE? catches the payslip the applicant uploaded, regardless of whether STP or Open Banking is available — standalone, no Xero API, no ATO lookup.

Results in under 3 seconds · 30 to 1,500+ documents/month · From $15/mo

What HTPBE? checks

Detection capabilities

Deterministic structural signals. No probabilistic scores, no model training.

Producer signature mismatch

Authentic Xero payslips carry the Xero producer signature in the PDF metadata. When the producer is Microsoft Excel, LibreOffice, Microsoft Word, Chrome Headless, or a generic PDF library, the document was not exported by Xero — it was edited or fabricated on a desktop using a layout that resembles Xero.

Incremental update trail

A clean Xero export has one cross-reference table. Re-saves through Excel or PDF editors append a second xref — visible structural evidence of post-export editing.

Gross-to-net arithmetic

Line arithmetic across the payslip (Gross → tax → super → net) is checked row by row. Edited gross figures break the chain unless every dependent field is also adjusted — which fraudsters routinely miss.

Cross-payslip timestamp clustering

When multiple "monthly" payslips arrive together, the API surfaces creation timestamps for each. Real monthly issuance produces dates a month apart; batch-generated sets cluster within minutes. Combined with identical font subset prefixes, the batch pattern is unambiguous.

Modification timestamp gap

A real payslip from March has CreationDate ≈ ModDate in March. A six-month gap on a "freshly issued" payslip is a high-confidence flag for post-export editing.

Font subset divergence across pages

Multi-session edits or page reassembly leave font subset prefix shifts. Single-session legitimate exports have consistent subsets.
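
A minimal sketch of four of the signals described above (producer mismatch, incremental update trail, modification timestamp gap, cross-payslip clustering), added here as an illustration and not HTPBE?'s own code. The `xero` producer substring, the one-day and 30-minute thresholds, the `Hypothetical PDF Editor` name and the sample revisions are constructed assumptions; a regex over raw bytes stands in for a real PDF parser.

```python
import re
from datetime import datetime, timedelta

def last_info(pdf, key):
    # Last occurrence wins: an incremental update appends a newer Info dictionary.
    hits = re.findall(rb"/" + key + rb"\s*\(([^)]*)\)", pdf)
    return hits[-1] if hits else b""

def pdf_date(raw):
    # PDF dates look like D:YYYYMMDDHHmmSS...; the timezone suffix is ignored here.
    m = re.match(rb"D:(\d{14})", raw)
    return datetime.strptime(m.group(1).decode(), "%Y%m%d%H%M%S") if m else None

def structural_signals(pdf, expected=b"xero", max_gap=timedelta(days=1)):
    created = pdf_date(last_info(pdf, b"CreationDate"))
    modified = pdf_date(last_info(pdf, b"ModDate"))
    return {
        "producer_mismatch": expected not in last_info(pdf, b"Producer").lower(),
        # Each saved revision ends with its own startxref ... %%EOF trailer.
        "incremental_update": len(re.findall(rb"startxref\s+\d+\s+%%EOF", pdf)) > 1,
        "mod_gap": bool(created and modified and modified - created > max_gap),
        "created": created,
        "font_prefixes": frozenset(re.findall(rb"/FontName\s*/([A-Z]{6})\+", pdf)),
    }

def batch_created(pdfs, window=timedelta(minutes=30)):
    # Flags "monthly" payslips created inside one window with identical font subset tags.
    sigs = [structural_signals(p) for p in pdfs]
    times = sorted(s["created"] for s in sigs if s["created"])
    clustered = len(times) > 1 and times[-1] - times[0] <= window
    same_fonts = len({s["font_prefixes"] for s in sigs}) == 1
    return clustered and same_fonts

def revision(producer, created, modified, font_tag):
    # Constructed, simplified revision (not a valid PDF; only the fields checked above).
    return (b"1 0 obj<</Producer (" + producer + b")/CreationDate (D:" + created +
            b")/ModDate (D:" + modified + b")>>endobj\n2 0 obj<</FontName /" + font_tag +
            b"+Arial>>endobj\nxref\ntrailer<</Info 1 0 R>>\nstartxref\n9\n%%EOF\n")

GENUINE = b"%PDF-1.7\n" + revision(b"Xero", b"20240315090000", b"20240315090000", b"ABCDEF")
EDITED = GENUINE + revision(b"Hypothetical PDF Editor", b"20240315090000",
                            b"20240902101500", b"ABCDEF")
BATCH = [b"%PDF-1.7\n" + revision(b"Microsoft Word", b"202406011200%02d" % i,
                                  b"202406011200%02d" % i, b"QWERTY") for i in range(6)]
```

Linearized (fast web view) PDFs legitimately contain two cross-reference sections, and metadata held in compressed object streams is invisible to a byte-level regex, so a production check needs a full PDF parser rather than this pattern match.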

Share with engineering

Wire this into your intake pipeline in under a day

Two API calls — one POST to submit the PDF, one GET to retrieve the verdict. Forward this page to your engineering team; the full API reference, quotas, and copy-paste examples in cURL, JavaScript, Python, PHP, Go, and Ruby are one click away.

Pricing

Self-serve plans, no sales call

All plans include the same forensic checks. Pick the quota that matches your monthly document volume.

  • Starter (manual): $15/mo, 30 checks/mo. Manual spot-checks and integration testing
  • Growth (most common): $149/mo, 350 checks/mo. Active document processing pipelines
  • Pro (high volume): $499/mo, 1,500 checks/mo. High-volume automation and API integrations

Enterprise (unlimited, on-premise available) see full pricing

API key on signup. Free test environment on every plan. No card required.

Customer Stories

Teams that stopped document fraud

Compliance, finance, and risk teams use HTPBE? to catch manipulated PDFs before they become costly mistakes.

Caught an invoice where the total had been changed by less than a thousand dollars. Without this I would have approved it without a second look.

Sarah M., AP Manager, United States

We had three applicants in the same week with bank statements that looked completely fine. Two of them were flagged as modified. You simply cannot see this by reading the document — it is in the file structure.

Lars V., Risk Analyst, Online Lending, Netherlands

Salary slips were coming with altered figures. We identified two problematic files before the placement was finalised.

Priya K., HR Operations Lead, India

Since we started checking documents this way, we stopped two applications early in the process that would have been very difficult to reverse later.

Julien R., Fraud Analyst, Fintech, France

Some applicants were sending PDFs that looked authentic but had been edited in ways not visible to the eye. We now ask for checked originals when something is flagged. Already saved us from a few bad decisions.

Marta S., Compliance Coordinator, Spain

One invoice was caught because there was a mismatch between the document dates and structure. That particular case would have cost us significantly.

Tariq A., Finance Manager, United Arab Emirates

FAQ

Frequently asked questions

What about a genuine fresh Xero export from a trial account with a fake employer?

Honest answer: HTPBE? will return intact for that file. A fresh PDF really exported by Xero — even from a trial account spun up to fabricate an employer — carries the legitimate Xero producer signature and no edit trail. We can only detect edits to PDFs and fabrications without payroll producer signatures. For trial-account fraud, pair HTPBE? with Open Banking (Basiq, Frollo) to check income against the applicant’s actual bank account, or with ABN Lookup to check the employer entity. HTPBE? handles the file; those tools handle the entity.

How is this different from an Open Banking income source-of-truth check?

Open Banking checks income from the applicant’s bank account — but only when the applicant agrees to connect. Applicants who fabricated the employer (and therefore have no real salary credit in any bank) rarely consent. HTPBE? catches the payslip itself, regardless of whether banking access is available. Use both.

Can it catch payslips from Xero alternatives like MYOB or Reckon?

Yes. The analysis is producer-agnostic. We run a dedicated MYOB payslip page (/use-cases/fake-pay-stub-detection/myob-payslip-fraud-detection) but the same engine handles Reckon, KeyPay, Employment Hero, and any other AU/UK payroll producer.

Do we need to call Xero or the ATO to check?

No. HTPBE? performs standalone forensic analysis on the PDF the applicant uploaded — no Xero API call, no ATO/STP lookup, no applicant consent required. The signals are inside the file structure.

What does an INCONCLUSIVE verdict mean for a Xero payslip?

HTPBE? returns INCONCLUSIVE when a payslip PDF lacks the Xero producer signature and institutional metadata that real Xero exports carry — typically because the file was authored on a desktop with consumer software (Word, Excel, LibreOffice) rather than exported from the Xero payroll engine. In the Xero-payslip context, INCONCLUSIVE is itself a high-confidence fraud signal: a genuine Xero payslip would always carry the Xero producer signature. INCONCLUSIVE means the document does not look like a real Xero export. Treat INCONCLUSIVE as fraud-positive and route the case to an Open Banking income source-of-truth check or an ABN lookup before approval.

Secure your workflow

Create your account — API key on signup, free test environment on every plan.
From $15/mo. No sales call. Cancel any time.