logo
T4 fraud

A T4 sets the borrower’s reported income for the year — and an edited one cascades through underwriting

Built for fraud ops at lending, insurance & compliance teams

Mortgage brokers and B-lenders trust the T4 the borrower brings as primary income proof. HR onboarding teams trust the T4 a new starter shares as evidence of prior compensation. When that T4 is fabricated or tampered, the wrong figure is the figure the file is built on.

~3 sec
per document
59 checks
forensic layers
From $15
per month
1,500+
docs / month on Growth
Scope

HTPBE? analyzes the structural layer of the PDF file — the layer that records every edit, even invisible ones. We don’t inspect holograms, phone photos, or ID biometrics. If your fraud problem is a digitally altered or fabricated T4, we’re the most specific tool for it.

When HTPBE? returns INCONCLUSIVE on a T4, that’s itself a fraud signal in this context — real T4 exports always come from CRA-compliant payroll software or CRA My Account, never from a desktop tool.

The problem

Modern document fraud is invisible to visual review

A growing class of document fraud opens a genuine PDF, edits a balance, a date, or a beneficiary, and re-saves it. Visually nothing changes — the document passes pixel-level review, layout review, and KYC.

Structural PDF analysis reads the layers rendering engines never expose: revision history, object structure, signature coverage maps. That is where edits leave fingerprints they cannot wipe.

Common tampering patterns

  • Modified balances or totals after export
  • Swapped IBAN or beneficiary on invoices
  • Post-signature edits on contracts
  • Backdated issue and modification dates
  • Fabricated documents from consumer PDF tools

What this looks like

How fake and tampered T4 PDFs actually look

Three real fraud mechanics we catch at the structural PDF layer.

01

Real T4 edited and re-saved with a higher Box 14

Authentic T4 comes from CRA-compliant payroll software (QuickBooks Canada, Sage 50 CA, Wagepoint, Payworks, Ceridian Dayforce, ADP Canada, Knit, Humi) or from CRA My Account. The borrower opens it in any PDF editor or spreadsheet, edits Box 14 (Employment income), exports as PDF. The producer field changes from the payroll engine to whichever editor was used.

02

T4 fabricated in Word from a template

A T4-shaped PDF authored in Word using the CRA form layout, populated with a desired employer and earnings, exported. The producer is Microsoft Word; the structured payroll-system metadata authentic T4s carry is missing entirely.

03

Box arithmetic broken after edit

When Box 14 (Employment income) gets edited up, the dependent boxes — CPP contributions, EI premiums, income tax deducted — usually do not get touched. The arithmetic relationship breaks. Combined with structural edit markers, the verdict is unambiguous.

The scale

Top 3
fraud categories in Canadian mortgage applications involve income document tampering
~3 sec
per T4 via API
No CRA
no CRA API call needed — works on the file

Why your existing checks miss this

CRA fraud detection requires the borrower’s consent. Most borrowers who edited the file don’t give it.

Both layers matter. The CRA call only works if the borrower lets you make it.

CRA Auto-fill My Return and similar consent-based tooling can check T4 figures directly with CRA — when the borrower agrees to grant access. Borrowers who edited the file rarely do. OSFI B-20 guidelines push lenders to check income, but the fraud detection step is downstream and slow. Equifax Canada and TransUnion check identity and credit, not document integrity. HTPBE? catches the T4 PDF the borrower uploaded at the moment of intake — standalone, no CRA API, no consent required.

Results in under 3 seconds30 to 1,500+ documents/monthFrom $15/mo

What HTPBE? checks

Detection capabilities

Deterministic structural signals. No probabilistic scores, no model training.

Producer signature mismatch

Authentic T4s carry the producer signature of CRA-compliant payroll software or CRA My Account. When the producer is Microsoft Excel, Microsoft Word, LibreOffice, Chrome Headless, or a generic PDF library, the document was edited or fabricated on a desktop.

Incremental update trail

A clean payroll export has one cross-reference table. Re-saves through any editor append a second xref — visible structural evidence of post-issuance editing.

Box arithmetic fraud detection

The relationship between Box 14, CPP contributions, EI premiums, and income tax deducted is checked. Edited boxes break the chain unless every dependent field is also adjusted.

Modification timestamp gap

A real T4 issued in February has CreationDate ≈ ModDate. A months-later modification on a "freshly issued" T4 is a high-confidence flag for post-export editing.

Font subset divergence across pages

Multi-session edits leave font subset prefix shifts. Single-session legitimate exports have consistent subsets across all pages.

Image-stream artefacts in fabricated T4s

Fabricated T4s often paste the CRA form layout from screenshots. Pasted image streams carry different compression characteristics than authentic embedded forms — a structural fingerprint of fabrication.

Share with engineering

Wire this into your intake pipeline in under a day

Two API calls — one POST to submit the PDF, one GET to retrieve the verdict. Forward this page to your engineering team; the full API reference, quotas, and copy-paste examples in cURL, JavaScript, Python, PHP, Go, and Ruby are one click away.

Full API reference for engineering

Pricing

Self-serve plans, no sales call

All plans include the same forensic checks. Pick the quota that matches your monthly document volume.

manual

Starter

$15/mo

30 checks/mo

Manual spot-checks and integration testing

most common

Growth

$149/mo

350 checks/mo

Active document processing pipelines

high volume

Pro

$499/mo

1,500 checks/mo

High-volume automation and API integrations

Enterprise (unlimited, on-premise available) see full pricing

Secure your workflowView API docs

API key on signup. Free test environment on every plan. No card required.

Customer Stories

Teams that stopped document fraud

Compliance, finance, and risk teams use HTPBE? to catch manipulated PDFs before they become costly mistakes.

Caught an invoice where the total had been changed by less than a thousand dollars. Without this I would have approved it without a second look.

Sarah M.

AP Manager

United States

We had three applicants in the same week with bank statements that looked completely fine. Two of them were flagged as modified. You simply cannot see this by reading the document — it is in the file structure.

Lars V.

Risk Analyst, Online Lending

Netherlands

Salary slips were coming with altered figures. We identified two problematic files before the placement was finalised.

Priya K.

HR Operations Lead

India

Since we started checking documents this way, we stopped two applications early in the process that would have been very difficult to reverse later.

Julien R.

Fraud Analyst, Fintech

France

Some applicants were sending PDFs that looked authentic but had been edited in ways not visible to the eye. We now ask for checked originals when something is flagged. Already saved us from a few bad decisions.

Marta S.

Compliance Coordinator

Spain

One invoice was caught because there was a mismatch between the document dates and structure. That particular case would have cost us significantly.

Tariq A.

Finance Manager

United Arab Emirates

FAQ

Frequently asked questions

Does HTPBE? work with T4s from any Canadian payroll provider?

Yes. The analysis is producer-agnostic — it inspects whichever PDF the borrower submits. Authentic T4s from QuickBooks Canada, Sage 50 CA, Wagepoint, Payworks, Ceridian Dayforce, ADP Canada, Knit, Humi, or directly from CRA My Account all carry recognisable producer signatures. Re-saves change those signatures, which HTPBE? flags.

Do I need to call CRA to check T4s?

No. HTPBE? performs standalone forensic analysis on the PDF the borrower uploaded — no CRA API call, no Auto-fill My Return integration, no borrower consent for portal access required. The signals are inside the file structure.

Can it catch T4s fabricated entirely from scratch?

Yes. Fabricated T4s authored in Word lack the payroll-system or CRA producer signature and the structural metadata genuine T4s carry. The verdict is typically modified or inconclusive with producer-mismatch and missing-metadata flags.

What about T4s downloaded from CRA My Account directly?

CRA My Account exports carry a recognisable CRA producer signature. Borrowers who download from CRA, then edit the figures and re-save, will trigger producer mismatch and incremental update flags — same as edits to employer-issued T4s.

What does an INCONCLUSIVE verdict mean for a T4?

HTPBE? returns INCONCLUSIVE when a T4 PDF lacks the institutional metadata that genuine CRA-compliant payroll exports carry — typically because the file was authored on a desktop with consumer software (Word, Excel, LibreOffice) rather than exported from a payroll system such as QuickBooks Canada, Sage 50 CA, ADP Canada, or downloaded from CRA My Account. In the T4 context, INCONCLUSIVE is itself a high-confidence fraud signal: a real T4 always comes from CRA-compliant payroll software or CRA My Account, never from a desktop tool. Treat INCONCLUSIVE on a T4 as fraud-positive and route the case to manual employer fraud detection or CRA Auto-fill My Return consent before underwriting.

Secure your workflow

Create your account — API key on signup, free test environment on every plan.
From $15/mo. No sales call. Cancel any time.

Start free — close the structural fraud gapSee pricing
Read API docs →