logo
Work-eligibility compliance

Right-to-Work Document Fraud Detection

Built for fraud ops at lending, insurance & compliance teams

Your audit trail is whatever PDFs you kept. If a supporting file was altered before it reached your folder, you may still have followed the online check — but the evidence you retain is not what the issuer produced. Employers everywhere face stiff sanctions when eligibility checks fail under review. Read the file before it gets filed.

~3 sec
per document
59 checks
forensic layers
From $15
per month
1,500+
docs / month on Growth
Scope

HTPBE? analyzes the structural layer of the PDF file — the layer that records every edit, even invisible ones. We don’t inspect holograms, phone photos, or ID biometrics. Official online eligibility checks and identity-verification vendor sessions remain the primary identity step. HTPBE? catches tampering on the supporting PDF evidence you keep on file.

When HTPBE? returns INCONCLUSIVE on a work-eligibility supporting document, that’s itself a fraud signal in this context — real portal outputs and verified vendor results almost always come from institutional systems, not from a desktop editor.

The problem

Modern document fraud is invisible to visual review

A growing class of document fraud opens a genuine PDF, edits a balance, a date, or a beneficiary, and re-saves it. Visually nothing changes — the document passes pixel-level review, layout review, and KYC.

Structural PDF analysis reads the layers rendering engines never expose: revision history, object structure, signature coverage maps. That is where edits leave fingerprints they cannot wipe.

Common tampering patterns

  • Modified balances or totals after export
  • Swapped IBAN or beneficiary on invoices
  • Post-signature edits on contracts
  • Backdated issue and modification dates
  • Fabricated documents from consumer PDF tools

What this looks like

How fake and tampered work-eligibility PDFs actually look

Three real fraud mechanics we catch at the structural PDF layer.

01

Portal confirmation letter fabricated or edited

Someone obtains a genuine confirmation from an official portal for one status, then opens the resulting letter in a word processor and edits conditions or expiry — or fabricates an entire letter that mimics the portal layout. Producer fields shift from an institutional stack to Microsoft Word; structural metadata diverges.

02

Permit or ID-page scan with edited expiry or conditions

A scanned residence permit, visa, or passport ID-page PDF is opened in an editor and the expiry date or conditions are changed. The image layer is preserved; the text or annotation layer changes. Structural analysis surfaces the divergence.

03

Supporting employment evidence backdated

Payslips, contracts, or training records are backdated so the file matches the period the worker was supposedly eligible. Modification timestamps and xref trails reveal post-creation edits.

The scale

High stakes
employer sanctions and clawback risk when eligibility reviews fail
~3 sec
per supporting document via API
Audit-ready
every verdict produces an audit trail of structural markers

Why your existing checks miss this

The live check covers the session. It does not cover the file you keep.

Reviews look at retained evidence — the PDF folder, not the live screen.

Identity-verification vendors and official portals handle the live proofing step. The evidence pack you retain for an audit or internal review is what reviewers open — not the live session. If a supporting PDF in that pack was altered between issuance and retention, upstream checks do not rescue the file. HTPBE? inspects every supporting PDF at intake — standalone, no portal API, no vendor session required.

Results in under 3 seconds30 to 1,500+ documents/monthFrom $15/mo

What HTPBE? checks

Detection capabilities

Deterministic structural signals. No probabilistic scores, no model training.

Producer signature on the supporting PDF

Portal and payroll exports carry recognisable producer signatures. Identity-verification vendor outputs do too. When the producer is Microsoft Word, Excel, LibreOffice, or a generic PDF library, the document was authored on a desktop — not exported from the issuing system.

Incremental update trail

Edits to confirmation letters or scanned permit PDFs leave incremental updates in the xref chain. Authentic single-session exports have one xref; tampered files have two or more.

Annotation and form-field tampering

Form-field edits and annotation layer changes are tracked separately in PDF structure. Edited expiry dates or conditions on overlays show structural traces.

Modification timestamp gap

A genuine letter generated yesterday has CreationDate ≈ ModDate. A later modification on a supposedly fresh export is a strong flag for post-export editing.

Image stream artefacts

Scanned permits or passport pages with edited regions often show image-stream metadata mismatches — the edited region carries different JPEG/PNG compression than the surrounding scan.

Font subset divergence across pages

Multi-session edits or multi-source assembly leave font subset prefix shifts across pages of the same supporting document.

Share with engineering

Wire this into your intake pipeline in under a day

Two API calls — one POST to submit the PDF, one GET to retrieve the verdict. Forward this page to your engineering team; the full API reference, quotas, and copy-paste examples in cURL, JavaScript, Python, PHP, Go, and Ruby are one click away.

Full API reference for engineering

Pricing

Self-serve plans, no sales call

All plans include the same forensic checks. Pick the quota that matches your monthly document volume.

manual

Starter

$15/mo

30 checks/mo

Manual spot-checks and integration testing

most common

Growth

$149/mo

350 checks/mo

Active document processing pipelines

high volume

Pro

$499/mo

1,500 checks/mo

High-volume automation and API integrations

Enterprise (unlimited, on-premise available) see full pricing

Secure your workflowView API docs

API key on signup. Free test environment on every plan. No card required.

Customer Stories

Teams that stopped document fraud

Compliance, finance, and risk teams use HTPBE? to catch manipulated PDFs before they become costly mistakes.

Caught an invoice where the total had been changed by less than a thousand dollars. Without this I would have approved it without a second look.

Sarah M.

AP Manager

United States

We had three applicants in the same week with bank statements that looked completely fine. Two of them were flagged as modified. You simply cannot see this by reading the document — it is in the file structure.

Lars V.

Risk Analyst, Online Lending

Netherlands

Salary slips were coming with altered figures. We identified two problematic files before the placement was finalised.

Priya K.

HR Operations Lead

India

Since we started checking documents this way, we stopped two applications early in the process that would have been very difficult to reverse later.

Julien R.

Fraud Analyst, Fintech

France

Some applicants were sending PDFs that looked authentic but had been edited in ways not visible to the eye. We now ask for checked originals when something is flagged. Already saved us from a few bad decisions.

Marta S.

Compliance Coordinator

Spain

One invoice was caught because there was a mismatch between the document dates and structure. That particular case would have cost us significantly.

Tariq A.

Finance Manager

United Arab Emirates

FAQ

Frequently asked questions

Does this replace the official online eligibility check or our IDV vendor?

No. Those steps remain primary for live proofing. HTPBE? inspects the supporting PDFs you retain — portal letters, vendor results, payroll evidence — so none were tampered between issuance and filing. Use both.

Will it catch a confirmation letter that was never issued by the real portal?

Often yes. A forgery authored in Word lacks the producer signature and structural metadata genuine exports carry. The verdict is typically modified or inconclusive with producer-mismatch and missing-metadata flags.

What about scanned passport or permit PDFs?

Pure scans often return inconclusive — institutional metadata is thin because the scanner authored a fresh PDF. Edited regions (expiry, conditions) can leave image-stream mismatches that HTPBE? flags. Combine with live verification or manual review for raster content.

Is this suitable for employer sponsorship evidence packs?

Yes. Sponsors must retain payslips, contracts, qualification letters, and eligibility proof. HTPBE? returns structured markers per PDF for an audit trail. Compliance teams run it before documents are filed.

What does INCONCLUSIVE mean for a work-eligibility supporting document?

HTPBE? returns INCONCLUSIVE when a PDF lacks the institutional metadata typical of genuine portal or vendor exports — often because it was built in consumer software rather than exported from the issuer. In this context, INCONCLUSIVE is often a fraud signal: a real confirmation or vendor result rarely originates from a desktop tool alone. Treat it as fraud-positive, re-run the official check, and escalate before onboarding.

Secure your workflow

Create your account — API key on signup, free test environment on every plan.
From $15/mo. No sales call. Cancel any time.

Start free — close the structural fraud gapSee pricing
Read API docs →