logo
Xero payslip fraud

Xero Payslip Fraud Detection — Catch Fake Payslips

A real Xero payslip can be edited and re-saved with a higher gross — and we catch the edit. Australian property managers, UK letting agents and lenders see the same script every week: an applicant downloads a genuine Xero payslip, edits the gross figure in any PDF editor, re-exports. The visual is unchanged; the file structure is not. htpbe? detects the re-save trail and the producer mismatch regardless of which editor was used — and catches the batch-creation pattern when "January through June" payslips arrive timestamped within minutes of each other.

~3 sec
per document
35 checks
forensic layers
From $15
per month
1,500+
docs / month on Growth
Scope

htpbe? analyzes the structural layer of the PDF file — the layer that records every edit, even invisible ones. We catch tampering, re-saves, and Word/Excel-fabricated payslips that mimic Xero’s layout. We do NOT detect a genuine fresh Xero export — even if the trial-account "employer" behind it does not exist. For that case, pair htpbe? with Open Banking income verification or ABN lookups; htpbe? handles the file, those tools handle the entity.

When htpbe? returns INCONCLUSIVE on a Xero payslip, that’s itself a fraud signal in this context — real Xero exports always carry the Xero producer signature; INCONCLUSIVE means the file does not look like a genuine Xero export.

How it looks

One REST call, one deterministic verdict

Upload the PDF. The API returns INTACT, MODIFIED, or INCONCLUSIVE with named markers — in about three seconds.

What this looks like

How tampered and fabricated Xero-style payslips actually look

Three real fraud mechanics we catch at the structural PDF layer.

01

Real Xero export edited after download

A genuine Xero payslip downloaded by an actual employee, opened in any PDF editor or spreadsheet, gross bumped or deductions reduced, exported as PDF. The producer field changes from Xero to whichever tool was used, and the xref chain shows an incremental update — visible structural evidence the file was edited after Xero issued it.

02

Word/Excel-fabricated payslip mimicking Xero layout

A payslip authored in Microsoft Word or Excel using a Xero-style template lifted from screenshots — never actually exported from Xero. The producer field is Microsoft Word or Excel rather than Xero, and the structural metadata that real Xero exports carry is missing. A clean producer-mismatch flag.

03

Multiple "monthly" payslips batch-created in one session

Six "monthly" payslips for January through June, all carrying creation timestamps within minutes of each other and identical font subset prefixes. Real monthly payslips are issued one per pay run with creation dates months apart. Cross-document timestamp clustering and font subset consistency expose the batch.

The scale

~50%
of AU/UK tenancy fraud involves fake or doctored income documents
~3 sec
per payslip via API
No Xero
no Xero API integration needed — works on the file

Why your existing checks miss this

Open Banking shows the income. It does not show the employer.

And applicants who fabricated the employer rarely connect the bank.

Tenant-referencing platforms (Snappt, Goodlord, RentProfile, FCC Paragon, Equifax Tenant Tracker) and lending-tech vendors verify income through Open Banking when the applicant agrees to connect — applicants who built a fake Xero company rarely do. ATO Single Touch Payroll data verifies real employers but is not accessible to private property managers or lenders. htpbe? catches the payslip the applicant uploaded, regardless of whether STP or Open Banking is available — standalone, no Xero API, no ATO lookup.

Results in under 3 seconds30 to 1,500+ documents/monthFrom $15/mo
How it works

Five forensic layers, one deterministic verdict

Every PDF we receive passes through the same structural pipeline — no model training, no thresholds to tune.

01

Metadata analysis

Creation and modification timestamps, producer and creator fields, XMP metadata — the first layer exposes basic tampering.

02

File structure

Xref tables, trailer chain, incremental updates. Any edit after export leaves a structural fingerprint here.

03

Digital signatures

Signature chain integrity and post-signature modifications produce deterministic markers. Certainty-level signal.

04

Content integrity

Fonts, objects, embedded content, page assembly. Multi-session edits and inserted objects are visible at this layer.

05

Verdict with markers

Deterministic output: INTACT / MODIFIED / INCONCLUSIVE, with named markers for every finding — suitable for audit trail.

See the full 35-check breakdown
Document types

Xero payslips and adjacent income-proof PDFs we check

Every type listed below is analyzed at the structural file layer — not the rendered image.

Xero payslip PDFMYOB payslip PDFReckon payslip PDFKeyPay / Employment Hero payslip PDFPAYG summary PDFBank statement PDF (salary credits)Superannuation statement PDF
What htpbe? checks

Detection capabilities

Deterministic structural signals. No probabilistic scores, no model training.

Producer signature mismatch

Authentic Xero payslips carry the Xero producer signature in the PDF metadata. When the producer is Microsoft Excel, LibreOffice, Microsoft Word, Chrome Headless, or a generic PDF library, the document was not exported by Xero — it was edited or fabricated on a desktop using a layout that resembles Xero.

Incremental update trail

A clean Xero export has one cross-reference table. Re-saves through Excel or PDF editors append a second xref — visible structural evidence of post-export editing.

Gross-to-net arithmetic

Line arithmetic across the payslip (Gross → tax → super → net) is verified row by row. Edited gross figures break the chain unless every dependent field is also adjusted — which fraudsters routinely miss.

Cross-payslip timestamp clustering

When multiple "monthly" payslips arrive together, the API surfaces creation timestamps for each. Real monthly issuance produces dates a month apart; batch-generated sets cluster within minutes. Combined with identical font subset prefixes, the batch pattern is unambiguous.

Modification timestamp gap

A real payslip from March has CreationDate ≈ ModDate in March. A six-month gap on a "freshly issued" payslip is a high-confidence flag for post-export editing.

Font subset divergence across pages

Multi-session edits or page reassembly leave font subset prefix shifts. Single-session legitimate exports have consistent subsets.

Integrate in minutes

Two HTTP calls to verify any Xero payslip

Buyers can skip this section — developers, the integration is two HTTP calls.

Step 1 — submit the PDF

curl -X POST https://api.htpbe.tech/v1/analyze \
  -H "Authorization: Bearer $HTPBE_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"url": "https://your-storage/applicant-payslip-xero.pdf"}'

Step 2 — read the verdict

{
  "id": "x1y2z3a4-5b6c-7d8e-9f0g-h1i2j3k4l5m6",
  "status": "modified",
  "modification_confidence": "high",
  "modification_markers": [
    "Spreadsheet producer detected (Microsoft Excel)",
    "Two cross-reference tables — incremental update",
    "Modification date 4 months after creation date"
  ],
  "producer": "Microsoft Excel",
  "creator": "Xero (original)",
  "creation_date": 1696464000,
  "modification_date": 1707350400,
  "has_digital_signature": false,
  "xref_count": 2,
  "has_incremental_updates": true
}

Original came from Xero. Then four months later it was opened in Microsoft Excel and re-saved — adding a second xref table. Verdict: modified at high confidence. The applicant edited a real Xero payslip after download.

Get your API key — free test keys includedFull API documentation

Customer Stories

Teams that stopped document fraud

Compliance, finance, and risk teams use htpbe? to catch manipulated PDFs before they become costly mistakes.

Caught an invoice where the total had been changed by less than a thousand dollars. Without this I would have approved it without a second look.

Sarah M.

AP Manager

United States

We had three applicants in the same week with bank statements that looked completely fine. Two of them were flagged as modified. You simply cannot see this by reading the document — it is in the file structure.

Lars V.

Risk Analyst, Online Lending

Netherlands

Salary slips were coming with altered figures. We identified two problematic files before the placement was finalised.

Priya K.

HR Operations Lead

India

Since we started checking documents this way, we stopped two applications early in the process that would have been very difficult to reverse later.

Julien R.

Fraud Analyst, Fintech

France

Some applicants were sending PDFs that looked authentic but had been edited in ways not visible to the eye. We now ask for verified originals when something is flagged. Already saved us from a few bad decisions.

Marta S.

Compliance Coordinator

Spain

One invoice was caught because there was a mismatch between the document dates and structure. That particular case would have cost us significantly.

Tariq A.

Finance Manager

United Arab Emirates

FAQ

Frequently asked questions

Honest answer: htpbe? will return intact for that file. A fresh PDF really exported by Xero — even from a trial account spun up to fabricate an employer — carries the legitimate Xero producer signature and no edit trail. We can only detect edits to PDFs and fabrications without payroll producer signatures. For trial-account fraud, pair htpbe? with Open Banking (Basiq, Frollo) to verify income against the applicant’s actual bank account, or with ABN Lookup to verify the employer entity. htpbe? handles the file; those tools handle the entity.
Open Banking verifies income from the applicant’s bank account — but only when the applicant agrees to connect. Applicants who fabricated the employer (and therefore have no real salary credit in any bank) rarely consent. htpbe? catches the payslip itself, regardless of whether banking access is available. Use both.
Yes. The analysis is producer-agnostic. We run a dedicated MYOB payslip page (/myob-payslip-fraud-detection) but the same engine handles Reckon, KeyPay, Employment Hero, and any other AU/UK payroll producer.
No. htpbe? performs standalone forensic analysis on the PDF the applicant uploaded — no Xero API call, no ATO/STP lookup, no applicant consent required. The signals are inside the file structure.
htpbe? returns INCONCLUSIVE when a payslip PDF lacks the Xero producer signature and institutional metadata that real Xero exports carry — typically because the file was authored on a desktop with consumer software (Word, Excel, LibreOffice) rather than exported from the Xero payroll engine. In the Xero-payslip context, INCONCLUSIVE is itself a high-confidence fraud signal: a genuine Xero payslip would always carry the Xero producer signature. INCONCLUSIVE means the document does not look like a real Xero export. Treat INCONCLUSIVE as fraud-positive and route the case to Open Banking income verification or ABN lookup before approval.
Related

Related solutions and guides

Solution

Tenant Screening

Payslip + bank statement forensics for AU/UK property managers and tenant-referencing platforms.

Read more
Technical guide

MYOB Payslip Fraud Detection

Sister page — same forensics for MYOB-generated payslips, the other AU SMB payroll standard.

Read more
Technical guide

Fake Super Statement Detection

Australian superannuation statements, the second proof of income most lettings agents and lenders ask for.

Read more

Secure your workflow

Create your account — API key on signup, free test environment on every plan.
From $15/mo. No sales call. Cancel any time.

Secure your workflowView API docs