Technical signs and forensic techniques to detect fake PDFs
A forged PDF frequently carries digital footprints that distinguish it from an authentic document. At a technical level, examine the file’s metadata and internal structure: fields such as /CreationDate, /ModDate, /Producer and XMP metadata often reveal whether a document has been edited, what software produced it, and when. Many forged files show mismatches between visible timestamps and metadata or contain multiple modification entries that suggest post-creation tampering. Use a text editor or a dedicated forensic tool to inspect the PDF’s object structure, cross-reference object IDs, and look for incremental updates or appended content streams that may mask changes.
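The metadata and incremental-update checks described above can be scripted for a first-pass triage. The following is an added example, not code from the original article: the sample bytes and producer names are constructed, and the scan assumes an uncompressed Info dictionary (metadata held in object streams or XMP needs a real PDF parser).

```python
import re
from datetime import datetime

# Constructed sample: an original revision plus one appended incremental update.
SAMPLE = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Producer (InvoiceGen 2.1) /CreationDate (D:20240105093000Z) "
    b"/ModDate (D:20240105093000Z) >>\nendobj\n"
    b"xref\n0 2\ntrailer\n<< /Size 2 /Info 1 0 R >>\nstartxref\n120\n%%EOF\n"
    b"1 0 obj\n<< /Producer (UnknownConverter 0.9) /CreationDate (D:20240105093000Z) "
    b"/ModDate (D:20240312221500Z) >>\nendobj\n"
    b"xref\n1 1\ntrailer\n<< /Size 2 /Info 1 0 R /Prev 120 >>\nstartxref\n310\n%%EOF\n"
)

# Literal-string values of the three Info keys the text names.
FIELD = re.compile(rb"/(Producer|CreationDate|ModDate)\s*\(((?:\\.|[^\\)])*)\)")

def pdf_date(raw):
    """Parse the leading D:YYYYMMDDHHMMSS part of a PDF date string."""
    m = re.match(rb"D:(\d{14})", raw)
    return datetime.strptime(m.group(1).decode(), "%Y%m%d%H%M%S") if m else None

def triage(data):
    # Each %%EOF closes one revision; more than one means incremental updates.
    revisions = data.count(b"%%EOF")
    fields = {}
    for name, value in FIELD.findall(data):
        fields.setdefault(name.decode(), []).append(value)
    findings = []
    if revisions > 1:
        findings.append(f"{revisions - 1} incremental update(s) appended")
    producers = sorted({p.decode("latin-1") for p in fields.get("Producer", [])})
    if len(producers) > 1:
        findings.append("multiple producers: " + ", ".join(producers))
    created = [d for d in map(pdf_date, fields.get("CreationDate", [])) if d]
    modified = [d for d in map(pdf_date, fields.get("ModDate", [])) if d]
    if created and modified and max(modified) > min(created):
        findings.append(f"modified {max(modified) - min(created)} after creation")
    return {"revisions": revisions, "producers": producers, "findings": findings}

if __name__ == "__main__":
    for line in triage(SAMPLE)["findings"]:
        print(line)
```

Incremental updates also occur legitimately (form filling, signing), so treat these findings as prompts for review rather than proof of forgery.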
Digital signatures and certificate chains are among the most reliable defenses against tampering. A valid cryptographic signature proves that document content has not been altered since signing and that the signatory’s certificate was issued by a trusted authority. Check signature validity, certificate revocation lists (CRLs), and timestamping authorities; a missing or invalid signature is a strong indicator of potential fraud but not the only one. Beyond signatures, look at embedded fonts and resource streams: differences in font families, glyph mapping, or suspiciously large embedded images where vector content is expected can point to a document that was reconstructed from screenshots or other altered sources.
Image and text inconsistencies are also revealing. Run OCR on scanned PDFs and compare the extracted text to visible text layers; discrepancies can indicate overlaid or spliced content. Hash the file and compare with known-good versions when possible, or re-save the document and compare byte-level differences. Lastly, analyze hyperlinks and embedded scripts: malicious or misleading links, shortened URLs, and obfuscated JavaScript are common in fraudulent PDFs that aim to redirect recipients or trigger downloads.
Practical red flags for invoices and receipts and a workflow to detect fraud
Recognizing patterns typical of fake invoices and receipts starts with basic bookkeeping checks and moves into forensic validation. Begin with content-level red flags: incorrect vendor names, inconsistent logo placement, low-resolution logos that appear pasted in, mismatched fonts within the same document, erroneous tax numbers or bank account details, and totals that don’t add up or use an unusual number format. Cross-check header addresses, invoice numbers and dates against prior correspondence and the vendor’s official records. A sudden change in payment account or an urgent payment request should trigger direct verification through a trusted phone number or portal—not by replying to the invoice email.
Next, validate the delivery chain: inspect the original email headers and attachments. Spoofed sender addresses and relay routes that don’t match the vendor’s known mail servers are immediate warnings. If an invoice came as a PDF attachment, extract and inspect embedded links without clicking them; compare the link domains to official vendor domains and look for typosquatting or subdomain tricks. For receipts, confirm transaction IDs against payment processor records and request scanned originals with accompanying bank statements if reimbursement approval is needed. Use multi-factor verification for high-value payments—require a purchase order number, a confirmation email from a listed contact, or a phone call confirmation when thresholds are exceeded.
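Both the hyperlink analysis mentioned earlier and the link-domain comparison in this step can be done statically, without opening any link. The following is an added example, not code from the original article: the vendor allowlist, the sample annotations and all domains are constructed, and the "last two labels" rule is a simplification of a Public Suffix List lookup.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: link annotations as they appear uncompressed in a PDF body.
SAMPLE = (
    b"<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://pay.acme-supplies.example/inv/1001) >> >>\n"
    b"<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://acme-suppliies.example/pay) >> >>\n"
    b"<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://acme-supplies.example.billing-portal.test/login) >> >>\n"
)
VENDOR_DOMAINS = {"acme-supplies.example"}  # hypothetical allowlist from vendor master data

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host, vendors=VENDOR_DOMAINS):
    host = host.lower().rstrip(".")
    for v in vendors:
        if host == v or host.endswith("." + v):
            return "match"
    for v in vendors:
        # Vendor name used as leading labels of someone else's domain.
        if host.startswith(v + ".") or ("." + v + ".") in host:
            return "subdomain-trick"
        # Naive registered domain: last two labels (assumption, see lead-in).
        if edit_distance(".".join(host.split(".")[-2:]), v) <= 2:
            return "lookalike"
    return "unknown"

def audit_links(data):
    """Return (url, verdict) for every /URI action found in the raw bytes."""
    uris = re.findall(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", data)
    urls = [u.decode("latin-1") for u in uris]
    return [(url, classify(urlsplit(url).hostname or "")) for url in urls]

if __name__ == "__main__":
    for url, verdict in audit_links(SAMPLE):
        print(f"{verdict:16} {url}")
```

Anything other than "match" goes to the out-of-band vendor verification described above; links stored in compressed streams require decompressing the PDF first.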
Implement a repeatable verification workflow: (1) validate arithmetic and reference numbers, (2) inspect PDF metadata and signature status, (3) check email headers and link domains, (4) contact the issuer by a known channel, and (5) when in doubt, escalate to your fraud or legal team. Combine human review with automated tools to flag anomalies at scale and train staff on these red flags to reduce the risk of falling for sophisticated forgeries.
Real-world examples, case studies, and tools to detect fake invoice schemes
Case study: a mid-size supplier was targeted with a convincing invoice that matched the customer’s formatting and header style. The attacker substituted the bank account number and used a slightly altered font for the footer. The accounts payable team noticed the font inconsistency during routine review and found that the PDF’s XMP metadata indicated it had been produced by an unknown document converter. Follow-up verification with the vendor confirmed the fraud attempt and prevented a six-figure loss. This illustrates how small visual or metadata inconsistencies often reveal larger deceptions.
Another example involved an expense reimbursement submission where the receipt image had been cropped and re-saved multiple times. OCR extracted a different merchant name than the visible text; comparing the OCR output to the human-readable text revealed the manipulation. The organization’s policy requiring original card statements for high-value reimbursements caught the mismatch and prevented fraudulent reimbursement.
Practical tools and services can accelerate detection. PDF viewers with signature validation, forensic PDF analyzers, and automated scanners that flag suspicious metadata are valuable. For teams that need a quick, focused check specifically to detect fake invoice content and metadata anomalies, specialized online services can provide immediate analysis of signatures, timestamps, embedded resources, and link destinations. Combine such tools with manual checks—contact verification, arithmetic validation, and email header analysis—to build a layered defense.
Rio filmmaker turned Zürich fintech copywriter. Diego explains NFT royalty contracts, alpine avalanche science, and samba percussion theory—all before his second espresso. He rescues retired ski lift chairs and converts them into reading swings.