Why the employment letter is the brittle link
Most hiring decisions rest on a single piece of paper or PDF: the employment verification letter the candidate produced or the previous employer signed. Recruiters accept it. ATS systems file it. Underwriters use it for mortgage decisions. Visa officers use it for adjudication. And the underlying check is often nothing more than a phone number printed on the letter itself.
Generative AI made forging that letter cheaper than ever. The standard 2026 attack: produce a convincing letter in five minutes, register a shell LLC at a real address for plausibility, list a burner number as the verifier, and wait for a naive HR analyst to call. Catching this requires more than one rail.
The four rails that work
Each rail catches a different failure mode. Together they cover the full taxonomy of letter fraud in 2026.
Rail 1: Forensic AI on the letter
The candidate or recruiter uploads the letter PDF or image. The engine checks PDF producer metadata, runs error level analysis (ELA) across the page, and examines font kerning on the signature line, letterhead vector geometry, and AI-generated text fingerprints. Output: a confidence score with the specific signals that fired. Cost: under a minute, cents per check.
This rail catches the AI-generated and Photoshopped letters before any phone call. Roughly one in 10 letters that hit a 2026 verification queue fail this step. The other rails do not catch them as reliably, which is why this rail goes first.
Rail 2: The Work Number
The Work Number, operated by Equifax, is the dominant automated employment-verification source. It covers more than 4.88 million employers contributing employee data directly, returns employer name, tenure, title, and gross income in seconds, and is FCRA-compliant. Verifiers must be credentialed before they can query and must record consent and permissible purpose for each request.
Two limits: small employers and very recent hires. Coverage is excellent for Fortune 5000 and most public payrolls. Coverage for one-person consultancies, gig-platform earnings, and offers that have not yet payrolled is uneven. For those, the next rail does the work.
Rail 3: Direct employer contact
Pick up the phone, but do not dial the number on the letter. Look up the employer through the company website, state business registry, the Better Business Bureau, or a professional directory (a LinkedIn company page is fine for orientation but is not authoritative). Call the main switchboard and ask for the HR verifier-of-record line.
Confirm three facts: role title, employment dates, and the existence of the verification letter (if the company issues them). Some HR teams will only confirm dates of employment, not salary; this is normal and does not signal a problem with the candidate.
Rail 4: Public-record cross-reference
The candidate’s public footprint should match the letter. Check LinkedIn profile dates, professional licensing boards, regulatory filings (SEC for executives, FINRA BrokerCheck for financial services), and any public team page on the employer’s site. A consistent footprint adds confidence. A glaring inconsistency (the letter says VP of Engineering at a 30-person startup; LinkedIn says product manager) triggers a follow-up.
This rail also catches the “identity drift” pattern: the letter is authentic for one John Smith, the candidate is a different John Smith.
Never trust the phone number printed on the letter. The number is the easiest field for the forger to control.
The five fraud patterns that recur
- Shell employer. Candidate registers a real LLC, prints letterhead, lists their own number as verifier. Catch by state business registry plus forensic AI on letterhead vector geometry.
- AI-generated letter. ChatGPT-class output as PDF. Catch by forensic AI fingerprint and PDF producer metadata.
- Real letterhead, altered body. Candidate took a real letter and edited title, dates, or salary. Catch by ELA and font-kerning anomaly on the edited fields.
- Real employer, fictional role. Candidate did work somewhere, but as an intern, not the VP they claim. Catch by direct HR contact and LinkedIn cross-reference.
- Accomplice verifier. A friend answers the candidate’s burner number and vouches. Catch by routing the call through the company’s public switchboard.
The legal frame: FCRA, FCRA, FCRA
If the verification is part of a US employment decision and is performed by a third-party background-check vendor, the Fair Credit Reporting Act applies. The three rules that matter most:
- Written consent before the check.
- A copy of the report and the FCRA summary of rights delivered to the candidate before any adverse action.
- A waiting period of at least five business days between pre-adverse and adverse action notices, so the candidate can dispute findings.
State laws layer additional rules (notably California ICRAA, New York City Article 23-A, and various ban-the-box statutes). The Department of Labor and EEOC also publish guidance on consistency of process, particularly around disparate-impact concerns.
The operational shape of a 2026 verification team
What working teams actually do:
- Forensic AI runs at intake on every letter. Pass-through rate is around 92 percent; the rest are flagged.
- Flagged letters route to a human analyst, who runs the Work Number query and direct employer contact.
- Adverse findings move into the FCRA pre-adverse workflow. The candidate gets the chance to dispute.
- Clean verifications are filed with the artifact set (letter, AI report, Work Number record, contact notes) and stored for the regulatory retention window (typically 5 to 7 years).
For more on the broader hiring verification stack, see our How Employers Verify Education Credentials guide and our 2026 ATS playbook.
Frequently asked questions
What is the fastest way to verify an employment letter?
Run forensic AI on the letter first (under a minute), then The Work Number if the employer participates (seconds). For employers outside The Work Number, the fastest path is the public verifier-of-record line at the employer’s HR or payroll department.
Does the candidate need to consent to verification?
Yes, under FCRA for US third-party background checks. The Work Number specifically requires the verifier to attest consent and permissible purpose on every query. International rules vary; GDPR requires a lawful basis that usually amounts to candidate consent.
What if the employer is out of business?
Use payroll service providers (ADP, Paychex, Gusto) for historical records, plus tax records (Social Security earnings statement, W-2s) for attestation. Some defunct employers can be verified through their former payroll vendor.
Can I run all four rails myself, without a vendor?
The Work Number requires enterprise credentialing and FCRA permissible purpose. Forensic AI is available as a single-document service. Direct contact and public records are free. For low-volume needs, a hybrid (AI self-service plus manual call) is workable; for anything above 10 per week, a vendor pays back fast.
What signals an immediate red flag?
A phone number that does not match the company’s public switchboard, a PDF producer that is Microsoft Word or Photoshop, letterhead that does not match the company’s public site, dates that overlap with another job the candidate listed, and a verifier who answers with the candidate’s name rather than the company name.
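Three of the signals above (PDF producer, phone mismatch, overlapping dates) can be checked mechanically at intake. The sketch below is an added example, not part of any vendor's tooling; the sample PDF bytes, phone numbers and dates are constructed, and phone normalisation assumes 10-digit North American numbers.

```python
import re
from datetime import date

# Producer substrings the page names as red flags on an employer-issued letter.
SUSPECT_PRODUCERS = ("microsoft word", "photoshop")

def pdf_producer(pdf_bytes):
    """Return the /Producer literal string from the PDF Info dictionary, or None."""
    m = re.search(rb"/Producer\s*\(((?:\\.|[^\\)])*)\)", pdf_bytes)
    if not m:
        return None
    # Undo PDF backslash escapes such as \( and \) inside the literal string.
    return re.sub(rb"\\(.)", rb"\1", m.group(1)).decode("latin-1")

def digits(phone):
    """Normalise to the last 10 digits (assumes North American numbering)."""
    return re.sub(r"\D", "", phone)[-10:]

def overlaps(a, b):
    """True if two (start, end) date ranges share at least one day."""
    return a[0] <= b[1] and b[0] <= a[1]

def red_flags(pdf_bytes, letter_phone, public_phones, letter_dates, other_jobs):
    """Return the list of signals that fired; an empty list means none did."""
    flags = []
    producer = pdf_producer(pdf_bytes)
    if producer and any(s in producer.lower() for s in SUSPECT_PRODUCERS):
        flags.append(f"suspect PDF producer: {producer}")
    # public_phones must come from the registry or company site, never the letter.
    if digits(letter_phone) not in {digits(p) for p in public_phones}:
        flags.append("letter phone does not match public switchboard")
    for job in other_jobs:
        if overlaps(letter_dates, job):
            flags.append(f"dates overlap job starting {job[0].isoformat()}")
    return flags

# Constructed sample input (not a real letter, employer, or phone number).
SAMPLE_PDF = (b"%PDF-1.7\n1 0 obj\n<< /Title (Employment Verification) "
              b"/Producer (Adobe Photoshop 25.0 \\(Windows\\)) >>\nendobj\n")
SAMPLE_DATES = (date(2021, 3, 1), date(2024, 6, 30))
SAMPLE_JOBS = [(date(2019, 1, 1), date(2021, 2, 28)),
               (date(2024, 1, 15), date(2025, 1, 1))]

if __name__ == "__main__":
    for flag in red_flags(SAMPLE_PDF, "+1 (555) 010-0199", ["555-010-0100"],
                          SAMPLE_DATES, SAMPLE_JOBS):
        print(flag)
```

A fired flag routes the letter to an analyst; it is not a finding on its own, and the regex only reads an uncompressed Info dictionary with a literal-string producer.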