AI has turned document forgery from a skilled craft into a one-prompt task. The result looks right — clean letterhead, crisp logo, a plausible signature — which is exactly why surface impressions are now worthless as evidence. Digital document forgeries rose 244% year over year in 2024 and overtook physical counterfeits for the first time, making up 57% of all document fraud (Entrust 2025 Identity Fraud Report), while deepfake fraud attempts surged 2,137% over three years (Signicat, 2025).
This guide enumerates the red flags that still give AI-generated documents away, then closes with a 60-second verification ritual. The core message: these tells help, but visual inspection alone is no longer sufficient — only an independent, verifiable check is.
Which fraud trends make this urgent in 2026?
AI-driven document fraud is now the dominant category, not a niche threat, which is why every team that accepts documents needs a verification step. Digital document forgeries rose 244% in 2024 and became the majority of document fraud at 57% (Entrust 2025 Identity Fraud Report), deepfake fraud attempts jumped 2,137% over three years (Signicat, 2025), and global deepfake incidents grew tenfold from 2022 to 2023, then a further fourfold into 2024 to reach 7% of all fraud (Sumsub Identity Fraud Report). The losses are not theoretical: U.S. cybercrime cost a record $16.6B in 2024 (FBI IC3 2024 Internet Crime Report). The takeaway for HR, lending, and compliance teams is that fakes are now common enough that you should expect to encounter them, and design your process to catch them rather than hope you will notice.
What are the seven red flags of a fake document?
Most AI-generated fakes trip on the same recurring tells. Scan for these before you trust anything:
- **No independent way to verify it.** The single biggest red flag: no QR proof page, no validatable digital signature, and no issuer contact you can reach through a channel you found yourself.
- **Metadata that contradicts the document.** Creation or modification dates, author fields, or software tags that don't match the claimed issue date or issuing organization.
- **Font and spacing inconsistencies.** Subtly different fonts, kerning, or baseline shifts where text was generated or pasted, especially in names, amounts, and dates.
- **Too-perfect or templated formatting.** Real organizational documents carry small quirks; flawless, generic layouts can signal a model-generated template.
- **Implausible or round numbers.** Salaries, balances, or reference IDs that are suspiciously round, sequential, or inconsistent with the stated context.
- **Signature anomalies.** A signature that is a flat pasted image, has a mismatched resolution, or has no associated cryptographic signature in the PDF.
- **Logo and letterhead artifacts.** Slightly blurred, recolored, or wrong-aspect-ratio logos, or contact details that don't resolve to the real organization.
Any one of these warrants verification; the first one alone is disqualifying until resolved.
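The metadata red flag can be checked mechanically once the PDF's Info fields have been read out with any PDF tool. The sketch below is an added example, not part of the original guide; the sample fields, the producer name `HypotheticalHR Suite`, and the one-day tolerance are constructed assumptions.

```python
import re
from datetime import date, datetime, timedelta, timezone

# PDF date syntax: D:YYYYMMDDHHmmSS followed by Z or +HH'mm' / -HH'mm'
PDF_DATE = re.compile(r"^D:(\d{4})(\d{2})?(\d{2})?(\d{2})?(\d{2})?(\d{2})?"
                      r"(?:[Zz]|([+-])(\d{2})'?(\d{2})?'?)?$")

def parse_pdf_date(value):
    """Return an aware datetime for a PDF date string, or None if malformed."""
    m = PDF_DATE.match(value.strip())
    if not m:
        return None
    parts = [int(g) if g else d for g, d in zip(m.groups()[:6], (0, 1, 1, 0, 0, 0))]
    try:
        tz = timezone.utc
        if m.group(7):
            off = timedelta(hours=int(m.group(8)), minutes=int(m.group(9) or 0))
            tz = timezone(off if m.group(7) == "+" else -off)
        return datetime(*parts, tzinfo=tz)
    except ValueError:  # e.g. month 13 or an impossible UTC offset
        return None

def metadata_findings(info, claimed_issue, expected_producers, tolerance_days=1):
    """Compare Info-dictionary fields with what the document claims about itself."""
    findings = []
    latest_ok = claimed_issue + timedelta(days=tolerance_days)
    for field in ("CreationDate", "ModDate"):
        raw = info.get(field)
        if raw is None:
            continue  # optional field; absence alone is not a contradiction
        stamp = parse_pdf_date(raw)
        if stamp is None:
            findings.append(f"{field}: malformed value {raw!r}")
        elif stamp.astimezone(timezone.utc).date() > latest_ok:
            findings.append(f"{field}: {stamp.date()} is after claimed issue date {claimed_issue}")
    producer = info.get("Producer", "")
    if not any(p.lower() in producer.lower() for p in expected_producers):
        findings.append(f"Producer: {producer!r} is not software the issuer is known to use")
    return findings

# Constructed sample: the letter claims 2024-03-10, the file says otherwise.
SAMPLE_INFO = {"CreationDate": "D:20250114221530Z",
               "ModDate": "D:20250114221904Z",
               "Producer": "ExamplePDF Writer 2.1"}
EXPECTED_PRODUCERS = ("HypotheticalHR Suite",)  # assumption: known issuer tooling

if __name__ == "__main__":
    print("\n".join(metadata_findings(SAMPLE_INFO, date(2024, 3, 10), EXPECTED_PRODUCERS)))
```

An empty result only means the metadata does not contradict the document; it raises or lowers suspicion and never confirms authenticity.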
Why isn't visual inspection enough anymore?
Visual inspection is no longer enough because AI eliminates the very flaws that human reviewers were trained to catch. The red flags above help, but a competent forger using current tools can produce a document with consistent fonts, clean metadata, a realistic signature, and an authentic-looking letterhead — leaving nothing visible to flag. That is the structural problem: the absence of obvious tells is not evidence of authenticity. The only reliable defense is shifting from inspection to verification, meaning a check that ties the document back to a source you can confirm independently of the document itself. This is why QR-backed verification and an issuer-controlled proof page matter: a forger can fake the look of a document, but cannot fake a valid result on infrastructure they do not control. For the full method, see the pillar guide on verifying document authenticity.
How do you spot the red flags fast under time pressure?
Triage in order of signal strength rather than checking everything. First, ask whether the document can be verified independently at all — a QR code to the issuer's proof page, a validatable signature, or a reference you can confirm with the issuer directly. If yes, verify and stop; that single check outranks every cosmetic tell. If there is no verifiable path, escalate scrutiny: open the file's properties to check metadata against the claimed date, zoom in on the signature and logo for pasting artifacts, and sanity-check names, amounts, and dates against what you already know. The practical rule is to spend your limited time on the verifiable check first, because it is conclusive, and treat cosmetic inspection as a fallback that can only raise suspicion, never confirm trust.
What is a 60-second verification ritual?
Run this fixed sequence on any document you have to trust, and treat any failed step as a stop.
- **Seconds 0–15:** Look for a verification path: a QR code, a verification URL, or a digital signature. If a QR or URL exists, scan it and confirm the destination domain genuinely belongs to the issuer, then read the proof page result.
- **Seconds 15–35:** For a signed PDF, open the signature panel and confirm the signature is valid and the certificate trusted.
- **Seconds 35–50:** Check file metadata against the claimed issue date and skim the signature and logo for artifacts.
- **Seconds 50–60:** Cross-check the substance: names, amounts, dates, reference numbers.
If you complete a verifiable check, you are done; if you cannot complete one, the document is unverified, not authentic. Visual inspection alone is insufficient; verification is the deciding step.
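The "confirm the destination domain genuinely belongs to the issuer" step is where a look-alike address slips through, so it is worth doing by rule rather than by eye. The following is an added example, not part of the original guide; `issuer.example` and the other hosts are constructed, and the issuer domain list is assumed to come from a source other than the document being checked.

```python
from urllib.parse import urlsplit

def check_verification_url(url, issuer_domains):
    """Return (ok, reason) for a URL decoded from a QR code or printed on a document.

    issuer_domains must be obtained independently of the document itself.
    """
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")
        _ = parts.port  # raises ValueError when the port is not numeric
    except ValueError:
        return False, "URL does not parse"
    if parts.scheme != "https":
        return False, "not https"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo before '@' hides the real host"
    if not host:
        return False, "no host"
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        return False, "internationalized host, compare by hand"
    for domain in issuer_domains:
        domain = domain.lower().rstrip(".")
        # Match the domain itself or a subdomain, always on a label boundary.
        if host == domain or host.endswith("." + domain):
            return True, f"host is within {domain}"
    return False, f"{host} is not an issuer domain"

# Constructed inputs: one genuine proof-page URL and four that only look right.
ISSUER_DOMAINS = ["issuer.example"]
SAMPLES = [
    "https://verify.issuer.example/p/8f3a",
    "https://issuer.example.docs-check.test/p/8f3a",
    "https://issuer.example@docs-check.test/p/8f3a",
    "https://notissuer.example/p/8f3a",
    "http://verify.issuer.example/p/8f3a",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(check_verification_url(sample, ISSUER_DOMAINS), sample)
```

A pass establishes only that the link points at the issuer's infrastructure; the proof page result still has to be read.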