
Document Fraud Trends: April 2026

April Fraud Report

April's report goes deeper into the document categories that drive most onboarding, affordability and proof-of-address decisions, and where the risk is concentrating in a market increasingly shaped by AI-assisted edits.

Across the documents we analysed in April, the fraud isn't louder this month; it's quieter, cleaner, and harder to spot by eye.

From bank statements to payslips, utility bills to tax documents, here are the trends and signals worth watching across finance, fintech, real estate, gaming, screening and insurance.

What we analysed

Across April, the majority of documents processed fell into these top five categories:

  • Bank Statements - 61.2%

  • Payslips - 15.3%

  • Utility Bills - 9.4%

  • Tax Documents - 4.1%

  • Financial Miscellaneous - 2.1%

These are exactly the documents most businesses still rely on for affordability checks, proof of address, source of funds and onboarding decisions, and they are also the easiest to manipulate without breaking visual authenticity.

Use cases at risk: affordability checks, proof of address, source of funds, and onboarding decisions.

Chart displaying breakdown of popular documents in April

What April showed us

The shape of April's fraud was less about volume and more about how it's hiding. The cases worth flagging weren't sloppy or obvious; they were clean, internally consistent, and built to look exactly how a genuine document should.

Three patterns ran through almost everything we surfaced this month:

  • Removal beats addition. Fraudsters increasingly take data out of documents (transactions, charges, line items) rather than add false data in.

  • AI-assisted editing is now everyday. Documents created or modified with generative tooling are showing up across bank statements, payslips and certificates.

  • Submissions are arriving as photos and scans, not just native PDFs, stripping the metadata trail before it ever reaches a reviewer.

In a manual-only review process, none of those signals are visible on the surface. They live in metadata, structure and forensics.

Where bank statements are coming from

The highest volume of bank statements came from:

Traditional banks

  • HSBC - 11.21%

  • Barclays - 10.79%

  • Lloyds - 10.41%

  • NatWest - 9.54%

  • Halifax - 4.68%

  • Santander - 4.15%

  • Nationwide - 2.00%

Digital-first and newer banks

  • Monzo - 2.63%

  • Revolut - 1.97%

  • Clearbank - 1.64%

  • Starling - 1.59%

New entrant into the top bank docs affected: Ireland

AIB at 4.96% and Bank of Ireland at 1.87% push Irish bank statements into a larger share than any single digital-first UK bank this month, a noticeable shift in geographic exposure compared with last month.

Distribution mostly tracks market share. But fraud doesn't follow volume.

The top five banks we saw with the highest risk flags on their bank statements in April were, in descending order:

  • Lloyds

  • HSBC

  • Barclays

  • NatWest

  • Santander

Where the risk actually is

Not every document type carries the same level of concern. When we looked at where flagged signals concentrated in April, three pockets stood out clearly:

Image-based documents

29% of all April documents arrived as photos, scans or screenshots rather than native PDFs. This is the single biggest concentration of risk this month, because the act of capturing as an image strips most of the forensic fingerprint a fraud team would normally rely on.

Bank statements built to fit

Bank statements remain the most submitted and most manipulated document type. The patterns we surfaced this month weren't crude edits; they were full reconstructions of transaction history, with balances aligned and dates adjusted to make the new figures internally consistent.

Tax and payroll documents

Annual summaries, tax statements and payslips made up a meaningful chunk of April volume, and they're a recurring vehicle for AI-assisted edits. Generative tooling watermarks (e.g. ChatGPT-created PDFs) keep showing up in this category.

Risk in April isn't evenly spread. It clusters where the document is easiest to capture as an image, easiest to rebuild from scratch, or easiest to regenerate with AI.

The risk hiding in image-based documents

Beyond the document type, one signal stood out clearly in April: 29% of all April documents were image-based (photographed, scanned or screenshotted) rather than native PDFs.

A native PDF carries a digital fingerprint: creation tool, version history, font encoding, hidden annotations. The moment a fraudster prints, edits and re-photographs the file, a lot of that fingerprint disappears.

Image-based submissions are increasingly the preferred delivery mechanism for tampered documents, because they strip significant evidence points a fraud team would normally lean on.

If your current process accepts photos and scans without a layer that detects forensic anomalies in the images themselves, this is the segment quietly carrying the most risk.

Examples of document fraud caught in April '26

The clearest way to understand the shape of April's fraud is to look at specific documents that came through our pipeline. The following section walks through examples, isolated and anonymised, that illustrate the techniques in active use this month.

1. Balance changes on an HSBC Premier Statement

Trust in numbers, am I right?

Not all of the time. See the suspicious font, highlighted in orange.

All the important balances in the account summary box and the transaction have been manipulated.

In blue, we also see 'white space' - a neutral font clearly used to align transaction rows.

April Report - HSBC fraud - Example 1

This loan application was for £150,000.

2. 20 versions of a Barclays bank statement identified

Below, we see a Barclays personal account statement. We identified TWENTY different editions and deletions on this document, the most striking being the end balance.

The actual document's end balance was £74:

Fraudulent end balance in Barclays

The final 'claimed' balance: £12,800. That makes a huge difference when assessing for affordability.

April Report - Example 2 - Previous Versions on a Barclays document

The fraudster used a third-party system and completed their alterations 3 hours after downloading the document from Barclays' online banking system.

3. Fake address on an HSBC document

Our nifty barcode decoder identified a classic case of identity theft. Submitted for a routine POA check for a global gambling operator, this person claimed to live in the postcode GU14, in Farnborough.

April Report - Example 3 - Barcode identifying fake address on HSBC statement

A deeper look at the file revealed that the true postcode assigned to this statement, RG6, covers the Reading area... the other side of the country.

This was one of several key structural issues we highlighted in this case.

4. French payslip edited using ILovePDF

Fraudfinder are constantly monitoring our blacklist of tools commonly used to modify documents. ILovePDF is a common culprit.

Below we see a French payslip with previous versions. With the blue and orange highlights below, we can see manipulations to the dates and an attempt to re-align the commission paritaire number as a result.

April Report - Example 4 - French Payslip edits using ILOVEPDF

Fraudfinder will work on documents from all around the world. Document fraud is a global issue, after all.
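As an added illustration (not Fraudfinder's own code or detection logic), the sketch below shows how the structural signals behind examples 2 and 4 can be read from a native PDF: a blocklisted producer tool, previous versions left by incremental saves, and the gap between creation and modification. The blocklist contents, the sample bytes and the function names are assumptions made for this example, and it only reads unencrypted, literal-string Info entries.

```python
import re
from datetime import datetime

# Assumption: editor names to flag. Only iLovePDF is named on the page.
EDITOR_BLOCKLIST = ("ilovepdf",)

def _last(field: bytes, data: bytes):
    """Return the last literal-string value of an Info key such as /Producer."""
    hits = re.findall(rb"/" + field + rb"\s*\(([^)]*)\)", data)
    return hits[-1].decode("latin-1") if hits else None

def _pdf_date(value):
    """Parse the leading D:YYYYMMDDHHmmSS part of a PDF date (timezone ignored)."""
    m = re.match(r"D:(\d{14})", value or "")
    return datetime.strptime(m.group(1), "%Y%m%d%H%M%S") if m else None

def pdf_signals(data: bytes) -> dict:
    """Collect structural signals that a visual review cannot see."""
    if not data.startswith(b"%PDF-"):
        # Photo or scan: there is no PDF metadata trail to inspect at all.
        return {"native_pdf": False, "flags": ["image_based_submission"]}
    producer = _last(b"Producer", data) or ""
    created = _pdf_date(_last(b"CreationDate", data))
    modified = _pdf_date(_last(b"ModDate", data))
    # Each incremental save appends a new section ending in %%EOF.
    revisions = len(re.findall(rb"%%EOF", data))
    gap = (modified - created).total_seconds() / 3600 if created and modified else None
    flags = []
    if any(name in producer.lower() for name in EDITOR_BLOCKLIST):
        flags.append("blocklisted_editor")
    if revisions > 1:
        flags.append("previous_versions_present")
    if gap is not None and gap > 0:
        flags.append("modified_after_creation")
    return {"native_pdf": True, "producer": producer, "revisions": revisions,
            "hours_between_create_and_modify": gap, "flags": flags}

# Constructed sample: a skeletal "statement" saved once, then re-saved 3 hours later.
SAMPLE_EDITED = (
    b"%PDF-1.7\n1 0 obj\n<< /Producer (Bank Export Engine) /CreationDate (D:20260410090000Z) "
    b"/ModDate (D:20260410090000Z) >>\nendobj\n%%EOF\n"
    b"1 0 obj\n<< /Producer (iLovePDF) /CreationDate (D:20260410090000Z) "
    b"/ModDate (D:20260410120000Z) >>\nendobj\n%%EOF\n"
)
SAMPLE_PHOTO = b"\xff\xd8\xff\xe0" + b"\x00" * 16  # constructed JPEG-like header

if __name__ == "__main__":
    for doc in (SAMPLE_EDITED, SAMPLE_PHOTO):
        print(pdf_signals(doc))
```

Treat the output as signals for review rather than verdicts: a linearized PDF legitimately contains more than one %%EOF marker, and many genuine exports carry a modification date later than the creation date.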

5. Irregular fonts on a Bank of America statement

Fraudfinder is operational in several locations, not least across the pond.

Below we see suspicious font behaviour within this person's account number, account summary and balances.

April Report - Example 5 - Bank of America Fraud

The truth isn't always as it seems.

Why manual checks miss

The pattern we've seen build through Q1 has only deepened in April.

Manual review focuses on:

  • Layout

  • Logos

  • Spelling

  • Surface-level consistency

  • Plausibility of figures

But modern fraud lives in:

  • Metadata

  • Document structure

  • Font encoding

  • Hidden layers

  • Version history

  • Pixel-level forensics on photo submissions

You can't see those. And in April, with image-based submissions sitting at 29% of volume, fraudsters are increasingly delivering documents in formats specifically designed to remove the evidence trail a manual reviewer would never have seen anyway.

The shift we're seeing in April

April's flagged volume wasn't sloppy or obvious. It was clean, internally consistent, and built to look exactly how a genuine document should.

Volume is concentrated

Bank statements alone made up 61.2% of all April submissions, with payslips and utility bills taking another 24.7% between them. The bulk of fraud risk in any given month sits inside a small handful of document types, and those types are exactly the ones easiest to manipulate without breaking visual authenticity.

Geographic spread

Irish issuers (AIB, Bank of Ireland) and US-rooted banks (Chase, Bank of America) are sitting alongside the UK majors in the most affected applications this month. Cross-border friction is the new normal.

Formats are shifting

Almost a third of submissions arrived as images, not native PDFs. The forensic surface area shrinks; the manual one stays the same.

Fraud isn't trying to beat manual checks. It's designed to fit inside them, and increasingly to land in formats where checks have nothing to compare against.

Stay tuned for May's monthly document fraud report from Fraudfinder.
