A candidate submits a resume with an impressive certification. You're two rounds into interviews and it's looking like a strong hire. Then someone asks: "Has anyone actually checked this certificate?"
Certificate fraud is more common than most hiring managers expect. A 2023 study from HireRight found that nearly 85% of employers uncovered a lie or misrepresentation on a resume or job application during background screening. Educational credentials, including certificates, diplomas, and training completions, are among the most commonly falsified.
The problem has gotten worse as digital credentials have proliferated. Anyone with basic image editing skills can alter a PDF certificate in under ten minutes. And most organizations never check.
Here's how to tell a real certificate from a fake one, and what to look for regardless of who issued it.
Why Certificate Fraud Is Easier Than You Think
According to SHRM, credential fraud has increased significantly in recent years — making verification a necessary step in any hiring process.
Before the verification process, it helps to understand the threat model.
A sophisticated fake isn't the problem. Most fraudulent certificates are trivially easy to create: download a legitimate certificate template, open it in Photoshop, change the name, re-export as PDF. Done in five minutes.
The reason this works is that most organizations have no verification system. They issue a PDF. It looks professional. When an employer looks at it, there's no mechanism to check, no QR code, no URL, no verification page. They either trust it or contact the organization manually.
"Contacting the organization manually" is where the scheme usually succeeds. It requires the employer to find the right contact, send an email, and wait for a response. Most don't bother. Even more rarely do they get a quick answer.
This is the gap that certificate fraud exploits. And the only way to close it is a verification system that makes checking instant.
The 5-Second Check: Look for a Verification Link or QR Code
Any professionally issued digital certificate should have one of these two things:
A QR code somewhere on the certificate face. Scan it with your phone camera. It should open a webpage showing the credential details, recipient name, credential title, issuer, date, current status (valid/revoked).
A verification URL either printed on the certificate or included in the delivery email. Navigate to it in your browser. You should see the same credential details.
If either of these are missing, the certificate cannot be independently verified. That doesn't automatically mean it's fake, some older or lower-quality credential systems don't include verification, but it does mean you can't confirm it's real without contacting the issuer directly.
For a certificate issued through Creadefy, the verification page looks like this: `creadefy.com/verify/[credential-id]`, it shows the full credential details, the issuer's name, the recipient's name, and the current validity status. Takes three seconds to check.
How to Verify Different Types of Certificates
Digital certificates with QR codes
The easiest to verify. Scan the QR code, don't type the URL manually, because QR codes contain the exact credential ID. The verification page should load immediately and show:
- Recipient name (confirm it matches the candidate's name)
- Credential or program title
- Issuer organization
- Date of issuance
- Current status (valid, expired, or revoked)
Check the recipient name carefully. A certificate issued to "John Smith" being presented by "Jonathan Smith" needs clarification. It might be a nickname, or it might be a credential belonging to a different person entirely.
PDF certificates without verification links
This is the gray zone. You have a PDF, it looks professional, but there's no way to verify it independently. Your options:
- Ask for the original issuance email. Legitimate certificate recipients usually received an email with their credential. If they can forward you the original delivery email from the issuing organization, that's a reasonable secondary signal.
- Check if the issuing organization has a verification system. Search for the organization's name + "certificate verification" or "credential lookup." Some organizations maintain a lookup portal even if the credential itself doesn't link to it.
- Contact the issuing organization directly. Find official contact information for the organization (not what the candidate provides, look it up independently). Email or call and ask them to confirm the credential. Be specific: provide the recipient name, the credential title, and the date.
- Assess the certificate design. This is a secondary check, not a primary one, but obvious red flags exist: generic templates, misaligned text, inconsistent fonts, logos that look pixelated or low-resolution, dates that don't match the claimed timeline.
For a deeper look at what makes a credential look professionally designed, the design cues that signal authenticity are well worth understanding.
Credentials with a public credential page
Some platforms (including Creadefy) create a permanent public page for each issued credential. This page is separate from the PDF, it's a live web page showing the credential details and current status.
Navigate to the URL. Check that:
- The page loads (not a 404 or expired link)
- The recipient name matches exactly
- The issuer name is the organization you expected
- The status shows as valid, not revoked or expired
- The issue date matches what's on the resume
If all five match, the credential is almost certainly real. A fraudster would need to compromise the issuing platform's database to fake a live verification page, that's a fundamentally different threat than editing a PDF.
Blockchain-verified credentials
Some credential platforms (especially those built on the Open Badges 3.0 standard or W3C Verifiable Credentials specification) use cryptographic signing. Each credential has a hash, a unique fingerprint calculated from the credential's contents.
When you verify a cryptographically signed credential, the verification process recalculates the hash from the current credential data and compares it to the signed original. If even a single character has been changed, including the recipient's name, the hashes won't match and verification will fail.
This is the highest tier of credential security. It means you don't need to trust the platform or the issuer's server to be honest, the math does the work. Any alteration, anywhere in the credential, is detectable.
You don't need to understand the cryptography to benefit from it. The verification page will simply show "valid" or "invalid." Invalid with a cryptographic signature means someone tampered with the credential.
Red Flags: When to Be Suspicious
Beyond the verification check, certain patterns warrant closer scrutiny.
The verification link is broken or goes to a generic homepage. A real credential has a permanent, stable URL. If the link goes nowhere, the platform may have shut down, or the URL was never real. Ask the candidate for alternate verification methods.
The credential was issued by an organization you can't find. Search the issuing organization independently. If "Global Institute of Professional Excellence" issued the certificate but has no web presence, no LinkedIn page, and no verifiable history, treat the credential with skepticism.
The credential was issued suspiciously recently for a claimed long-term achievement. Someone who says they completed a certification "three years ago" but the verification page shows it was issued last month has some explaining to do.
The certificate looks different from samples on the issuer's website. If you can find examples of legitimate credentials from the same organization (their website, LinkedIn posts from other recipients), compare the design. Certificate designs don't change dramatically. Major differences in layout, typography, or logo usage are a flag.
The candidate is evasive about providing verification access. A legitimate credential holder can share verification immediately. If someone says "I don't have the email anymore" or "the platform shut down" or "I can send you the PDF but not the link," take note. These may be innocent explanations, or they may not be.
What to Do When You Suspect Fraud
If the verification check fails or the flags are serious enough to act on:
Start with a direct, neutral question. "Can you share the verification link for this certificate?" doesn't accuse anyone of anything. It's a reasonable professional request. How they respond tells you a lot.
Document what you found and when. If you proceed further in the hiring process, you'll want a record of what you checked and what the results were.
Contact the issuing organization directly. Find contact information through independent means, their official website, not anything the candidate provides. Ask them to confirm whether the certificate is genuine. Most credential issuers take fraud seriously and will respond quickly.
Apply your organization's standard adverse action process. If fraud is confirmed, handle it through your standard HR process, the same way you'd handle any other misrepresentation on a job application. Depending on the role and jurisdiction, there may be documentation requirements.
For ongoing hiring, consider requiring verifiable digital credentials (with QR codes or live verification pages) for any certification that will be a factor in your hiring decision. This shifts the burden of proof to the candidate and the issuer, where it belongs.
If your organization is responsible for issuing verifiable digital certificates, setting up a verification system is the first step to protecting your credential's value.
For Organizations Issuing Certificates: What Good Verification Looks Like
If you're on the issuing side, the employer's verification experience is a direct reflection of your credibility.
Every credential you issue should have:
- A permanent, publicly accessible verification URL
- A QR code on the certificate face that links directly to that URL
- A verification page that shows recipient name, credential title, issuer, date, and current status
- The ability to mark credentials as revoked (so verifiers know if a credential was retracted)
Credentials that can't be verified are increasingly treated as unverifiable, because they are. An employer who can't confirm your credential in under 30 seconds will default to "uncertain" and move on.
The investment in verification infrastructure isn't about fraud prevention from your end, it's about giving your credentials institutional credibility that makes recipients' lives easier and your organization's reputation stronger.
Creadefy builds verification into every credential by default: QR codes, permanent verification URLs, cryptographic tamper-proof signing, and revocation support, all included on every certificate issued, free tier included.
Once you've confirmed a credential is genuine, see our guide on how to add a verified certificate to LinkedIn — the verification URL is exactly what makes the LinkedIn entry trustworthy.
For a deeper look at how verification works technically, see why certificate verification matters.
Ready to issue credentials that can be verified in seconds? see Creadefy's pricing and start building a credential program that holds up to scrutiny.
FAQ
How common is certificate fraud on job applications?
More common than most organizations expect. HireRight's employment screening benchmarking data consistently shows that a significant percentage of applicants have discrepancies in their educational and certification claims. The ease of editing PDFs has lowered the barrier to credential fraud substantially.
Can a digitally signed certificate be faked?
Not without access to the private key used to sign it, which is held by the issuing platform, not the recipient. Cryptographically signed credentials are effectively impossible to fake without compromising the issuer's signing infrastructure. This is a qualitatively different security level from a PDF.
What should I do if a verification URL goes to a 404 page?
Two possibilities: the platform the credential was issued on has shut down, or the URL was fabricated. Either way, the credential cannot be independently verified through that link. Ask the candidate for alternate verification (original issuance email, direct contact with the issuer). Document your attempt and the result.
Is a credential ID alone enough to verify a certificate?
A credential ID is a reference number, it's only useful if there's a system you can look it up in. A credential ID without a verification system attached to it is not independently verifiable. The verification URL or QR code is what matters; the ID is just a human-readable reference.
Do I need to verify every certificate in a candidate's profile?
Not necessarily. Focus on credentials that are material to the role, certifications in specific technologies, compliance credentials, licenses, or anything the candidate has cited as a key qualification. Comprehensive background checks typically cover educational credentials formally; for professional certifications, a quick QR scan or URL check is a reasonable and proportionate step.
What's the fastest way to verify a large number of certificates at once?
For individual checks, QR code scanning is fastest, under 10 seconds per credential. For bulk verification of a cohort (checking certificates issued to multiple employees for compliance purposes), contact the issuing organization about bulk verification options. Some platforms including Creadefy support bulk credential lookups for enterprise clients.