Detecting Forged Vendor Compliance Certificates in the US
How US procurement teams detect forged Certificates of Insurance, fake W-9s, and expired state Certificates of Good Standing during vendor onboarding.

Summarize this article with
A fabricated Certificate of Insurance, a doctored IRS Form W-9, or an expired state Certificate of Good Standing reused months past its issue date can all clear a five-second visual check during vendor onboarding. Catching them means checking every policy number, taxpayer ID, and license against the party that issued it โ the carrier or agent, the IRS, or the state licensing board โ rather than trusting the PDF a vendor emails over. Unlike the UK, the US has no single national compliance register: insurance, licensing, and tax identity sit with different state and federal bodies, so verification runs across several independent channels rather than one.
This article is deliberately narrow: it is not a guide to obtaining a COI, filing a W-9, or getting state-licensed โ those are covered in our guides on construction subcontractor compliance documents and vendor compliance certificate verification. This piece covers the opposite problem: how these documents get faked, and what to do the moment one looks wrong.
Why Forged Compliance Documents Are Appearing in Vendor Onboarding
Forged documents surface most where margins are thin and onboarding is fast, because fabrication is cheaper for a non-compliant subcontractor than fixing the underlying insurance, tax, or licensing gap. Construction, facilities services, and staffing/labor-supply sectors see this disproportionately, combining tight bid pricing with multi-tier subcontracting chains that dilute oversight of who is doing the work.
A Certificate of Insurance built on the standard ACORD 25 form can be produced convincingly in minutes with a freely available template and a PDF editor, because the form is only an information summary and needs no issuer-side seal to look complete (New York State Department of Financial Services, Office of General Counsel Opinion 02-12-04 on ACORD forms). That opinion also explains why a COI cannot be trusted at face value: it explicitly "confers no rights" on the holder and does not amend the coverage described. A vendor can hand over a document that looks real while the underlying policy has lapsed or never existed.
How Forgers Fabricate COIs, W-9s, Certificates of Good Standing, and Licenses
A genuine Certificate of Insurance is supposed to originate from a licensed agent, broker, or the carrier itself โ never from the vendor being vetted. Forgers exploit onboarding teams that accept a COI by email without checking who sent it: a PDF arrives from the subcontractor's own address rather than a brokerage domain, quoting a "quote number" instead of a policy number, or listing coverage dates that don't match the policy on file. Because the ACORD form is a template rather than a government-issued document, editing the named insured, policy number, or expiration date produces something visually indistinguishable from the original.
IRS Form W-9 fraud usually takes a subtler shape: the form is easy to fill out honestly, so forgers instead put a fabricated or mismatched Taxpayer Identification Number on an otherwise correctly formatted document. The IRS's TIN Matching program lets a payer check up to 25 name/TIN combinations interactively, with results returned immediately, or submit up to 100,000 combinations in bulk within 24 hours (IRS, Taxpayer Identification Number (TIN) Matching), so a mismatched TIN is detectable before the first payment, not after.
State Certificates of Good Standing get forged differently, since the underlying record is genuinely public: it's faster to edit a real certificate's date or status than to fabricate one from nothing. The trick relies on reviewers not knowing the document is time-limited โ most states only treat a certificate as current for 60 to 90 days, since it is a snapshot, not a live guarantee.
State contractor licenses follow the same logic: forgers reuse a real, valid license number issued to a different contractor rather than inventing a license design, because the goal is passing an onboarding checklist that rarely checks the number against the issuing board.
| Document | Issuing/verifying authority | What forgers typically fake | Verification channel |
|---|---|---|---|
| Certificate of Insurance | Licensed agent, broker, or carrier | Vendor-submitted PDF with an altered policy number, dates, or insured status | Call the broker/carrier at a number looked up independently, or use a COI-tracking platform |
| IRS Form W-9 | Self-certified by the vendor | A name/TIN combination that doesn't match IRS records | IRS TIN Matching before first payment |
| Certificate of Good Standing | State Secretary of State (or equivalent) | Expired certificate reused past its 60โ90 day window | State's free business entity search |
| Contractor license | State (or county) licensing board | A real license number attached to the wrong contractor | Licensing board's public license lookup |
Red Flags in Fake Certificates of Insurance
The strongest red flag is the sender, not the document: a COI arriving from the vendor's own inbox, or with no verifiable brokerage domain in the "producer" field, has skipped the channel a genuine COI travels through. A quote number where a policy number belongs, a certificate holder name that doesn't match your organization exactly, or suspiciously round coverage limits should trigger a call to the listed agent or carrier at a number you look up yourself, not one printed on the certificate.
Workers' compensation coverage deserves particular scrutiny because the exposure of accepting a fake one is direct, not theoretical. Most states impose a "statutory employer" rule under which a general contractor becomes liable for a subcontractor's workers' compensation claims if that subcontractor turns out to be uninsured โ an exposure avoided only by holding a valid certificate obtained before work begins (see, for example, Florida Statutes ยง 440.10, Liability for Compensation). A forged workers' comp COI can transfer an entire injury claim onto the hiring business once it turns out to be worthless.
Ready to automate your checks?
Free pilot with your own documents. Results in 48h.
Request a free pilotSpotting a Forged W-9 or TIN
A W-9 is self-certified, so its appearance tells a reviewer almost nothing; the only meaningful check is whether the name and TIN actually match IRS records. Run every new vendor's W-9 through TIN Matching before the first payment, since a mismatch discovered afterward becomes a backup-withholding and 1099-correction problem instead of a simple onboarding check.
A payer who accepts an incorrect TIN without verifying it can become liable for backup withholding at 24% of future payments, while a payee furnishing a false TIN faces a $500 penalty for a baseless statement and $50 for each failure to furnish a correct number (IRS Topic 307, Backup Withholding). A vendor who resists providing a matchable TIN has effectively presented a document the IRS's own systems cannot corroborate โ a stronger signal than any visual inspection of the form.
Verifying State Certificates of Good Standing and Contractor Licenses
Every state's Secretary of State (or equivalent registrar) runs a free online business entity search, and the cross-check takes under a minute: search the entity name or ID number and compare it against every field the vendor submitted. A Certificate of Good Standing reflects the entity's status only at the moment it was generated, which is why most states will not accept one older than 60 to 90 days for a new transaction (Colorado Secretary of State, Certificate of Good Standing FAQ). A certificate presented months after issue, or claiming good standing despite a lapse in the filing history, should be treated as unreliable until reconfirmed on the live register.
Contractor license checks work the same way: search the licensing board's public lookup by license number rather than trusting the card the contractor carries. California's Contractors State License Board runs a dedicated Statewide Investigative Fraud Team conducting undercover stings and job-site sweeps to catch fraudulently licensed contractors (CSLB, Consequences of Contracting Without a License) โ a reminder that rules and enforcement vary by state, so the lookup must match where the vendor is licensed.
Legal and Liability Exposure for the Hiring Business
Presenting a forged compliance document is a federal crime in its own right when used to induce a business decision across state lines. Using a forged certificate, W-9, or license to obtain a contract or payment can fall within the federal wire fraud statute, 18 U.S.C. ยง 1343, carrying a maximum sentence of 20 years' imprisonment (18 U.S.C. ยง 1343, via Cornell Law School's Legal Information Institute). Most states also criminalize a fraudulent insurance document: Florida's insurance fraud statute scales penalties from a third-degree felony under $20,000 to a first-degree felony carrying up to 30 years at $100,000 or more (Florida Statutes ยง 817.234, Insurance Fraud). California, similarly, punishes fraudulent use of a license number with a fine of up to $10,000 and up to three years in state prison (California Business and Professions Code ยง 7027.3).
The exposure is not limited to the forger. The statutory-employer rule and backup-withholding liability both shift financial risk onto the hiring business that accepted a bad document without checking it. Neither the IRS nor most licensing boards penalize the hirer directly for accepting a forged document, but a contractor who onboarded on a fabricated COI or license remains exposed to uninsured-claim, tax-withholding, contractual, and reputational risk of its own.
What to Do When You Suspect a Forged Certificate
Stop onboarding or payment immediately and do not confront the vendor before the document is independently verified, since an early warning can prompt evidence destruction or a hurried second forgery. Verify directly with the issuing source using contact details sourced independently โ the broker or carrier's main line, not a number printed on the COI โ or the IRS's TIN Matching service, the state's entity search, or the licensing board's lookup.
Preserve the original file, including its metadata, rather than a screenshot, since modification history is often the clearest evidence of tampering. Report suspected insurance fraud to your state's Department of Insurance fraud bureau, which typically runs its lookup tools through the NAIC's state-based systems (NAIC, License Lookup), and report suspected TIN or W-9 fraud to the IRS. One anomaly should trigger verification; two or more is a strong basis to pause the relationship pending confirmation.
Building Systematic Verification Into Vendor Onboarding
Manual, ad hoc checking does not scale once a team manages more than a handful of vendors, since every renewal and every new tier-two subcontractor creates another document needing verification against an issuer or registry, not a visual read. Platforms such as CheckFile apply structural, metadata and cross-document analysis to onboarding files, giving compliance teams high coverage while contextual analysis keeps false-positive rates low by distinguishing normal variation from genuine fraud signals.
Manual fraud detection methods, including routine document review, catch only around 37% of occupational fraud cases, with a median delay of 87 days before detection (ACFE, 2024 Report to the Nations). CheckFile also deploys an AI-generation signal layer, depending on client configuration, as a complement to the structural checks above, not a replacement โ a forged COI still has to be checked against the issuing broker, and a mismatched TIN against IRS records. For a broader defense against synthetic paperwork, see CheckFile's AI-generated document detection.
Teams comparing platforms can review CheckFile's security architecture and pricing, or get in touch. For the wider onboarding checklist, see our guides on know your supplier due diligence, verifying a company registration certificate, or the document compliance guide.
Frequently Asked Questions
Does a Certificate of Insurance guarantee that coverage is active?
No. A COI is an information summary, not a contract, and it explicitly "confers no rights" and does not amend the underlying policy. The only reliable confirmation is a direct check with the issuing agent, broker, or carrier, since a genuine-looking certificate can describe a policy that has already lapsed or been canceled.
How can I verify a vendor's W-9 before making a payment?
Run the name and Taxpayer Identification Number through the IRS's TIN Matching service, available interactively for up to 25 combinations with immediate results. Resolve any mismatch before the first payment, since accepting an unverified TIN can expose the payer to 24% backup withholding liability later.
How long is a state Certificate of Good Standing valid?
Most states treat a certificate as current only for 60 to 90 days from issue; it reflects status at that moment, not a live guarantee. One presented outside that window, or claiming good standing despite a lapse in the filing history, should be reconfirmed on the state's business entity search.
Is there a single national registry for verifying US vendor compliance documents?
No. Insurance is regulated state by state, licensing at the state or county level, and tax identity sits with the IRS alone. Verifying a vendor means checking at least three separate channels: the carrier or broker, the IRS, and the relevant state agency.
What penalty applies to presenting a fraudulent contractor license number?
Penalties are set state by state. California punishes fraudulent use of a license number with a fine of up to $10,000 and up to three years in state prison for a felony charge, and other states impose comparable license-fraud and insurance-fraud statutes.
This article is for informational purposes only and does not constitute legal, tax, or regulatory advice. Consult an attorney or tax adviser for guidance specific to your organization and state. Laws and guidance referenced are current as of 7 July 2026.
Stay informed
Get our compliance insights and practical guides delivered to your inbox.