
How to spot a fake or altered certificate of insurance — and why GCs are the last line of defense

A COI in your inbox looks legitimate until an incident proves it isn't. Here are the specific red flags to check before you authorize any vendor to work.

[Image: side-by-side comparison of a legitimate certificate of insurance and a flagged fraudulent one with red warning indicators]

The assumption most general contractors make is that a certificate of insurance is either valid or it isn't — and that the PDF in their inbox is telling the truth. That assumption is wrong often enough to matter. Fraudulent and altered COIs circulate in the construction industry with more regularity than most GC teams want to believe, and the consequences of accepting one land squarely on the party who accepted it without verifying.

The mechanics of how this happens are straightforward. A sub whose policy has lapsed — or who never had coverage at all — opens a previous certificate in a PDF editor, changes the expiration date, adjusts a coverage limit, or swaps in a new certificate holder name. The resulting document looks exactly like a real ACORD 25 form. It has the right layout, the right fields, the right font. It even has an agent name and agency address. The only problem is that the policy it references either doesn't exist or doesn't cover what the document claims.

When an incident occurs and that sub files a claim, the insurer pulls the policy number. It's cancelled, lapsed, or nonexistent. The sub has no coverage. The GC — who accepted the certificate and authorized the work — is now the entity with potential liability for a claim they believed was covered. Courts do not treat "I had a copy of their COI" as a defense when the COI was fraudulent and a basic verification call to the agent would have caught it.

Who does this and why

The motive is almost always economic pressure. A sub's workers' compensation premium spikes after a claim. They can't afford to renew. A new project comes up and walking away from the work isn't an option. So the certificate gets edited. It is not always calculated fraud — sometimes it starts as "I'll fix the paperwork as soon as the renewal comes through" and the renewal never does. The result is the same: a document in your files that does not represent active coverage.

The subs most likely to do this are not necessarily the ones you'd expect to flag. They may be long-standing relationships. They may have always been compliant in the past. A lapse in coverage can happen to any small sub when cash is tight, and the temptation to paper over it rather than lose a contract is real. That is why verification has to be a process, not a character judgment.

The red flags on the document itself

You do not need forensic software to catch most altered COIs. A careful read of the document against a few specific checkpoints catches the majority of fraudulent certificates in circulation.

  • Font or alignment inconsistencies. The ACORD 25 form uses a consistent typeface throughout. If a date field, coverage limit, or name is in a slightly different font weight, size, or vertical alignment than the surrounding fields, it was likely edited. Look especially at the policy expiration date — that is the field most commonly changed.
  • Unusual coverage limits. Real policies frequently land on non-round numbers based on the insurer's underwriting. A general liability limit of exactly $1,000,000 per occurrence is plausible. A workers' comp limit of $847,500 is suspicious — not because the number is wrong, but because it doesn't match any standard policy tier. Conversely, inflated round numbers ($5,000,000 where your contract requires $1,000,000) with no endorsement or explanation are worth questioning.
  • Policy numbers that don't match insurer formats. Most major carriers use consistent policy number structures — a specific prefix, a certain number of digits, a particular delimiter format. If the policy number on the certificate doesn't match the format that carrier typically uses, that's a flag. This takes about thirty seconds to verify by calling the agent.
  • Agent or agency information that doesn't check out. The certificate lists a producing agent and agency. If the agency name doesn't appear in a basic search, the phone number goes to voicemail with a generic message, or the agent's name doesn't appear on the agency's website, stop before accepting the certificate.
  • Certificate holder name that doesn't match your company. If a sub submits a COI that lists a different GC as the certificate holder — or lists a generic company name instead of yours — the certificate was not issued for this project. It was recycled from a previous engagement and may or may not reflect current coverage.
  • Missing additional insured endorsement. The certificate itself says "this certificate does not confer rights upon the certificate holder." The document that actually extends coverage to you is the additional insured endorsement, which should accompany the certificate. If the sub sends only the ACORD 25 form without the endorsement, you are not named on the policy regardless of what the certificate says.

The verification call: thirty seconds that eliminate most risk

The most reliable check against a fraudulent COI costs almost nothing: call the agency listed on the certificate and ask them to confirm the policy is active and that your company is listed as an additional insured. Agents issue certificates — they have the policy in their system. A confirmation call takes less than a minute if you reach someone, and the insurer's certificate verification line handles it if you don't.

The information you need from that call is simple:

  1. Is policy number [X] currently active?
  2. Is [Your Company Name] listed as an additional insured on this policy?
  3. What are the current per-occurrence and aggregate limits?

If the agent can't confirm all three — or if the number on the certificate reaches a non-working line — do not authorize work. Have the sub contact their agent directly and get a certificate issued from the agency system. A legitimate agent can send a verified certificate within the hour.

For GC teams managing more than a handful of active subs, calling every agent for every renewal is not a scalable workflow. But for high-value subs, new relationships, and any sub whose certificate arrives in a format that looks slightly off, the call is worth making every time.

Why email-based collection makes fraud easier

The standard COI collection process — send an email, receive a PDF attachment — is the environment that makes fraudulent certificates easy to circulate. A PDF attached to an email has no provenance. You cannot tell from the file itself whether it was generated by an agency management system or edited in Adobe Acrobat fifteen minutes before it was sent. There is no chain of custody.

The collection method that makes fraud significantly harder is direct-from-agent submission. When the certificate comes directly from the producing agent — rather than from the sub who had access to a copy of their previous certificate — the document's origin is the agency system. Altered documents almost never come from agents because agents have nothing to gain from submitting a fake certificate on a client's behalf and everything to lose.

This is one of the structural advantages of the way Send The Proof handles collection. Each vendor gets a secure upload link that they share with their agent. The agent submits the certificate directly to the link — which means the document in your file was submitted by the party who issued it, not passed through the sub's hands first. That one change in the collection path eliminates the most common vector for fraudulent COI submission: the sub who edits their own copy before forwarding it.

Every submission is timestamped and logged in the vendor's audit trail. If a question ever arises about what was on file and who submitted it, the record is clear. That is not just useful for fraud prevention — it is the documentation that protects the GC when a claim is disputed and someone asks whether due diligence was exercised.

What to do when you suspect a certificate is altered

If a COI raises flags — inconsistent formatting, an agent you can't verify, a policy number that doesn't track — do not confront the sub directly before you have more information. Call the agency listed on the certificate and ask for policy confirmation. If the policy doesn't exist or the agent has no record of your company being listed, you have your answer.

At that point, the conversation with the sub is simple: their current certificate doesn't verify, work is on hold until a confirmed certificate is submitted directly from their agent, and payment is gated on that submission. Most of the time, the sub will produce a legitimate certificate quickly — either because the lapse was unintentional and they get it reinstated, or because the pressure of not being able to work resolves the situation. Either way, the work doesn't start until you have something verified.

If the sub pushes back aggressively or disappears, that tells you what you need to know. A sub with legitimate coverage has no reason to resist a verification call. The ones who resist are protecting something, and what they are protecting is the fact that the coverage doesn't exist.

Building a process that doesn't rely on individual vigilance

Checking every COI for formatting anomalies and calling every agent for policy confirmation is the right practice. It is also not realistic as a manual workflow across 20 or 30 active subs with staggered renewal dates. What makes it sustainable is building the verification steps into a structured collection process rather than leaving them to individual memory and attention.

The components of that process: require direct-from-agent submission (not sub-forwarded PDFs), verify new relationships by phone before authorizing work, track expirations so renewals trigger a fresh submission rather than relying on the original file, and maintain an audit trail of what was received and when. Send The Proof handles the collection and tracking pieces of that workflow automatically — the 30-day expiration alerts, the direct upload link, the timestamped record — for $29.95 a month with the first five vendors free.

The verification call you still make yourself. But with a structured collection process in place, you are making it at the right moments — new vendors, flagged documents, renewal submissions — rather than never making it at all because the manual overhead of the rest of the workflow has already consumed your time.
