Fake Residence Permit Detection: Spotting Forged eVisas
How UK banks, letting agents and employers detect fake residence permit records and forged eVisa share codes across KYC, tenant and right-to-work checks.

Summarize this article with
The UK no longer issues a physical card that a bank clerk, letting agent or hiring manager can hold up to the light. Since the Biometric Residence Permit (BRP) stopped being accepted as proof of status on 31 December 2024, immigration status lives as a digital eVisa record in a UKVI account, proved to a third party through a one-time share code. That shift closed one fraud vector โ cloned holograms and laminate cards โ and opened another: screenshots, doctored share-code confirmation pages and fabricated "immigration status" PDFs that never touch the Home Office system at all.
This article is provided for informational purposes and does not constitute legal or regulatory advice.
Banks running KYC onboarding, letting agents running right-to-rent checks and employers running right-to-work checks are all now verifying the same underlying thing โ a live Home Office record โ through the same narrow channel: a nine-character share code and a date of birth entered on a gov.uk page. That channel is genuinely hard to fake when used correctly. The fraud, in practice, happens around it: applicants who never generate a real code, present an edited screenshot of someone else's result, or exploit staff who skip the live lookup because the process feels new and unfamiliar.
Why fake residence permit fraud shifted from cards to screenshots
Forged BRP cards have not disappeared, but they are no longer the primary threat, because the card itself stopped being valid evidence of status over a year and a half ago. BRPs formally expired as proof of immigration status on 31 December 2024, and anyone who still needed to create or access a UKVI account using an expired card had until 30 June 2026 to do so โ a deadline covered by Home Office eVisa transition guidance that has now passed for most affected applicants. Firms still accepting a BRP photograph as sufficient proof in mid-2026 are relying on a document the Home Office itself no longer treats as authoritative.
The fraud has moved to the layer that replaced the card. An eVisa is not a downloadable certificate; it is a database record. What a bank, landlord or employer actually sees is either a live share-code result displayed on a gov.uk page, or whatever the applicant chooses to send them โ a screenshot, a PDF export, a photo of a phone screen. Every one of those static formats can be edited in a general-purpose image or PDF editor in minutes, because none of them carry a cryptographic signature the way an eVisa's own chip-linked biometric record does. The security has not weakened; the point of failure has simply moved from the document to the process discipline of the person checking it.
How the current eVisa and share-code system actually works
A share code is a temporary, single-use authorisation, not a document, and treating it like a document is the single most common process failure firms report. The applicant logs into their UKVI account, generates a code tied to the specific purpose of the check (an "R" code for right to rent, distinct codes for right to work and other purposes), and gives that code plus their date of birth to the checking party. Right-to-work and right-to-rent share codes expire after 90 days and are valid for a single use, so a code presented as a static screenshot from a previous check โ rather than generated fresh for this specific check โ should never be accepted as sufficient.
The checking party enters the code and date of birth directly into the relevant government service โ gov.uk/view-right-to-work for employers, gov.uk/check-tenant-right-to-rent for landlords and letting agents โ and the system returns a live result naming the individual, their photo and any conditions on their stay. Under the Identity Documents Act 2010, s.7, an eVisa is treated as acceptable evidence of identity, which is also why UK banks now run the same style of live status check under Home Office guidance for banks and building societies issued under the Immigration Act 2014, which requires status checks on all new current-account applicants.
| Sector | What is checked | Government service used | Legal basis |
|---|---|---|---|
| Banking (account opening) | Immigration status for new current-account applicants | Bank-facing status check integrated with UKVI | Immigration Act 2014, s.40; guidance for banks and building societies |
| Tenant screening (letting) | Right to rent, share code beginning with "R" | gov.uk check-tenant-right-to-rent-documents | Immigration Act 2014, Part 3 |
| Hiring (right to work) | Right to work, employer-facing share code | gov.uk/view-right-to-work | Immigration, Asylum and Nationality Act 2006, s.15 |
What users on immigration and landlord forums actually ask
Users on specialised immigration and landlord forums often ask which share code is the right one to request, because the codes look interchangeable to someone unfamiliar with the system. The practical answer: a right-to-rent code always begins with "R"; a code beginning with "W" or another prefix was generated for a different purpose (work, general status proof) and should be rejected with a request to regenerate the correct one โ accepting the wrong code type does not provide a statutory excuse if the tenancy or hire is later challenged.
A second recurring question on those forums concerns applicants who claim their BRP card is "still valid" well into 2026 and ask why a landlord or employer will not accept it as proof. Since the card ceased to be accepted evidence of status at the end of 2024, and the extended window for using an expired BRP to access a UKVI account closed on 30 June 2026 for most cohorts, a physical card presented on its own in the second half of 2026 is not a substitute for a live share-code check, regardless of the expiry date printed on it. Firms that still accept the card as a stand-alone document are the ones most exposed to this specific fraud pattern.
Ready to automate your checks?
Free pilot with your own documents. Results in 48h.
Request a free pilotForensic signals that expose a fabricated status record
A screenshot or PDF claiming to show a gov.uk share-code result carries no cryptographic signature and can be edited in any general image tool, whereas the live lookup on gov.uk always returns the check in real time from the Home Office record. Any file presented as "proof" of a completed check โ rather than a fresh code the checking party enters themselves โ should be treated as unverified until re-run live.
Metadata inconsistency is the fastest automated tell. A document exported from a genuine gov.uk session carries a distinct rendering fingerprint; a fabricated version produced in Canva, a PDF editor or an AI image generator carries a different one, often alongside a creation timestamp that does not match the claimed check date. Layout drift is the second: gov.uk's own service pages follow the GOV.UK Design System precisely, and fabricated versions frequently get spacing, typography or button placement subtly wrong in ways a rushed reviewer misses but automated template comparison catches immediately.
Cross-document inconsistency closes the gap the other two miss. Cross-validating the claimed immigration status against the identity document, the applicant's stated date of birth and any supporting payslip or tenancy history reduces false positives compared with reviewing a single submitted file in isolation, because a fabricated status record built without access to the real UKVI account cannot be made consistent with every other data point in the file. For a closer look at how this cross-checking approach applies to identity documents more broadly, see our guide on identity verification methods and technologies.
Regulatory exposure for firms that get this wrong
Firms face civil and criminal exposure that scales sharply with the sector and the number of affected individuals, and the 2024 fee increases mean the numbers involved are no longer trivial. Employers found to have hired someone without the right to work face a civil penalty of up to ยฃ45,000 per illegal worker for a first breach and up to ยฃ60,000 per worker for a repeat breach within three years, under the Code of Practice on Preventing Illegal Working, effective 13 February 2024. A correctly performed, retained share-code check is the statutory excuse against that penalty โ which is precisely why skipping the live lookup in favour of a stored screenshot is the costliest shortcut a hiring team can take.
Landlords carry parallel exposure under the right-to-rent scheme. A landlord who fails to run a compliant check faces a civil penalty of up to ยฃ10,000 per occupier for a first breach and up to ยฃ20,000 for a repeat breach, under the Immigration Act 2014, Part 3, with the current code of practice for landlords in force from 1 October 2026. For applicants who fabricate the record in the first place, possessing or using a false identity document with improper intention carries up to 10 years' imprisonment under the Identity Documents Act 2010, s.4.
Recommended verification protocol
Automated, first-tier screening should run on every file, not just ones that look suspicious, because the failure mode this article describes is precisely the file that looks fine at a glance. Metadata analysis on any submitted screenshot or PDF, layout comparison against the genuine gov.uk service template, and consistency checks against the rest of the applicant's file can run in seconds and flag anything that needs a live re-check.
Live re-verification should be mandatory whenever a static file is offered in place of a fresh share code, never treated as optional. Escalation to manual investigation, and where warranted a report through the firm's existing suspicious activity reporting channel, should follow whenever the automated and live checks disagree with the file the applicant originally submitted.
CheckFile's AI-generation and forensic document detection applies this methodology โ metadata analysis, template comparison and cross-document validation โ within banking KYC onboarding workflows, and is designed as a complement to existing controls, including the mandatory live share-code lookup, rather than a claim to catch every forgery on its own. Firms extending these checks into equipment or asset financing workflows can also review our guide to financing and leasing compliance and our overview of platform security; pricing details are available on our plans page.
Landlords weighing this alongside broader tenant-screening controls may find our article on rental application fraud and tenant document verification useful, and employers handling the wider right-to-work file should see our work visa verification guide for employers. Both sit within our broader industry verification guide covering sector-specific obligations across banking, real estate and HR.
Frequently Asked Questions
Can a BRP card still be used to prove immigration status in the UK in 2026?
No. BRPs stopped being accepted as evidence of immigration status on 31 December 2024. The extended window that let some holders use an expired BRP to access their UKVI account closed on 30 June 2026 for most cohorts, so a physical card alone is no longer a valid check for banking, tenancy or right-to-work purposes.
What is the difference between a right-to-work and a right-to-rent share code?
Both are single-use, time-limited codes generated from a UKVI account, but they are tied to different purposes and checked through different government services. A right-to-rent code begins with "R"; presenting a code generated for a different purpose does not satisfy either check.
Does a screenshot of a gov.uk share-code result count as proof?
No, not on its own. A screenshot or PDF can be edited and carries no verification of its own. The checking party should always enter the share code and date of birth directly into the live government service rather than accepting a static image of a previous result.
What penalty do employers face for hiring someone without checking their right to work?
Employers who fail to complete a correct check and hire someone without the right to work face a civil penalty of up to ยฃ45,000 per worker for a first breach and up to ยฃ60,000 per worker for a repeat breach within three years, under the Home Office's Code of Practice on Preventing Illegal Working.
Is automated verification of immigration status documents compatible with UK GDPR?
Yes, subject to conditions. Processing this data typically relies on Article 6(1)(c) UK GDPR, compliance with a legal obligation under the Immigration Act 2014 or the Immigration, Asylum and Nationality Act 2006. Firms must inform applicants of the processing and limit retention to what the relevant statutory scheme requires.
Stay informed
Get our compliance insights and practical guides delivered to your inbox.