How to Spot a Fake Certificate of Insurance: 9 Red Flags (2026 Guide)
Fake or altered Certificates of Insurance are more common than property managers and general contractors realize. The Coalition Against Insurance Fraud estimates that COI fraud costs U.S. businesses $40 billion annually — much of it absorbed by property owners and GCs who accepted a fraudulent certificate, then discovered after a claim that no real coverage existed.
The fraud spectrum runs from "honest mistakes" (an agent issued a COI but never actually bound the policy) to outright forgery (a contractor downloaded an ACORD template and filled it in by hand). This guide covers the 9 red flags that distinguish a real COI from a fake or altered one, and the verification workflow that catches the cases your eye misses.
Why Fake COIs Are More Common Than You Think
Three structural factors make COI fraud common:
- Most certificate recipients never verify. Property managers and project managers receive COIs by the hundred per month and rarely contact the issuing agent or carrier. Fraudsters know this and rely on it.
- ACORD templates are publicly available. The ACORD 25 form (the standard COI template) is downloadable from the ACORD website. A bad actor with basic Word skills can fabricate a convincing-looking COI in 20 minutes.
- Insurance agents face pressure to issue. Most COIs come from busy agents who issue them as a courtesy. A small fraction issue COIs that misrepresent coverage to keep a customer or close a sale, knowing the recipient is unlikely to verify deeply.
The good news: fake COIs almost always have detectable signatures. Trained eyes catch the easy 70-80%. The rest get caught with a 30-second carrier verification call.
The 9 Red Flags
1. The Carrier Name Is Misspelled or Slightly Off
Real insurance carrier names are precise. "Liberty Mutual Insurance" is a real company; "Liberty Mutual Insurance Co." is also real. But "Liberty Mutual Insurance Group LLC" with an LLC suffix where there shouldn't be one is a red flag — fraudsters often add or alter corporate suffixes to mask similar-but-fake names.
What to do: Cross-check the carrier name against the NAIC Company Search at naic.org. Every legitimate insurance carrier has a NAIC code. If the name on the COI doesn't appear in the NAIC database, the COI is suspect.
2. The Producer (Agent) Address Is a UPS Store or Virtual Office
Legitimate insurance agencies typically operate from physical offices. A producer address that resolves to a UPS Store mailbox, a virtual office service (Regus, WeWork, Premier Workspaces), or a residential address is a red flag.
What to do: Google the producer address. If the search returns "The UPS Store" or a virtual-office brand as the first result, treat the COI as high-suspicion. Real agencies have real offices.
3. The Policy Numbers Don't Match the Carrier's Format
Each carrier uses a consistent policy number format. Liberty Mutual's commercial liability policies typically start with "TB7-" or similar. State Farm uses different prefixes. Travelers, Hartford, Chubb — each has identifiable patterns.
What to do: If you're not familiar with the carrier's typical format, search "[carrier name] policy number format" to verify. Policy numbers that look like random strings, are unusually short or long, or contain spaces in unusual places are red flags.
4. The Certificate Holder Field Is Inconsistent or Generic
The certificate holder field should name your specific entity — your property management company, your GC, your specific job site address. A COI made out to "To Whom It May Concern" or to a generic certificate holder is unusual and a possible red flag (though sometimes legitimate for portfolios).
What to do: Require certificates be issued specifically to your entity name. If the contractor refuses or cannot get this, treat it as a high-suspicion situation.
5. The Coverage Limits Are Implausibly High for the Premium Implied
A solo subcontractor claiming $2M general liability + $5M umbrella + $1M workers' comp would typically pay $8,000-$15,000/year in premium. If the contractor on the phone is balking at a $50/month dues increase, the implied premium-to-revenue ratio doesn't compute. Coverage they claim to carry may not exist.
What to do: Review coverage limits against the size of the contractor's operation. Outsized coverage relative to firm size is a soft red flag worth verifying with the carrier directly.
6. The Endorsement Schedule Page Is Missing or Generic
A real COI for a vendor with additional insured status should reference the specific endorsement form numbers (CG 20 10, CG 20 26, CG 20 37, etc.) by version. A COI that references "additional insured per the certificate" without naming the specific form, or includes only an unsigned generic endorsement statement, is a red flag.
What to do: Require the actual endorsement forms be attached to the COI, not just the certificate page. A real agent will provide the endorsement form within an hour. A fake COI typically cannot produce a real endorsement form.
7. The Signature Block Is Missing or Doesn't Match the Producer Name
The lower-right "Authorized Representative" signature block should contain a real signature from a real person at the producer agency. Fake COIs often have copy-pasted images of signatures, signatures that don't match the producer name on file with the state insurance department, or signature blocks that are blank or generated.
What to do: Check the signature visually for cut-and-paste artifacts (sharp edges, JPEG compression). Verify the named signer is a licensed agent with the state insurance department's online lookup tool.
8. The Issue Date Is Recent But the Document Looks "Aged"
Forgers often start with a real COI (their own from a prior policy, or one obtained via a previous job) and modify the dates and certificate holder. Telltale signs: the issue date is recent but the document has font-rendering inconsistencies (mixed font weights), pixelated edits over original text, or page elements that don't align cleanly.
What to do: Open the COI PDF in a tool like Adobe Acrobat or pdfinfo and check the document creation date metadata. A real recently-issued COI has metadata that matches the issue date. A modified document often has older metadata or evidence of multiple revisions.
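The metadata comparison described above can be scripted. The following is an added example, not code from the original guide: it assumes the dates were exported with `pdfinfo -rawdates` (which prints the PDF's undecoded date strings), and the function names, the two-day tolerance and the five-minute revision threshold are illustrative choices.

```python
import re
from datetime import date, datetime, timedelta, timezone

# PDF date string: D:YYYYMMDDHHmmSS then Z or +HH'mm' (fields after the year optional)
PDF_DATE = re.compile(r"D:(\d{4})(\d{2})?(\d{2})?(\d{2})?(\d{2})?(\d{2})?"
                      r"(?:Z|([+-])(\d{2})'?(\d{2})?'?)?")

def parse_pdf_date(raw):
    """Return an aware datetime for a raw PDF date string, or None if malformed."""
    m = PDF_DATE.fullmatch(raw.strip())
    if not m:
        return None
    parts = [int(g) if g else d for g, d in zip(m.groups()[:6], (0, 1, 1, 0, 0, 0))]
    offset = timedelta(hours=int(m.group(8) or 0), minutes=int(m.group(9) or 0))
    if m.group(7) == "-":
        offset = -offset
    try:
        return datetime(*parts, tzinfo=timezone(offset))
    except ValueError:  # e.g. month 13 or an out-of-range offset
        return None

def review_metadata(pdfinfo_raw, issue_date, tolerance_days=2):
    """Compare `pdfinfo -rawdates` output with the issue date printed on the COI."""
    fields = {}
    for line in pdfinfo_raw.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    created = parse_pdf_date(fields.get("CreationDate", ""))
    modified = parse_pdf_date(fields.get("ModDate", ""))
    findings = []
    if created is None:
        findings.append("CreationDate missing or unparseable")
    elif abs((created.date() - issue_date).days) > tolerance_days:
        findings.append(f"created {created.date()}, COI issue date {issue_date}")
    if created and modified and modified - created > timedelta(minutes=5):
        findings.append(f"modified {modified.date()}, after creation")
    return findings

# Constructed sample output, not taken from a real certificate.
ALTERED = ("CreationDate:   D:20240611143005-05'00'\n"
           "ModDate:        D:20260302091244-05'00'\n")
CLEAN = ("CreationDate:   D:20260302101522-05'00'\n"
         "ModDate:        D:20260302101522-05'00'\n")

if __name__ == "__main__":
    for name, sample in (("altered", ALTERED), ("clean", CLEAN)):
        print(name, review_metadata(sample, date(2026, 3, 2)))
```

PDF metadata can be rewritten by anyone who edits the file, so an empty findings list only means this check found nothing; it does not confirm the certificate.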
9. The COI Was Sent From the Vendor's Email, Not the Agent's Email
A legitimate COI is typically issued by the agent and sent directly from the agency to the certificate holder. When a vendor sends you the COI from their own email — especially as an attachment they "received from their agent" — it's a red flag. The vendor has had the document in their possession, which is when modifications happen.
What to do: Require the COI be emailed directly from the producer agency's email domain (@arthurjgallagher.com, @marshmma.com, @hubinternational.com, etc.). If it's only available via the vendor, ask the vendor for the agent's contact info and request a fresh copy directly.
The 60-Second Verification Workflow
Even with the 9 red flags, the highest-confidence verification is a direct call to the carrier:
- Find the carrier's COI verification phone number (most major carriers have one, usually published on their website under "Insurance Agents" or "Producers").
- Call the carrier with the policy number and named insured. Ask whether the policy is active and whether your entity is listed as an additional insured (if applicable).
- Confirm the coverage limits match what's on the COI. Carriers will confirm coverage limits to certificate holders without sharing other policy details.
- Note the call: who you spoke with, what they confirmed, the date. This documentation is critical if you need to later prove you exercised reasonable care.
The whole call typically takes 90 seconds. It's the single highest-leverage thing you can do for any vendor handling significant work or carrying meaningful risk to your property or project.
When Automated Tools Help
For property managers tracking 50+ vendors or GCs working with hundreds of subs, manual verification of every COI doesn't scale. Automated COI tracking platforms (COIPulse, TrustLayer alternatives, myCOI alternatives) handle the volume layer:
- Automated parsing of COI fields with red-flag scoring
- Cross-reference against NAIC carrier database
- Endorsement form verification (does the document include CG 20 10 with the actual form attached?)
- Automatic re-verification on expiration
COIPulse's free COI Grader runs the 9-point red-flag check on any uploaded certificate in 30 seconds. It won't replace a carrier verification call for high-risk vendors, but it catches the easy 70-80% of fakes and tells you which COIs deserve the deeper call.
What Happens If You Accept a Fake COI
The legal exposure for accepting a fake COI without verification is meaningful:
- Property damage claims that should have been covered by the contractor's liability policy land on the property owner instead.
- Workers' comp injuries to a contractor's employee — if the contractor's WC policy doesn't actually exist — fall on the property owner under most state employer-of-record statutes.
- Insurance subrogation rights are lost; your own insurer may decline to defend a claim if you can't show evidence of the contractor's coverage at the time of the incident.
The case law is consistent: courts expect "reasonable diligence" in verifying contractor insurance. Accepting a COI without any verification typically does not meet that bar. Documenting that you ran the 9-point check and verified at least the carrier and policy by phone usually does.
The Bottom Line
Fake COIs are common because most certificate holders don't verify. The 9 red flags catch the easy 70-80%; a 60-second carrier verification call catches the rest. For any vendor doing meaningful work — anything where a single claim could exceed your insurance deductible — both checks are worth the time.
For volume operations (50+ vendors, hundreds of subs), automate the red-flag checks with COIPulse or similar; reserve the manual carrier-verification calls for the high-risk-exposure vendors. The combination catches the fakes before they cost you a claim.