How to avoid employees from forging digital signatures

A key thing is if you are looking at the certificate and it says it was signed by someone DO NOT BELIEVE IT. You and all your staff must be trained in this most basic and important fact. To take a simple analogy: it's like getting a letter, and saying it must be from that person because it is signed, when you don't know what their signature looks like.

The certificate is like the signature. You need to share the certificate before, by a TRUSTED route, and VALIDATE the signature in the PDFs you get against the certificate you trust. Acrobat will now tell you if the signature matches, in a much more reliable and un-fakable way than a paper scribble.

In Acrobat, you have the ability to add a certificate to your list of trusted certificates. You should only do so if you trust the source of the certificate.

As an example, you could create a document that has a digital signature field. You can distribute this document to users with instructions to sign and return it to you by email. When you receive the signed document, you could confirm with the user (by phone, in person, etc) that they did indeed sign and send it to you, and you can then add it to your list of trusted certificates.

If you later received a signed document the claimed to be signed by a user, but you had not previously trusted the certificate, Acrobat/Reader would let you know when you attempt to validate the signature.

A way around all of this is to use certificates issued by a third-party, such as GlobalSign. The idea is that you trust them to ensure that they vet users properly. Acrobat includes a trusted list of such providers, so the process can be a bit more streamlined. There is usually a yearly fee for such certificates though since there is a real cost associated with managing the systems they employ.

PS. If an employee does that you should fire them. You'll see that it doesn't happen very often after that...

Anyone can create a signature profile using any name, email address, etc., they like. That's not what a signature proves (the identity of the signer).

What it does prove is that the person who claims to have signed it did indeed do that. The way that's done is you ask them to send you a certificate file or an fdf file for their profile, and then you can use it to validate that the file was indeed signed by them.

They can generate this file in Acrobat by going to Edit - Preferences - Signatures - Identities & Trusted Certificates, select their profile and then use the Export command to generate the file.

There are services that can also prove the identity of the person signing, but that's much more complicated, of course, as it requires those services to maintain a database of verified identities, against which you can validate the signature.