Scam-Image Forensics

What this tool actually does

This is not a full-web reverse-image search. Full-web reverse search requires indexing billions of images — that’s what Google Lens, TinEye, Yandex and Bing Visual Search do, and they require sending your image to their servers. We deliberately don’t do that. (We do link to those services as opt-in next steps if you want a full-web search after our forensic checks.)

Instead, this tool runs six forensic checks on the image you supply — checks that tell you what the image’s properties reveal, without claiming any knowledge of where else it appears on the web:

1. Stock-photo provider signature

Scans EXIF + XMP metadata for signatures from 16 major stock libraries (Shutterstock, Getty, iStock, Adobe Stock, Alamy, Dreamstime, Depositphotos, Pexels, Unsplash, Pixabay, Stocksy, Vecteezy, Pond5, 123RF, Bigstock, Freepik). A real person’s profile photo will not carry stock-library metadata. If this check fires, the image is from a stock catalogue — strong evidence the person presenting it is misrepresenting themselves.

2. AI-generation metadata / C2PA

Scans for signatures from 13 known AI generation tools (Stable Diffusion, DALL-E, Midjourney, Adobe Firefly, Bing Image Creator, Google Imagen, Leonardo.ai, Runway, Flux, NightCafe, Stability AI, Ideogram, generic markers) plus C2PA provenance manifests embedded by tools that voluntarily disclose AI generation. High-confidence positive when it fires — the file itself declares its AI origin.

3. AI-generation pixel heuristics

For images that didn’t disclose AI generation, we run pixel-level heuristics: face symmetry (AI faces tend toward unrealistic perfect symmetry), skin-texture variance (AI skin lacks natural pore variance). Lower-confidence than metadata detection, but catches some hide-the-AI cases.

4. EXIF metadata extraction

Genuine photos taken with a phone or camera contain EXIF metadata: capture date, camera model, software used, sometimes GPS coordinates. Mismatches are telling. A profile photo of a 30-year-old “in Manchester right now” with EXIF showing the photo was taken in 2018 in a different country is suspicious. AI-generated images typically have NO EXIF data (the tool surfaces this).

5. Face detection + face count

How many faces? What size are they? Are they centred? Profile photos with zero detected faces, multiple faces, or face-only-occupies-tiny-fraction-of-image are unusual. Uses the browser’s built-in FaceDetector API where available; falls back to a clear “detection unavailable in this browser” message otherwise.

6. Error Level Analysis (ELA)

Re-saves your image as 90%-quality JPEG, then compares the pixel-by-pixel difference between original and resaved. Areas that show significantly different error levels are likely edited or composited. Useful for spotting Photoshopped faces, fake document overlays, and composite scenes. You see a visualisation: bright areas in the ELA image = likely edits, uniform areas = original.

What this tool deliberately does NOT do

• Doesn’t search the entire web. No third-party reverse-search APIs by default. You can opt in to Google Lens / TinEye / Yandex / Bing Visual Search via the buttons that appear with the results — those services will receive your image only if you choose to use them.
• Doesn’t upload your image. No SignalTools backend, no temporary file host, no analytics pixels carrying image data. The image bytes stay in your browser.
• Doesn’t maintain a curated “known scam photos” database. We decided against that approach in May 2026: maintaining a useful database means an ongoing curation arms race against fast-moving scammers, and a small database would return “no match” for nearly every photo — misleading users into a false sense of safety. Full-web reverse search (Google Lens etc.) does this job better than we could.
• Doesn’t require a paid service. No PimEyes, no Cloud Vision, no Bing Visual Search API. Free for users; free to run.
• Doesn’t require account creation. No signup, no tracking, no email.

Honest limits

Three things this tool is honest about:

1. Forensics can’t tell you whether a real-looking photo is genuinely the person you’re talking to. Scammers steal real photos of real people from social media constantly. A photo that passes all six checks may still be stolen. The forensic findings tell you about the image; they don’t tell you about the relationship.
2. AI-detection pixel heuristics aren’t infallible. A skilled scammer with quality AI tools can produce photos that defeat the pixel heuristics. A score of “no AI signal” is not proof of authenticity. Always cross-reference with the other 4 catfish-detection signals our catfish detection guide lists (video-call insistence, cross-platform check, language pattern analysis, money-trigger detection).
3. Metadata stripping is a signal in itself. Photos sent directly via WhatsApp / email / Telegram preserve EXIF. A photo that arrives with no metadata at all (no stock signature, no AI signature, no EXIF, no XMP) suggests intentional sanitisation — a step real users rarely take with their own profile photos.

Frequently asked questions

Why not use Google’s reverse image search?

Google does the best full-web reverse search there is. We deliberately don’t redirect users to Google for two reasons: (a) sending the image to a third party defeats the privacy promise; (b) we’d be a router rather than a tool. If you want Google’s reverse search, you can use it directly — we don’t need to be in the middle.

What does “no AI signal” actually prove?

Nothing definitively. AI-generation detection is a heuristic exercise that’s constantly chasing improving generation models. A photo that passes our heuristics may still be AI; a photo that fails may still be genuine. Use it as one data point alongside the other four checks and the 5-step catfish verification sequence.

What if the EXIF data has been stripped?

That’s itself a signal. Most platforms (Instagram, Facebook, Tinder) strip EXIF on upload — so an EXIF-less photo from social media isn’t suspicious by itself. But an EXIF-less photo sent directly via WhatsApp / email / Telegram (which preserve EXIF) IS slightly suspicious because it suggests intentional stripping.

What does ELA actually tell me?

Areas with high error levels (bright in the visualisation) have been re-encoded more recently than the rest of the image — usually because they’ve been edited / pasted in / re-composited. Bright faces on a dim background, or bright text overlays, are common patterns. Uniformly dim ELA across the whole image means the photo is likely a single original capture.

Does this work for documents (passports / IDs / certificates)?

Yes. ELA in particular is useful for spotting tampered documents (added text, photoshopped signatures, replaced photos). Upload a document image and look for bright patches that indicate edits.

Related ScamSupport tools and pages

• Catfish detection — full 5-step verification checklist
• Reverse image search for dating — long-form guide
• I’ve been catfished — aftermath playbook
• Dating app scam patterns UK 2026
• Deepfake scam detection
• Investment Pitch Analyser — pig-butchering detection
• Family Safe-Word Setup — for voice-clone variants

Technical references

• Perceptual hashing: Hacker Factor: Looks Like It (aHash + dHash + pHash)
• Error Level Analysis: FotoForensics: ELA tutorial
• EXIF specification: EXIF.org
• Browser FaceDetector API: MDN FaceDetector
• OCCRP Scam Empire: OCCRP investigation
• FBI IC3 romance scam advisories: IC3.gov

This tool provides forensic and heuristic signals to help identify potentially fraudulent profile photos. No single signal is definitive; use these checks alongside the broader catfish-detection verification sequence (video-call insistence, cross-platform verification, language pattern analysis, money-trigger detection). For confirmed catfish / romance-scam victims, see the aftermath playbook and the Where to Report routing tool.