Indicator reference guide

Title: Content differences between document versions

Description: We detected changes in this document's content compared to an earlier version of the same file — something that strongly indicates fraud. You can see what was there before and what it was changed to, both in the table below and directly on the document using highlighted areas.

The Content differences between document versions indicator with version comparison detects modifications made to a document by comparing it to an earlier version of the same file. Unlike other indicators that flag inconsistencies in a single file, this group highlights what exactly was changed, such as altered names, dates, or amounts, making it particularly useful for high-assurance fraud detection and audit trails. Changes are shown both in a structured table and visually highlighted directly on the document, allowing users to quickly understand what was added, removed, or replaced.

Title: Content tampering

Description: Some characters in the image differ from the typical patterns found throughout the rest of the image.

The Content Tampering indicator identifies high-confidence signs of visual manipulation in a document, typically affecting specific characters, fields, or regions. Without interpreting the content itself, it leverages advanced image forensics and machine learning to detect strong anomalies in compression patterns, pixel consistency, copy-move artifacts, and localized edits. These findings often point to deliberate changes of critical information—such as names, dates, or amounts—and are strongly associated with document forgery. This indicator operates independently of document type or classification and is triggered only when tampering confidence is high.

Title: Suspected content tampering

Description: Some characters in the image differ from the typical patterns found throughout the rest of the image.

The Suspected Content Tampering indicator highlights potential but less certain signs of visual manipulation. It uses similar forensic techniques as the confirmed Content Tampering indicator but is based on weaker or ambiguous signals—often detected on document edges, in low-quality regions, or in areas with uneven lighting or focus. While these inconsistencies may suggest editing, they also carry a higher chance of false positives. This indicator is useful for drawing attention to questionable areas without asserting confirmed tampering, supporting a more cautious review workflow.

Title: Invalid digital signature or Document with unsigned objects

Description: variable

The Digital Signature indicators evaluate whether a PDF document includes a digital signature and whether that signature still ensures the integrity of the file. An invalid or insufficient signature indicates that the document was modified after signing—either by breaking the signature’s hash or by adding new, unsigned content such as images, annotations, or form fields. In some cases, the signature covers only part of the document, leaving other objects unprotected and potentially vulnerable to manipulation.

Title: Valid digital signature

Description: variable

The Digital Signature indicators evaluate whether a PDF document includes a digital signature and whether that signature continues to protect the document’s integrity. A valid digital signature confirms that the file has not been altered since it was signed and is often issued by a trusted provider such as DocuSign.

Title: Unusual PDF structure

Description: The document does not match any known issuer, and its structure contains irregularities. These could be the result of editing, conversion, or using poor formatting practices.

The PDF Structure Indicators group analyzes the internal construction of PDF documents—such as metadata, layout, fonts, and generation patterns—using techniques that help uncover tampering attempts and low-quality forgeries that may not be visible through visual inspection alone. This indicator highlights documents with structural irregularities that do not match any known issuer or do not follow typical formatting standards. These anomalies may result from editing, file conversion, or the use of low-quality document creation tools.

Title: Trusted document

Description: We’ve seen many documents from {{issuer}}, and this one fits the pattern perfectly. The way it’s put together—including its layout, fonts, metadata, and formatting—matches what we expect from an original, unaltered document.

The PDF Structure Indicators group analyzes the internal construction of PDF documents—such as metadata, layout, fonts, and generation patterns—using techniques that help uncover tampering attempts and forgeries that may not be visible through visual inspection alone. This indicator confirms that the document’s structure fully matches trusted examples from a known issuer, showing no signs of alteration and aligning with expected creation methods.

Title: Small difference in Trusted document

Description: This document looks very similar to trusted files from {{issuer}}, with just a small variation. While this doesn’t suggest tampering, the difference likely comes from routine changes or updates in how the document was created. We continue to monitor similar patterns for potential concerns.

The PDF Structure Indicators group analyzes the internal construction of PDF documents—such as metadata, layout, fonts, and generation patterns—using techniques that help uncover tampering attempts and forgeries that may not be visible through visual inspection alone. This indicator highlights documents that closely match trusted examples from a known issuer, but include a small structural variation likely caused by routine processing or natural updates in document creation.

Title: Known document with unexpected patterns

Description: We’ve seen many documents like this from {{issuer}}, but this one stands out—in the wrong way. Its structure, layout, and other elements don’t follow the expected pattern. These clues strongly suggest the document was modified, recreated, or generated using different software.

The PDF Structure Indicators group analyzes the internal construction of PDF documents—such as metadata, layout, fonts, and generation patterns—using techniques that help uncover tampering attempts and forgeries that may not be visible through visual inspection alone. This indicator flags documents from known issuers whose internal structure deviates significantly from expected patterns, suggesting the file may have been modified or resaved using non-standard software, such as certain browsers or operating systems. When combined with other high-risk signals—particularly those pointing to localized content manipulation—these structural anomalies may be a direct byproduct of the tampering process.

Title: AI-generated document or Shows signs of AI-generated document

Description: variable

The AI-generated document indicator detects files that show signs of being synthetically created using artificial intelligence—either in full or in specific regions, which are highlighted with bounding boxes. These documents often contain subtle but recognizable patterns, such as unnatural layout consistency, unrealistic textures, or visual artifacts that deviate from genuine documents and photographs. Powered by an ensemble of detectors trained on real-world data, this indicator works out of the box and is effective across all document types, including unknown formats and image-based files. It can trigger in two variations: a high-confidence detection (AI-generated document), and a lower-confidence signal (Shows signs of AI-generated document) where the evidence is present but less conclusive.

Title: Serial fraud or Potential serial fraud

Description: variable

The Serial fraud indicator identifies documents that are part of a broader pattern of repeated or templated submissions within a single organization’s traffic. By analyzing visual similarities, metadata traits, recurring backgrounds, and repeated structural or layout patterns—without interpreting the content itself—these indicators help uncover clusters of related documents that may otherwise appear unrelated. This technique is particularly effective in detecting fraud rings or automated forgery operations that reuse the same templates or generation tools. Serial fraud detection operates strictly within each customer’s data environment—no cross-customer clustering is performed—and helps flag coordinated attempts that unfold over time.

Title: Template-farmed document

Description: variable

The Template-farmed document indicator detects documents that originate from known fraudulent template farms—sources that mass-produce fake documents. These detections are based on threat intelligence gathered by our team and patterns observed across customer environments. Even when a template-farmed document appears for the first time in a customer’s traffic, it can be recognized and flagged based on global detection signals. This group helps identify highly scalable fraud attempts where the same forged template is reused across multiple identities, applications, or institutions.

Title: Suspected template-farmed document

Description: This image of a document resembles those typically produced by template farms or similar fraud-enabling tools.

The Suspected template‑farmed document indicator flags documents whose visual layout, structural traits, or capture characteristics resemble those commonly produced by fraudulent template farms, but without an exact match to a known template. These similarities may reflect reused design elements, repeated background patterns, or capture styles frequently seen in mass‑produced forgeries. While not a confirmed template‑farm hit, this signal highlights documents that warrant closer review due to patterns often associated with scalable or automated fraud operations.

Title: Document with fake components

Description: This document shares characteristics with documents created by known fake document generators. These tools often reuse document templates and include fabricated signatures, synthetic faces, artificial backgrounds, and other generated elements.

The Document with fake components indicator detects documents that exhibit features commonly found in forgeries created by fraud-as-a-service tools, online document generators, or organized fraud rings. These documents often reuse templates and incorporate synthetic elements such as fake signatures, AI-generated faces, or artificial backgrounds. This group is powered by a wide range of tailored detectors that are continuously updated based on live fraud patterns, customer escalations, and insights from our in-house threat intelligence team.

Title: Not the original document

Description: variable

The Not the original document indicator detects whether a document image is likely a reproduction rather than the original version. Using a range of forensic signals—including signs of re-saving, cropping, double printing, altered GPS metadata, or mismatched file formats—this indicator flags cases where the document may have been captured, edited, or repackaged before submission. While this does not always confirm fraud, it highlights that the document has undergone one or more transformations, which introduces potential risks of manipulation. This indicator triggers independently of any document classification.

Title: Screenshot

Description: This document is a screenshot, which may indicate an attempt to hide altered content. Some organizations have policies restricting the acceptance and use of screenshots.

The Screenshot indicator detects documents that appear to be screenshots or screen captures from digital devices. While users may submit screenshots for convenience, this format can also be used to obscure signs of tampering—such as editing artifacts, or metadata traces. The presence of a screenshot may introduce risk, depending on the context, and some companies choose to restrict or reject screenshots as part of their document acceptance policies. This indicator helps flag such cases so that organizations can apply the appropriate level of scrutiny based on their internal guidelines.

Title: Digital print

Description: This image appears to have been generated directly from a digital PDF. This is unusual and may suggest an attempt to conceal edits. Some organizations have policies restricting the acceptance and use of digital prints.

The Digital print indicator flags images that have been exported from a digital source, such as a PDF saved or converted into an image file. While this may seem like a harmless format change, it is often used to conceal signs of editing and strip away metadata or structural clues present in the original document. In most cases, there is no legitimate reason to convert a clean digital document into an image—unless to obscure prior manipulation. As with screenshots, the acceptability of digital prints depends on individual organizational policies, and this indicator highlights such cases for closer inspection.

Title: Document captured from a device screen

Description: This document appears to be a photo of a screen rather than the original document. This could be an attempt to hide digital edits or modifications. Some organizations have policies restricting the acceptance and use of screen photos.

The Document captured from a device screen indicator identifies documents that appear to have been photographed directly from a screen, rather than obtained in their original form. This technique is sometimes used to obscure digital edits, compression artifacts, or metadata that would otherwise reveal tampering. While it may result from user convenience, capturing a screen with a camera reduces forensic visibility and may violate document submission policies in some organizations. This indicator helps flag such cases so they can be reviewed according to internal risk and acceptance guidelines.

Title: Printed copy of a document

Description: Image analysis suggests this is a printed copy of the document, which may indicate that earlier versions exist. This could point to potential tampering or fraudulent activity. Some organizations have policies restricting the acceptance and use of document printed copies.

The Printed copy of a document indicator detects when an identity document appears to be a scanned or photographed printout, rather than an original digital or physical version. This often suggests that earlier versions of the document may exist—raising the possibility of prior edits, redactions, or manipulation before printing. While printed copies can be legitimate in some workflows, they also reduce traceability and forensic visibility. Depending on internal policies, some organizations may treat printed copies as risky or restrict their use altogether.

Title: Low quality document

Description: variable

The Low quality document indicator flags documents that suffer from poor visual quality, which can hinder analysis or conceal signs of tampering. These indicators detect issues such as motion blur, flash reflections, compression artifacts, low resolution, or visible physical damage. While some of these may result from innocent capture conditions, low-quality submissions can also be used deliberately to obscure manipulation. This group is powered by our global models and works out of the box, independently of document type or classification. Detecting low quality helps assess the reliability of the document and its suitability for downstream validation or fraud detection.

Title: Processed in {{Producer}}

Description: variable

The Processed in {{producer}} indicator identifies documents that have been modified or saved using third-party image or design software. Based on metadata and editor fingerprinting, this group detects a wide range of editing tools—from advanced applications like Photoshop, GIMP, or Photopea, to mobile and online tools such as PicsArt, FaceApp, or Canva. While some tools may be used for benign purposes like cropping or rotation, many are commonly associated with document manipulation. This indicator is triggered automatically, and is continually updated as new editors are observed in real-world fraud attempts. Detecting editing software is often a strong signal of tampering or fabrication, especially when paired with other visual anomalies or inconsistencies.

Title: Portrait photo tampering

Description: variable

The Portrait photo tampering indicator detects signs that the portrait photo in an identity document has been digitally altered, replaced, or physically manipulated. Using an ensemble of detectors, it analyzes quality inconsistencies, artefacts of ai-generation or unnatural noise patterns that suggest a face was inserted, edited, or manually placed onto the document. These indicators are tailored specifically for ID documents and are effective against a wide range of manipulation methods—from opportunistic edits by individuals to more scalable fraud-as-a-service techniques used to generate fake identities.

Title: Content validations failed

Description: variable

The Content validations failed indicator is based on OCR-extracted data and applies to selected identity documents from Czechia, Argentina, South Africa, Mexico, and India. It verifies the consistency and structure of individual fields—such as ID numbers, barcode content, expiration dates, and formatting rules—without comparing front and back sides or referencing external databases. A failed validation suggests tampering, data inconsistencies, or format violations, and may indicate the use of a forged or poorly constructed identity document. This indicator is triggered automatically and is especially valuable in detecting subtle forgeries or template misuse in standardized ID formats.

Title: Passed content validation

Description: variable

The Passed content validation indicator confirms that OCR-extracted fields in the document—such as ID numbers, barcodes, expiration dates, and formatting—are internally consistent and follow expected structural rules. It applies only to selected identity documents from Czechia, Argentina, South Africa, Mexico, and India, and does not cross-check the data against third-party databases or external sources. A passed validation supports the document’s integrity and structure, helping distinguish legitimate submissions from potentially manipulated ones.