FAQ & Troubleshooting
Common questions and fixes. If your issue isn't here, reach the team from the Contact section.
Account & sign-in
I signed up but never chose a password. That's expected. ScamShield AI emails a temporary password; you set your own on first login. Check spam/promotions if you don't see the email.
I can't get past the "set up two-factor authentication" screen. MFA is mandatory and enforced on the server — you can't skip it. Scan the QR code into a TOTP app (Google Authenticator, Authy), then enter the 6-digit code. If the code is rejected, check that your phone's clock is set to automatic (TOTP is time-based).
I lost my authenticator device. Use one of the one-time recovery codes shown when you first set up MFA. If you've used them all or never saved them, contact support to recover access. You can regenerate a fresh set from Settings once you're in.
Too many wrong codes and now I'm locked out. Repeated failed codes trigger a temporary lockout. Wait for the window to pass and try again with a fresh code.
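The clock check in the two-factor answer above, as an added example that is not ScamShield AI's code: a standard RFC 6238 TOTP generator and verifier showing why a phone whose clock has drifted produces codes the server rejects. The acceptance window of one step either side, the secret and the timestamps are assumptions constructed for the illustration.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per TOTP time step (RFC 6238 default)
DIGITS = 6   # length of the code the setup screen asks for


def totp(secret: bytes, unix_time: float, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP using HMAC-SHA1, the default in common authenticator apps."""
    counter = int(unix_time) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret: bytes, code: str, server_time: float, window: int = 1) -> bool:
    """Accept a code from the current step or `window` steps either side.

    window=1 is an assumption for this example, not a documented server setting.
    """
    for drift in range(-window, window + 1):
        candidate = totp(secret, server_time + drift * STEP)
        if hmac.compare_digest(candidate, code):  # constant-time comparison
            return True
    return False


def accepted_with_phone_skew(secret: bytes, server_time: float,
                             skew_seconds: int, window: int = 1) -> bool:
    """Simulate a phone whose clock differs from the server by skew_seconds."""
    phone_code = totp(secret, server_time + skew_seconds)
    return verify(secret, phone_code, server_time, window)


# Constructed sample values: the RFC 6238 test secret and an arbitrary server time.
SECRET = b"12345678901234567890"
NOW = 1_700_000_025  # 15 seconds into a 30-second step

if __name__ == "__main__":
    for skew in (0, 20, 120, -300):
        ok = accepted_with_phone_skew(SECRET, NOW, skew)
        print(f"phone clock off by {skew:+5d}s -> {'accepted' if ok else 'rejected'}")
```

A skew that stays within the window is tolerated; once the phone is several steps away from server time, every code it shows belongs to a step the server is not checking.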
Integrations
Gmail says it needs re-authorisation. This happens when Google invalidates the stored token (for example, after a password change). Reconnect Gmail from the portal to issue a fresh token.
Does ScamShield AI read my emails? No email body is ever downloaded or stored. The Gmail integration uses metadata-only access (headers) plus Google's short snippet. See Integrations and DPDP Compliance.
The Chrome extension isn't showing badges. Confirm you've pasted a valid token in the popup (it should show "Connected" with your plan and usage). The extension runs only on mail.google.com and scores an email when you open it — badges appear above the message body, not in the popup.
My webhook isn't receiving events. Check that the endpoint is active and subscribed to the event (an empty event list receives all events), that it returns a 2xx within 10 seconds, and that you're verifying the X-ScamShield-Signature header correctly. Failed deliveries retry up to 3 times (60s/300s/900s) before being abandoned; review the delivery log for the response code and error.
When is WhatsApp available? It's marked "Coming Soon," pending MCA verification and Meta Business Verification. It is not live yet.
Scanning
I got HTTP 429 / "you've used all your scans." You've hit your monthly quota (Free 50, Starter 500, Professional 5,000). The counter resets at the start of each month, or you can upgrade your plan. A warning email is sent at 80% usage.
Why did my screenshot scan miss Hindi/Gujarati text? The scanner runs a fast English OCR pass first and only loads the Hindi + Gujarati reader when the English result is low-confidence or very short. Very small or stylised vernacular text may still be missed — try a clearer, higher-resolution screenshot.
A legitimate email was flagged (false positive). Report it as a false positive from the threat (see Threat Inbox). This updates the item and feeds a nightly retrain of the classical classifier. For an immediate fix, add the sender to your trusted-sender/vendor settings where available.
Voice analysis
How reliable is voice deepfake detection? It's a rule-based heuristic (version rule-based-v1.1), not a trained ML model — a helpful signal, not proof. Always verify a suspicious voice note through a second channel (call back on a known number). See Voice Analysis for its limitations.
Dark web
I registered assets but see no dark-web alerts. By default only the psbdmp (Pastebin) source is active; IntelX and Dehashed require API credentials to be configured. Scheduled scans run once daily at 02:00 IST; you can also trigger an on-demand scan. No alerts simply means no matches were found in the active source.
Data & privacy
What does ScamShield AI store about my messages? Email/Gmail/voice pipelines store metadata only (hashes, lengths, verdicts). The Universal Scanner is the exception — it stores the text/URL/UPI you submit and, for screenshots, the image and its OCR text. Full details in DPDP Compliance.
Can I export a compliance report or delete my data? Professional/active companies can export a DPDP compliance PDF for a date range, and you can raise a data-deletion request (processed after a grace period). See DPDP Compliance.