I automated screenshot verification for a real estate outreach team and found a duplicate-payment loophole
A real estate company I worked with pays outreach workers based on screenshots of their activity on Nextdoor.
Workers make community posts and send DMs to prospects, then email screenshots as proof. Previously, the owner had to open every email, inspect each screenshot, decide whether it qualified, and manually calculate payment.
That worked with a small team, but it was becoming difficult to manage as submission volume increased.
I built an n8n workflow to handle most of the process automatically:
- A worker emails their screenshots.
- The workflow checks the sender’s name and email against the active worker list.
- The screenshots are uploaded to Supabase Storage.
- An AI vision model classifies each screenshot as either a community post or a DM conversation.
- Posts are evaluated using qualification rules pulled from the company’s training document.
- DMs are compared against the company’s approved message templates.
- Payment is calculated for qualifying submissions.
- When a screenshot shows that a prospect has replied, the workflow flags it as a hot lead and immediately emails the leadership team.
The interesting problem was duplicate submissions.
A worker could theoretically reuse an approved screenshot in a new email and get paid twice. Checking the Gmail message ID would not prevent this because every new email has a different ID.
To handle exact duplicates, the workflow creates a SHA-256 hash for every image when it arrives. That hash acts as a fingerprint for the file and is checked against all previously processed submissions.
When the exact same file is submitted again, the workflow:
- marks it as a duplicate,
- sets its payment to zero,
- logs the submission,
- and continues processing the remaining files.
One limitation is that SHA-256 only detects byte-for-byte duplicates. Cropping, resizing, or recompressing the screenshot would produce a different hash. A future improvement would be adding perceptual hashing or image-similarity detection to catch visually similar images as well.
Building the automation itself was fairly straightforward. The harder part was thinking through how the payment system could be abused before putting it into production.
For people who have built similar verification workflows, how are you handling modified duplicates or AI-generated screenshots?