SCAM: A Real-World Typographic Robustness Evaluation for Multimodal Foundation Models

This paper introduces SCAM, the largest and most diverse real-world dataset of typographic attack images, to evaluate and demonstrate the significant vulnerability of state-of-the-art multimodal foundation models to such attacks while providing empirical insights into how model architecture and training data influence robustness.

The Gist

Imagine you have a super-smart robot assistant that can "see" pictures and "read" text at the same time. You ask it, "What is this?" and it looks at a photo of a clock and says, "That's a clock!" It's great, right?

But what if someone wrote the word "TAXI" in big, messy handwriting on a sticky note and stuck it right next to the clock? Suddenly, the robot gets confused. It looks at the picture, sees the word "TAXI," and panics, shouting, "That's a taxi!" even though it's clearly a clock.

This paper is about a group of researchers who decided to test just how easily these smart robots can be tricked by this kind of "typographic magic."

The Problem: The Robot's Bad Habit

These AI models (called Vision-Language Models) are like students who are too good at reading but forget to look at the picture. When they see text in an image, they get so excited about the words that they ignore the actual object. It's like a student taking a test who sees the word "apple" written on the page and circles "apple" as the answer, even if the picture shows a banana.

The researchers found that existing tests for this problem were too small and fake. They were like practicing for a real exam using a practice test with only 10 questions. To really understand the danger, they needed a massive, real-world test.

The Solution: Introducing "SCAM"

The researchers created a new dataset called SCAM (Subtle Character Attacks on Multimodal Models). Think of this as the "Ultimate Trickster's Playground."

• The Setup: They took 1,162 photos of everyday objects (like toasters, bicycles, and cats).
• The Trick: They stuck a yellow sticky note next to each object with a completely unrelated word handwritten on it (e.g., a picture of a toaster with a sticky note saying "Pig").
• The Scale: They didn't just do this once. They did it with hundreds of different objects and hundreds of different confusing words. They even had nine different people write the notes with different pens and phones to make it look as real and messy as possible.

They also created two "control groups" for comparison:

1. NoSCAM: The same photos, but with the sticky notes removed (the "clean" version).
2. SynthSCAM: The same photos, but with the words added back in using a perfect computer font (the "fake" version).

What They Discovered

The researchers tested dozens of different AI models on this dataset, and the results were eye-opening:

1. The Robots Are Easily Fooled
When the AI saw the "SCAM" photos, its accuracy dropped like a stone. Some models that were 99% accurate on clean photos fell to 30% or 40% accuracy when a silly word was added. It proved that these models are dangerously reliant on text, often ignoring the visual reality.

2. Fake Attacks Work Just as Well as Real Ones
The researchers wanted to know if they needed to go out and take thousands of real photos with sticky notes, or if they could just use computer-generated text. They found that computer-generated text (SynthSCAM) tricked the robots just as effectively as real handwritten notes. This is great news for researchers because it means they can test safety without needing to physically stick notes on everything in the world.

3. Bigger Brains Help, But Only Sometimes
They found that simply making the "vision" part of the robot better didn't always fix the problem. However, making the "language" part (the brain that understands words) bigger and smarter did help.

• Small models were easily confused.
• Huge models (like the ones powering the most advanced chatbots) were much better at saying, "Wait, that's a clock, even though it says 'Taxi'."
• The Catch: Even the biggest models weren't 100% safe. If the "eyes" (vision encoder) were weak, the "brain" (language model) still got confused.

4. The "Patch Size" Matters
They discovered that how the AI breaks down an image into tiny squares (patches) matters. If the squares are too small, the AI gets too focused on the text and misses the big picture. It's like trying to identify a car by looking at a single pixel of its tire; you might see the word "tire" and forget it's a car.

Why Should You Care?

This isn't just a game. These AI models are starting to be used in self-driving cars and medical diagnosis.

• Imagine a self-driving car seeing a "STOP" sign, but someone has taped a piece of paper next to it that says "GO." If the car's AI is tricked by the text, it could drive right into an intersection.
• Imagine a medical AI looking at an X-ray that has a label saying "Healthy," but the image clearly shows a tumor. If the AI trusts the text over the image, it could miss a diagnosis.

The Bottom Line

The paper is a wake-up call. It says, "Hey, our smart AI models are currently too gullible. They trust text in images too much."

By releasing this massive dataset (SCAM) and the code to test it, the researchers are giving the world a tool to build better, safer, and more robust AI. They want to make sure that in the future, when a robot looks at a clock with a sticky note saying "Taxi," it will confidently say, "That's a clock," and not get tricked by the prank.

Technical Summary

Here is a detailed technical summary of the paper "SCAM: A Real-World Typographic Robustness Evaluation for Multimodal Foundation Models."

1. Problem Statement

Multimodal foundation models, including Vision-Language Models (VLMs) and Large Vision-Language Models (LVLMs), have achieved remarkable success in tasks like image classification and generative AI. However, they exhibit a critical vulnerability known as typographic attacks. These attacks exploit the models' reliance on textual cues within images, causing misclassifications when misleading, human-readable text (e.g., a handwritten word on a sticky note) is embedded in an image.

Existing research is hindered by a lack of high-quality data:

• Limited Scale and Diversity: Previous real-world datasets (e.g., PAINT, RTA-100) are small and lack variety in object categories and attack words.
• Synthetic Bias: Most studies rely on synthetic datasets where text is digitally overlaid, which may not accurately reflect the complexities of real-world conditions (lighting, handwriting, camera angles).
• Evaluation Gaps: There is a lack of structured comparison between real-world attacks, clean baselines, and synthetic variations to measure transferability and causal effects.

2. Methodology

A. The SCAM Dataset

The authors introduce SCAM (Subtle Character Attacks on Multimodal Models), the largest and most diverse real-world typographic attack dataset to date.

• Scale: 1,162 images covering 660 distinct object labels and 206 unique attack words (forming 1,147 unique combinations).
• Data Collection: Images were captured by nine contributors using various smartphones in diverse environments (indoor, outdoor, traffic, households) to ensure natural variability in lighting, camera quality, and handwriting styles.
• Attack Mechanism: Objects are photographed with a Post-it note placed next to them containing a semantically unrelated, handwritten English word (e.g., a "clock" with a note saying "taxi").
• Three Variants:
  1. SCAM: The original real-world attacked images.
  2. NoSCAM: Clean versions where the Post-it note is digitally removed/recolored to preserve the object but hide the text.
  3. SynthSCAM: The same images with the attack words digitally reintroduced using a uniform font (Roboto) to match the ink color, allowing for controlled synthetic evaluation.

B. Evaluation Framework

The paper benchmarks a wide range of models (99 VLMs and 11 LVLMs) across the three datasets.

• VLM Evaluation (Zero-Shot): Models like CLIP and SigLIP are tested by computing the cosine similarity between the image embedding and text embeddings of both the correct object label and the attack word. The label with the highest similarity is the prediction.
• LVLM Evaluation (Prompt-Based): Models like LLaVA, Gemma3, and GPT-4o are queried with a multiple-choice prompt (e.g., "What entity is depicted? (a) clock (b) taxi"). The model's ability to select the correct object over the attack word is measured.
• Comparative Analysis: The study analyzes the impact of training data (e.g., LAION vs. CommonPool), model architecture (ResNet vs. ViT, patch sizes), and model size (parameter count) on robustness.

3. Key Contributions

1. SCAM Dataset Release: A comprehensive resource containing 1,162 real-world images with aligned clean (NoSCAM) and synthetic (SynthSCAM) counterparts, enabling rigorous causal analysis of typographic vulnerabilities.
2. Empirical Validation of Synthetic Attacks: The study demonstrates that synthetic attacks (SynthSCAM) closely mimic the performance degradation caused by real-world attacks (SCAM), validating the use of synthetic data for scalable robustness testing.
3. Architectural and Training Insights:
   • Training Data: Models trained on specific datasets (e.g., LAION) are significantly more vulnerable than those trained on filtered or diverse datasets (e.g., CommonPool variants).
   • Architecture: Vision encoders using ViT architectures with smaller patch sizes are more susceptible. SigLIP generally outperforms CLIP in robustness.
   • LLM Backbone Size: While vision encoders are the primary source of vulnerability, employing larger Large Language Model (LLM) backbones in LVLMs significantly mitigates susceptibility and improves typographic understanding.
4. Comprehensive Benchmarking: Extensive evaluation of 111 models, including state-of-the-art closed-source models (GPT-4o, Claude Sonnet) and open-source variants, providing a new standard for robustness evaluation.

4. Key Results

• Significant Performance Drop: Typographic attacks cause a massive drop in accuracy. For VLMs, accuracy drops by an average of 26 percentage points on SCAM. For smaller LVLMs (e.g., LLaVA-7b, Gemma3-4b), the drop can exceed 40–60 percentage points.
• Real vs. Synthetic Alignment: Confusion matrices show high alignment between SCAM and SynthSCAM results, confirming that synthetic attacks are a reliable proxy for real-world scenarios.
• The "Vision Encoder" Bottleneck: LVLMs inherit the vulnerabilities of their underlying vision encoders. For instance, LLaVA models using the OpenAI-trained ViT-L-14-336 encoder are highly vulnerable.
• The "LLM Backbone" Mitigation: Increasing the size of the LLM backbone improves robustness.
  • Example: llava:34b-v1.6 (34B parameters) maintains ~85% accuracy under attack, whereas llava:7b-v1.6 drops to ~58%.
  • Example: gpt-4o shows minimal degradation (~3% drop), while gpt-4o-mini drops ~15%.
• Prompting Limitations: Simply adding "safety" instructions to prompts (e.g., "Do not get fooled by typographic attacks") does not significantly reduce vulnerability.
• Encoder Swapping: Replacing a vulnerable vision encoder with a more robust one in an LVLM (without retraining the whole system) does not automatically transfer robustness; in some cases, overall performance even decreases.

5. Significance and Future Implications

• Safety-Critical Applications: The findings highlight severe risks for deploying multimodal models in safety-critical domains like autonomous driving (e.g., misreading a "stop" sign due to a "go" sticker) and medical imaging.
• Research Direction: The paper shifts the focus from purely architectural changes to the importance of training data curation and LLM backbone scaling as defense mechanisms.
• Defense Strategies: The authors suggest that future defenses should not rely solely on prompt engineering or simple encoder swaps. Instead, they propose exploring alignment training, mechanistic defenses, and systematic retraining of LVLMs with robust vision backbones.
• Open Science: By releasing the dataset and code, the authors provide the community with the necessary tools to develop and test robust multimodal AI systems, moving beyond synthetic benchmarks to real-world reliability.

In conclusion, SCAM establishes that typographic attacks remain a potent threat to state-of-the-art multimodal models. While larger LLM backbones offer a path toward resilience, the fundamental vulnerability of current vision encoders requires deeper investigation and more robust training paradigms to ensure the safe deployment of these technologies.