You'd use a utility that can MD5 or SHA against the file you downloaded, it should match the value they list for the image. I'd try to use the strongest one they offer since things like MD5 are vulnerable to collision attacks, meaning you can have two distinctly different files with the same MD5 checksum. Something like SHA256/512 is more secure in that regard, but usually they provide the hash of the file so you both can see that it hasn't been modified as well as verify that the download is bit for bit as intended (ie, not corrupted while transferring or similar).
phpBB had their latest update altered and it was on the server for three hours. If people who downloaded it and didn't verify the hash, I pity them. No, not really... they are an imbecile.
Granted if the hash on the site is alerted to match the altered download, then you are SOL. That's why you separate both. I use Virus Total for most stuff I download as well.