Interactive security diagnostics — powered by Breach
// WHAT WILL BE SCANNED
This tool performs a live, read-only security scan of your current public
IP address from our internet vantage point. No agents or software are
installed on your device.
Checks performed:
Public IP & Geolocation — country, region, city, and ISP
Port scan — 11 commonly abused ports checked for external visibility
Reverse DNS — hostname lookup and PTR record consistency check
Blacklist check — three major DNS-based blocklists queried
// DISCLAIMER
Results reflect what is visible from a single internet vantage point only.
This is a demonstration tool — not a comprehensive security audit.
Open ports do not necessarily indicate a vulnerability; context matters.
Scan data is not stored or logged beyond this session.
> initialising scan...
This may take up to 45 seconds while ports are probed.
// IP & GEOLOCATION
// REVERSE DNS
// PORT SCAN
// BLACKLIST STATUS
// SCAN FAILED
// lesson: 1 of 4
// WHAT IS PHISHING?
Phishing is a social-engineering attack where an adversary impersonates a trusted entity — a bank, a colleague, a cloud service — to trick you into handing over credentials, money, or access.
3.4 billion phishing emails are sent every single day. It remains the most common entry point for data breaches worldwide.
Common variants:
Spear phishing — targeted attack on a specific individual using personal details.
Whaling — spear phishing aimed at executives to authorise wire transfers or expose strategic data.
Smishing — phishing delivered over SMS.
Vishing — voice phishing via phone call claiming to be IT support, a bank, or government.
// SENDER SPOOFING
The From: header can be set to anything. A display name of "PayPal Security" means nothing — what matters is the actual sending domain.
✗ PHISHINGpaypal-security@paypa1-accounts.com
✓ LEGITsecurity@paypal.com
Tricks attackers use:
Homoglyphs — replacing l with 1, or o with 0.
Adding words — paypal-security.com is not PayPal.
Subdomain abuse — paypal.com.evil.net — the real domain is evil.net.
Phishing emails create artificial pressure to short-circuit your critical thinking.
"Your account will be suspended in 24 hours" · "Immediate action required" · "Unauthorised login detected — verify now"
URL tricks:
Subdomain abuse:paypal.com.verify-account.ru/login — real domain is verify-account.ru.
Path confusion:evil.com/paypal.com/login — path means nothing.
URL shorteners: hide the real destination entirely.
HTTPS ≠ safe: attackers get free TLS certificates. The padlock means encrypted, not legitimate.
// BEC & MALICIOUS ATTACHMENTS
Business Email Compromise (BEC) is a sophisticated attack where criminals impersonate a CEO, CFO, or trusted vendor to authorise wire transfers or expose data. BEC caused $2.9 billion in losses in the US in 2023 alone (FBI IC3).
Red flags for BEC:
Unusual wire transfer or gift card requests — urgent, confidential.
Sender domain is slightly off — company-llc.net vs company.com.
Requests to bypass normal approval processes.
Dangerous attachment types:
.lnk — Windows shortcuts; execute arbitrary commands on double-click.
.docm / .xlsm — Office files with macros; macros can run malware.
.iso / .img — disk images that bypass email filters.
.js — JavaScript files run directly by Windows Script Host.
// question: 1 of 6
Read the email below. Is it phishing or legitimate?
// quiz complete
// HTTP SECURITY HEADERS
Enter a domain or URL to check which security headers are present.
Missing headers are common on small business sites and leave users exposed to basic attacks.