Security Blog
Practical guides, scam alerts, and tips to help you stay safe online.
Online threats are getting more sophisticated every year. Phishing emails that look identical to real bank messages, fake shopping sites that steal credit card details, text message scams that create false urgency. The list keeps growing. The people most affected are often those with the least technical knowledge: parents, students, small business owners, and everyday internet users.
That's why we created this resource library. Every guide below is written in plain language, with practical steps you can take right now to protect yourself and the people you care about. No jargon, no upselling, no fluff, just clear, actionable security advice from the team behind ScanTotal's free scanning tools.
Whether you're dealing with a suspicious text message, trying to figure out if a website is legitimate, or want to understand how phishing actually works, start with the guides below. They're organized by topic to help you find what you need quickly.
Founder's Notes
The story and the thinking behind ScanTotal, in the founder's own words.
Practical How-To Guides
Step-by-step instructions for responding to threats, reporting scams, and protecting the people around you.
What 30 Days of Real Scans Revealed: 730 Submissions, 9 Threats, 3 Surprises (June 2026)
The unedited 30-day data from ScanTotal's scanners, the 0% file-scanner mystery, threats arriving in waves, and the global geography of who actually scans.
The Three Layers of URL Safety: Reputation, Heuristics, and Live Probing
How modern URL safety combines reputation databases, URL structure heuristics, and live behavioural probing into a layered defence, and how ScanTotal applies all three to every scan.
How to Read a Security Scan Report (Without Panicking)
What "1/70 detections" actually means, how to read urlscan-style URL reports, and why zero detections isn't the same as "safe." A plain-language guide to scan reports.
Understanding False Positives: When Security Tools Get It Wrong
Why legitimate files and sites sometimes get flagged, four ways to verify a detection is genuinely a false positive, and when "it's a false positive" is wishful thinking.
Which File Types Are Safe to Download (and Which Aren't)
A practical, file-type-by-file-type guide: which downloads are genuinely dangerous, which just look scary, and how to handle the awkward middle, PDFs, Office documents, archives.
Punycode and Homograph Attacks: When аpple.com Isn't apple.com
How attackers use Cyrillic and other lookalike characters to register domains indistinguishable from real ones, why browsers can't always save you, and three checks that catch them.
Why Did My Browser Say "Deceptive Site Ahead"?
A plain-language reference for every common browser security warning, "Deceptive site ahead", SmartScreen blocks, NET::ERR_CERT_*, and when it's safe to bypass versus when the browser is genuinely saving you.
Are PDFs Safe? How PDF Malware Actually Works in 2026
Deep-dive into JavaScript-in-PDF, embedded files, /Launch actions, and phishing-via-PDF. Which viewers reduce the risk and when a "clean" PDF is still worth a second look.
Scan of the Week #1: Dissecting a Real Fake-Login URL
A real phishing URL our scanners caught, walked through layer by layer, what reputation saw, what heuristics scored, what live probing revealed, and why the verdict came out the way it did.
How ScanTotal Detects Malware URLs That Other Scanners Miss
Inside our proprietary three-engine detection system: heuristic analysis, real-time deep probing, and combined threat scoring that catches URLs missed by traditional blocklists.
What to Do If You Clicked a Suspicious Link
Step-by-step response for every scenario, from just clicking to entering passwords or downloading a file. Includes device cleanup, account recovery, and when to involve your bank.
How to Check If Your Email Has Been in a Data Breach
Use free breach databases to find out whether your email, passwords, or phone number have been exposed, and the exact steps to take if they have.
How to Report a Scam Website
Where to report scam sites so they get blocked, taken down, and investigated. Includes links to Google Safe Browsing, APWG, ACCC Scamwatch, Action Fraud, and the FBI IC3.
How to Protect Your Parents from Online Scams
Practical protections you can set up in an afternoon, the red flags older relatives miss most often, and how to have the conversation without sounding condescending.
Safe Browsing Tips for Students
Essential security habits for teens and college students: account security, campus WiFi risks, scholarship scams, social-engineering attacks, and protecting your digital footprint.
How to Scan a QR Code Safely on Your Phone
QR code scams are rising fast. How to scan QR codes safely on iPhone and Android, spot tampered codes, and check QR links for threats before visiting.
Is This File Safe? How to Check Downloads for Malware
How to check if a downloaded file is safe using hash scanning, which file types to watch for, and a free malware scanner tool.
How to Spot a Phishing Email: 8 Warning Signs
Eight proven warning signs of phishing emails with real examples from banks, Apple, Amazon, and more, plus a free email scanner.
How to Check If a Link Is Safe
Six ways to check if a URL is safe, spot phishing links, and use our free link checker to scan any URL instantly.
Scam Awareness
Recognize the most common scams circulating right now, from fake shopping sites to WhatsApp tricks, so you can spot them before they cost you.
Top 10 Online Scams in 2026 and How to Avoid Them
The most common scams targeting people right now, from AI voice cloning and investment fraud to package-delivery texts, and the concrete habits that keep you safe from each one.
How to Tell If an Online Shopping Site Is Fake
Ten warning signs of fraudulent stores plus practical verification methods: domain age checks, reverse image search, return-policy red flags, and trust-seal lookups.
WhatsApp Scams: Common Tricks and How to Stay Safe
Verification-code theft, "Mum, I've lost my phone" impersonation, fake giveaways, and crypto investment groups, plus the security settings every WhatsApp user should turn on.
How to Spot Fake Job Offers Online
Red flags in job postings, common recruitment scam types (equipment fee, cheque-cashing, crypto payroll), and the verification steps to take before handing over any personal details.
Social Media Scams: What to Watch Out For
Scam ads, account takeovers, fake giveaways, romance fraud, and crypto pumps across Facebook, Instagram, TikTok, and X, and the privacy settings that reduce your exposure.
Is That Text Message a Scam? How to Tell
How to identify smishing attacks: fake delivery notices, bank alerts, toll-road fines, and Centrelink/MyGov impersonation, with examples of real scam texts side by side.
UPI Payment Scams in India, How to Stay Safe in 2026
Real scam patterns targeting GPay, PhonePe, and Paytm users, collect-request tricks, fake KYC expiry, QR swap fraud, with NPCI complaint process and bank escalation steps.
Aadhaar Phishing in 2026: How the Scams Work
Fake-UIDAI deactivation SMS, mAadhaar clone apps, and OTP-relay calls, the four shapes Aadhaar phishing actually takes, with three checks that catch all of them.
KYC Update Scam SMS in India: Real Examples and the Three Tells
"Your KYC will expire" SMS, fake bank pages, and the AnyDesk variant, redacted real examples and the three tells that distinguish a genuine bank notice.
How Fake Apps Steal OTPs: Accessibility Service Abuse Explained
Android malware in India quietly reads your OTP from notifications. How Accessibility Service abuse works, why loan apps are the dominant vector, and the four defences that work.
Instant Loan App Scams in India: The Harassment Cycle and How to Escape It
How unregistered loan apps in India turn a small loan into a harassment campaign, the six-stage cycle, the RBI Sachet check, and the five steps to escape it.
"Your Parcel Is Held by Customs": Why This Scam Keeps Working in India
Fake India Post / DHL / FedEx customs-duty SMS, real examples, what genuine Indian Customs procedures look like, and three signals that catch every variant.
Income Tax Refund Scam in India: What Real IT Department Communications Look Like
Fake IT refund SMS, "outstanding demand" threats, GST-officer impersonation, and the four checks that catch every variant before money or credentials move.
Fake IT Job Offer Scams in India 2026: TCS, Infosys, Accenture Impersonation
Telegram recruiter contact, registration fees, fake offer letters, the four signals that catch every variant of the IT-services job-offer scam.
Telegram Crypto Trader Scams in India 2026: Signal-Channel & Exit-Scam Pattern
The four-stage Telegram crypto-trader scam cycle, free signals, paid VIP, fake exchange, exit scam, plus what SEBI and RBI say about it.
IRCTC Refund Scam 2026: Fake Indian Railways Cancellation SMS and Agent Calls
Fake "ticket cancelled" SMS, AnyDesk remote-access calls, and how real IRCTC refunds actually work, three signals that catch every variant.
PhonePe Collect Request Scam in India 2026: The "Wrong Transfer" UPI Refund Trick
The fake-incoming-payment scam that tricks you into authorising an outgoing UPI transfer, PhonePe / Google Pay / Paytm mechanics and 3 signals.
Electricity Disconnect SMS Scam 2026: Fake BSES, Adani, Tata Power Notices in India
The "power off in 90 minutes" fake DISCOM SMS. Real DLT sender headers for BSES / Adani / Tata / MSEDCL / BESCOM / TNEB and the 3 signals.
EPFO PF Withdrawal Scam in India 2026: Fake "Your Pension Is Pending" Calls
The highest-loss-per-incident India scam targeting retirees, how real EPFO claims work via UAN, the AnyDesk variant, and four signals.
Amazon Delivery OTP Scam in India 2026: Why You Never Read an OTP Over the Phone
Fake delivery agents, "cancel your order" calls, and COD parcels you never ordered, how the real delivery OTP works and the 3 signals that catch every variant.
LIC Policy Lapse Scam in India 2026: Fake Premium-Due Calls and "Bonus Release" Fraud
Fake premium-due SMS, advance-fee "bonus release" calls impersonating IRDAI, and fake agents, how real LIC payments work and four checks.
Swiggy / Zomato Refund Scam in India 2026: Fake Refund Calls and Planted Helplines
Planted customer-care numbers, the QR-code refund trick, and the AnyDesk escalation, why real refunds are automatic and 3 signals.
Common Centrelink Scam Texts in Australia, 2026 Update
Real examples of Centrelink and myGov scam texts circulating in Australia in 2026, how to spot them, and how to report them to Scamwatch.
Linkt, myGov and AusPost Scam Texts, 2026 Australian Guide
Real 2026 examples of Linkt toll, myGov and AusPost redelivery scam texts, the pattern behind all three, and how to check any link before you tap.
QR Code Scams: How to Spot Fake QR Codes
How scammers use fake QR codes on parking meters, flyers, and menus to steal your data, plus a free QR scanner to check codes first.
Quishing: How QR Code Phishing Bypasses Email Filters
Three dominant QR-phishing patterns in 2026, corporate email attacks, sticker overlays on parking meters and EV chargers, and payment-redirect QRs, and how to defend against each.
Info-Stealer Malware: RedLine, Raccoon, Lumma, and What They Do
The quietest, most common malware in 2026, info-stealers silently lift saved passwords, cookies, and crypto wallets. A guide to the biggest families, how they spread, and what to do if you've been hit.
Beginner Security Guides
New to cybersecurity? Start here. These guides explain fundamental concepts like phishing, malware, passwords, and VPNs in plain language anyone can understand.
What Is Phishing and How Does It Work?
Understand how phishing attacks are designed, the psychology, the infrastructure, the lookalike domains, so you can spot them in the wild before you click.
What Is Malware? A Simple Guide for Beginners
Viruses, trojans, ransomware, spyware, worms, and rootkits explained in plain language, how each spreads, what it does, and the simple habits that keep most malware off your devices.
How to Create Strong Passwords You Can Actually Remember
Practical techniques for building strong, memorable passwords, passphrases, password manager workflows, and a simple rule for what to do when a site gets breached.
What Is Two-Factor Authentication and Why You Need It
How 2FA actually works, the five common types compared (SMS, app, push, hardware key, biometric), and step-by-step setup for email, banking, and social media.
What Is a VPN and Do You Need One?
An honest guide to what VPNs actually do (and what they don't), when they're genuinely useful, and when the "privacy" marketing is overselling a basic proxy.
What Is Threat Intelligence and Why Should You Care?
Threat intelligence explained in plain English, what IOCs are, how threat data protects you, and how to search threat databases yourself.
Check Threats Instantly
Scan URLs, files, messages, and QR codes for security threats, free and private.
Open Scanner