Thank you to everyone in the community! Today we're 67 members strong 🎉. With the OSINT 101 series coming next week, we’re just getting started. Obviously, the best is yet to come 🚀. For the past weeks, I’ve been working on the website to make sure you’ll have the best resources at your disposal, both while following the courses and during your own investigations. You can always visit: https://www.cultrodistro.com/

The OPSEC 101 course is now live inside OSINT Detective Skool. In this course you’ll learn how to: - Identify critical informationUnderstand what data can expose you, your targets, or your operation. - Define your OSINT identityDecide under which legal and operational persona you operate. - Build a sustainable and professional obscure identityCreate and maintain an identity that supports long-term investigations. - Protect sensitive informationSafeguard personal, professional, and investigative data. - Browse and investigate safelyReduce traceability, avoid common pitfalls, and minimize the risk of exploitation. If you’re serious about OSINT, or your online security in general this is where you start. 🕵️‍♂️ More coming soon.

Scam emails aren’t random. The recipient fields already tell you a lot. 📥 TO, CC & BCC Explained TO: You’re the main target Your email is openly listed. They contacted you directly. CC: Everyone can see each other If strangers are CC’d, it’s a bulk blast from a scraped or leaked list. BCC: You don’t appear anywhere You’ll receive the email, but your address won’t show in To/CC. Classic sign of mass phishing campaigns. If you see “To: (empty)” or the sender’s own address → you were BCC’d. 🔍 How to Track Where Your Email Leaked ✔ Plus Addressing Use aliases like: name+amazon@… name+instagram@… If spam arrives on that alias → you know exactly who leaked or sold it. ✔ Have I Been Pwned Check if your email appeared in a breach. Turn on notifications so you get alerts immediately. ✔ Email Headers (advanced) or click: “<> Show original” in the menu with the three dots if you use G Mail. Look at return path, server, and SPF/DKIM/DMARC. If it doesn’t match the claimed sender → scam. We’ll take a deep dive into this in an advanced E-mail course. What can you do moving forward? 🛡️ Protect Your Inbox - Use aliases or +addressing - Turn on HIBP alerts https://haveibeenpwned.com - Unique passwords + app-based MFA - Don’t click links! Open sites manually