DEV Community

晖丁


I Built an AI That Tries to Phish Me Every Week — Here's What I Learned

The Problem

I've been in security for about 5 years. I know what a phishing email looks like. I've given the trainings. I've written the policies.

And yet, last week, I almost clicked a "Docusign invoice due" email at 4:30 PM on a Friday. In my own inbox.

That moment made me realize: knowing about phishing and actually resisting phishing are two different skills.

One is cognitive. The other is instinctual.

The Solution: PhishGuard 🦞

So I built PhishGuard — a CLI tool that sends me one AI-generated phishing email every week. No calendar reminders, no heads-up. It just arrives.

In my real inbox. Masquerading as a login alert, a package delivery notice, an HR policy update, a security warning.

How it works:

  • 🔴 One email per week, timed unpredictably
  • 🧠 AI-generated content, personalized per week
  • 📬 Delivered to your real inbox (that's the point)
  • 🚫 Click a link → instant feedback on what you missed
  • ✅ Resist → streak continues, rewards accumulate
  • 🔒 CLI-based, runs locally — your data stays yours

After 3 months of using it:

  1. My click rate went from ~25% to <5%
  2. I now spot domain mismatches before reading the sender name
  3. The near-misses are the ones I remember longest (experiential learning works)
  4. Friday afternoon is dangerous — I'm now aware of my own "phishable window"
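
The "instant feedback on what you missed" step and the domain-mismatch habit above amount to a handful of checks that can be run over the message that was just clicked. The following is an added example, not PhishGuard's own code: it parses a constructed training email (all domains are `.example` placeholders) and returns the tells the reader should have caught.

```python
# Added example (not PhishGuard's code): the "what you missed" checks a
# self-phishing trainer can run over a message, applied to a constructed email.
import email
import re
from email import policy, utils
from urllib.parse import urlparse

# Constructed sample: reply address, visible link text and real link host all
# disagree, the kind of mismatch the weekly training is meant to make instinctive.
SAMPLE = b"""\
From: "DocuSign Billing" <billing@docusign-invoices.example>
Reply-To: collect@pay-now.example
Subject: Invoice due - action required today
Content-Type: text/html; charset=utf-8

<p>Your invoice is overdue. Review it at
<a href="https://docusign-invoices.example/inv/1">https://app.docusign.com/invoices</a>
within 24 hours.</p>
"""
URGENCY = ("due", "action required", "today", "24 hours", "suspended")
# Good enough for generated training mail; a real client would use an HTML parser.
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def domain(s):
    """Last two DNS labels of an e-mail address or URL, lowercased ('' if none)."""
    s = s if "://" in s else "http://" + s.rsplit("@", 1)[-1]
    return ".".join((urlparse(s).hostname or "").lower().split(".")[-2:])

def find_tells(raw):
    """Return the human-readable tells a reader should have noticed."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    tells = []
    sender = domain(utils.parseaddr(str(msg["From"]))[1])
    reply = domain(utils.parseaddr(str(msg["Reply-To"] or ""))[1])
    if reply and reply != sender:
        tells.append(f"Reply-To domain {reply} differs from sender domain {sender}")
    subject = str(msg["Subject"] or "").lower()
    hits = [u for u in URGENCY if u in subject]
    if hits:
        tells.append("Subject applies time pressure: " + ", ".join(hits))
    body = msg.get_body(preferencelist=("html",))
    for href, text in ANCHOR.findall(body.get_content() if body else ""):
        text = re.sub(r"<[^>]+>", "", text).strip()  # drop tags inside the anchor
        if "." in text and domain(text) != domain(href):
            tells.append(f"Link text shows {domain(text)} but points to {domain(href)}")
    return tells
```

Run on the sample, `find_tells(SAMPLE)` yields three tells: the Reply-To mismatch, the urgency wording in the subject, and the link whose visible text names one domain while its href points at another.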

Why Another Security Tool?

Most phishing training is corporate: annual slideshows, canned quizzes, fake campaigns everyone ignores. PhishGuard is personal. It tests you, in your own inbox, with content that actually changes.

Think of it like Duolingo for phishing awareness.

GitHub: github.com/hui9817hui-lgtm/phishguard
Try it: PhishGuard on Gumroad ($5/month)


Built with Python, GPT-powered email generation, and a lot of self-embarrassment. Feedback welcome.
