Phabulous Phishes
Inspiration
The inspiration behind Phabulous Phishes comes from the increasing prevalence of phishing attacks in today’s digital world. While many people are aware of phishing scams, distinguishing subtle signs can still be a challenge. We wanted to create an educational platform that not only makes learning about phishing more accessible but also more engaging. By combining a fun, interactive game with practical real-world knowledge, Phabulous Phishes aims to empower users to confidently identify phishing attempts and avoid falling into traps.
What it does
Phabulous Phishes is a gamified learning experience that helps users develop the skills needed to recognize phishing content. The game is divided into categories such as emails, text messages, and websites (with ads being added in the future). Within each category, users are tasked with identifying suspicious elements, such as the sender's address, email subject, URL, or any unusual sentences in the body of the message.
The game uses a leveling system similar to popular apps like Candy Crush and Duolingo, where users progress through levels by correctly identifying phishing content. As players advance, they encounter more complex examples, pushing them to improve their skills. The system tracks users' experience in specific categories and features, ensuring they are always challenged in areas where they need the most improvement. This setup serves both as a fun, low-pressure educational tool for individuals and a more structured training platform for enterprises to help employees recognize phishing threats.
How we built it
The frontend of the game was built using Next.js and Tailwind to create a modern, responsive UI. We chose PostgreSQL and Node.js for the backend, with Sequelize as the ORM to handle database interactions smoothly. The game is deployed with AWS EC2 for the backend, Vercel for the frontend, and AWS RDS for the database.
A key feature of Phabulous Phishes is how we use OpenAI to generate realistic phishing content. The content is structured in a JSON format that splits the phishing message into parts (such as sender, subject, body, and URL). Each part is labeled as suspicious or not, and the system checks the player's answers against the correct responses. The game’s difficulty is dynamically adjusted based on the player’s performance, ensuring they are always learning and progressing.
Challenges we ran into
One of the biggest challenges was fine-tuning the OpenAI model to generate realistic phishing content that also fits our educational goals. We needed to refine the prompts to produce not only convincing content but also content that highlights specific phishing features that are important for learning.
Another challenge was balancing the game’s difficulty curve. We wanted to make sure the game was engaging while still being educational. The level system had to be designed in a way that introduces new phishing elements gradually, ensuring that players are never overwhelmed but always progressing. Additionally, integrating multiple modalities posed difficulties. Each modality required specific placeholders and formatting to ensure the OpenAI API generated responses correctly, and we had to carefully parse those outputs to maintain the game’s structure and flow.
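The labelled JSON structure described under "How we built it", and the output parsing mentioned above, as an added example (not the project's own code): model output is validated as untrusted input before it becomes an answer key, then a player's picks are scored against the labels. The field names, modality keys and the sample item are assumptions constructed for illustration.

```javascript
// Added example: field names and the per-modality schema are assumptions.
const REQUIRED = {
  email: ["sender", "subject", "body", "url"],
  text: ["sender", "body"],
  website: ["url", "body"],
};
// Treat model output as untrusted input: parse, then check every part.
function parseItem(raw) {
  let item;
  try { item = JSON.parse(raw); } catch { return { ok: false, error: "not valid JSON" }; }
  const required = item && Object.hasOwn(REQUIRED, item.modality) ? REQUIRED[item.modality] : null;
  if (!required) return { ok: false, error: "unknown modality" };
  if (!Array.isArray(item.parts)) return { ok: false, error: "parts must be an array" };
  const seen = new Set();
  for (const p of item.parts) {
    if (!p || !required.includes(p.field)) return { ok: false, error: `unexpected field: ${p && p.field}` };
    if (seen.has(p.field)) return { ok: false, error: `duplicate field: ${p.field}` };
    if (typeof p.text !== "string" || p.text.trim() === "") return { ok: false, error: `empty text: ${p.field}` };
    // "true" or 1 would silently corrupt the answer key, so require a real boolean.
    if (typeof p.suspicious !== "boolean") return { ok: false, error: `unlabelled part: ${p.field}` };
    seen.add(p.field);
  }
  const missing = required.filter((f) => !seen.has(f));
  if (missing.length) return { ok: false, error: `missing: ${missing.join(",")}` };
  return { ok: true, item };
}

// Compare the fields a player flagged against the stored labels.
function scoreAnswer(item, flagged) {
  const picks = new Set(flagged);
  const result = { correct: [], missed: [], falseAlarms: [] };
  for (const { field, suspicious } of item.parts) {
    if (suspicious && picks.has(field)) result.correct.push(field);
    else if (suspicious) result.missed.push(field);
    else if (picks.has(field)) result.falseAlarms.push(field);
  }
  result.passed = result.missed.length === 0 && result.falseAlarms.length === 0;
  return result;
}

// Constructed sample item (not real generated content).
const SAMPLE = JSON.stringify({
  modality: "email", parts: [
    { field: "sender", text: "billing@examp1e-payments.test", suspicious: true },
    { field: "subject", text: "Your March invoice", suspicious: false },
    { field: "body", text: "Confirm your password within 2 hours or lose access.", suspicious: true },
    { field: "url", text: "https://portal.example.com/invoices", suspicious: false },
  ],
});
```

Rejecting an item that fails validation and regenerating it keeps a malformed or half-labelled response from ever being shown to a player as a scored question.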
Accomplishments that we're proud of
We are particularly proud of the leveling system, which is a key feature that makes the game both fun and educational. Players start with basic phishing content and gradually progress to more difficult challenges. This system is similar to the way apps like Duolingo and Candy Crush structure their gameplay, offering a rewarding sense of progression.
The fish-themed UI is another feature we're proud of. The playful concept of you, as a fish, trying to escape the hook mirrors the process of learning to identify phishing attempts. The more you learn, the more you "escape" the phishing dangers. The cute, dark-themed design adds personality to the game while reinforcing its educational purpose.
We’re also proud of our ability to structure data using OpenAI. This is something that hasn’t been done much in this context—generating phishing content with a specific structure that’s broken down and labeled for educational purposes. It’s a unique approach that allows players to receive immediate feedback and track their progress.
What we learned
Throughout the development of Phabulous Phishes, we learned a lot about AI-driven content generation and how to fine-tune it for specific tasks. We also learned a lot about gamification in education and how to make the learning process enjoyable while still being effective. Structuring the game with levels and challenges helped us understand how to keep users engaged over time.
Additionally, we gained experience in cloud deployment and ensuring that the infrastructure can scale with the needs of the game. Whether it’s serving millions of users or generating thousands of pieces of phishing content, we learned how to optimize for both performance and user experience.
What's next for Phabulous Phishes
In the future, we plan to expand the game by introducing new categories like social media posts, ads, and more to keep the content fresh and challenging. We will continue to improve the AI model, specifically training it for phishing content generation, to make the learning experience even more realistic and accurate.
We also hope to add a multiplayer mode, where users can challenge each other to identify phishing content the fastest or cooperate to solve more complex scenarios. Another exciting feature we’re considering is integrating the game into enterprise training modules, so businesses can use it to train employees on cybersecurity.
Built With
- next.js
- node.js
- openai
- postgresql
- sequelize
- tailwind