Inspiration
Many companies have internal phishing campaigns to make sure employees are trained on what kind of emails are phishing scams to avoid. In the age of gen-AI, it is harder than ever to identify scams. Many of us have grandparents or others family members or friends who have struggled with cyber phishing attacks. We had the idea to make a personalized phishing campaign service powered by gen-AI to help users practice and get educated on avoiding phishing scams.
What it does
PhishNet stores a list of user emails with (optionally) some associated context example emails to allow the AI to create a more realistic phishing attack email (not so obviously fake). We as the hosts then define templates for phishing campaigns. We can update and add new campaigns to stay up to date with the most current phishing scam formats. Then we can periodically send out the fake scams to users.
How we built it
Our app is written in Python. We use the Gemini API to write the personalized emails and the Gmail API to send out the emails. Our front end is made with Snowflake's Streamlit library so that we could keep working entirely in Python. We originally were going to have our database as a Flask backend but for time reasons and for the sake of the demo, we just have our list of users and campaigns in a binary file in our repo.
Challenges we ran into
Actual scam protection makes it hard to spoof email addresses. So unfortunately we are only able to send emails from our team email. In a full release, this would need to be addressed to create less of a dead giveaway. Additionally, as mentioned we did not scale our database to a "real" backend: just a simple SQLite .db binary file.
Accomplishments that we're proud of
Seeing the custom phishing emails pop up in our real Gmail inboxes for the first time was really exciting. We had fun sending each other scam emails overnight pretending to scam each other. Combining the Gemini and Gmail APIs with our phishing campaign idea into an app that could actually perform the functionality we were going for in such a short time made us proud.
What we learned
We learned a lot about how to integrate components of projects together as we work on a team. Most of us have solo-hacking experience, so it was a change to have to work simultaneously. Working on the back end was like making an API for the front end person to use. This separation actually helped us write cleaner code and interface effectively with our internal methods and external APIs like Gmail and Gemini.
What's next for PhishNet
Scaling is our main next step. We would actually need to host the website and create a real back end. Then, as mentioned above, making a way for us to modify the sender of the emails to make it less of a giveaway would be good.
Log in or sign up for Devpost to join the conversation.