Inspiration
Having both interned at companies that made us do mandatory phishing training, we realized that a large part of keeping company data safe comes from phishing awareness campaigns. By keeping employees more aware of phishing scams, the attack surface of a company is significantly lowered, as there are fewer endpoints a company has to worry about. PhishQuest addresses the critical problem of rising phishing attacks that bypass traditional security measures and target employees directly. Companies lack scalable, realistic training tools to prepare their workforce for increasingly sophisticated phishing campaigns. PhishQuest solves this by providing a customizable, gamified platform to simulate attacks, measure team readiness, and deliver targeted training, empowering organizations to proactively defend against phishing threats and reduce their risk exposure.
What it does
Our application is a gamified platform that sends users on a quest of a set number of emails to solve. For each email in the set, they must read it and figure out whether it is real or fake. If they believe it is a fake email, they must choose the sections of the email that exhibit properties of phishing scams. The user then gets immediate feedback on how well they did through metrics displayed after completing an email. The app gives an explanation of the answers, allowing the user to learn after each exercise. After going through a set number of emails, the app gives a report on how well the user is equipped to solve phishing emails by using precision and recall metrics based on their answers.
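One way the end-of-quest precision and recall report described above could be computed, as an added example that is not PhishQuest's own code. The section ids, the pooled (micro-averaged) counting across emails and the treatment of legitimate emails as having no phishing sections are all assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Attempt:
    """One answered email; section ids are hypothetical labels."""
    phishing_sections: frozenset  # ground truth, empty for a legitimate email
    flagged_sections: frozenset   # user's selection, empty means "real"

def confusion(a):
    """Per-email (true positives, false positives, false negatives)."""
    tp = len(a.phishing_sections & a.flagged_sections)
    fp = len(a.flagged_sections - a.phishing_sections)
    fn = len(a.phishing_sections - a.flagged_sections)
    return tp, fp, fn

def quest_report(attempts):
    """Pool counts over the whole quest, then derive the metrics.

    Low recall means real indicators were missed (the dangerous failure);
    low precision means legitimate content was flagged (noisy reporting).
    """
    tp = fp = fn = 0
    for a in attempts:
        t, f, n = confusion(a)
        tp, fp, fn = tp + t, fp + f, fn + n
    # Undefined cases: the user flagged nothing (precision) or the quest
    # contained no phishing at all (recall). Report None, not 0 or 1.
    precision = tp / (tp + fp) if tp + fp else None
    recall = tp / (tp + fn) if tp + fn else None
    # Real/fake verdict: any flagged section counts as answering "fake".
    right = sum(bool(a.phishing_sections) == bool(a.flagged_sections)
                for a in attempts)
    accuracy = right / len(attempts) if attempts else None
    return {"precision": precision, "recall": recall,
            "verdict_accuracy": accuracy, "tp": tp, "fp": fp, "fn": fn}

def _a(truth, flagged):
    return Attempt(frozenset(truth), frozenset(flagged))

# Constructed sample quest (not real user data).
SAMPLE_QUEST = [
    _a({"sender", "link", "urgency"}, {"sender", "link"}),  # partly caught
    _a(set(), {"greeting"}),                  # legitimate, false alarm
    _a({"attachment", "signature"}, set()),   # phishing judged real
    _a(set(), set()),                         # legitimate, judged real
    _a({"link"}, {"link", "footer"}),         # caught, one extra flag
]

if __name__ == "__main__":
    print(quest_report(SAMPLE_QUEST))
```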
How we built it
We used Next.js + Reach to style the frontend with Tailwind CSS. Additionally, we used custom UI components with a FastAPI backend served by Uvicorn. This hosted endpoints, such as /generate. The backend loads secrets through python-dotenv, calling Gemini to generate and parse phishing examples that are structured in JSON.
Challenges we ran into
The biggest challenge that we ran into was figuring out the logic of the game and how we should assess a user on how well they can analyze phishing signs in an email.
Accomplishments that we're proud of
We are most proud of caching prompts in the background so we do not hold up the user interface when they finish an email exercise. Additionally, we are proud of the variation of emails our application was able to produce, being able to create emails of different levels of difficulty and categories of work.
What we learned
We learned a lot about web development and integrating an LLM wrapper. Additionally, both of us learned how to use FastAPI, which we believe will be very useful in the long term.
What's next for PhishQuest
Our biggest next step for PhishQuest is managing access using a database so it will remember users' accounts and scores. Then, we could create an admin dashboard so they can see the progress and general security status of their employees. We were also hoping to add custom prompts, to expand the number of emails the LLM can make.
Built With
- javascript
- next.js
- tailwind
