
Phishing Demo

A six-round game: rendered emails, one call each, safe or phishing. The forensic tells light up exactly where you missed them, and a letter grade waits at the end.

TypeScript · Astro


Where it came from

Most phishing training is a slideshow, and slideshows do not change behavior. People pass the quiz at the end and stay just as phishable as before.

This demo is my answer to that gap. Instead of lecturing about phishing, it puts a rendered email in front of you (sender, subject, body, exactly as it would sit in an inbox) and asks for one judgment: safe or phishing? After you answer, the red flags light up inside the email itself. Numbered, annotated, in the exact spot you missed them. A lookalike domain gets circled in the sender field, right where it appeared.

How the game works

Each round deals six emails from a pool of 52: four phishing, two legitimate, order shuffled, no repeats until the deck runs dry. One call per email. At the end you get a per-message rundown and a letter grade, A+ through F. A round takes about two minutes, short enough that people actually finish.
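The dealing and grading rule above, written out as an added example (this is not the project's own code). The pool here is constructed, every fourth email legitimate, and the grade ladder is an assumption, since the page only says the grade runs from A+ to F; the "no repeats until the deck runs dry" rule is the part worth seeing, because a naive random pick would re-deal the same email two rounds running.

```typescript
// Added example, not the project's code. Deals a six-email round from a pool,
// four phishing and two legitimate, shuffled, with no repeats of a given kind
// until that kind is exhausted, then grades the player's calls.

type Verdict = "safe" | "phishing";

interface DemoEmail {
  id: number;
  verdict: Verdict; // ground truth used to score the player's call
}

// Constructed pool: 52 emails, every fourth one legitimate (13 safe, 39 phishing).
// The real pool's split is not stated on the page.
function makePool(size = 52): DemoEmail[] {
  return Array.from({ length: size }, (_, id) => ({
    id,
    verdict: id % 4 === 0 ? "safe" : "phishing",
  }));
}

// Seedable PRNG (mulberry32) so a round can be reproduced in a test;
// the app itself can simply pass Math.random.
function mulberry32(seed: number): () => number {
  let a = seed >>> 0;
  return () => {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Fisher-Yates on a copy; the caller's array is never mutated.
function shuffle<T>(items: readonly T[], rnd: () => number): T[] {
  const out = items.slice();
  for (let i = out.length - 1; i > 0; i--) {
    const j = Math.floor(rnd() * (i + 1));
    [out[i], out[j]] = [out[j], out[i]];
  }
  return out;
}

class Deck {
  private remaining: DemoEmail[];

  constructor(
    private readonly pool: readonly DemoEmail[],
    private readonly rnd: () => number = Math.random,
  ) {
    this.remaining = shuffle(pool, rnd);
  }

  // Draw n emails of one kind. When that kind is exhausted the deck has run
  // dry: put that kind back, reshuffled, minus anything already in this hand.
  private draw(verdict: Verdict, n: number, inRound: Set<number>): DemoEmail[] {
    const picked: DemoEmail[] = [];
    while (picked.length < n) {
      const idx = this.remaining.findIndex((e) => e.verdict === verdict);
      if (idx === -1) {
        const refill = this.pool.filter((e) => e.verdict === verdict && !inRound.has(e.id));
        if (refill.length === 0) throw new Error(`pool has too few ${verdict} emails`);
        this.remaining.push(...shuffle(refill, this.rnd));
        continue;
      }
      const [email] = this.remaining.splice(idx, 1);
      picked.push(email);
      inRound.add(email.id);
    }
    return picked;
  }

  dealRound(): DemoEmail[] {
    const inRound = new Set<number>();
    const hand = [...this.draw("phishing", 4, inRound), ...this.draw("safe", 2, inRound)];
    return shuffle(hand, this.rnd); // position in the round gives nothing away
  }
}

// Assumed ladder: one letter per correct call, A+ only for a perfect round.
function grade(correct: number, total = 6): string {
  const ladder = ["F", "F", "D", "C", "B", "A", "A+"];
  const idx = Math.round((correct / total) * (ladder.length - 1));
  return ladder[Math.max(0, Math.min(ladder.length - 1, idx))];
}

function scoreRound(hand: DemoEmail[], calls: Verdict[]): { correct: number; grade: string } {
  const correct = hand.filter((e, i) => e.verdict === calls[i]).length;
  return { correct, grade: grade(correct, hand.length) };
}
```

With the constructed 13-safe pool, the legitimate emails are the scarce kind: six rounds use twelve distinct ones before a refill is ever needed, which is what the test below checks.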

The phishing side draws from five patterns, chosen because they account for most of what lands in a real inbox:

| Pattern | The tell |
|---|---|
| Credential phishing | Lookalike login page behind a lookalike domain |
| Payment fraud | A “vendor” asks to switch bank details on a plausible invoice |
| Code / MFA scam | Someone asks you to read back a one-time code |
| Delivery scam | A fee small enough that you hand over card details without thinking |
| Boss impersonation | The boss’s name on a personal Gmail, urgent gift cards, “don’t call me” |

Why the clean emails matter

Two of the six emails in every round are legitimate, and they get their case made the same way the phishing does: the tells light up, except this time they argue for trust. A real sender domain. A receipt that asks for nothing. Training that teaches people to distrust every email produces a help desk full of false alarms. The lesson here is discrimination, not paranoia.

Design decisions

Teach by inspection, not instruction. The entire interaction is the same one a user performs at work: look at an email, decide. No module, no quiz about definitions, no video.

Reveal flags in place. Every red flag is annotated inline at the element that gives it away. The hover-target URL that doesn’t match the sender. The urgency clock in the first sentence. This is the part slideshows can’t do, and the part I cared most about getting right.
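An added example of the in-place annotation this paragraph and the "Why the clean emails matter" section describe; it is not the project's code. Each tell names the field it lives in (sender, reply-to, a specific link, the body) so a renderer can highlight that exact spot, and the same pass emits trust annotations for a legitimate message. The allow-lists, executive names and the three sample emails are constructed; the lookalike check uses edit distance against a known-good list, which is one reasonable way to do it, not necessarily the demo's.

```typescript
// Added example, not the project's code. Turns a rendered email into a list
// of tells, each anchored to the field where the UI should light it up.

interface EmailLink { text: string; href: string }
interface Email {
  fromName: string;
  fromAddress: string;
  replyTo?: string;
  subject: string;
  body: string;
  links: EmailLink[];
}
interface Tell {
  field: "from" | "replyTo" | "link" | "body";
  trust: boolean;  // false: red flag; true: argues for legitimacy
  note: string;
  index?: number;  // which link, for link tells
}

// Constructed allow-lists; a deployment would use the organisation's own.
const KNOWN_GOOD = ["example-bank.com", "example-shop.com", "mycompany.com"];
const PERSONAL_MAIL = ["gmail.com", "outlook.com", "yahoo.com"];
const EXECUTIVES = ["Dana Chen"];
const URGENCY = /\b(immediately|within 24 hours|urgent|right now|today)\b/i;
const CODE_REQUEST = /\b(one[- ]time|verification|security) code\b/i;

function domainOf(address: string): string {
  return address.slice(address.lastIndexOf("@") + 1).toLowerCase();
}
function hostOf(url: string): string {
  try { return new URL(url).hostname.toLowerCase(); } catch { return ""; }
}
// Levenshtein distance; a sender domain within two edits of a real one is a lookalike.
function editDistance(a: string, b: string): number {
  const d: number[][] = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++)
    for (let j = 1; j <= b.length; j++)
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
  return d[a.length][b.length];
}

function annotate(email: Email): Tell[] {
  const tells: Tell[] = [];
  const from = domainOf(email.fromAddress);
  if (KNOWN_GOOD.includes(from)) {
    tells.push({ field: "from", trust: true, note: `sender domain ${from} is the real one` });
  } else {
    const near = KNOWN_GOOD.find((g) => editDistance(g, from) <= 2);
    if (near) tells.push({ field: "from", trust: false, note: `${from} is a lookalike of ${near}` });
  }
  if (EXECUTIVES.includes(email.fromName) && PERSONAL_MAIL.includes(from)) {
    tells.push({ field: "from", trust: false, note: "an executive's name on a personal mailbox" });
  }
  if (email.replyTo && domainOf(email.replyTo) !== from) {
    tells.push({ field: "replyTo", trust: false, note: "replies go to a different domain than the sender" });
  }
  email.links.forEach((link, index) => {
    // The hover target is the href; the text is what the reader believes it is.
    const shown = hostOf(/^https?:\/\//i.test(link.text) ? link.text : `https://${link.text}`);
    const real = hostOf(link.href);
    if (shown && real && shown !== real) {
      tells.push({ field: "link", index, trust: false, note: `text shows ${shown}, target is ${real}` });
    }
  });
  const urgent = URGENCY.test(email.body);
  const wantsCode = CODE_REQUEST.test(email.body);
  if (urgent) tells.push({ field: "body", trust: false, note: "urgency clock in the body" });
  if (wantsCode) tells.push({ field: "body", trust: false, note: "asks you to read back a code" });
  if (!urgent && !wantsCode && email.links.length === 0) {
    tells.push({ field: "body", trust: true, note: "asks for nothing" });
  }
  return tells;
}

// Constructed samples of the kind the demo renders.
const PHISHING_SAMPLE: Email = {
  fromName: "Example Bank",
  fromAddress: "alerts@examp1e-bank.com",
  replyTo: "verify@examp1e-bank-secure.net",
  subject: "Action required: your account is locked",
  body: "Unusual activity was detected. Verify immediately or access will be removed.",
  links: [{ text: "example-bank.com/login", href: "https://examp1e-bank.com/login" }],
};
const BOSS_SAMPLE: Email = {
  fromName: "Dana Chen",
  fromAddress: "dana.chen.ceo@gmail.com",
  subject: "quick favour",
  body: "Are you at your desk? I need some gift cards today, don't call me, in a meeting.",
  links: [],
};
const CLEAN_SAMPLE: Email = {
  fromName: "Example Shop",
  fromAddress: "receipts@example-shop.com",
  subject: "Your receipt for order 4412",
  body: "Thanks for your order. Your receipt is attached for your records.",
  links: [],
};
```

The clean receipt produces only trust annotations, which is the point of the "discrimination, not paranoia" argument: the renderer has something affirmative to show on a safe email instead of a blank verdict.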

Store nothing. Everything renders in-app. No emails are sent, no answers are recorded, no signup exists. Close the tab and the round never happened.

Play it above.