I Built an AI That Tries to Phish Me Every Week — Here's What I Learned

晖丁 — Wed, 13 May 2026 07:03:00 +0000

The Problem

I've been in security for about 5 years. I know what a phishing email looks like. I've given the trainings. I've written the policies.

And yet, last week, I almost clicked a "Docusign invoice due" email at 4:30 PM on a Friday. In my own inbox.

That moment made me realize: knowing about phishing and actually resisting phishing are two different skills.

One is cognitive. The other is instinctual.

The Solution: PhishGuard 🦞

So I built PhishGuard — a CLI tool that sends me one AI-generated phishing email every week. No calendar reminders, no heads-up. It just arrives.

In my real inbox. Masquerading as a login alert, a package delivery notice, an HR policy update, a security warning.

How it works:

🔴 One email per week, timed unpredictably
🧠 AI-generated content, personalized per week
📬 Delivered to your real inbox (that's the point)
🚫 Click a link → instant feedback on what you missed
✅ Resist → streak continues, rewards accumulate
🔒 CLI-based, runs locally — your data stays yours

After 3 months of using it:

My click rate went from ~25% to <5%
I now spot domain mismatches before reading the sender name
The near-misses are the ones I remember longest (experiential learning works)
Friday afternoon is dangerous — I'm now aware of my own "phishable window"

Why Another Security Tool?

Most phishing training is corporate: annual slideshows, canned quizzes, fake campaigns everyone ignores. PhishGuard is personal. It tests you, in your own inbox, with content that actually changes.

Think of it like Duolingo for phishing awareness.

GitHub: github.com/hui9817hui-lgtm/phishguard
Try it: PhishGuard on Gumroad ($5/month)