Phishing everywhere

Phishing is one of the most universal and persistent digital security threats out there. We all face it on a daily basis, and so do our relatives, friends, and coworkers. 

For most of us, falling for a phishing attack can lead to identity theft or stolen money. But for those on the frontlines of the fight for freer and more just societies–human rights defenders, journalists, activists–the implications of falling for a phishing attack are much greater, threatening not just their data and money but also their lives and the safety of their loved ones.

Yet, we know how hard it is to find the right resources to learn how to protect ourselves from phishing. In some of Horizontal's own digital security training, we’ve struggled to find the tools to train participants on phishing in a way that was pedagogical, interactive, and effective.

This is why we built Shira. The app is now available for anyone to use at https://shira.app

Customizable simulation

Shira is a simple web app that allows users to take a quiz and learn to identify phishing attacks. Each quiz question presents the user with an email or a message and asks: does this look like phishing? Shira then points the user to the specific elements in the email or message that can help assess whether it looks like a phishing attack. 

A screenshot of the Shira homepage
The Shira homepage

Shira isn't the first app that allows users to take a phishing quiz. But we built it to provide phishing simulations that are as close as possible to what users will be facing in real life: the phishing attacks are not displayed just in emails, but also in SMS and instant messages; the quizzes can be taken on mobile or desktop; and users can select areas of work that are specifically relevant to them (journalism, human rights, marketing, etc). 

As often as possible, we’ve used real-life phishing attacks that partners and advisors shared with us. 

Screenshot of a phishing quiz question in Shira, showing text messages in a mobile phones and the options "looks like phishing", "I don't know", and "looks legitimate".
An example of a phishing question in Shira
Screenshot of a phishing quiz question in Shira, showing an email in Gmail and the options "looks like phishing", "I don't know", and "looks legitimate".
An example of a phishing question in Shira

At the end of each question, Shira points the user to the elements of the email or message that suggests that it may be a phishing attack, or conversely that it seems legitimate: a suspicious link, a typo, or a too-good-to-be-true money-making scheme. We hope that by pointing out these specific elements, users will learn to know where to look and what to pay attention to when they receive a potentially suspicious message in their inbox. 

A screenshot of Shira showing a message in WhatsApp desktop and an explanation on why a link may be a phishing link.
An example of an explanation on why a WhatsApp message may be a phishing attempt

Join the adventure

Shira and the entire phishing quizzes are now available in English, Mandarin, and Spanish–and in just a few days, in French. 

But we hope that this marks just the beginning of the adventure. In the coming months, we will be localizing the app in more languages: Arabic, Persian, Swahili, Bahasa, Russian, and Hindi. 

We are also starting to think about what’s next and how we can make Shira even more useful and more effective at preparing users against phishing. We’ve already heard from users and advisors that we should make the app available offline or let digital security trainers create their own quizzes. We also want to hear from you–let us know what you think we should prioritize!

And if you want to support Shira, help us spread the word on Facebook, Linkedin, Twitter (never X!), Mastodon, Instagram, or just forwarding this newsletter to whoever you think will be interested 🙏