Login Apply
Login Apply

A New App Asks: Would You Click on a Phishing Email?

Shira, a new digital security app, provides a streamlined user experience with real-world phishing examples to help activists, human rights defenders, and journalists develop the skills to detect and defeat these attacks. Built in consultation with community leaders from the Global South, the app seeks to fill a gap by providing a localized and accessible training tool.

If you use an email application, you've probably seen a system warning that an incoming message looks suspicious. Warnings like these are good reminders about the increasing threat of fake messages, scams, and phishing attacks. But these warnings don't exactly teach you what to look for (and a lot of the time they're not even accurate—that suspicious attachment may just be baby pictures your cousin saved in a big PDF file).

To help human rights defenders, NGOs, and all technology users keep their data secure, digital rights experts deliver manuals, workshops, and other training tools, but in the end, Raphael Mimoun of Horizontal says, "It's up to you to decide, do you click on that link?" in a suspicious text message or email. Horizontal's newly released app Shira seeks to help users to train themselves what to do in that moment, "when you receive an actual phishing email and it's just you, by yourself, with that email," says Mimoun.

Making Digital Security Accessible

As more consumer data sits in the cloud, controlled by private companies, and as government surveillance accelerates faster than new regulations or security tools, the need for human rights defenders, journalists, and activists to learn self-protection is more pressing than ever.

Although there are a wealth of resources that teach good security practices and "digital hygiene," the communities who most need digital security skills face the same obstacles that they have always faced with technical assistance: Many groups work in remote areas with lower connectivity, which makes training harder to deliver; people learn in very different ways and at very different paces, which makes it hard to create a reusable suite of materials, activities, or formats; and Western trainers cannot always offer the context, the examples—or even the best languages—for an effective local training.

These perennial digital security training challenges—geography, connectivity, simplicity, relatability—all informed the one-year design process that resulted in Shira. Based on simple quiz screens, the app challenges users with real examples of phishing emails and disguised attacks, to help prepare people for that decision whether to click or not to click.


Each question in Shira presents the user with a message and asks: Does this look like phishing? After the user guesses, Shira points out specific elements in the message that could indicate an attack.

The principles of user empowerment and partnership between technologists and users are central to the mission of Horizontal, a group that supports frontline defenders, activists, and journalists through digital security and tool development. Mimoun, who founded Horizontal, says these non-hierarchical principles guide Horizontal's product decisions as well as the creation of their diverse international team of developers and designers. "If we're going to build technology for these communities," he says, "then we, as an organization, need to come from these communities."

Building with Local Users In Mind

The Shira app grew out of a recognition that digital security training materials often rely on examples more familiar to urban users in North American or European settings. As a trainer, Mimoun said he looked for materials well-suited to users in Africa, for example, and he found a big gap. "Some resources existed," he says, but the scenarios they used were "U.S.-centric," focused on phishing attacks "only on email, or only on Gmail. People in Tanzania—or Belarus or Myanmar—don't find what they need there, because they may be mostly on mobile, or using different services and providers. It doesn't look like what they actually experience on a daily basis."

For the development of the app, a key resource outside Horizontal's technology team has been an advisory board of 11 experts, most of whom are from the Global South. Mimoun says that during the yearlong design process, "we tried to get feedback as often as possible from these leaders or leaders in the community. Because they know what people in their communities need."

Happy Ongi, an advisor for the Shira app and a Ugandan digital security consultant and facilitator, says the advisory board pushed to make the app more "accessible, appealing, and unique" for users working at the grassroots level. This translated into changes in the visual designs, a revised list of messaging apps used in the phishing examples, and a name change for the tool itself—from the original English-centric pun "NoPhish" to Shira (“shiira” is the Japanese word for mahi-mahi, a fish that Mimoun calls “notoriously hard to catch.”)

Ongi says the advisors also insisted that three different languages be included even in the first version of Shira, "having in mind that not everyone is an English speaker."

As digital security trainers work to overcome the particular challenges of teaching security practices to NGOs across different global contexts, they continue to face the challenges common to most technology trainings in the NGO sector. Drawing on her own experience, Ongi warns about an over-reliance on "terminologies which may be too complicated" for staff members and a shortage of "lasting strategies to deepen trainee knowledge" in the weeks and months that follow "one-off" training events.

With Shira, the Horizontal team sought to reduce some of these longstanding training barriers, by asking, "How do we trim it down to the simplest possible experience, reducing the number of clicks down to the least amount of work to actually get to each phishing question?" says Mimoun. The streamlined UX works like a quiz he explains, rather than using dense explainers or presentations. "Hopefully, things are self explanatory, so that you can just go in, take your quiz, and learn from it."

When it comes to making people safe, we need to start with the most vulnerable and the ones who have been the most ignored. If we're going to be building liberatory tech, it's going to have to come from the people who need that liberation."

Raphael Mimoun
Founder of Horizontal

And while Shira is designed to allow autonomous learning, Mimoun emphasizes that Shira was also envisioned to provide an easy-to-use tool for trainers running workshops. One of the priority features for upcoming versions of the app will be a way for trainers to create their own quizzes and locally-relevant examples in the system.

Launching to Continue Learning

After a security audit by OTF’s Red Team Lab, the first version of the app is now available in Spanish, English, and Mandarin. Mimoun says a French version is expected soon. Other planned features include more languages, the ability for trainers to add new scenarios and quizzes, and offline support that allows training for users and locations with no internet connection.

In the spirit of community-led design, the Horizontal team is actively seeking feedback and suggestions. Users are encouraged to share their feedback within the app, or to contact Horizontal directly: [email protected].

Amidst debates over generative AI and rising concerns over technology and accountability, Mimoun says he also sees "a lot more recognition that we need to center the voices of people from the Global South. When it comes to making people safe, we need to start with the most vulnerable and the ones who have been the most ignored. If we're going to be building liberatory tech, it's going to have to come from the people who need that liberation."

Your cookie settings

This website deploys cookies for basic functionality and to keep it secure. These cookies are strictly necessary. Optional analysis cookies which provide us with statistical information about the use of the website may also be deployed, but only with your consent. Please review our Privacy & Data Policy for more information.