December 23, 2025 Engineering P. Lim

When 99% Accuracy Wasn't Enough: Building VeriPhish

I thought I had it figured out. My phishing detection model hit 98.4% accuracy. The confusion matrix was clean. The ROC curve was textbook perfect. Time to ship, right?

Wrong. Dead wrong.

The User Trust Problem

When I tested VeriPhish with actual users, the feedback was brutal. Someone from HR opened an email my model flagged with 0.97 confidence. When I asked why, they shrugged:

"It said 'phishing detected' but it looked exactly like the emails we get every week. How is a number supposed to convince me?"

That's when it clicked: in cybersecurity, explainability is just as important as accuracy. A black box that says "Trust Me" works for Netflix recommendations. It doesn't work when you're asking someone to delete a potentially important email.

The Architecture

I built VeriPhish with multiple interfaces to test what works best with different users. Here's the project structure I ended up with:

├── main.py                    # Train and evaluate models
├── explainable_model.py       # Model with LIME/SHAP explanations
├── enhanced_features.py       # Custom phishing indicators
├── demo_phishing.py           # Desktop GUI application
├── explicateGUI.py            # Advanced GUI with LLM integration
├── app.py                     # Flask API
└── web_app/                   # Full web interface
    └── app.py

The model is trained on multiple phishing datasets: CEAS 2008, Enron corpus, Nigerian fraud emails, and SpamAssassin. But the real magic is in explainable_model.py:

Fig 1.1: VeriPhish Explainer Pipeline (suspicious email ──► BERT model + LIME explainer ──► "URGENCY" + "BAD DOMAIN")
  1. Text Processing: Email text is cleaned and preprocessed
  2. Feature Extraction: TF-IDF features + custom phishing indicators
  3. Prediction: Logistic regression classification
  4. Explanation: LIME and SHAP identify influential words
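A toy, end-to-end run of those four steps, as an added example (my code, not VeriPhish's; the three indicator names, the eight-mail corpus and the test mail are constructed for the illustration). It uses a pure-Python TF-IDF and logistic regression so it runs with no dependencies, and it gets the attribution directly rather than through a LIME or SHAP library: for a linear model, w_k × (x_k − mean_k) is exactly feature k's SHAP value against the training baseline, so the ranked list is the "why" the classifier actually used.

```python
"""Toy run of the four pipeline steps above: clean text, TF-IDF plus custom
indicators, logistic regression, then a per-feature explanation. This is an
added illustration, not VeriPhish's own code; the indicator names, the
corpus and the sample mails are constructed for the example."""
import math
import re
from collections import Counter

URGENCY = {"urgent", "immediately", "suspended", "verify", "expire", "action"}
CALLS_TO_ACTION = ("click here", "verify now", "confirm your", "log in", "update your")
BRANDS = ("google", "paypal", "microsoft", "amazon")

def clean(text: str) -> list[str]:
    """Step 1: lower-case and split into word tokens."""
    return re.findall(r"[a-z][a-z'-]+", text.lower())

def indicators(mail: dict) -> dict[str, float]:
    """Step 2b: hand-made phishing indicators (assumed, not the project's list)."""
    text = (mail["subject"] + " " + mail["body"]).lower()
    toks = clean(text)
    domain = mail["sender"].rsplit("@", 1)[-1].lower()
    # Sender domain name-drops a brand but is not that brand's own domain.
    mismatch = any(b in domain and domain != f"{b}.com" for b in BRANDS)
    return {
        "IND:urgency_ratio": sum(t in URGENCY for t in toks) / max(len(toks), 1),
        "IND:cta_count": float(sum(text.count(p) for p in CALLS_TO_ACTION)),
        "IND:domain_mismatch": 1.0 if mismatch else 0.0,
    }

class ExplainablePhishModel:
    """TF-IDF + indicators -> logistic regression, trained by plain SGD."""
    def __init__(self) -> None:
        self.idf, self.w, self.mean, self.b = {}, {}, {}, 0.0

    def featurize(self, mail: dict) -> dict[str, float]:
        """Step 2a: sparse TF-IDF vector, merged with the indicator features."""
        toks = clean(mail["subject"] + " " + mail["body"])
        feats = {f"TOK:{t}": c / max(len(toks), 1) * self.idf.get(t, 0.0) for t, c in Counter(toks).items()}
        feats.update(indicators(mail))
        return feats

    def fit(self, mails: list[dict], labels: list[int], epochs: int = 300, lr: float = 0.5) -> None:
        docs = [set(clean(m["subject"] + " " + m["body"])) for m in mails]
        n = len(mails)
        self.idf = {t: 1.0 + math.log((1 + n) / (1 + sum(t in d for d in docs)))
                    for t in set().union(*docs)}
        X = [self.featurize(m) for m in mails]
        keys = {k for x in X for k in x}
        self.mean = {k: sum(x.get(k, 0.0) for x in X) / n for k in keys}
        self.w = {k: 0.0 for k in keys}
        for _ in range(epochs):
            for x, y in zip(X, labels):
                err = self.predict_proba(x) - y          # d(log-loss)/dz
                for k, v in x.items():
                    self.w[k] -= lr * err * v
                self.b -= lr * err

    def predict_proba(self, feats: dict[str, float]) -> float:
        """Step 3: P(phishing) from the linear score (clamped to keep exp() finite)."""
        z = self.b + sum(self.w.get(k, 0.0) * v for k, v in feats.items())
        return 1.0 / (1.0 + math.exp(-max(-60.0, min(60.0, z))))

    def explain(self, mail: dict, top: int = 3) -> tuple[float, list[tuple[str, float]]]:
        """Step 4: score each feature by w_k * (x_k - mean_k). For a linear model this
        is its exact SHAP value against the training baseline; no LIME sampling needed."""
        feats = self.featurize(mail)
        contrib = {k: self.w[k] * (feats.get(k, 0.0) - m) for k, m in self.mean.items()}
        ranked = sorted(contrib.items(), key=lambda kv: kv[1], reverse=True)
        return self.predict_proba(feats), ranked[:top]

def mail(sender: str, subject: str, body: str) -> dict:
    return {"sender": sender, "subject": subject, "body": body}

# Constructed training corpus (not a real dataset): four phishing, then four legitimate.
CORPUS = [
    mail("security@google-security-verify.com", "Urgent Action Required: verify your account",
         "Your account will be suspended. Click here to verify now and confirm your identity immediately."),
    mail("billing@paypal-secure-login.net", "Action required: payment suspended",
         "We could not verify your payment. Log in immediately to update your billing details."),
    mail("admin@microsoft-account-alerts.com", "Verify your password immediately",
         "Unusual sign in detected. Click here to confirm your password now."),
    mail("support@amazon-order-check.com", "Urgent: order on hold",
         "Confirm your payment details. Click here to verify now."),
    mail("hr@corp.example", "Weekly timesheet reminder", "Please submit your timesheet by Friday. Thanks, HR team."),
    mail("noreply@google.com", "Your calendar for tomorrow", "You have three meetings tomorrow. See the attached agenda."),
    mail("jane@corp.example", "Lunch on Thursday?", "Want to grab lunch Thursday? The new place near the office looks good."),
    mail("billing@paypal.com", "Your monthly statement is available", "Your statement for last month is ready to view in your account."),
]
LABELS = [1, 1, 1, 1, 0, 0, 0, 0]

def demo() -> tuple[float, list[tuple[str, float]]]:
    """Train on the corpus and explain a constructed, unseen phishing mail."""
    model = ExplainablePhishModel()
    model.fit(CORPUS, LABELS)
    return model.explain(mail("alerts@google-security-verify.com", "Urgent Action Required",
                              "Your account has been suspended. Click here to verify now and log in immediately."))
```

`demo()` returns the probability together with the three strongest named contributions (for the constructed mail these are the indicator features, not individual words), which is the output a GUI, or an LLM layered on top as in the next section, should be handed. Whatever renders it should be asked only to rephrase those contributions; if it is asked to judge the email on its own, the text shown to the user can drift from the reason the classifier actually fired, and the trust the explanation buys is then misplaced.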

The LLM Enhancement

The breakthrough came when I integrated DeepSeek into explicateGUI.py. Instead of showing raw SHAP values, the LLM translates them into plain English:

"This email was flagged because:
• 'Urgent Action Required' in subject line (high urgency indicator)
• Sender domain 'google-security-verify.com' doesn't match Google
• Multiple call-to-action phrases detected in body"

Suddenly users understood why an email was suspicious. They started trusting the system.

The Result

VeriPhish won First Place Student Paper and Second Place Order of Merit at IEEE ICCST 2025. But more importantly—users actually listen now when the system flags something.

The lesson? Build systems that explain themselves. Especially in security, where user behavior determines outcomes.

// End of Log Entry //