Well, well, well. We promised a monthly update and damn if we aren’t men of our word. In this edition we’ll be diving into the titular phishing to explain how it’s evolved since we started development.

GO PHISH has two distinct but interconnected gameplay phases: the hacking card game, and the phishing dialogue. While there are smaller targets that just consist of the card game, all our major “boss” battles start with a phishing dialogue sequence. We always wanted our game to have a strong narrative component, with distinct characters and the moral ickiness that comes from doing questionable things for profit.

IN THE BEGINNING…

Yes, this is the same game.

When we first pitched GO PHISH, phishing and hacking happened simultaneously. Two thirds of the screen was the Go Fish card game, in which you would be assembling hands, battling your opponent, and managing your turn timer. The other third of the screen was a vertical chat box in which a live conversation was taking place, and if you didn’t reply in time, your target would get annoyed and hang up, ending the hack. We had a prototype and got funding on this premise (thanks CODE!).

We had a ton of systemic interactions planned. High trust in the conversation would give you a multiplier in the card game. Data retrieved from submitting a packet of four cards would unlock an avenue of questioning in the dialogue. And phishing was a multiple choice tree with different behavioural approaches, so you’d need to work out whether to be aggressive, coercive, or obeisant depending on the target’s attitude.

Then we got people to play it, and it was immediately clear it didn’t work.

WELL, SHIT

The problem was that the card game dominated the player’s attention. There was too much to do, too much to worry about, and the dialogue was… a distraction. We were crafting unique and interesting characters and conversations, and people were just clicking any button the moment it appeared, then returning attention to the cards. You couldn’t read the dialogue, you couldn’t think about what to say – you just had to act.

Our whole pitch was a loose representation of a real world phishing attack, with a phone call and live security breach. We wanted the tension of the tightrope act as you had to perform the role of a trusted caller while undermining your target. The simultaneity was built into the premise, and we thought we had the gameplay loop settled. In reality, doing a hack and phish at the same time just made both elements worse.

FINE, WE’LL FIX IT

Perfect, no notes. This is phishing, 100%. I’m sure of it.

Okay then, BABIES – if you aren’t COOL enough to manage a complicated narrative dialogue tree WHILE ALSO playing a complicated Go Fish variant then I guess you can do it BACK TO BACK INSTEAD.

But, uh… How will that work? Our conversations were structured around the idea of weighted dialogue options – a tree of paragon/renegade choices that you’d select based on the target’s personality. We had interconnected patience systems and a hang-up fail state that ended the hack. But now… the hack would come later. Hmm.

We needed a new premise. Instead of trying to keep the caller on the line as long as possible, we pivoted to trying to socially engineer them in order to crack their password. Pleasingly, this actually brought us more in line with actual phishing, because instead of just talking about random stuff to stall for time, the player was now actively hunting for information of personal relevance to the target.

We introduced highlighted keywords in the target’s dialogue which you could click and run through a password cracker. Each decryption attempt took ten seconds, so you’d pry for information and try to crack their password before they hung up. To maintain the sense of tension, we included a timed element: patience would deteriorate through inaction as well as from bad conversation choices. Success in the phish gave bonuses in the subsequent hack, while failure might make it harder.

We patted each other on the back. ‘Ah,’ said Sean. ‘I bet you a thousand dollars, Nick, that this system works and will be beloved by anyone who plays it.’

FINE, WE’LL FIX IT v2 FIXED

Perfect, no notes. This is phishing, 100%. I’m sure of it.

Sean lost a thousand dollars that day, which Nick is graciously accepting in weekly payments rather than a lump sum. In February we ran a private playtest among friends, and in the subsequent survey the numbers were clear: phishing was one of the least enjoyed elements of the game. Oof.

Players were confused about what they were doing. They wanted clarity about which questions to pursue for information, and felt that the timer was rushing them and keeping them from making informed choices. Some people felt really stressed. Many just felt aimless, like they were on a ride they could neither steer nor get off of. It was clear that the system still wasn’t working. We liked the direction, but it still needed refinement.

Thankfully, the other elements received positive feedback. Separating the hacking out into a standalone phase had only strengthened it. There was plenty of tension with the turn timer, and we had added a decryption minigame for something to juggle when it wasn’t your move. That part worked. Phew.

FINE, WE’LL FIX IT FIXED v3 REFIXED – FINAL

Perfect, no notes. This is phishing, 100%. I’m sure of it.

Okay, new plan.

We ditched the timer. Patience now only deteriorates when you ask a dumb question. The target still hangs up when they get annoyed, but that doesn’t end the password cracker. You can still try to obtain the password after the call with any information you were able to glean. Now players can take all the time they want to make a choice, and absorb the conversations and characters, which remains a big narrative priority.

Furthermore, to encourage the exploration of different avenues of conversation, and make choosing potentially “bad” dialogue options still feel rewarding, we tweaked the goal. Instead of trying to get the target to spill a key piece of password information, you are now profiling them. The password cracker requires you to refine the attempt with multiple keywords relevant to their lives. Currently the default is three, but we expect to make this flexible depending on the difficulty of the target.

So in a conversation you might learn the name of the target’s pet, or husband, or favourite activity. You drag these keywords into the cracker, run the decryption (which is the same arrow sequence minigame found in hacks), and then get told which, if any, of your selected keywords were correct. The catch: you only have three attempts. If you fail three times, you trigger the target computer’s security systems.

If you’re still in a conversation when this happens, the target will hang up immediately – no more snooping for keywords. A timer starts (currently 30 seconds) during which you can submit as many decryption attempts as you’d like to try and clutch victory from the jaws of defeat. Perhaps you succeed, or perhaps you never asked the right question to find that elusive final keyword. Such is life.

It’s a bit Obra Dinn, it’s a bit Golden Idol, but it’s also paired with a unique dialogue system with all the fun narrative elements we’ve been working hard on. It feels good to us, in that it feels like a game mechanic with knowable goals and player agency. Hooray!

AND THAT WAS DEFINITELY THE LAST TIME WE EVER CHANGED PHISHING

Game development is iteration. You make a thing, you try the thing, you revise the thing. (Repeat until game is released or funds run out.) Phishing has been the area we’ve iterated most, and hopefully you now have a bit of an understanding of what it took to make something good.

The reality, of course, is that some players will invariably dislike whatever phishing system we ship. A subset of rogue-thingy players won’t want narrative and dialogue and morality questions polluting the sanctity of the card game. For those people, we do intend to ship a NG+ or endless mode where you can just skip dialogues and play those beautiful, beautiful hacks.

Speaking of which… Next month, we’re talking suits.

Goodbye.

THE PHISHING LINE

We’re all over the internet, so if you want to follow development elsewhere than your inbox, you can find us on Bluesky, on YouTube, on Instagram, and in our community Discord. Plus, sometimes Nick streams developer playtests of GO PHISH on Twitch.

Don’t forget to WISHLIST GO PHISH, otherwise you’ll feel like a real goof.

Know someone who might be interested in our games?

Trick question. Everyone will be interested, so tell them to subscribe to this newsletter and they’ll finally respect you.
