Terms of Service
Effective Date: May 7, 2026
What ScamDrill is
ScamDrill is an educational and training service that sends simulated phishing emails and SMS text messages to help you and your loved ones learn to recognize and avoid real scams. The service is designed for individual guardians (like parents or adult children) who want to train one or more learners, as well as organizations that want to improve their employees' scam awareness.
When you sign up, you create a guardian or organization account and invite learners (family members, friends, employees, or anyone else you want to train). Once they opt in, we send them realistic but completely safe scam simulations. When they interact with a simulation, they're directed to an educational lesson explaining the red flags. Guardians and administrators can see progress and analytics on their dashboard.
ScamDrill is strictly an educational and training platform. It is not a security product, insurance policy, or guarantee against fraud. The service is intended to supplement — not replace — existing security measures and good judgment.
What ScamDrill is not
ScamDrill is an educational tool, not a security product. Specifically:
- We are not an antivirus, firewall, or malware protection service
- We do not guarantee that a trained learner will never fall for a real scam
- We are not a substitute for email security systems, password managers, or multi-factor authentication
- We cannot prevent real scammers from targeting you or your loved ones
- We do not provide emergency fraud recovery or financial restitution if a real scam occurs
- Our Second Opinion email checking feature (heuristic and AI-powered analysis of forwarded emails) is an indicator only — it is not a guarantee that an email is safe, legitimate, or malicious, and it should never be used as the sole basis for clicking links, sharing information, or making financial decisions
ScamDrill trains people to be more aware. It doesn't eliminate risk. Real scams are sophisticated and evolving, and no training or automated check can guarantee immunity.
Who can use ScamDrill
Guardians: You must be at least 18 years old to create a guardian account. You're responsible for the account and any learners you invite.
Learners under 13: A parent or legal guardian must provide explicit written consent before we collect any information or send simulations. We'll ask for this consent at signup.
Learners 13 and older: The learner themselves must opt in to the service. We require their active consent before sending any simulations.
By using ScamDrill, you confirm that you have the authority to consent on behalf of any minors in your account.
Consent requirements
Transparency and consent are core to how ScamDrill works. Both the guardian and the learner must actively consent to the service.
Guardian consent: By creating an account, you agree to these terms.
Learner consent: Each learner receives an invitation and must actively opt in by clicking a link and confirming they understand they'll receive simulated scam emails or texts. They always know they're being trained.
Opting out: A learner can stop receiving simulations at any time by clicking the unsubscribe link in any email or replying STOP to any text. There are no penalties for opting out, and we'll respect their choice immediately.
Acceptable use
You agree not to use ScamDrill in any way that harms others or violates the law. Specifically:
- Don't sign up someone without their knowledge or consent (except parents obtaining parental consent for minors under 13)
- Don't use the service to harass, intimidate, or embarrass anyone
- Don't use learner data for any purpose other than scam awareness training
- Don't attempt to hack, reverse-engineer, or interfere with our systems
- Don't resell or redistribute ScamDrill services or content
- Don't use ScamDrill to deliver real phishing attacks or scams
If you violate these rules, we'll terminate your account and may report you to law enforcement if necessary.
Legal compliance
You are responsible for ensuring that your use of ScamDrill complies with all applicable local, state, national, and international laws and regulations, including but not limited to:
- Anti-phishing and computer fraud laws (such as the CAN-SPAM Act, CFAA, or equivalent laws in your jurisdiction)
- Data protection and privacy regulations (such as GDPR, CCPA, PIPEDA, or equivalent laws in your jurisdiction)
- Employment and workplace regulations governing employee monitoring and training
- Laws governing electronic communications and consent requirements
- Laws governing the protection of minors online (such as COPPA or equivalent)
Organizations are responsible for obtaining any required internal approvals (such as HR, legal, or IT department sign-off) before deploying ScamDrill to employees. ScamDrill is not responsible for any legal consequences arising from your failure to comply with applicable laws or to obtain required approvals.
If you are unsure whether your use of ScamDrill complies with applicable laws, you should consult a legal professional before using the service.
About our simulations
No real harm: All simulations are completely safe. There is never any malware, data theft, or actual financial risk. If a learner clicks a link in a simulation, they're directed to a ScamDrill educational page, never to a malicious website.
Educational content: Every simulation includes a clear, warm lesson explaining what the scam was, which red flags were present, and how to spot similar attempts in the future.
Transparent: Learners always know they're being trained. Our simulations are based on real scam patterns, but we always make it clear when they're participating in a drill.
Frequency: Simulations are sent on a semi-random schedule, typically every 7 to 30 days. You can adjust the frequency from your dashboard on paid plans. Learners cannot predict exactly when one will arrive, which mirrors how real scams work.
Second Opinion email checking
The Family+ plan and the standalone Second Opinion add-on let you (or a learner) forward a suspicious email to check@scamdrill.com and receive an automated verdict — for example, "looks safe," "looks suspicious," or "looks like a scam" — together with a short explanation of what we noticed. This verdict is generated by a combination of heuristic rules (such as header checks, link and domain analysis, sender-reputation lookups, and content pattern matching) and AI / large-language-model analysis of the forwarded message.
The verdict is an indicator, not a guarantee. Heuristic checks and AI models can — and sometimes do — make mistakes. They can flag a perfectly legitimate email as suspicious (a false positive), and they can rate a real scam as safe (a false negative). They can be fooled by novel or carefully crafted attacks, by attackers who deliberately mimic legitimate senders, by emails that depend on context the model cannot see (such as whether you actually placed an order, opened an account, or know the sender), and by changes in scam tactics that postdate the model's training data. The verdict reflects only what is visible in the message you forwarded, at the moment you forwarded it, using the tools available to us at that time. It is not a substitute for your own judgment, and it is not a substitute for proper email security, anti-malware, or anti-fraud controls on your devices, your email provider, or your financial accounts.
You should treat any Second Opinion verdict as one input among several. Do not rely on a Second Opinion verdict as the sole basis for clicking links, opening attachments, replying with personal or financial information, transferring money, sharing credentials or one-time codes, or making any other consequential decision. When in doubt, verify directly with the purported sender using a phone number, app, or website you obtained independently — not from the email itself.
No warranty; you assume the risk. The Second Opinion email checking feature is provided "as is" and without warranty of any kind, whether express or implied, including warranties of accuracy, completeness, fitness for a particular purpose, or non-infringement. To the fullest extent permitted by law, ScamDrill will not be liable for any loss, damage, fraud, identity theft, financial harm, data breach, missed legitimate communication, or other harm that you, a learner, or any third party suffers as a result of relying on (or not relying on) a Second Opinion verdict — whether the verdict was a false positive, a false negative, incomplete, delayed, or otherwise inaccurate. Your use of the feature is at your own risk, and the limitations in the "Limitation of liability" section below apply in full to any Second Opinion verdict.
Email communications
Once you sign up — or once a learner accepts a guardian's invitation — ScamDrill will send email to the address on file. We group those messages into the categories below so you know exactly what to expect, who receives what, and how to turn off the optional ones.
Account and administrative emails (transactional)
These are required to operate the service. They are sent to guardians, organization administrators, and any newsletter or admin recipient with an account. You cannot opt out of these while your account is active; closing your account stops them.
- Account verification, sign-in, and password-reset emails sent through our authentication provider when you create an account, change your email address, or request a password reset.
- Billing emails sent in connection with paid subscriptions, including payment receipts, upcoming-renewal notices, plan-change confirmations, failed-payment notices, refund confirmations, and cancellation confirmations. Some of these are sent by Stripe on our behalf.
- Service notices when we make material changes to these Terms, the Privacy Policy, the SMS program, or the security of your account.
- Account-closure and data-deletion confirmations when you (or a learner) close an account or request deletion of personal information.
Emails sent to learners
Once a learner has accepted a guardian's or administrator's invitation, ScamDrill sends them the following emails. Every learner-facing email includes a one-click unsubscribe link that immediately stops all simulations and follow-ups for that learner.
- Consent invitation — sent the first time a guardian or administrator adds the learner. The learner must actively click through and consent before any simulations are sent. A guardian or administrator can re-send this invitation if it expires or is missed.
- Simulation emails — the realistic but harmless training drills themselves, sent on the semi-random schedule described in the "About our simulations" section above. Clicking any link in a simulation always leads to a ScamDrill educational debrief page, never to a malicious site.
- Educational follow-up email ("Did you spot the scam?") — sent automatically a few days after a simulation if the learner did not report it and did not click any of the links. The follow-up explains what the simulation was, lists the red flags the learner could have used to spot it, and links to the learner's progress page. The purpose is to turn a missed drill into a teaching moment. Learners who correctly identify a simulation (by reporting it to spam@scamdrill.com or by clicking through to the debrief page) do not receive the follow-up — the catch is recorded directly in the dashboard.
- Workforce security-awareness training invitations and reminders — sent only to learners whose organization has enabled annual compliance training. These include the initial training invitation and, at the administrator's discretion, periodic reminders if the training is not yet complete.
Notifications sent to guardians and account owners
Each of the following notifications can be turned on or off independently from Dashboard → Settings → Notification preferences. They are on by default for new accounts.
- Click alert — a real-time email when one of your learners clicks a link in a simulated scam, so you can follow up with them while the moment is fresh.
- Real-scam-caught alert — an email when something you (or a learner) forwarded to check@scamdrill.com is analyzed and flagged as a real (non-simulation) scam.
- Monthly family digest — a once-per-month summary of your learners' activity, including reports submitted, points and streaks earned, and any new achievements.
Notifications sent to organization administrators
For organization plans, administrators receive the following emails. The digests can be toggled from the same notification-preferences screen as the family notifications above.
- Administrator invitation — sent when an existing owner or administrator invites a new administrator to manage the organization on ScamDrill.
- Monthly click digest — an aggregated summary of simulated-scam clicks across all learners in the organization.
- Monthly real-scam digest — an aggregated summary of real (non-simulation) scams that learners forwarded to ScamDrill during the period.
Newsletter and other marketing emails
Marketing emails — including the ScamDrill newsletter, scam-trend roundups, and product announcements that are not tied to your account — are sent only after you explicitly opt in (for example, by submitting the newsletter form on our website). Every marketing email contains an unsubscribe link, and unsubscribing takes effect immediately. You can be a paying ScamDrill customer without ever receiving a marketing email.
How to control what you receive
- Learners can stop simulations and follow-ups at any time by clicking the unsubscribe link at the bottom of any ScamDrill email, or by replying STOP to any ScamDrill text (see the SMS program section below).
- Guardians and administrators can turn each optional notification on or off independently from Dashboard → Settings → Notification preferences, and can disable SMS for any individual learner by switching that learner to "Email only" from the dashboard.
- Newsletter subscribers can unsubscribe with the link at the bottom of any newsletter email.
- Account-related, billing, security, and consent emails are required for the service to function and cannot be turned off while the account is active. Closing the account stops them.
Where Stripe (billing), our authentication provider (sign-in and password-reset), or our deliverability provider (Resend) sends email on our behalf, those messages are governed by their own terms in addition to ours and our Privacy Policy.
SMS program terms
Program name: ScamDrill.
Program description: ScamDrill is a consent-based scam-awareness training program. The single opt-in path is a web consent form (sample at app.scamdrill.com/onboard/sample) reached via a tokenized email invitation — ScamDrill never sends SMS to a number prior to this web opt-in. After a learner explicitly opts in to SMS via the consent form, ScamDrill sends two categories of SMS messages to the phone number they provided: (1) periodic training simulations — realistic but harmless text messages modeled on real scam patterns, each prefixed with [ScamDrill Training] so the recipient can always tell the message is sanctioned training content; and (2) occasional service messages such as weekly progress summaries, opt-in confirmations, and HELP/STOP replies. Clicking a link in a simulation leads only to a ScamDrill educational debrief page. No marketing or promotional messages are sent through this program.
Message and data rates: Message and data rates may apply. ScamDrill does not charge for SMS messages, but your mobile carrier's standard messaging and data rates will apply to every message sent and received. Check with your carrier if you are unsure of your plan's rates.
Message frequency: Message frequency varies based on the learner's training plan and the guardian's configured settings. Most learners receive between 2 and 8 messages per month. Guardians can adjust the frequency, pause simulations, or switch a learner to email-only at any time from their dashboard. Learners can stop messages immediately by replying STOP to any text or using the unsubscribe link at the bottom of any simulation email.
Support contact information: For help with the SMS program, email support@scamdrill.com. You can also reach us at hello@scamdrill.com.
Opt-out and help instructions: Reply STOP to any ScamDrill text message at any time to unsubscribe from the SMS program. After you send STOP, you will receive one final confirmation message and no further texts will be sent to that number. Reply HELP to any ScamDrill text message to receive information about the program and contact details for support. Both STOP and HELP are free to send on all major US carriers. Learners can also fully unsubscribe from both email and SMS simulations by clicking the unsubscribe link at the bottom of any ScamDrill simulation email, and guardians can disable SMS for any learner by switching the learner's simulation type to "Email only" from the guardian dashboard.
Carrier disclaimer: Mobile carriers are not liable for delayed or undelivered messages.
Privacy: Information you provide to the SMS program is handled in accordance with our Privacy Policy, including the SMS Messaging section. No mobile information will be shared with third parties or affiliates for marketing or promotional purposes. Text-messaging originator opt-in data and consent are excluded from all categories of personal information sharing and will not be shared with any third parties. Phone numbers and consent records are processed only by service providers strictly necessary to deliver the messages (currently Twilio Inc., our A2P 10DLC carrier) under contractual confidentiality and data-protection terms.
Subscriptions and billing
Payment method: We process subscriptions through Stripe, a secure third-party payment processor. We never see or store your full credit card information.
Billing frequency: You can choose monthly or annual billing. The Family plan is $9/mo (or $84/yr) and the Family+ plan is $15/mo (or $144/yr, which includes Second Opinion AI email checking). Free users can add Second Opinion AI email checking for $2.99/mo (or $29.99/yr). Monthly subscriptions renew automatically every 30 days. Annual subscriptions renew every 365 days.
Cancellation: You can cancel your subscription at any time from your account settings. Cancellations take effect at the end of your current billing period. You won't be charged again after cancellation.
30-day money-back guarantee: We offer a full refund on any paid-plan charge if you request it within 30 days of that charge — no questions asked. Email support@scamdrill.com (or use the in-app help link) with the email on your account and we'll process the refund to your original payment method. The guarantee applies to new subscriptions, renewals, and the AI Email Checking add-on. After the 30-day window, refunds are at our discretion and we'll evaluate the circumstances on a case-by-case basis.
Price changes: We may adjust pricing in the future. If we do, we'll notify you at least 30 days before the change. If you don't agree, you can cancel before the new pricing takes effect.
Intellectual property
Our content: All scam simulation templates, educational lessons, lesson content, and branded materials are the exclusive property of ScamDrill. You can't copy, modify, or redistribute this content without permission.
Your data: You own the data you provide (like names, emails, or notes about your learners). We have a license to use this data to operate ScamDrill, but you can delete it anytime.
Limitation of liability
ScamDrill is an educational and training service only. We provide simulated scam awareness training to help individuals and organizations improve their ability to recognize fraud. However, no training program can guarantee protection against all scams, and the effectiveness of training depends on many factors outside our control.
By using ScamDrill, you acknowledge and agree that:
- ScamDrill is not liable for any individual learner, guardian, employee, or organization falling victim to any scam, phishing attack, fraud, or social engineering attempt, whether or not the victim has completed ScamDrill training
- ScamDrill does not guarantee that training will prevent financial losses, data breaches, identity theft, or any other harm resulting from real-world scams
- ScamDrill is provided "as is" without any warranty of any kind, whether express or implied, including warranties of merchantability, fitness for a particular purpose, or non-infringement
- We're not liable for any indirect, incidental, special, consequential, or punitive damages, including but not limited to loss of money, data, revenue, profits, business opportunities, or goodwill
- Our total aggregate liability to you for all claims arising from or related to the service is limited to the fees you actually paid to ScamDrill in the 12 months preceding the claim
- Organizations using ScamDrill remain solely responsible for their own cybersecurity posture, policies, and incident response, and ScamDrill's training does not constitute a cybersecurity audit, assessment, or certification
- ScamDrill is not liable for any loss, damage, fraud, identity theft, financial harm, missed legitimate communication, or other harm resulting from reliance on (or non-reliance on) a Second Opinion email checking verdict, whether that verdict was a false positive, a false negative, or otherwise inaccurate. Heuristic and AI-powered email analysis is an indicator only and is not a guarantee of email safety, legitimacy, or maliciousness
Nothing in this section limits our liability for fraud, gross negligence, or data breaches directly caused by our negligence.
Termination
You can terminate anytime: Cancel your subscription at any time, and your access ends at the end of your billing period.
We can terminate anytime: If you violate these terms, harass learners, or engage in illegal activity, we'll suspend or terminate your account immediately.
Data deletion: When you close your account, we'll delete all your personal information (name, email, billing info) within 30 days. Learner data is deleted within 30 days. We may retain aggregated, anonymized data for analytics purposes (e.g., "the average click-through rate on IRS scams").
Governing law & dispute resolution
These terms are governed by the laws of the State of New Mexico, USA, without regard to its conflict-of-law rules. The Federal Arbitration Act governs the interpretation and enforcement of the arbitration provisions in this section.
Binding arbitration: Except for the carve-outs below, you and ScamDrill agree to resolve any dispute, claim, or controversy arising out of or relating to these terms or the service through final and binding individual arbitration — not in court. Arbitration will be administered by the American Arbitration Association (AAA) under its Consumer Arbitration Rules, and will take place in Bernalillo County, New Mexico, or remotely by phone or video. The arbitrator's decision is final and may be entered as a judgment in any court of competent jurisdiction.
Class action waiver: You and ScamDrill agree that disputes will be resolved on an individual basis only. Neither party may bring or participate in a class action, class arbitration, collective action, or representative proceeding. The arbitrator may award relief only in favor of the individual party seeking relief, and only to the extent necessary to provide that relief. If this waiver is found unenforceable, the entire arbitration provision in this section is void.
Small-claims carve-out: Either party may bring an individual claim in small-claims court if the claim qualifies under that court's rules and stays in that court. Either party may also seek injunctive or equitable relief in court to protect intellectual property or stop unauthorized access to the service.
30-day opt-out: You can opt out of the arbitration agreement and class action waiver above. To opt out, send a written notice to legal@scamdrill.com with the subject line "Arbitration Opt-Out" within 30 days of first accepting these terms. Include your full name and the email address on your account. Opting out won't affect any other part of these terms, and you can still use the service normally.
Venue for non-arbitrable matters: For any claim that isn't subject to arbitration (such as small-claims actions and the equitable-relief carve-out above), you and ScamDrill agree to the exclusive jurisdiction and venue of the state and federal courts located in Bernalillo County, New Mexico, and consent to personal jurisdiction in those courts.
Contact us
Questions about these terms? Get in touch:
- Legal questions: legal@scamdrill.com
- General inquiries: hello@scamdrill.com