Conducting Phishing Simulations with GoPhish: A Practical Guide
Phishing remains one of the most effective attack vectors in cybersecurity, making phishing simulations essential for security hardening. GoPhish is a leading open-source framework for conducting these critical tests. Let's dive into phishing simulations with GoPhish.
Software Engineer
Schild Technologies
Conducting Phishing Simulations with GoPhish: A Practical Guide
Phishing remains one of the most effective attack vectors in cybersecurity, with human error being exploited far more frequently than technical vulnerabilities. GoPhish is an open-source phishing framework designed specifically for security teams to launch realistic phishing simulations in controlled environments. This guide walks through conducting a phishing campaign with GoPhish. Let's dive in.
Understanding GoPhish
GoPhish provides a complete framework for phishing campaign management:
- Campaign management: Schedule and track phishing simulations
- Email templates: Create realistic phishing emails with tracking capabilities
- Landing pages: Build convincing credential harvesting or awareness pages
- Reporting: Track user interactions, clicks, credential submissions, and generate detailed reports
- SMTP configuration: Send emails through controlled infrastructure
The platform operates through a web interface, making campaign creation and monitoring accessible without extensive command-line work.
Initial setup
GoPhish can be installed on Linux servers or run locally for testing. For production awareness campaigns, use a dedicated server.
Installing GoPhish
# Download latest GoPhish release (check GitHub for newest version)
wget https://github.com/gophish/gophish/releases/download/v0.12.1/gophish-v0.12.1-linux-64bit.zip
# Extract the archive
unzip gophish-v0.12.1-linux-64bit.zip
# Navigate to extracted directory
cd gophish-v0.12.1-linux-64bit
# Make the binary executable
chmod +x gophish
# Run GoPhish
./gophish
Upon first launch, GoPhish generates a random admin password displayed in the console. The web interface runs on https://localhost:3333 by default.
Initial configuration
Access the web interface and change the default admin password immediately. Navigate to Settings to configure:
Admin server: Interface for campaign management (keep on localhost or internal network)
Phishing server: Public-facing server that delivers phishing emails and hosts landing pages
Building campaign components
A GoPhish campaign consists of four main components: sending profiles, email templates, landing pages, and user groups.
1. Configuring sending profiles
Sending profiles define how emails are delivered. For realistic simulations, use SMTP servers that won't be immediately flagged.
Navigate to Sending Profiles and create a new profile:
Name: Corporate Email Simulation
From: security@yourcompany.com
Host: smtp.yourcompany.com:587
Username: simulation-account@yourcompany.com
Password: [SMTP password]
Test the sending profile before launching campaigns to verify delivery.
2. Creating templates
Email templates are the actual phishing messages users receive. Effective templates balance realism with clear educational value.
Navigate to Email Templates and create a template:
Subject: Action Required: Verify Your Account
HTML:
<html>
<body>
<p>Dear {{.FirstName}},</p>
<p>Our security team has detected unusual activity on your account. To prevent unauthorized access, please verify your account credentials immediately.</p>
<p><a href="{{.URL}}">Click here to verify your account</a></p>
<p>This verification link expires in 24 hours. Failure to verify may result in account suspension.</p>
<p>Thank you,<br>
IT Security Team</p>
</body>
</html>
Key template features:
- {{.FirstName}}: Personalizes email with user's name (requires structured user import)
- {{.URL}}: GoPhish automatically replaces with unique tracking link
- {{.TrackingURL}}: Invisible tracking pixel to detect email opens
- {{.From}}: Sender email from sending profile
GoPhish supports variable injection, making emails appear personalized and legitimate.
3. Designing landing pages
Landing pages are where users land after clicking phishing links. They can harvest credentials (for realistic testing) or display awareness messages.
Navigate to Landing Pages and create a page:
Credential harvesting page (captures data for analysis):
<!DOCTYPE html>
<html>
<head>
<title>Account Verification</title>
<style>
body { font-family: Arial, sans-serif; max-width: 500px; margin: 50px auto; }
input { width: 100%; padding: 10px; margin: 10px 0; }
button { width: 100%; padding: 12px; background: #0066cc; color: white; border: none; cursor: pointer; }
</style>
</head>
<body>
<h2>Account Verification</h2>
<form method="POST">
<input type="email" name="email" placeholder="Email Address" required>
<input type="password" name="password" placeholder="Password" required>
<button type="submit">Verify Account</button>
</form>
</body>
</html>
Awareness redirect page (after credential submission):
<!DOCTYPE html>
<html>
<head>
<title>Security Awareness Notice</title>
<style>
body { font-family: Arial, sans-serif; max-width: 600px; margin: 50px auto; }
.warning { background: #fff3cd; border: 2px solid #ffc107; padding: 20px; border-radius: 5px; }
</style>
</head>
<body>
<div class="warning">
<h2>This Was a Phishing Simulation</h2>
<p>This was a simulated phishing attack conducted by your organization's security team.</p>
<p><strong>What happened:</strong></p>
<ul>
<li>You clicked a malicious link from an email</li>
<li>You entered credentials on an untrusted website</li>
</ul>
<p><strong>In a real attack, an attacker would now have:</strong></p>
<ul>
<li>Your username and password</li>
<li>Access to your company accounts and data</li>
</ul>
<p><strong>Best practices to mitigate risk:</strong></p>
<ul>
<li>Always verify sender email addresses before clicking links</li>
<li>Hover over links to check destination URLs before clicking</li>
<li>Never enter credentials on unexpected login pages</li>
</ul>
<p>This simulation helps improve security hardening. No real credentials were compromised. For training resources, visit our security awareness portal.</p>
</div>
</body>
</html>
Check the Capture Submitted Data option to record what users enter (credentials, form data). Check Capture Passwords only if your authorization explicitly allows credential collection.
4. Importing user groups
User groups define who receives phishing simulations. Import users via CSV file.
Create a CSV file (users.csv):
First Name,Last Name,Email,Position
John,Smith,john.smith@company.com,Engineer
Jane,Doe,jane.doe@company.com,Manager
Navigate to Users & Groups, create a new group, and import the CSV. GoPhish maps columns to user attributes for template personalization.
Launching a phishing campaign
With all components configured, create a campaign that ties everything together.
Navigate to Campaigns and create a new campaign:
Campaign configuration:
Name: Q4 Security Awareness Test
Email Template: Action Required - Verify Your Account
Landing Page: Account Verification + Awareness Notice
Sending Profile: Corporate Email Simulation
Groups: Engineering Department
URL: https://phishing-server.yourcompany.com
Launch Date: [Schedule or Immediate]
Launch options:
GoPhish provides flexible scheduling through two fields:
Launch Date: Sets when the campaign begins sending emails. Click this field to open a date/time picker and select your desired start time.
Send Emails By (Optional): Creates staggered delivery by setting an end time. When configured, GoPhish spreads emails evenly between the Launch Date and this end time.
Scheduling scenarios:
- Send immediately: Leave "Launch Date" at the current time and leave "Send Emails By" empty. Emails send when you click "Launch Campaign."
- Schedule for specific time: Set "Launch Date" to a future date/time (e.g., tomorrow at 2:00 PM) and leave "Send Emails By" empty. All emails send at that exact time.
- Stagger delivery over time: Set "Launch Date" to your start time (e.g., 9:00 AM) and "Send Emails By" to your end time (e.g., 1:00 PM). GoPhish distributes emails evenly across this 4-hour window.
After launching, GoPhish begins tracking user interactions in real-time.
Monitoring campaign results
The GoPhish dashboard provides real-time visibility into campaign effectiveness:
Email metrics:
- Sent: Total emails delivered
- Opened: Users who opened the email (via tracking pixel)
- Clicked: Users who clicked the phishing link
- Submitted Data: Users who entered credentials or form data
- Reported: Users who reported the email potentially malicious
Timeline view: Shows when each user interacted with the campaign, useful for identifying patterns.
Interpreting results
Success indicators (from security perspective):
- High report rates (users reporting potentially malicious emails)
- Low click rates (users not clicking links)
- Low submission rates (users not entering credentials)
Risk indicators:
- High click rates without data submission (users clicking but not providing credentials—partial success)
- High data submission rates (users completing the full phishing workflow)
- Fast click times (users clicking immediately without scrutiny)
Analyzing statistics
Review results to identify:
- High-risk behaviors: Clicked link and submitted credentials immediately
- Moderate-risk behaviors: Clicked link but didn't submit data (yielded at landing page)
- Low-risk behaviors: Didn't interact with email or reported it
Post-campaign actions
Communicating results
After the campaign, communicate findings appropriately:
- Overall campaign statistics without identifying individuals
- Common red flags that were missed
- Best practices for identifying phishing attempts
- Resources for training
- Encouragement to improve without punitive tone
Security improvements
Use campaign data to improve organizational security:
Email security: If simulation emails bypassed spam filters easily, real phishing attempts likely will too. Review email security controls.
User training: Develop targeted training for departments or roles with high failure rates. Some user groups may need role-specific training (finance teams targeted by BEC attacks, executives targeted by whaling).
Baseline measurement: Initial campaign establishes baseline awareness levels. Run periodic campaigns (quarterly or semi-annually) to track improvement.
Data cleanup
After analysis and reporting:
# Export campaign data for records
# From GoPhish dashboard: Campaigns > [Your Campaign] > Export CSV
# Delete sensitive data from GoPhish database
# Via web interface: Campaigns > [Your Campaign] > Complete & Delete
Best practices
Vary the realism: Make the campaigns exhibit a realism normal distribution. This ensures you gain valuable insights, and implement effective defensive measures.
Avoid traumatic scenarios: Don't use simulations involving personal emergencies, layoffs, or health crises. These create unnecessary stress and erode trust in security teams.
Provide immediate feedback: Landing pages should immediately inform users they've been tested and explain what red flags were missed. Delayed feedback reduces learning effectiveness.
Measure improvement over time: Single campaigns provide limited value. Regular testing (every 3-6 months) tracks change and identifies persistent risk areas.
Combine with training: Phishing simulations complement but don't replace security awareness training. Use simulations to reinforce training content.
Respect privacy: Only collect data necessary for assessment. Avoid data collection practices that violate user privacy.
Pitfalls to avoid
Punitive approaches: Punishing users who engage simulation emails creates resentment and discourages reporting real phishing attempts. Keep campaigns constructive.
Inappropriate communication: Surprise campaigns without organizational context can damage trust. Leadership should communicate that awareness testing occurs, even without revealing specific timing.
Inadequate authorization: Ambiguous approval can create legal and HR complications.
Ignoring results: Collecting data without acting on findings wastes effort. Use campaign results to drive tangible security improvements and targeted training.
Conclusion
GoPhish provides security teams with powerful capabilities for assessing and improving organizational phishing awareness. The platform's flexibility supports simulations ranging from basic awareness tests to sophisticated social engineering scenarios that mirror real-world threats.
Technical controls alone cannot prevent all phishing attempts from reaching users. Human awareness remains a critical defense layer. GoPhish, properly deployed, develops employees into informed defenders who can independently assess and navigate potential threats.
Organizations implementing regular, well-designed phishing awareness campaigns typically see substantial reductions in risk. Establish baseline measurements, provide constructive feedback, track improvement over time, and recognize progress. This approach builds genuine security awareness that strengthens organizational resilience against one of cybersecurity's most persistent threats.