Too many system and network breaches today start with a well-designed, persuasive phishing email, and organizations and businesses would do well to continually train their staff to spot bogus and potentially malicious emails.
If spending money on it is a problem, there are always free options like GoPhish.
It is an open source phishing framework aimed at making phishing training available to everyone, and it’s supposedly extremely easy to use.
“To install GoPhish, all you have to do is download the zip file, extract the contents, and run the binary,” the team behind the project (headed by security researcher Jordan Wright) explains.
“By doing this, you just started two webservers, populated a database, and set up a background worker to handle sending the mails. Now, your time can be spent making campaigns.”
It has a lovely admin user interface, but was built from the ground up with a JSON API that makes it easy for developers and sysadmins to automate simulated phishing campaigns.
GoPhish differs from most similar commercial offerings in that it’s hosted in-house, so any business data that is handled with it will remain where it should be.
It is available for Windows, Linux and OS X.
It can be downloaded from this GitHub repository (the latest version is 0.1.2, released in March), and more details and documentation (including a thorough user guide) can be picked up from the official site.
Judging by the contents of the GitHub repository, default payloads to attach to emails and a collection of email and landing page templates for use with GoPhish will also be made available at some later date.