Lets Gophish

Matt Blackwell -

What Is Gophish?

Gophish is a powerful, open-source phishing simulation tool that helps organisations strengthen their cybersecurity by testing how users respond to realistic phishing attacks. Designed to be user-friendly and highly customisable, Gophish is perfect for security teams looking to launch targeted phishing campaigns without relying on expensive commercial platforms.

With Gophish, you can easily create email templates, build fake login pages, and run full campaigns that track user interactions—like who opened the email, clicked a link, or entered credentials. The platform provides detailed analytics so you can measure how your team performs and where awareness needs improvement.

Whether you're running a security awareness program, conducting red team exercises, or working to meet compliance requirements, Gophish gives you the tools to educate users and reduce risk—one simulated phish at a time.

How to Get Started with Gophish

Getting started with Gophish is surprisingly simple. Follow these basic steps to launch your first phishing simulation:

  1. Download and Install Gophish
    Head to the official Gophish GitHub page and download the latest release for your operating system. No complicated setup or installation process—just unzip and run.
  2. Configure the Server
    Launch Gophish and access the dashboard via your browser (typically at https://localhost:3333). Set up your admin credentials and configure sending profiles using your organisation's SMTP server or a secure third-party provider.
  3. Build Your Email Templates
    Create realistic, professional-looking phishing emails using HTML or the built-in editor. Include variables like {{.FirstName}} to personalize content and boost engagement.
  4. Create Landing Pages
    Design custom pages that mimic login portals or internal tools. These are used to capture submitted credentials or simply log click events.
  5. Set Up a Campaign
    Choose your target group, email template, landing page, and sending profile. Schedule your campaign and let it run.
  6. Monitor and Analyse Results
    Track key metrics like email opens, link clicks, and submitted data. Use this insight to identify training opportunities and improve future campaigns.

Tips for a Successful Phishing Simulation

  • Keep it Realistic: Use branding and tone similar to your company or known vendors (e.g., Microsoft, Google).
  • Start Simple: Begin with basic phishing templates before advancing to more sophisticated tactics.
  • Educate, Don’t Punish: Use results as a teaching moment. Offer training or follow-up guidance rather than disciplinary action.
  • Rotate Campaign Types: Vary your attack vectors—include file attachments, fake login portals, and suspicious requests.
  • Respect Privacy and Ethics: Inform users in advance (if required), and avoid collecting sensitive real-world data unless absolutely necessary.