How To Do A Free Phishing Test For Your Organization


So, you want to assess your organization’s vulnerabilities with a phishing test, but you don’t want to pay for phishing simulation software that will run the bill up?

If this is true for you, then keep reading.

This article covers ways that a technical security engineer or a non-technical security analyst can set up and run a phishing simulation for free or next to no cost.

Why Should I Go With Free or Budget-Friendly Phishing Simulation Software?

The simple answer to this question is because you don’t have to go with expensive solutions such as KnowBe4 in order to run a good phishing campaign.

It’s also true in this case, that the more expensive software isn’t necessarily the best software to run your campaign.

Why would I say that?

Well, the truth is that you don’t really need a lot of bells and whistles to run a phishing campaign.

You also don’t need 1,000 templates to get a campaign accomplished.

After all, most phishing campaigns don’t send more than 1 phishing email per month.

Also, the best way to run a great campaign is to customize your own templates that are geared towards your organization.

So, in reality it’s best to choose phishing simulation software that is customizable and easy to use, not over complicated and stuffed with features that you’ll never use.

What is the best free phishing test software???

Our answer at Hailbytes is the GoPhish phishing framework.

Gophish is a simple phishing framework that is open-source and gets updated frequently.

How Do I Get Started With The GoPhish Framework?

There are two different options for how you should get started. To figure out which option you should pick, you should ask yourself a few questions.

Am I technically skilled when it comes to setting up security infrastructure?

If the answer is yes, then you’re probably okay to set up Gophish on your own. Keep in mind that setting up this type of infrastructure can be time consuming and challenging if you want to have it set up right.

If the answer is no, then you’ll want to go the easy route and use the GoPhish framework instance that’s available on the AWS marketplace. This instance allows for a free trial and charges for metered usage. It’s not free, but it’s more affordable than KnowBe4 and is a lot easier to set up.

Do I want to set up GoPhish as Cloud Infrastructure?

If the answer is yes, then you can use the ready-made version of GoPhish on AWS. The benefit to this is that you can scale up your phishing campaigns with ease from any location. You can also manage your subscription along with your other cloud infrastructure in AWS.

If not, then you may want to set up GoPhish yourself.

If I am setting up GoPhish on my own, what resources can I use to get started?

How to set up GoPhish with AWS (THE EASY WAY):

A video on how to install the latest version of GoPhish on Kali Linux:

A video on how to do Penetration Testing with GoPhish:

How Do I Run A Phishing Campaign In My Organization?

Running a phishing simulation in an organization can set off alarms (in a bad way) if not done properly.

You want to make sure that you have a plan for technical implementation as well as organizational communication.

  • Plan your communication strategy (Plan how to sell this to executives and how to set the tone with employees. Remember: catching someone in your organization that falls for your phishing test shouldn’t be about punishment, it should be about training.)
  • Understand how to analyze your results (Having a 100% success rate doesn’t translate to success. Having a 0% success rate doesn’t either.)
  • Start with a baseline test (this will give you a number to measure against)
  • Send on a monthly basis (This is the recommended frequency for phishing tests)
  • Send a variety of tests (Don’t copy yourself too often. Nobody will fall for it.)
  • Send a relevant message (Use current news outside of the company or internally to get a higher open rate for your campaign)

Want to know more details about the do’s and don’ts of running a free phishing test?

>>>Check out our Ultimate Guide to Understanding Phishing HERE. <<<



WHOIS vs RDAP What is WHOIS? Most website owners include a means to contact them on their website. It could be an email, an address,

Read More »
API Load Testing With Locust

API Load Testing With Locust

API Load Testing With Locust API Load Testing With Locust: Intro You’ve probably been in this situation before: you write code that does something, an

Read More »

Application Security Training Platform | Security Sherpa