How To Do A Free Phishing Test For Your Organization

How To Do A Free Phishing Test For Your Organization

So, you want to assess your organization’s vulnerabilities with a phishing test, but you don’t want to pay for phishing simulation software that will run the bill up?

If this is true for you, then keep reading.

This article covers ways that a technical security engineer or a non-technical security analyst can set up and run a phishing simulation for free or next to no cost.

Why Do I Need To Run A Phishing Test?

According to the Verizon 2022 Data Breach Investigations Report of over 23,000 incidents and 5,200 confirmed breaches from around the world, phishing is one of the four key paths to compromise in an organization, and no organization is safe without a plan to handle phishing.

phishing is a key path to account compromise

Phishing simulations are the second line of defense and an extension of phishing awareness. It is a way to reinforce employee training and help you understand your own risk and improve workforce resiliency. Experience is the best teacher of all, and a phishing test is the most effective way to re-enforce cyber security training and awareness.

How Do I Run A Phishing Campaign In My Organization?

Running a phishing simulation in an organization can set off alarms (in a bad way) if not done properly.

You want to make sure that you have a plan for technical implementation as well as organizational communication.

  • Plan your communication strategy (Plan how to sell this to executives and how to set the tone with employees. Remember: catching someone in your organization that falls for your phishing test shouldn’t be about punishment, it should be about training.)
  • Understand how to analyze your results (Having a 100% success rate doesn’t translate to success. Having a 0% success rate doesn’t either.)
  • Start with a baseline test (this will give you a number to measure against)
  • Send on a monthly basis (This is the recommended frequency for phishing tests)
  • Send a variety of tests (Don’t copy yourself too often. Nobody will fall for it.)
  • Send a relevant message (Use current news outside of the company or internally to get a higher open rate for your campaign)

Want to know more details about the do’s and don’ts of running a free phishing test?

>>>Check out our Ultimate Guide to Understanding Phishing HERE. <<<

Why Should I Use Free or Budget-Friendly Phishing Simulation Software?

The simple answer to this question is because you don’t have to go with expensive solutions such as KnowBe4 in order to run a good phishing campaign.

It’s also true in this case, that the more expensive software isn’t necessarily the best software to run your campaign.

What do you need for an effective phishing campaign?

Well, the truth is that you don’t really need a lot of bells and whistles to run a phishing campaign.

You also don’t need 1,000 templates to get a campaign accomplished.

After all, most phishing campaigns don’t send more than 1 phishing email per month.

Also, the best way to run a great campaign is to customize your own templates that are geared towards your organization.

So, in reality it’s best to choose phishing simulation software that is customizable and easy to use, not over complicated and stuffed with features that you’ll never use.

What is the best free phishing test software?

gophish dashboard
GoPhish stands out as the strongest open-source phish testing software on the marketplace. 

In fact, we like it so much that we prepared a copy at Hailbytes filled with the templates and landing pages our team uses. You can check out our GoPhish phishing framework on AWS.

GoPhish is a simple, fast, extendable phishing framework that is open-source and gets updated frequently.

How Do I Get Started With The GoPhish Framework?

There are two different options for how you should get started. To figure out which option you should pick, you should ask yourself a few questions.

Am I technically skilled when it comes to setting up security infrastructure?

If the answer is yes, then you’re probably okay to set up Gophish on your own. Keep in mind that setting up this type of infrastructure can be time consuming and challenging if you want to have it set up right.

If the answer is no, then you’ll want to go the easy route and use the GoPhish framework instance that’s available on the AWS marketplace. This instance allows for a free trial and charges for metered usage. It’s not free, but it’s more affordable than KnowBe4 and is a lot easier to set up.

Do I want to set up GoPhish as Cloud Infrastructure?

If the answer is yes, then you can use the ready-made version of GoPhish on AWS. The benefit to this is that you can scale up your phishing campaigns with ease from any location. You can also manage your subscription along with your other cloud infrastructure in AWS.

If not, then you may want to set up GoPhish yourself.

How to set up GoPhish with AWS (THE EASY WAY):

How to install the latest version of GoPhish on Kali Linux:

How to do Penetration Testing with GoPhish:

Ready to get started?