HailBytes SAT - Enterprise Phishing Simulation Platform

The main use I make of Gophish  is to carry out phishing campaigns for clients. In this case, I work for external companies that ask their employees to participate in awareness campaigns so that their company does not fall for scams and, of course, so their data does not end up compromised on the Dark Web, for example.

One campaign I carried out was for Embutidos Martínez, in which the timing was based on the fact that it was around November, so it was about Black Friday, and many people fell for it because Black Friday is all about offers before Christmas. From there, many people fell for the phishing since we were advertising all kinds of products, especially technology products which at that time of year are the ones most commonly bought for Christmas.

I focus on doing phishing campaigns, although not just traditional phishing of sending an email and then leading to another email, but also smishing and quishing. I have carried out these campaigns, in which I used Gophish  in parallel because it generates a token and from that token you can then create quishing and smishing.

I used it for various types, not just traditional phishing but also quishing and smishing.

The best features are that it is free software and that you can put in your own templates and from there you make customized templates to your liking. It does not give you everything pre-made like other platforms such as Proofpoint, but it is quite good because you learn and it is more traditional to use Gophish.

The solutions it provides are that you can use it at whatever level you want. It is super free and has no limitation. I have used it in many areas: traditional email phishing, smishing or quishing, and it allows you to create whatever templates you want. It is more than free enough and you set up the configuration as you prefer. It is free, unlike others such as KnowBe4  or Proofpoint, where everything comes already pre-made, whereas with Gophish you can do it freely to your liking with DNS configuration, the email settings such as SPF, DKIM, DMARC, whatever it may be.

Gophish's features are that it is free, you can do whatever you want, and it is super basic. If you know IT, HTML, CSS, JavaScript, it is useful for making templates to your liking and tailored to you, not some pre-cooked templates like the ones you get from KnowBe4  or Proofpoint.

The impact it has had is that we have been able to sell it to clients who, for example, do not have the money to pay for a platform because they are small startups, and so with Gophish we create a solution that is cheaper for them. Paying for Proofpoint or KnowBe4 is too expensive, and with Gophish being free software and open source, anyone can run campaigns.

It has been thanks to the people who have fallen for the phishing. When they fall for a phishing, for example, we take them to an educational page, where thanks to that educational content they know that they have fallen for that phishing and from there we raise their awareness so they do not fall for phishing again.

I think Gophish could be improved with more automation, for instance. It is great that you can create templates, schedule them, and do everything you want in Gophish, but it would be nice to have a small integrated AI model with which you could create email templates and phishing templates. It would be nice if Gophish implemented artificial intelligence.

I wish Gophish could provide more support and be more advanced and that they continue developing it because it seems that Gophish does not get many updates, and I think they need to implement more features. It is great because it is free, but it needs more features. It would be cool if there was an artificial intelligence model that could create phishing campaigns or templates or email templates for you integrated within Gophish.

I would rate it a seven. It is quite good and free software, but it needs more substance. It also depends on the number of clients a company has; it may be necessary to launch Gophish in a staggered way, which I also think is a drawback Gophish has. The issue is that if there are many people being targeted, for example, 5,000 employees in a company and you send 5,000, it may be that sending so many messages gets blocked by the security systems companies have. I think that Gophish could also improve the message sending flows.

I gave it a seven because there are things to improve and it is not perfect. As I said before, it would be nice if templates could be created with AI, integrated into Gophish using an API with Gemini  or ChatGPT or whichever, but the point is that it would be nice if the sending flows at large scale were better managed. When you send a phishing campaign to 5,000 people, you have to send it in sections in a staggered way, for example: to these 5,000 people it is going to be sent between eight in the morning and four in the afternoon. If you send them all at once, the phishing may get blocked and then the campaign has no effect.

I would like it if Gophish implemented more improvements because they are needed, as it is kind of a bit stagnant. I hope that in the future they add more improvements including creating personalized templates with artificial intelligence and improving the message sending flows.

I have been using Gophish for two years.

I consider Gophish to be stable, but it needs improvements.

Gophish's scalability is very simple. You make a full copy of the database you have with Gophish and you can move it from one VPS to another. That is wonderful.

I have never contacted Gophish customer support because it is free software. At the beginning I never had any problems with Gophish.

I did not use any other option. I have always used Gophish because it is free software. I could have also used KnowBe4 or Proofpoint, but those platforms are paid.

I did not evaluate other options. With Gophish being free there is no other option.

Above all, patience and having a lot of information about IT topics are required, being clear on what DNS is, what a VPS is, and knowing what SPF, DKIM, DMARC are, which are checks that emails have to verify that they come from that sender, for example the email. Knowing all that information and knowing how to configure it is essential. Especially if you like making email templates, it is very good. From an email you receive, for example, that you want to phish with, you can import it directly into Gophish. That is wonderful.

We are resellers because, as I mentioned before with the VPS, we run phishing campaigns with Gophish.

The return on investment is obvious. In terms of saving on staff, you save yourself from spending hundreds of thousands of euros on buying platforms like Proofpoint or KnowBe4. Those platforms are paid and are more professional, intended for doing this at large scale, and Gophish is quite good because it also serves to run phishing campaigns. The thing is that you save money because all you need for Gophish to work is a VPS and a domain on which you are going to run the phishing campaign, and that is it, because Gophish itself is free software and is free of charge.

It is free software. Gophish does not cost a single penny and that is very good. Proofpoint or KnowBe4 do cost money and, of course, since we charge the client, a small startup cannot afford it and so we use the Gophish solution.

I hope that Gophish continues as a project and includes improvements. It is quite good and a simple, straightforward platform that anyone can use. Of course, you need some IT knowledge because someone who does not know about IT cannot use it. Proofpoint or KnowBe4 is more pre-made for doing phishing campaigns because it is just clicks, but of course, as Gophish is very customizable, you can create your templates and create your campaigns. I gave this review a rating of seven out of ten.

My main use case for Gophish  is to create phishing campaigns and to test, mostly for phishing simulation across organizations. I create custom templates when I set up those phishing campaigns, and I also set up the campaign according to the departments.

One of the best features I like in Gophish is the site importation feature that allows you to import sites by simply pasting the URL of any existing landing page in order to automatically get the HTML and CSS content, a clone of it.

Another feature I find valuable is the built-in credential harvesting feature which allows you to harvest credentials when it comes to your phishing simulations.

Gophish has really improved security awareness in my organization. As we conduct phishing simulations, we also make sure we conduct awareness training alongside them. After the phishing simulation that we do, with the results that we get, we make sure we do the necessary remediations and take the necessary actions. For instance, if we realize that a particular person is a victim to the phish test that we conducted, what we do is educate the person and train the person so that the person becomes aware of phishing and aware of their security, and also helps them have some form of knowledge when it comes to their security.

I cannot give exact numbers, but what I can say is there has been a reduction in phishing. There has been a reduction in interaction with phishing emails, so most people have become aware now. Whenever they see a phishing email, they really know that it is a phishing email based on certain features that we have taken them through in order for them to identify whether an email is phishing or not. We have made them aware and also utilized the tool in order to help them have a feel of how it works in the real world. We taught them features such as typo-squatting and many other techniques.

I wish you could add AI features to Gophish, because since AI is a new thing, I think leveraging it in the tool is going to help a lot. It is going to make work easier and faster, for instance, when it comes to setting up the phish.

An improvement that could be done would be expanding the tool beyond phishing, adding other multi-channel attacks such as deepfake voice scams, vishing, or smishing. Adding other features when it comes to social engineering would be beneficial.

Although the tool is very good, I think there could be some improvements, especially when it comes to leveraging AI for testing and also when it comes to the expansion beyond email phishing.

I have been using Gophish  for about two years now.

Gophish is very stable and highly stable.

Gophish is highly scalable and very scalable.

I have never reached out to customer support before. What I normally do is research, sometimes read the documentation, or sometimes go through some YouTube videos to find my way around things instead of contacting support directly. If I do everything that I have already said and it does not work out, the next thing I tend to do is contact customer support. As of now, I have never contacted customer support before.

Another tool that I have used was Evilginx, but I did not switch. I think I like using Gophish because it is a lot simpler, simple to use, and simple to set up.

For others looking into Gophish, my advice to them is for them to really start using it. They should not be wasting time on planning. As long as they have the mentality that they are going for Gophish, they should just start using the tool and stop planning. This is because the tool is very great. When it comes to scalability, when it comes to setting up phishlets, everything has been made simple. I think, especially for those who are now starting with phishing, this would be a great start because you can clone other websites easily and do many other actions easily. Setting up a campaign is also very simple. Gophish has made the user experience very easy for its users, and that is a good thing. I rate this product a nine out of ten.

Gophish  is used in my current company and in my previous one for anti-phishing campaigns, awareness campaigns, and training in the company.

In our last campaign, for example, we created a fake iFood ad where the user had to click on the link. This link would take them to a login screen for our corporate email. After entering their information, they received an alert saying they had fallen for a phishing attempt, with a link for them to join a training campaign. All of this with analysis was created within Gophish .

Gophish, despite being a free tool, fits very well because it has all the features we need, from creating landing pages and creating the email to tracking the click traffic and the ingestion of information. We stopped spending on a paid tool and can redirect that budget to other needs. All thanks to Gophish, which is a complete and free tool.

All features are useful, from uploading recipients in bulk to creating landing pages, creating emails, and having tracking of the entire email trail. I can track sending, receiving, clicking on the link, managing information, and whether the person then joined the training campaign. All these items in Gophish are absolutely valuable.

With the tracking of the email trail, I can truly know the campaign's adherence, if it was received, if it was read, and if data was input. After the data was input, I can see what the user did. I have a complete mapping of the phishing campaign to know whether it was really accurate and met our expectations.

I don't see anything that Gophish needs to improve within the scope of a free tool. An integration with Active Directory and Azure AD  for login would be interesting.

Gophish is a great tool; for what it proposes, it delivers. I would also suggest an improvement regarding recipients. When I send to more than 300 recipients, I am forced to split it into several sends because the tool doesn't behave effectively and freezes.

I have been in my field for 8 years.

From the first moment I looked for a good, robust, and free phishing campaign solution, Gophish was the first and only one I used. I have never had problems with it.

It scales effectively. The only problem is the issue with recipients. If I have a list with more than 300 recipients, I am forced to split it into several blocks.

I have never needed support.

I didn't have any problems because the setup has a lot of documentation, there is support, and I didn't have any licensing because we use the free version.

It made it possible for us to direct financial and human resources toward training, hiring training tools, hiring support to improve the security of the environment.

Since it is a free tool, I had no costs. However, it brought me several strategic advantages for directing resources.

I don't remember specifically which alternatives were evaluated, but others were considered and we did not proceed with them.

Go for it. Gophish is a good, complete tool that delivers everything it promises and is efficient. This review receives a rating of 10.

My main use case for Gophish  is for penetration testing on cybersecurity with phishing links and others. We used Gophish  to test the mindset of different users in the company. We used Gophish to send intrusion links and links by email, for example, links supposedly from sites they visit or related to their Facebook or Instagram account.

We determined the number of people who clicked on the link, those who reported it before clicking on the link, and those who did not click on the link. It was a survey campaign that we conducted after an awareness session that we carried out with the different users of the company.

The best features offered by Gophish stand out to me as most valuable because we can design virtual sites for intrusions, especially with cybercrime testing with phishing awareness. We have a backlog where we can monitor the number of links clicked and the number of links not clicked.

These elements are useful to me with Gophish because we actually understand the mindset of users after the awareness session, whether they have already absorbed the advice that was given to them. Through the phishing and penetration testing we conducted, Gophish has had a major positive impact on my organization, especially in my department, because we were able to find out whether the different users already understood the concept of phishing.

For the moment, I have nothing to suggest about Gophish; the application works very well and it offers many features. As you progress, you discover more and more options. I chose a rating of eight because there are always options to add and there are always upgrades that will be made.

I have been using Gophish for a month.

One piece of advice I give to those who need to use Gophish is to be patient and read extensively. If necessary, even follow user manuals to better grasp Gophish's functionality.

Gophish is a good structure and a good technological innovation that deserves to be studied and much better known by the world because not everyone knows Gophish. Gophish is good and the structure is solid. I gave this product a rating of eight out of ten.

I have been using Gophish  for a year. My main use case for Gophish  is awareness campaigns for staff. A specific example of how I use Gophish in a campaign for staff is that I create fake internal-use pages and send them to collaborators' emails to see if they fall for the tests.

The best features that Gophish offers are that it has an easy-to-use platform and that it also has documentation to guide you through the implementation.

The ease of use and the documentation have helped me in my daily work with Gophish because, having zero experience with this platform, by looking up the documentation and having an easy-to-use interface, it was much easier for me to learn and implement it in the organization.

Gophish has positively impacted my organization by finding security gaps among our collaborators, and we found people who did not know or did not understand security. This platform helped us to be able to train collaborators about phishing after the tests.

I think that Gophish could be improved, but currently, all the functionalities it has and all the types of platforms that can be implemented are very interesting. For my part, I would not see any improvement. I would like to add nothing else about possible improvements, even if they are minor details or suggestions for the future.

I have been working in my current field for two years.

I consider Gophish to be stable.

I consider the scalability of Gophish interesting; it is a platform on which you can increase the number of staff and the number of platforms to run tests on, as well as the number of independent tests I can perform.

I have not needed customer support for Gophish so far.

I did not use any other solution before implementing Gophish; it was the first time it was implemented, so this platform was used.

Before choosing Gophish, I did not evaluate other options; it was an idea that came up after finding this platform.

I have seen a return on investment with Gophish, as indicated by the savings in implementation time and the responses we had to measure the awareness of the collaborators.

My experience with the price, implementation cost, and licensing of Gophish is that personally, I have used the open platform, so we have not had to pay anything yet.

My advice to other professionals who are considering using Gophish is that it is a platform for people who are just starting out and do not have the resources and also do not have knowledge. It is an excellent platform to start with and learn about the world of awareness campaigns for collaborators. It is an easy-to-use, stable platform; it can be set up on different platforms, whether Windows or Linux, and it is easy to use since it has an integrated interface that is very easy to use and it has no cost. Gophish would be an interesting platform to start testing awareness platforms for phishing campaigns. I would give this platform a rating of 10.