A critical element of educating employees on phishing is teaching them how to recognise and report phishing emails. One way to achieve this is with phishing simulation software.

Paid tools

  • Cofense PhishMe - Easy to use GUI, good reporting. Email simulations only. Hosted by the vendor.
  • PhishLine - Easy to use GUI, good reporting. Email, SMS, voice and USB simulations. Hosted by the vendor.
  • SANS Phishing tools - Email simulations.
  • Office365 Attack Simulator - Microsoft has announced a public preview (as of March 2018). Available to E5 subscription customers. Hosted by the vendor.
  • PhishSim - InfoSec Institute created a membership-based platform that combines anti-phishing training with phishing simulations for a reasonable corporate rate. Hosted by the vendor.
  • Lucy - Installed on your own infrastructure or hosted in the cloud.
  • Find a phish - MediaPro's email simulator for Office 365, Exchange 2013/2016.

Free tools

  • GoPhish - An open-source platform that provides a nice interface and good metrics tracking. Install on your own Windows, Mac OS or Linux server. We use this one in the Phishing Countermeasures course on a pre-configured Ubuntu virtual machine.
  • Cofense PhishMe SME - a free version of their commercial solution. Limited to 12 simulations a year. Still get access to their templates and education content.
  • Phish Insight - a free tool from TrendMicro (commercial) for max 200 recipients. More recipients = paid tool.
  • Duo Insight - commercial tool but free for use. It is a marketing tool for their other solutions. Allows minor customisations such as sender name but limited sender address options. No education customisation. Provides some simple templates to start with. Simple but nicely presented stats you can then export to JSON or CSV.

For techies

  • Phishing Frenzy - Built on Ruby on Rails. Oriented towards pen testers/red teams. Installed in your environment.
  • Morning Catch - a pre-configured virtual machine with a website, email infrastructure and client machines and loaded with some existing vulnerabilities. Oriented towards techies to learn about phishing.
  • King Phisher - An open-source solution for Linux only. Installed on your own infrastructure. Oriented towards techies.
  • SpeedPhish framework - Simple phishing simulations. Based on Python. Oriented towards pen testers/red teams.
  • Social-Engineer Toolkit - Based on Python. Oriented towards pen testers/red teams.
  • Mercure - Based on Python, Linux based.
  • FiercePhish - supported on Ubuntu only.
  • Wi-fi phish - A bit different to all the other tools listed here: this one phishes via Wi-Fi attacks, i.e. connecting to a rogue access point.
  • Tacklebox - Ruby-based tool.

There are other free simulator tools on GitHub; however, if they haven't received an update in over a year, they haven't been included here.

About Phishing Countermeasures

Phishing Countermeasures is a resources website set up for students of the Charles Sturt University IT Masters course.

If you are interested in contributing tips and content, get in touch.

Good reading

Favourite websites on phishing and related topics: