Top 9 Phishing Simulators
1. First things first: with any of the aforementioned solutions, no matter how easy they may be to install and configure, it is still your responsibility. The first of the many benefits of SecurityIQ PhishSim developed by InfoSec Institute is that after filling out a short online form, you are getting access to all benefits of SaaS without paying for any of them. Nothing to install, no scripts to modify, no servers to configure. Just sign up for a free account and start phishing. And educating. There are, of course, limitations, including a limited number of learners, branding and other customization options. However, the key elements, such as using multiple templates (with over 100 templates to choose from) in one campaign, campaign scheduling options, report delivery and exporting features, and an interactive phishing awareness education module, are included in the free account, allowing you to run several highly effective phishing campaigns.


2. As an open-source phishing platform, Gophish gets it right. It is supported by most operating systems, installation is as simple as downloading and extracting a ZIP folder, the interface is simple and intuitive, and the features, while limited, are thoughtfully implemented. Users are easily added, either manually or via bulk CSV importing. Email templates are easy to create (there aren’t any included though, with a community-supported repository initiated) and modify (using variables allows for easy personalization), creating campaigns is a straightforward process, and reports are pleasant to look at and can be exported to CSV format with various levels of detail. Major drawbacks: no awareness education components and no campaign scheduling options.


3. The first commercial product on our list, LUCY provides a hassle-free download of the free (community) version of the platform. All you need is your email address and name, and you can download LUCY as a virtual appliance or a Debian install script. The web interface is attractive (if a bit confusing), and there are lots of features to explore: LUCY is designed as a social engineering platform that goes beyond phishing. The awareness element is there as well with interactive modules and quizzes. So, why didn’t we place LUCY higher up the list? Because we are talking about free phishing simulators, and the community version of LUCY has too many limitations to be effectively used in an enterprise environment. Some important features are not available under community license, such as exporting campaign stats, performing file (attachment) attacks, and, most importantly, campaign scheduling options. With that, the free version of LUCY gives you a taste of what the paid version is capable of, but doesn’t go much farther than that.


4. While this solution may lack in the GUI attractiveness department compared with some of the previous entries, there is one important feature that puts it so high on our list. Simple Phishing Toolkit provides an opportunity to combine phishing tests with security awareness education, with a feature that (optionally) directs phished users to a landing page with an awareness education video. Moreover, there is a tracking feature for users who completed the training. Unfortunately, the sptoolkit project was abandoned back in 2013. A new team is trying to give it a new life, but as of now, the documentation is scarce and scattered all over the internet, making realistic implementation in an enterprise environment a difficult task.


5. While this open-source Ruby on Rails application is designed as a penetration testing tool, it has many features that could make it an effective solution for internal phishing campaigns. Perhaps the most important feature is the ability to view detailed campaign stats and easily save the information to a PDF or an XML file. You can probably guess the “however” part that’s coming up: Phishing Frenzy is a Linux-based application, with installation not to be handled by a rookie.


6. With this open-source solution from SecureState, we are entering the category of more sophisticated products. King Phisher’s features are plentiful, including the ability to run multiple campaigns simultaneously, geo location of phished users, web cloning capabilities, etc. A separate template repository contains templates for both messages and server pages. User interface is clean and simple. What is not that simple, however, is installation and configuration. King Phisher server is only supported on Linux, with additional installation and configuration steps required depending on flavor and existing configuration.


7. Another Python tool created by Adam Compton. SPF includes many features that allow you to quickly configure and perform effective phishing attacks, including a data entry attack vector (3 website templates are included, with the possibility of using custom templates as well). While a tech-savvy security professional can have a lot of fun with SPF and will be able to run phishing campaigns against multiple targets, it is still mainly a pentesting tool, with many great features (such as email address gathering) being of little importance for someone performing […].


8. Another tool from TrustedSec, which, as the name suggests, was designed for performing various social engineering attacks. For phishing, SET allows for sending spear-phishing emails as well as running mass mailer campaigns, as well as some more advanced options, such as flagging your message with high importance and adding a list of target emails from a file. SET is Python based, with no GUI. As a penetration testing tool, it is very effective. As a phishing simulation solution, it is very limited and does not include any reporting or campaign management features.


9. This tool isn’t trying to deceive anyone (other than its phishing targets). Developed by TrustedSec, SpearPhisher says it all right in the description: “A Simple Phishing Email Generation Tool.” With an emphasis on ‘simple.’ Designed for non-technical users, SpearPhisher is a Windows-based program with a straightforward GUI. It allows you to quickly craft a phishing email with customized From Email, From Name, and Subject fields and includes a WYSIWYG HTML editor and an option to include one attachment. You can send the crafted email to several recipients via adding email addresses to To, CC, and BCC fields. The program has been in Beta since 2013, so it’s not likely to see any updates in the near future.

:)
 
