Your firewall is configured. Your WAF is running. Your IDS is watching traffic. None of that stops an employee from clicking a link in a convincing email that says their password is about to expire.
Phishing remains the #1 initial attack vector in data breaches — not because defenders are lazy, but because humans are the hardest thing to patch. Industry data consistently shows 20–30% of employees click simulated phishing links on their first test. Running internal simulations with GoPhish lets you measure exactly where your team stands, then build training around real numbers instead of assumptions.
We’ll cover installing GoPhish on a Linux VPS, running your first campaign end-to-end, and turning the results into targeted training for the right people.
Approach Comparison: How to Run Phishing Simulations
Three main approaches exist for running phishing simulations internally. Understanding the tradeoffs helps you pick the right one.
1. Paid SaaS Platforms (KnowBe4, Proofpoint, Cofense)
Full-featured platforms with pre-built phishing templates, automated training enrollment, and detailed compliance dashboards. They work well for large enterprises with audit requirements. The downside: pricing runs $15–$40+ per user per year. You also hand over control of the infrastructure that’s sending your test emails.
2. Manual Red Team Exercises
Security teams craft custom phishing emails and track clicks manually. Maximum realism, but the labor cost is significant. Testing 500 employees quarterly this way isn’t realistic for most teams.
3. Self-Hosted Open Source (GoPhish)
GoPhish is a free, open-source phishing simulation framework written in Go. You run it on your own server, own your sending domain, and have full visibility into every part of the campaign. For teams of 50–500 employees, it gets you professional-grade simulation capability at essentially zero software cost.
Pros and Cons of GoPhish
What GoPhish Does Well
- Free and open source — no per-seat licensing. One VPS, unlimited campaigns.
- Full infrastructure control — you own the sending domain, the landing page server, and the collected data. Nothing reaches a third party.
- REST API — automate campaign creation and pipe results into your SIEM or internal dashboards.
- Clean web UI — campaign setup, tracking, and results are all browser-based. No CLI knowledge required for day-to-day use.
- Granular tracking — logs email opens, link clicks, credential submissions, and form data per individual user.
Limitations to Know Upfront
- Deliverability is your problem — SPF, DKIM, and DMARC on your sending domain are entirely your responsibility. Skip these and your test emails land in spam. Meaningless data.
- No built-in training content — GoPhish tells you who clicked. It won’t auto-enroll them in a training module. You’ll link out to external training or build your own post-click redirect.
- Thin template library — the built-in phishing templates are minimal. Expect to write most of your own.
- No compliance reporting — SOC 2 or ISO 27001 evidence means exporting CSVs and formatting reports yourself.
Recommended Setup
A simulation that actually reaches inboxes needs three things beyond the GoPhish binary: a dedicated sending domain, proper email authentication records, and TLS on your landing page server.
Here’s the recommended infrastructure layout:
- A VPS (2 vCPU, 2GB RAM is plenty) running Ubuntu 22.04 or Debian 12
- A secondary domain bought specifically for phishing tests — something plausible like it-helpdesk-portal.com or a subdomain pattern that mirrors your internal tools
- MX and SMTP records pointing to your VPS
- SPF, DKIM, DMARC configured on the sending domain
- A TLS cert via Let’s Encrypt for the landing page
Never use your production company domain for phishing tests. If your sending reputation takes a hit, it should affect a throwaway domain — not the infrastructure your real email depends on.
For the GoPhish admin password and server credentials, I use the password generator at toolcraft.app/en/tools/security/password-generator. It runs entirely in the browser — no data is transmitted. That matters here, since you’re generating credentials for a server that’s actively hosting phishing infrastructure.
Implementation Guide
Step 1: Install GoPhish on Your VPS
SSH into your VPS and download the latest GoPhish release from GitHub. Check the releases page for the current version number — the example below uses v0.12.1:
# Download and extract GoPhish (pin the asset URL to the release tag you checked;
# the releases/latest/ path only resolves if v0.12.1 is still the newest release)
wget https://github.com/gophish/gophish/releases/download/v0.12.1/gophish-v0.12.1-linux-64bit.zip
unzip gophish-v0.12.1-linux-64bit.zip -d /opt/gophish
cd /opt/gophish
chmod +x gophish
# Optional: allow binding port 80 without running the phishing server as root
setcap cap_net_bind_service=+ep /opt/gophish/gophish
Before starting it, edit config.json to bind the admin panel to localhost only — you’ll reach it through an SSH tunnel — and set the phishing server to listen on port 80:
{
  "admin_server": {
    "listen_url": "127.0.0.1:3333",
    "use_tls": true,
    "cert_path": "gophish_admin.crt",
    "key_path": "gophish_admin.key"
  },
  "phish_server": {
    "listen_url": "0.0.0.0:80",
    "use_tls": false
  },
  "db_name": "sqlite3",
  "db_path": "gophish.db",
  "migrations_prefix": "db/db_",
  "logging": {
    "filename": "",
    "level": ""
  }
}
Start GoPhish and grab the temporary admin password it prints on first run:
./gophish
# Output includes: Please login with the username admin and the password [GENERATED_PASSWORD]
Step 2: Configure Your Sending Domain
Add these DNS records to your phishing domain. Swap in your actual server IP and test domain:
# A records for the domain and for the MX host it names
yourdomain.com. 300 IN A YOUR_VPS_IP
mail.yourdomain.com. 300 IN A YOUR_VPS_IP
# MX record
yourdomain.com. 300 IN MX 10 mail.yourdomain.com.
# SPF: only your VPS may send as this domain
yourdomain.com. 300 IN TXT "v=spf1 ip4:YOUR_VPS_IP ~all"
# DMARC: p=none only monitors; aggregate reports go to the rua mailbox, so that mailbox has to exist
_dmarc.yourdomain.com. 300 IN TXT "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com"
DKIM requires generating a key pair on the server itself. The key only does something once the MTA that actually delivers your mail (the SMTP server in your Sending Profile) is configured to sign with it; GoPhish does not DKIM-sign on its own. Install opendkim and run:
apt install opendkim opendkim-tools -y
# 2048-bit key under selector "mail"; -t publishes the record in test mode (t=y), drop it once signing works
opendkim-genkey -b 2048 -t -s mail -d yourdomain.com
# Creates mail.private (keep on the server) and mail.txt (the public DNS record)
cat mail.txt # Copy the full TXT record value, all quoted chunks joined, into your DNS
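Before sending anything, it is worth checking the three records against the mistakes that silently send a campaign to spam. The script below is an added example (my own code, not part of GoPhish or of this guide's original tooling): it validates SPF, DMARC and DKIM TXT values and joins the split quoted chunks of opendkim's mail.txt, which people routinely paste only half of. The sample records and the 203.0.113.10 address are constructed; in practice, feed it the TXT values your resolver actually returns.

```python
import re

# Mechanisms and modifiers that cost a DNS lookup; SPF allows at most 10 (RFC 7208).
_LOOKUP = re.compile(r"^[+\-~?]?(include:|a$|a[:/]|mx$|mx[:/]|ptr|exists:|redirect=)", re.I)


def check_spf(txt: str, vps_ip: str) -> list:
    """Return the problems found in an SPF TXT record; an empty list means it passes."""
    problems = []
    terms = txt.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF record must start with 'v=spf1'"]
    if not any(t.lower() in (f"ip4:{vps_ip}", f"ip4:{vps_ip}/32") for t in terms):
        problems.append(f"sending IP {vps_ip} is not authorized by any ip4: mechanism")
    if terms[-1].lower() not in ("~all", "-all"):
        problems.append("record should end with '~all' or '-all' ('+all' or no 'all' term authorizes any sender)")
    lookups = sum(1 for t in terms[1:] if _LOOKUP.match(t))
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup terms exceed the limit of 10 (permerror)")
    return problems


def _tags(txt: str) -> dict:
    """Parse the 'k=v; k=v' tag lists used by DMARC and DKIM records."""
    out = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            out[k.strip().lower()] = v.strip()
    return out


def check_dmarc(txt: str) -> list:
    problems = []
    if not txt.strip().lower().startswith("v=dmarc1"):
        return ["DMARC record must start with 'v=DMARC1'"]
    tags = _tags(txt)
    if tags.get("p") not in ("none", "quarantine", "reject"):
        problems.append("missing or invalid 'p=' policy (none, quarantine or reject)")
    if not tags.get("rua", "").lower().startswith("mailto:"):
        problems.append("no 'rua=mailto:' address, so you will receive no aggregate reports")
    return problems


def extract_txt_value(zone_text: str) -> str:
    """Join the quoted chunks of a BIND-style TXT record such as opendkim's mail.txt."""
    return "".join(re.findall(r'"([^"]*)"', zone_text))


def check_dkim(txt: str) -> list:
    problems = []
    tags = _tags(txt)
    if tags.get("v", "DKIM1").upper() != "DKIM1":
        problems.append("'v=' must be DKIM1 when present")
    if tags.get("k", "rsa").lower() != "rsa":
        problems.append(f"key type '{tags.get('k')}' is not rsa")
    if not tags.get("p"):
        problems.append("empty 'p=' means the key is revoked; paste the public key")
    if "y" in tags.get("t", "").lower().split(":"):
        problems.append("t=y (test mode from opendkim-genkey -t) is still set; remove it once signing works")
    return problems


# Constructed sample values (not from any real domain).
VPS_IP = "203.0.113.10"
SAMPLE_SPF = "v=spf1 ip4:203.0.113.10 ~all"
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com"
# The shape opendkim-genkey writes to mail.txt; the public key is a truncated placeholder.
SAMPLE_MAIL_TXT = ('mail._domainkey\tIN\tTXT\t( "v=DKIM1; h=sha256; k=rsa; t=y; "\n'
                   '\t  "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...PLACEHOLDER" )'
                   '  ; ----- DKIM key mail for yourdomain.com')


def preflight(spf: str, dmarc: str, dkim_zone: str, vps_ip: str) -> dict:
    """Run all three checks; any non-empty list is a reason not to launch yet."""
    return {
        "spf": check_spf(spf, vps_ip),
        "dmarc": check_dmarc(dmarc),
        "dkim": check_dkim(extract_txt_value(dkim_zone)),
    }


if __name__ == "__main__":
    for name, issues in preflight(SAMPLE_SPF, SAMPLE_DMARC, SAMPLE_MAIL_TXT, VPS_IP).items():
        print(f"{name:5s} {'OK' if not issues else issues}")
```

On the sample data the SPF and DMARC records pass and DKIM is flagged only for the t=y test flag, which is exactly the state you are in right after running the opendkim-genkey command above.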
Step 3: Create Your First Campaign in GoPhish
Open an SSH tunnel to reach the admin panel:
ssh -L 3333:127.0.0.1:3333 user@YOUR_VPS_IP
Then open https://localhost:3333 in your browser. GoPhish organizes campaigns around four objects you configure once and reuse:
- Sending Profile — your SMTP server details: host, port, credentials, and the From address recipients will see.
- Email Template — the phishing email HTML. Effective starting points: an IT password reset notice, a shared document notification from a familiar tool like SharePoint, or an HR benefits update.
- Landing Page — the page users hit after clicking. Import your company’s real login page HTML, then drop in GoPhish’s tracking pixel. Add a redirect to a real training page after form submission.
- Users & Groups — import your target list as a CSV with four columns.
# Example users.csv format (addresses are placeholders; use your employees' real mailboxes)
First Name,Last Name,Email,Position
John,Smith,john.smith@example.com,Developer
Sarah,Lee,sarah.lee@example.com,Accountant
Mike,Jones,mike.jones@example.com,HR Manager
Step 4: Interpret Results and Build Training
After your campaign window closes — 72 hours works well for most teams — GoPhish gives you a per-user breakdown: email opened, link clicked, credentials submitted. Export the CSV immediately for your records.
Segment your follow-up by risk level:
- Submitted credentials — highest risk. These users need a direct conversation, not just a training video link.
- Clicked but didn’t submit — medium risk. A focused module on spotting fake login pages addresses the specific gap.
- Opened but didn’t click — low risk. Acknowledge it. People who hover over links and check URLs are doing exactly what you want.
- Didn’t open — check spam folders first. If emails delivered correctly, this group is either very cautious or has tuned out email entirely, which creates a different kind of exposure.
Run the identical campaign template again 90 days later against the same group. The drop in click rate is your measurable outcome. That number is what you bring to management when the security budget conversation comes up.
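Doing that segmentation by hand gets old by the second quarter. The script below is an added example (my own code, not something GoPhish ships) that reads the exported results CSV, buckets each recipient into the tiers above, and computes the click-rate drop between the baseline run and the 90-day re-run, along with the people who submitted credentials both times. The two CSV snippets are constructed; the column names and the status strings ("Email Sent", "Email Opened", "Clicked Link", "Submitted Data") follow GoPhish's export as I know it, so verify them against your own file. Rows are read by header name, so column order does not matter.

```python
import csv
import io

# Per-result status strings as GoPhish assigns them, mapped to the follow-up tiers above.
STATUS_TIER = {
    "Email Sent": "did_not_open",
    "Email Opened": "opened_only",
    "Clicked Link": "clicked_only",
    "Submitted Data": "submitted",
}
DELIVERED_TIERS = ("submitted", "clicked_only", "opened_only", "did_not_open")

# Constructed sample exports: the baseline run and the identical template re-run 90 days later.
BASELINE_CSV = """Id,Status,IP,Latitude,Longitude,Send Date,Reported,First Name,Last Name,Email,Position
1,Submitted Data,198.51.100.7,0,0,2024-01-15T09:00:00Z,false,John,Smith,john.smith@example.com,Developer
2,Submitted Data,198.51.100.8,0,0,2024-01-15T09:00:00Z,false,Sarah,Lee,sarah.lee@example.com,Accountant
3,Clicked Link,198.51.100.9,0,0,2024-01-15T09:00:00Z,false,Mike,Jones,mike.jones@example.com,HR Manager
4,Email Opened,,0,0,2024-01-15T09:00:00Z,false,Ana,Costa,ana.costa@example.com,Designer
5,Email Sent,,0,0,2024-01-15T09:00:00Z,false,Li,Wei,li.wei@example.com,Sales
6,Email Sent,,0,0,2024-01-15T09:00:00Z,false,Omar,Haddad,omar.haddad@example.com,Support
"""

FOLLOWUP_CSV = """Id,Status,IP,Latitude,Longitude,Send Date,Reported,First Name,Last Name,Email,Position
7,Submitted Data,198.51.100.7,0,0,2024-04-15T09:00:00Z,false,John,Smith,john.smith@example.com,Developer
8,Email Opened,,0,0,2024-04-15T09:00:00Z,true,Sarah,Lee,sarah.lee@example.com,Accountant
9,Email Opened,,0,0,2024-04-15T09:00:00Z,false,Mike,Jones,mike.jones@example.com,HR Manager
10,Email Sent,,0,0,2024-04-15T09:00:00Z,false,Ana,Costa,ana.costa@example.com,Designer
11,Email Sent,,0,0,2024-04-15T09:00:00Z,false,Li,Wei,li.wei@example.com,Sales
12,Email Sent,,0,0,2024-04-15T09:00:00Z,false,Omar,Haddad,omar.haddad@example.com,Support
"""


def segment(csv_text: str) -> dict:
    """Bucket recipients by risk tier; 'reported' lists anyone who flagged the email."""
    tiers = {t: [] for t in DELIVERED_TIERS + ("reported",)}
    for row in csv.DictReader(io.StringIO(csv_text)):
        tier = STATUS_TIER.get(row["Status"])
        if tier is None:  # Error / Scheduled / Sending: the test never reached them
            continue
        tiers[tier].append(row["Email"])
        if row.get("Reported", "").strip().lower() == "true":
            tiers["reported"].append(row["Email"])
    return tiers


def click_rate(csv_text: str) -> float:
    """Percent of delivered emails whose recipient clicked, with or without submitting."""
    s = segment(csv_text)
    delivered = sum(len(s[t]) for t in DELIVERED_TIERS)
    if delivered == 0:
        return 0.0
    return 100.0 * (len(s["submitted"]) + len(s["clicked_only"])) / delivered


def compare(baseline_csv: str, followup_csv: str) -> dict:
    """The number for the budget conversation: the click-rate drop in percentage
    points, plus repeat credential submitters who need a direct conversation."""
    before, after = click_rate(baseline_csv), click_rate(followup_csv)
    repeat = set(segment(baseline_csv)["submitted"]) & set(segment(followup_csv)["submitted"])
    return {
        "baseline_click_rate": round(before, 1),
        "followup_click_rate": round(after, 1),
        "drop_points": round(before - after, 1),
        "repeat_submitters": sorted(repeat),
    }


if __name__ == "__main__":
    for tier, emails in segment(BASELINE_CSV).items():
        print(f"{tier:13s} {len(emails):2d}  {', '.join(emails)}")
    print(compare(BASELINE_CSV, FOLLOWUP_CSV))
```

The denominator is delivered emails only, so a batch that errored out at the MTA does not inflate your apparent improvement; the "did_not_open" group is where the spam-folder check from the list above starts.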
Step 5: Automate Recurring Campaigns via the API
GoPhish’s REST API makes it straightforward to schedule campaigns programmatically. A minimal Python example using requests:
import requests
import urllib3

API_KEY = "your-gophish-api-key"
BASE_URL = "https://localhost:3333/api"

# The admin panel serves a self-signed cert, so verification is disabled below;
# silence the warning here, or pass verify="gophish_admin.crt" if the cert's name
# matches the host you connect to.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

headers = {
    "Authorization": f"Bearer {API_KEY}",
    "Content-Type": "application/json",
}

# Get all campaigns
response = requests.get(f"{BASE_URL}/campaigns/", headers=headers, verify=False)
response.raise_for_status()  # fail loudly on a bad API key instead of on a missing field
campaigns = response.json()

for c in campaigns:
    print(f"Campaign: {c['name']} | Status: {c['status']}")
From there, it’s a short step to a quarterly cron job that auto-creates campaigns, pulls the latest employee list from your HR system, and fires a Slack notification when the campaign window closes.
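Creating the campaign itself is a POST to the same API. The following is an added example (my own code, not GoPhish's client library) written against the standard library only, so the cron job carries no dependency on requests. The request body follows the shape in GoPhish's API documentation, where the template, landing page, sending profile and groups are referenced by name; the object names, the landing URL, the admin address and the first-day-of-quarter schedule are assumptions.

```python
import json
import ssl
import urllib.request
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed deployment values: the admin panel behind the SSH tunnel from Step 3.
BASE_URL = "https://localhost:3333/api"
API_KEY = "your-gophish-api-key"


def quarterly_launch(year: int, quarter: int, hour_utc: int = 9) -> datetime:
    """First day of the quarter at hour_utc; an assumed schedule for the cron job."""
    return datetime(year, 3 * (quarter - 1) + 1, 1, hour_utc, tzinfo=timezone.utc)


def build_campaign_payload(name: str, *, template: str, page: str, smtp: str,
                           groups: list, url: str, launch: datetime,
                           send_window_minutes: int = 60) -> dict:
    """Body for POST /api/campaigns/. send_by_date spreads delivery over a window
    instead of one burst your MTA may rate-limit; the 72-hour observation window
    is separate, because GoPhish never closes a campaign on its own (call
    GET /api/campaigns/<id>/complete when the window ends, then read /summary)."""
    if launch.tzinfo is None:
        raise ValueError("launch must be timezone-aware; the API expects RFC 3339 timestamps")

    def rfc3339(d: datetime) -> str:
        return d.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

    return {
        "name": name,
        "template": {"name": template},
        "page": {"name": page},
        "smtp": {"name": smtp},
        "url": url,
        "launch_date": rfc3339(launch),
        "send_by_date": rfc3339(launch + timedelta(minutes=send_window_minutes)),
        "groups": [{"name": g} for g in groups],
    }


def build_request(path: str, payload: Optional[dict] = None, base_url: str = BASE_URL,
                  api_key: str = API_KEY) -> urllib.request.Request:
    """Authenticated request: POST when a body is given, GET otherwise."""
    data = json.dumps(payload).encode() if payload is not None else None
    return urllib.request.Request(
        f"{base_url.rstrip('/')}/{path.lstrip('/')}",
        data=data,
        method="POST" if data is not None else "GET",
        headers={"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"},
    )


def admin_tls_context(cert_path: Optional[str] = None) -> ssl.SSLContext:
    """Trust the self-signed admin cert explicitly when its path is given (works
    when the cert's name matches the host you connect to); otherwise skip
    verification, which is what verify=False did in the requests version."""
    if cert_path:
        return ssl.create_default_context(cafile=cert_path)
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def call_api(req: urllib.request.Request, ctx: ssl.SSLContext):
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)


def campaign_finished(campaign: dict) -> bool:
    """True once the campaign status is 'Completed'; the trigger for the Slack post."""
    return campaign.get("status") == "Completed"


if __name__ == "__main__":
    payload = build_campaign_payload(
        "Q2 password-expiry drill", template="IT Password Reset",
        page="SSO Login Clone", smtp="Helpdesk Profile", groups=["All Staff"],
        url="https://it-helpdesk-portal.com", launch=quarterly_launch(2024, 2))
    ctx = admin_tls_context()  # or admin_tls_context("/opt/gophish/gophish_admin.crt")
    created = call_api(build_request("campaigns/", payload), ctx)
    print("created campaign id", created["id"])
```

The employee list refresh and the Slack message plug in around this: import the HR export as a group via POST /api/groups/ before the launch date, and poll `campaign_finished` on GET /api/campaigns/<id> after you have called the complete endpoint.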
Running Simulations Responsibly
Get written authorization from leadership and HR before a single test email goes out. Document the scope explicitly: which employees, which departments, the exact timeframe. Keep that document somewhere you can pull up in under 30 seconds. Because at some point, an executive will call the IT helpdesk to report a suspicious email — and it’ll be yours. Having paperwork ready turns that moment from awkward to routine.
Set the right tone before launch. The goal isn’t to catch people and embarrass them — it’s to find gaps and close them. People who understand why the program exists take follow-up training seriously. Those who feel ambushed get defensive and stop reporting suspicious emails altogether, which is the opposite of what you’re trying to build.
GoPhish gives you the measurement layer. The actual behavior change comes from how you communicate results, who designs the training, and how consistently you run the program. The click rate is just a number. What you do with it is the program.

