Phishing simulators let you create fake websites. Here we focus on tools that let you actually run a phishing campaign on your own, for example by creating and sending at least one phishing email to a real recipient.
Top 9 Phishing Simulators
1. Gophish
Gophish is an open-source phishing platform that is supported on most operating systems. Installation is as simple as downloading and extracting a ZIP folder. The interface is simple, and the features, while limited, are thoughtfully implemented. Users are easily added, either manually or via CSV import. Email templates are easy to create and modify. None are included, though a community-supported repository has been initiated. Creating campaigns is a straightforward process, and reports are pleasant to look at and can be exported to CSV format with various levels of detail. Major drawbacks: no awareness education components and no campaign scheduling options.
2. LUCY
LUCY makes downloading the free version of its platform very easy. All you need to provide is your email address and name. Then you can download LUCY as a virtual appliance or a Debian install script. The web interface is attractive.
There are also lots of features to explore. LUCY is a social engineering platform that goes beyond phishing. The awareness element is there as well, with interactive modules and quizzes. Some important features are not available under the community license, such as exporting campaign stats, performing file attacks, and, most importantly, campaign scheduling options. As a result, the free version of LUCY gives you a taste of what the paid version is capable of, but doesn’t go much farther than that.
3. SecurityIQ PhishSim
SecurityIQ by InfoSec Institute includes a phishing simulation tool called PhishSim. PhishSim contains a library of 1,000+ phishing templates, attachments and data entry pages. PhishSim templates are added weekly, allowing you to educate employees on the most topical phishing scams. If you want to build your own phishing emails, PhishSim has a custom template builder, so you can build your phishing campaigns to your exact specification.
Signing up for a free SecurityIQ account gets you full access to the PhishSim template library. But you’ll need to speak with a SecurityIQ representative for the ability to send phishing emails.
4. King Phisher
This is an open-source solution from SecureState. With it, we enter the category of more sophisticated products. King Phisher's many features include the ability to run multiple campaigns simultaneously, geolocation of phished users, web cloning capabilities, and more. A separate template repository contains templates for both messages and server pages. The user interface is clean and simple. However, installation and configuration are not as simple as the interface. The King Phisher server is supported only on Linux, with additional installation and configuration steps required depending on flavor and existing configuration.
5. Simple Phishing Toolkit (sptoolkit)
This solution may be lacking in GUI attractiveness compared with some of the previous entries, but one important feature puts it high on our list. Simple Phishing Toolkit provides an opportunity to combine phishing tests with security awareness education, with a feature that directs phished users to a landing page with an awareness education video. Moreover, there is a tracking feature for users who completed the training. Unfortunately, the sptoolkit project was abandoned back in 2013. A new team is trying to give it new life, but the documentation is scarce and scattered all over the internet, which makes a realistic implementation in an enterprise environment a difficult task.
6. Phishing Frenzy
This is an open-source Ruby on Rails application that is useful as a penetration testing tool. It also has many features that could make it an effective solution for internal phishing campaigns. Perhaps the most important feature is the ability to view detailed campaign stats and easily save the information to a PDF or an XML file. You can probably guess the “however” part that’s coming up: Phishing Frenzy is a Linux-based application, and its installation is not a job for a beginner.
7. SpeedPhish Framework (SPF)
This phishing simulator was created by Adam Compton. SPF includes many features that allow you to quickly configure and perform effective phishing attacks, including a data entry attack vector. While a tech-savvy security professional can have a lot of fun with SPF and will be able to run phishing campaigns against multiple targets, it is still mainly a pentesting tool, with many great features (such as email address gathering) being of little importance for someone performing internal phishing tests.
8. Social-Engineer Toolkit (SET)
Another phishing simulation tool, this one from TrustedSec, is the Social-Engineer Toolkit. As its name suggests, it is a tool for performing various social engineering attacks. For phishing, SET allows for sending spear-phishing emails and running mass mailer campaigns, and offers some more advanced options, such as flagging your message with high importance and adding a list of target emails from a file. SET is Python-based, with no GUI. As a penetration testing tool, it is very effective. As a phishing simulation solution, it is very limited and does not include any reporting or campaign management features.
9. SpearPhisher BETA
This is one phishing simulator that isn’t trying to deceive anyone, if we forget its phishing targets. Developed by TrustedSec, SpearPhisher says it all right in the description: “A Simple Phishing Email Generation Tool,” with an emphasis on “simple.” It is useful for non-technical users. SpearPhisher is a Windows-based program with a straightforward GUI. It allows you to quickly craft a phishing email with customized From Email, From Name, and Subject fields, and includes a WYSIWYG HTML editor and an option to include one attachment. You can send the crafted email to several recipients by adding email addresses to the To, CC, and BCC fields. The program has been in beta since 2013, so it’s not likely to see any updates in the near future.
We hope this tutorial helps you make your decision and choose the tool that best meets your needs. Don’t hesitate to leave a comment if you run into any problems.