Gophish Reviews

My main use case for Gophish is for employee awareness within the company, and I use it for phishing campaigns.

I create emails to raise employee awareness and send them to see if employees end up clicking. If they click, I reach out to them after finishing the campaign and conduct awareness work so they do not fall for phishing.

I configure Gophish within our Office 365 and proceed with the campaigns, sending emails similar to Microsoft's, emails similar to service providers', and I analyze the results. If someone falls for it, I then handle awareness together with that person.

The main point of Gophish is the automated sending, as I can send to several email addresses at once by uploading a list of emails.

I also consider the SMTP configuration of the server from which I send the emails to be a differentiator because it is very simple to do.

With Gophish, I am able to work in a more appropriate way on phishing awareness, and I am also able to make employees aware in an easy and appropriate way because they see how a phishing attack works in a real way. This allows them to become aware in a more practical way.

I did notice a measurable change as employees are more aware of phishing and the number of incidents has decreased because they now know how phishing works.

Gophish can be improved by adding more languages and maybe a web version for it, a SaaS platform.

I rate it a seven because of the improvements I mentioned. I think if it were a SaaS platform and had more languages, including Brazilian Portuguese, it might be a ten.

I have been using Gophish for around three years.

Gophish is stable.

Gophish's scalability is good today and does not cause problems, and I can work with it.

I have never needed to use Gophish's customer support.

I did not use another solution and only use Gophish.

My experience with pricing, setup costs, and licensing has been great. There are no costs since Gophish is publicly licensed software, and it was easy to implement because there are no costs.

We do not have any business relationship with this vendor besides being a customer.

I have gotten a return on investment.

There are no costs since Gophish is publicly licensed software, and it was easy to implement because there are no costs.

I evaluated some options on the market before choosing Gophish, but the cost was very high. I chose Gophish because it has a relatively low cost and features that are more appropriate for what I need on a daily basis.

My advice to others who are thinking about using Gophish is to use it because it is a very practical tool for running phishing tests, it is very easy to configure, and it is free. I would rate this product a seven out of ten.

My main use case for Gophish is internal assessment for my small company and for low budget clients.

The best features Gophish offers are that it is free and it can detect if the user reads the email, clicks the email, and submits the info in your attachment. The best aspect is that it can save your data, but it needs to be configured manually. It is a little bit tricky, but eventually you will get through it. You can refer to many resources on the internet such as any community or GitHub.

Out of those features, I find most valuable the ability to use a campaign multiple times. I can copy the campaign and change just a little bit, so I can eventually have less hard work, such as just changing the recipient and domain for my other clients or other targets.

For Gophish's impact, particularly for my company, I am not sure. However, from a technical perspective, I understand many things. From the company's side, they see it as a good tool for internal phishing.

Regarding how Gophish can be improved, the latest update is from 2022. I am not sure if the creator is still updating it or if other contributors want to improve it. What I can say is that currently you should make sure all the features are usable and update the documentation. There are some features that are there but not usable, so just double-check all the current features and fix them.

There is a feature in the dashboard where you can see if the user is reporting the email or not. I found out that the function is not working well because I have followed the documentation and the Reddit community and other communities that I found on the internet to make sure that the reporting indication is working well. I tried it myself to report and it did not show that I have reported it in Gophish. Other than that, the rest is working well.

I have been using Gophish for one year.

Gophish is stable. It depends on your hosting and your configuration settings.

The scalability of Gophish also depends on your hosting. If your hosting has basic features, you can handle a basic amount of employee emails. If you are targeting many more targets, you have to upgrade.

There is no customer support for Gophish.

I have no previous solution, but after using Gophish, I know another solution such as KnowBe4.

Since Gophish is a framework that is free or open source, I need to set up many things manually, such as hosting. I am using public hosts such as AWS. I need an email delivery service. I use Mailgun, and I can also use other frameworks for phishing assessment such as Evilginx. I can sometimes do it with Evilginx and sometimes I am not using Evilginx. That is basically the part that needs a basic setup for Gophish. If one of these is not there, then eventually you cannot do Gophish.

What I learned from using Gophish is to set up hosting for Gophish, set up an email delivery service, set up a domain into AWS, and learn more technical things in AWS and Amazon.

It needs really few employees, which is very money saving. Time saving is something where you need to invest some time, especially if you are newly into the niche. So far for return on investment, for me, it is really return on investment. For project-based investment, it is also a return, but there are more capable and better paid frameworks that can do better than Gophish.

For pricing for the domain, it is cheap in Malaysian currency. For hosting, you need to really target how long you want to do it or the cost will be high. The pricing is very affordable; I can say less than ten dollars. Since Gophish is free, it has no licensing.

I did not purchase Gophish. I just purchased hosting services.

Before choosing Gophish, I found that Gophish is a good framework, better than others.

I am not sure what else to add about how I use Gophish for these assessments, but that is all I do with hosting using public hosts. My advice to others looking into using Gophish is to use it and good luck. You can do it. I think all works perfectly with Gophish. I would rate this product eight out of ten.

Public Cloud

Amazon Web Services (AWS)

My main use case for Gophish is sending phishing emails. The main benefit of using Gophish in phishing campaigns is the monitoring panel because sending emails by other methods already exists through other tools. The ease of configuration and the visual feedback in the tool is what makes me want to use Gophish.

In my opinion, the best features that Gophish offers are the customized dashboard.

The customized dashboard makes my work easier and brings benefits to the monitoring of campaigns because quick access and the information laid out in a user-friendly way allow me to monitor all campaigns in a single place.

Gophish has had a positive impact on my organization by using a tool that has an open-source version. We can start phishing campaigns that until a short time ago were not carried out. In addition, it is a tool with good features and a good dashboard but free, so it got everyone here excited.

I notice it in the team; people are a little more excited to configure, parameterize, and send new campaigns from within Gophish.

I believe that Gophish can be improved by increasing the number of possible integrations. However, the main point would be to make Gophish modular in relation to the campaigns that are carried out in order to allow it to be used not only in pentests or phishing pentests but also in Red Team Operations. For that, there is a need to make it more targeted and to configure stealth features.

I have been using Gophish for around six months.

Gophish is stable.

I cannot answer that question with certainty because I have not had the need to scale.

At my current company, I do not use another solution.

Gophish is deployed in my organization on a local server.

My experience with pricing, setup costs, and licensing is very pleasant as I have only tested the open-source version.

I did not evaluate others before choosing Gophish because I had already taken a course on Gophish and I liked the tool, so I went straight to it.

I would say not to think twice and to use Gophish; it is a good tool with excellent features and a good dashboard, so there is no reason to keep looking elsewhere. I would rate this product 8 out of 10.

On-premises

Other

Gophish is used in my current company and in my previous one for anti-phishing campaigns, awareness campaigns, and training in the company.

In our last campaign, for example, we created a fake iFood ad where the user had to click on the link. This link would take them to a login screen for our corporate email. After entering their information, they received an alert saying they had fallen for a phishing attempt, with a link for them to join a training campaign. All of this with analysis was created within Gophish.

Gophish, despite being a free tool, fits very well because it has all the features we need, from creating landing pages and creating the email to tracking the click traffic and the ingestion of information. We stopped spending on a paid tool and can redirect that budget to other needs. All thanks to Gophish, which is a complete and free tool.

All features are useful, from uploading recipients in bulk to creating landing pages, creating emails, and having tracking of the entire email trail. I can track sending, receiving, clicking on the link, managing information, and whether the person then joined the training campaign. All these items in Gophish are absolutely valuable.

With the tracking of the email trail, I can truly know the campaign's adherence, if it was received, if it was read, and if data was input. After the data was input, I can see what the user did. I have a complete mapping of the phishing campaign to know whether it was really accurate and met our expectations.

I don't see anything that Gophish needs to improve within the scope of a free tool. An integration with Active Directory and Azure AD for login would be interesting.

Gophish is a great tool; for what it proposes, it delivers. I would also suggest an improvement regarding recipients. When I send to more than 300 recipients, I am forced to split it into several sends because the tool doesn't behave effectively and freezes.

I have been in my field for 8 years.

From the first moment I looked for a good, robust, and free phishing campaign solution, Gophish was the first and only one I used. I have never had problems with it.

It scales effectively. The only problem is the issue with recipients. If I have a list with more than 300 recipients, I am forced to split it into several blocks.

I have never needed support.

I didn't have any problems because the setup has a lot of documentation, there is support, and I didn't have any licensing because we use the free version.

It made it possible for us to direct financial and human resources toward training, hiring training tools, hiring support to improve the security of the environment.

Since it is a free tool, I had no costs. However, it brought me several strategic advantages for directing resources.

I don't remember specifically which alternatives were evaluated, but others were considered and we did not proceed with them.

Go for it. Gophish is a good, complete tool that delivers everything it promises and is efficient. This review receives a rating of 10.

On-premises

Other

My primary use case for Gophish is using it extensively for anti-phishing campaigns and awareness campaigns with employees. I believe it is an excellent tool to train users against phishing emails and awareness in general, as well as to understand how users are behaving when they receive a phishing email, if they end up clicking on that email, if they click on the links in that email, and if they end up entering information. I am able to have that level of granularity with Gophish.

The best features that Gophish offers are the ability to track these metrics in a detailed way. This includes the number of emails sent, the number of emails opened, the number of emails that were opened and had the link accessed, the number that had information entered, and the users who reported that email as phishing. The ability to customize this email as well, making it more professional-looking and less like a phishing email, is valuable. You can parameterize it using HTML, CSS, and some basic JavaScript, and you can do some cool things such as pointing to a link. In my case, I used a staging infrastructure and I was able to deploy what I needed, which was an authentication screen. I basically made a form with username, password, and a login button, actually simulating logging into the corporate system. You can format this entire email and much more. With this tracking, you can also send various campaigns in a targeted way. If you want to target, say, the sales team, support, development, the board of directors, HR, and human resources, and so on, you have that capability. I think Gophish is a fantastic tool that, at least for my use case, worked perfectly.

Gophish had a positive impact on my organization because I was able to run awareness campaigns, measure and present the data to the board, and also do more targeted work with users who were, let's say, more careless with entering sensitive information. Gophish itself gives us these metrics directly. The number of emails sent, opened, links clicked, information entered, and emails reported are all available directly through Gophish. Based on these metrics, I processed them and put them into an executive report, which I presented to the board so that we could also move forward with other layers of security and improvements, mainly focused on users.

Gophish can be improved in that it is an open-source solution and there is a bottleneck issue related to sending emails. You basically have to provide an external service and set up a connection to actually send the emails. You need a third-party service to make this connection so that you can actually use the full capabilities of Gophish. This part specifically is really complex and difficult. I think there could be options within Gophish itself that allow you to handle this in a more streamlined way. Of course, Gophish is a tool more obviously geared toward the IT team that will do all the configurations and create all the pages and contexts. However, the email-sending part, where I needed to use an external service, is a bottleneck that the development team could look into regarding how it might be improved.

I think Gophish could natively include templates for use in campaigns because you currently have to develop the whole campaign yourself. If you also had some pre-built email templates, maybe with the ability to integrate some AI agent, that would be an interesting feature as well. I believe the main improvement would be the inclusion of templates that you can use as pre-built models so you can get started faster with Gophish and also address the email-sending issue.

I have been using Gophish for about two years.

Gophish is stable.

The scalability of Gophish is very good, and I was impressed with it.

Gophish's customer support is not something I investigated deeply since it is an open-source solution. Of course, you have the community on GitHub and many ways to research. There is also Gophish documentation, which I saw exists. However, Gophish is a very intuitive tool, so it does not raise major questions. I did not need any support from their team.

There is no licensing cost, and because Gophish is open source, it gives you the flexibility to customize the tool itself the way you want. I do not give it a 10 because it is missing some refinements. For example, having some templates already available so you can get started faster would be helpful. Sometimes having ways to integrate email sending directly with some of the more popular services would also be useful, or enabling you to do everything you need directly on the platform without needing, as I did in my case, a third-party service for mass email sending.

Gophish is deployed in my organization in a public cloud. I use AWS as my cloud provider. I did not acquire Gophish through the AWS Marketplace.

I have seen a return on investment with Gophish because I was able to run a phishing-awareness campaign in a cost-effective way. That is, I did not need to spend money on licenses or invest time in developing a technology or solution for this. The benefits were practically immediate. I configured and customized everything in about two days. Obviously, it was not two full days; it was part of one day and part of the next to configure and customize everything I needed. The return was very high. I was able to generate an executive report, present it to the board with an action plan, and then execute that action plan, which was to guide employees, especially focusing on those who fell for the phishing.

My experience with Gophish regarding pricing, setup costs, and licensing is that because it is an open-source tool, I did not have any costs related to licensing with it.

Before choosing Gophish, I did look at SaaS solutions on the market and ready-made solutions. However, since the nature of the solution is phishing awareness campaigns, it is understood that I am not going to be doing this every month because otherwise users will say they already know this is phishing. When a real phishing attack comes, they might actually be more likely to fall for it. I believe it has to be targeted; you have to catch users by surprise. I do it periodically, but not on fixed intervals, that is, not exactly every two months or every three months, but every certain period of time I end up using Gophish.

My advice to others who are thinking about using Gophish is that, especially in my context, which is a small company with about 50-plus employees, you should take into account the users' skill level and maybe run awareness campaigns even beforehand, informing users in advance, and then after some time, plan the execution and how you will actually use Gophish. I believe it will meet many of the scenarios that exist in the market today, at least for small companies. For small companies with about 10 to 50 employees, it works perfectly. Below that, you can still use it, but if you have very few employees, perhaps direct interaction or even creating an email yourself and sending it to the user to see if they will click on it or not, might even be faster. If you think about a very small team, you may not have any IT person at all. If it is a very large company, maybe a commercial solution will deliver more features that might be interesting for large enterprises. You have to analyze each situation based on your objectives and what you expect from the solution and what your goals are. If you want to run an awareness campaign, as in my case, and know your users' level of whether they are likely to click on the link, report it to the IT team, enter information, and especially what you do after completing the campaign, I think that is essential. You can get these metrics and deliver everything that is needed. I would rate my overall experience with Gophish as a 9 out of 10.

Public Cloud

My main use case for Gophish is for penetration testing on cybersecurity with phishing links and others. We used Gophish to test the mindset of different users in the company. We used Gophish to send intrusion links and links by email, for example, links supposedly from sites they visit or related to their Facebook or Instagram account.

We determined the number of people who clicked on the link, those who reported it before clicking on the link, and those who did not click on the link. It was a survey campaign that we conducted after an awareness session that we carried out with the different users of the company.

The best features offered by Gophish stand out to me as most valuable because we can design virtual sites for intrusions, especially with cybercrime testing with phishing awareness. We have a backlog where we can monitor the number of links clicked and the number of links not clicked.

These elements are useful to me with Gophish because we actually understand the mindset of users after the awareness session, whether they have already absorbed the advice that was given to them. Through the phishing and penetration testing we conducted, Gophish has had a major positive impact on my organization, especially in my department, because we were able to find out whether the different users already understood the concept of phishing.

For the moment, I have nothing to suggest about Gophish; the application works very well and it offers many features. As you progress, you discover more and more options. I chose a rating of eight because there are always options to add and there are always upgrades that will be made.

I have been using Gophish for a month.

One piece of advice I give to those who need to use Gophish is to be patient and read extensively. If necessary, even follow user manuals to better grasp Gophish's functionality.

Gophish is a good structure and a good technological innovation that deserves to be studied and much better known by the world because not everyone knows Gophish. Gophish is good and the structure is solid. I gave this product a rating of eight out of ten.

On-premises

Other

My main use case for Gophish is to create phishing campaigns and to test, mostly for phishing simulation across organizations. I create custom templates when I set up those phishing campaigns, and I also set up the campaign according to the departments.

One of the best features I like in Gophish is the site importation feature that allows you to import sites by simply pasting the URL of any existing landing page in order to automatically get the HTML and CSS content, a clone of it.

Another feature I find valuable is the built-in credential harvesting feature which allows you to harvest credentials when it comes to your phishing simulations.

Gophish has really improved security awareness in my organization. As we conduct phishing simulations, we also make sure we conduct awareness training alongside them. After the phishing simulation that we do, with the results that we get, we make sure we do the necessary remediations and take the necessary actions. For instance, if we realize that a particular person is a victim to the phish test that we conducted, what we do is educate the person and train the person so that the person becomes aware of phishing and aware of their security, and also helps them have some form of knowledge when it comes to their security.

I cannot give exact numbers, but what I can say is there has been a reduction in phishing. There has been a reduction in interaction with phishing emails, so most people have become aware now. Whenever they see a phishing email, they really know that it is a phishing email based on certain features that we have taken them through in order for them to identify whether an email is phishing or not. We have made them aware and also utilized the tool in order to help them have a feel of how it works in the real world. We taught them features such as typo-squatting and many other techniques.

I wish you could add AI features to Gophish, because since AI is a new thing, I think leveraging it in the tool is going to help a lot. It is going to make work easier and faster, for instance, when it comes to setting up the phish.

An improvement that could be done would be expanding the tool beyond phishing, adding other multi-channel attacks such as deepfake voice scams, vishing, or smishing. Adding other features when it comes to social engineering would be beneficial.

Although the tool is very good, I think there could be some improvements, especially when it comes to leveraging AI for testing and also when it comes to the expansion beyond email phishing.

I have been using Gophish for about two years now.

Gophish is very stable and highly stable.

Gophish is highly scalable and very scalable.

I have never reached out to customer support before. What I normally do is research, sometimes read the documentation, or sometimes go through some YouTube videos to find my way around things instead of contacting support directly. If I do everything that I have already said and it does not work out, the next thing I tend to do is contact customer support. As of now, I have never contacted customer support before.

Another tool that I have used was Evilginx, but I did not switch. I think I like using Gophish because it is a lot simpler, simple to use, and simple to set up.

For others looking into Gophish, my advice to them is for them to really start using it. They should not be wasting time on planning. As long as they have the mentality that they are going for Gophish, they should just start using the tool and stop planning. This is because the tool is very great. When it comes to scalability, when it comes to setting up phishlets, everything has been made simple. I think, especially for those who are now starting with phishing, this would be a great start because you can clone other websites easily and do many other actions easily. Setting up a campaign is also very simple. Gophish has made the user experience very easy for its users, and that is a good thing. I rate this product a nine out of ten.

On-premises

I am using Gophish for awareness training for my employees in my company. My main use case for Gophish is because it is easy to set up, easy to use, and very user-friendly.

I really appreciate using Gophish. I was offered many platforms, but I chose Gophish because it is open-source. With open-source software, there are modifications you can add so you can use it in your own way. Gophish is open-source and non-paid, which provides cost savings for the company. According to the summary, 3% of my employees are aware and the other 97% are not aware. This has made it easier for me to create a report on how the users in my organization use the internet in terms of security.

Gophish has a management model that displays a good dashboard. You can see the number of employees who received the link, those who opened it, those who clicked it, and more. I really appreciate this feature.

Gophish is very easy to use and user-friendly. I deployed it in less than 30 minutes. It is a platform that is one of the best because you can deploy it in less than 30 minutes. You can find appliances on the internet that are ready to use.

The improvement I want to be made to Gophish is at the DNS level. When a user receives the link and clicks on it, I want to get feedback to confirm exactly whether the user clicked on the link or not. That is one point on which I want Gophish to be improved.

I have been using Gophish for 4 months.

I recommend that others use Gophish because it is a tool that is very easy to set up and open-source. I have no suggestions about Gophish, as it is satisfactory for my needs.

I have been using Gophish for a year. My main use case for Gophish is awareness campaigns for staff. A specific example of how I use Gophish in a campaign for staff is that I create fake internal-use pages and send them to collaborators' emails to see if they fall for the tests.

The best features that Gophish offers are that it has an easy-to-use platform and that it also has documentation to guide you through the implementation.

The ease of use and the documentation have helped me in my daily work with Gophish because, having zero experience with this platform, by looking up the documentation and having an easy-to-use interface, it was much easier for me to learn and implement it in the organization.

Gophish has positively impacted my organization by finding security gaps among our collaborators, and we found people who did not know or did not understand security. This platform helped us to be able to train collaborators about phishing after the tests.

I think that Gophish could be improved, but currently, all the functionalities it has and all the types of platforms that can be implemented are very interesting. For my part, I would not see any improvement. I would like to add nothing else about possible improvements, even if they are minor details or suggestions for the future.

I have been working in my current field for two years.

I consider Gophish to be stable.

I consider the scalability of Gophish interesting; it is a platform on which you can increase the number of staff and the number of platforms to run tests on, as well as the number of independent tests I can perform.

I have not needed customer support for Gophish so far.

I did not use any other solution before implementing Gophish; it was the first time it was implemented, so this platform was used.

Before choosing Gophish, I did not evaluate other options; it was an idea that came up after finding this platform.

I have seen a return on investment with Gophish, as indicated by the savings in implementation time and the responses we had to measure the awareness of the collaborators.

My experience with the price, implementation cost, and licensing of Gophish is that personally, I have used the open platform, so we have not had to pay anything yet.

My advice to other professionals who are considering using Gophish is that it is a platform for people who are just starting out and do not have the resources and also do not have knowledge. It is an excellent platform to start with and learn about the world of awareness campaigns for collaborators. It is an easy-to-use, stable platform; it can be set up on different platforms, whether Windows or Linux, and it is easy to use since it has an integrated interface that is very easy to use and it has no cost. Gophish would be an interesting platform to start testing awareness platforms for phishing campaigns. I would give this platform a rating of 10.

On-premises

I use Gophish to run fake awareness campaigns with our clients. Everything is framed and I use the product to send emails, get reporting, and then present the results afterward.

The objective of the campaign I carried out with Gophish was to determine the level of maturity of employees and staff. So the goal is to send an email to everyone and see the percentage of people who fall into the trap.

We analyze the results of these campaigns by going back with the same data but for different companies to see whether the alerts are being followed.

The best features that Gophish offers include importing an Excel CSV file to import all the users and creating a web page directly from the feature in the product.

Importing users was made much easier for me with Gophish, and the same applies for web pages, as it was very convenient.

Gophish has had a positive impact on my organization because it is open source, so it is free. The product is easy to get started with, and likewise the campaigns are very quick to prepare.

The time savings I noticed thanks to Gophish are exceptional. You can create templates.

I think Gophish could be improved with a user-level function, meaning if the person is strong or weak, we send more or fewer awareness emails, and rely on real attacks in order to be able to create a template by itself.

I have covered everything regarding the necessary improvements or points that could make Gophish even more effective in my view.

It has been six years since I began working in my current field.

I would say Gophish is stable based on the only campaigns I have been able to run a few months ago.

In my context, Gophish is scalable enough to handle an increasing number of users or campaigns because I have not had any slowdown when adding user groups.

There is no support for Gophish because it is open source, so I have not needed to contact assistance or technical support for this tool.

We have no contact with Gophish aside from being a customer.

I was not using another product before Gophish.

I have noted time savings in the preparation of campaigns since I started using Gophish.

I did not evaluate any competing solution because Gophish was the product that was already there when I arrived.

The time savings I noticed thanks to Gophish are exceptional.

I find Gophish advantageous since it is open source, so there is no price or installation costs.

I did not evaluate any competing solution because Gophish was the product that was already there when I arrived.

I do not know what advice to give to a company that is considering using Gophish regarding points to watch out for or anticipate. My overall rating for this product is 8 out of 10.

Public Cloud

Other