March 27, 2026

Every organization invests heavily in firewalls, endpoint detection, and SIEM platforms. But the most exploited attack surface in enterprise security is not a misconfigured server or an unpatched CVE. It is the human sitting behind the keyboard. Phishing remains the number one initial access vector in data breaches year after year, and the only reliable way to know whether your employees will fall for it is to test them first.

That is where Gophish comes in.

Gophish is an open-source phishing simulation framework that allows security teams to design, deploy, and measure phishing campaigns with the precision of a real attacker. In this guide, we walk through the full Gophish workflow, including installation, campaign setup, template crafting, and result analysis, so you can understand what a professional phishing simulation actually looks like from the inside.

If your organization needs a managed, expert-led simulation rather than a DIY setup, the team at Redfox Cybersecurity delivers end-to-end phishing assessments as part of a broader red team and penetration testing engagement.

What Is Gophish and Why Do Security Teams Use It?

Gophish is a purpose-built phishing simulation platform written in Go. Unlike manual phishing setups that require stitching together SMTP servers, tracking pixels, and credential harvesters by hand, Gophish bundles all of these components into a clean web-based dashboard. Security practitioners use it to:

  • Simulate spear phishing, credential harvesting, and malicious link campaigns
  • Track open rates, click rates, and credential submission rates per user
  • Generate reports that tie phishing susceptibility to departments, roles, or locations
  • Educate employees through post-click landing pages and instant awareness training triggers

The platform is commonly deployed in two contexts: internal red team exercises where the security team tests their own employees, and third-party engagements where an external penetration testing firm like Redfox Cybersecurity runs the simulation on behalf of the client.

Setting Up Gophish: Installation and Initial Configuration

System Requirements and Installation

Gophish runs on Linux, Windows, and macOS. For operational phishing simulations, a Linux VPS with a dedicated domain is the standard setup. Here is how to get started on a Debian-based system.

Step 1: Download Gophish

wget https://github.com/gophish/gophish/releases/download/v0.12.1/gophish-v0.12.1-linux-64bit.zip
unzip gophish-v0.12.1-linux-64bit.zip -d gophish
cd gophish
chmod +x gophish

Step 2: Configure the config.json file

Before launching, edit the default config file to bind Gophish to your server's interfaces:

nano config.json

Set your admin panel to listen only on localhost for security, and configure your phishing server to listen on port 80 or 443:

{
 "admin_server": {
   "listen_url": "127.0.0.1:3333",
   "use_tls": true,
   "cert_path": "gophish_admin.crt",
   "key_path": "gophish_admin.key"
 },
 "phish_server": {
   "listen_url": "0.0.0.0:80",
   "use_tls": false,
   "cert_path": "example.crt",
   "key_path": "example.key"
 },
 "db_name": "sqlite3",
 "db_path": "gophish.db",
 "migrations_prefix": "db/db_",
 "contact_address": "",
 "logging": {
   "filename": "",
   "level": ""
 }
}

Step 3: Launch the Gophish server

sudo ./gophish

On first run, Gophish prints a randomly generated admin password to the terminal. Copy it immediately, as it will not be shown again:

time="2025-01-15T10:23:11Z" level=info msg="Please login with the username admin and the password 4r7Xk2mP9qLw"

Access the admin dashboard via your browser at https://127.0.0.1:3333 using an SSH tunnel if working remotely:

ssh -L 3333:127.0.0.1:3333 user@your-vps-ip

Setting Up a Sending Profile

The sending profile defines the SMTP server and the "From" address that recipients will see. For realistic simulations, use a domain that closely resembles the target's own domain or a trusted vendor they interact with.

In the dashboard, navigate to Sending Profiles and fill in:

  • From: IT Support <support@corp-helpdesk.com>
  • Host: smtp.your-mailserver.com:587
  • Username and Password: Your SMTP credentials

Test the sending profile by clicking "Send Test Email" and verifying delivery and headers. Use a tool like mail-tester.com to check spam score before launching the campaign.

A poorly configured sending profile will land every email in spam and produce zero useful data. This is one reason organizations that work with Redfox Cybersecurity for phishing assessments get more accurate results: their team handles domain aging, DKIM/SPF/DMARC configuration, and deliverability tuning as part of the engagement.

Crafting Effective Phishing Templates

Email Templates That Drive Clicks

The quality of your email template determines whether your campaign produces actionable data or gets ignored. Effective phishing templates share a few characteristics: they create urgency, they impersonate a trusted sender, and they contain a plausible call to action.

Here is an example of a credential harvesting template targeting an IT helpdesk password reset scenario:

Subject: Immediate Action Required: Your Account Will Be Locked in 24 Hours

Body:

Dear {{.FirstName}},

Our security systems have flagged unusual login activity on your account associated with
{{.Email}}. To protect your account, we are requiring all users to verify their credentials
before 5:00 PM today.

Failure to verify will result in temporary account suspension until our IT security
team can manually review your case.

Please verify your account here: {{.URL}}

If you believe this message was sent in error, contact IT Support at
support@corp-helpdesk.com.

Regards,
IT Security Team

Notice the use of Gophish's template variables: {{.FirstName}}, {{.Email}}, and {{.URL}}. These are automatically populated per recipient using the data in your target group, making each email appear personalized.

Landing Page Configuration

The landing page is what recipients see after clicking the phishing link. Gophish allows you to import any existing webpage directly into the landing page editor:

Site to Clone: https://login.microsoft.com

After importing, Gophish strips non-essential scripts and rewrites form actions to post credentials back to your Gophish server. Enable "Capture Submitted Data" and optionally enable "Capture Passwords" if the rules of engagement permit it.

For post-submission behavior, configure a redirect to the legitimate login page so users assume they simply entered their password incorrectly. This avoids tipping off the target that a simulation is underway.

Building Target Groups and Launching Campaigns

Importing Recipients

Target groups in Gophish are populated via CSV upload. The required format is:

First Name,Last Name,Email,Position
Sarah,Johnson,s.johnson@targetcorp.com,Finance Manager
David,Chen,d.chen@targetcorp.com,HR Coordinator
Michael,Patel,m.patel@targetcorp.com,IT Administrator

Upload this file under Users and Groups to create a named group. You can segment groups by department, seniority level, or access privilege to compare phishing susceptibility across the organization.

Campaign Configuration

Once your sending profile, email template, landing page, and target group are ready, navigate to Campaigns and create a new campaign:

Name: Q1 2025 Password Reset Simulation
Email Template: IT Helpdesk - Account Lock
Landing Page: Microsoft Login Clone
URL: http://your-phishing-domain.com
Launch Date: 2025-03-10 08:00 AM
Send Emails By: 2025-03-10 11:00 AM
Sending Profile: IT Helpdesk SMTP
Groups: Finance Department

The "Send Emails By" field staggers delivery across the time window, preventing all emails from arriving simultaneously, which could trigger alert correlation in a mature SOC environment.

Click Launch Campaign to begin.

Analyzing Phishing Simulation Results

Understanding the Campaign Dashboard

As the campaign runs, Gophish populates a live timeline showing:

  • Emails Sent: Total number of messages delivered
  • Emails Opened: Recipients who loaded the tracking pixel (indicates email was opened)
  • Links Clicked: Recipients who clicked the phishing link
  • Submitted Data: Recipients who entered credentials on the landing page
  • Email Reported: Recipients who reported the email to IT (if you have a reporting button configured)

The results breakdown reveals far more than a simple click rate. You can correlate click behavior against job title, department, or time of day to understand your highest-risk user populations.

Interpreting Key Metrics

A well-run phishing simulation will typically surface one of three outcomes:

High click rate with low report rate: Employees are not trained to recognize or report suspicious emails. Security awareness training is urgently needed.

Moderate click rate with some reporting: Partial awareness exists, but training is inconsistent across teams.

Low click rate with high report rate: A mature security culture exists. The simulation should escalate to more sophisticated pretexts such as spear phishing with OSINT-derived context.

If your organization falls into the first or second category, a professional red team engagement can go beyond simulation and demonstrate full attack chains from phishing to domain compromise. Redfox Cybersecurity offers exactly this, combining phishing simulations with lateral movement, privilege escalation, and full adversary emulation to show the real blast radius of a successful phish.

Advanced Gophish Techniques for Red Teams

Filtering Automated Sandbox Clicks from Campaign Data

Some email security gateways and sandboxes will automatically click links in emails to detonate potential payloads. This creates false positives in your campaign data, inflating click rates. To filter bot clicks from real human clicks, add a JavaScript-based bot detection layer to your landing page:

if (navigator.webdriver || !navigator.plugins.length) {
   window.location.href = "https://www.google.com";
} else {
   document.getElementById("login-form").style.display = "block";
}

This redirects automated scanners to an innocuous page while serving the phishing landing page only to real browser sessions.

Email Authentication Records for Deliverability

To improve inbox placement, make sure your sending relay signs outgoing mail and that the phishing domain publishes the following DNS records before launch:

# SPF Record
TXT @ "v=spf1 ip4:YOUR.SERVER.IP ~all"

# DKIM (after generating keys with opendkim)
TXT mail._domainkey "v=DKIM1; k=rsa; p=YOUR_PUBLIC_KEY"

# DMARC
TXT _dmarc "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com"

Verify all three records with:

nslookup -type=TXT yourdomain.com
nslookup -type=TXT mail._domainkey.yourdomain.com
nslookup -type=TXT _dmarc.yourdomain.com
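These records are easy to get subtly wrong, so here is a small offline checker, added as an example and not part of Gophish, that parses SPF, DKIM and DMARC TXT values (DKIM and DMARC are "tag=value; tag=value" lists) and flags weak or placeholder settings. The sample records are constructed inline; paste in the values nslookup returns to check a real domain.

```python
# Constructed sample records mirroring the DNS section above (not live lookups).
SAMPLE = {
    "spf": "v=spf1 ip4:203.0.113.10 ~all",
    "dkim": "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3EXAMPLE",
    "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com",
}

def parse_tags(record):
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags

def check_spf(record):
    terms = record.split()
    if terms[:1] != ["v=spf1"]:
        return ["SPF: missing v=spf1 version tag"]
    findings = []
    if "YOUR.SERVER.IP" in record:
        findings.append("SPF: placeholder IP not replaced")
    if terms[-1] == "~all":
        findings.append("SPF: ~all is softfail, receivers tag rather than reject spoofed mail")
    elif terms[-1] != "-all":
        findings.append("SPF: record does not end in -all")
    return findings

def check_dkim(record):
    tags, findings = parse_tags(record), []
    if tags.get("v") != "DKIM1":
        findings.append("DKIM: missing v=DKIM1")
    if not tags.get("p") or tags["p"] == "YOUR_PUBLIC_KEY":
        findings.append("DKIM: p= is empty (revoked key) or still the placeholder")
    return findings

def check_dmarc(record):
    tags, findings = parse_tags(record), []
    if tags.get("v") != "DMARC1":
        findings.append("DMARC: missing v=DMARC1")
    if tags.get("p") == "none":
        findings.append("DMARC: p=none only monitors, failing mail is still delivered")
    if not tags.get("rua", "").startswith("mailto:"):
        findings.append("DMARC: no rua= address, aggregate reports go nowhere")
    return findings

def audit(records):
    # Findings per record type; an empty list means that record passed.
    return {kind: check(records[kind]) for kind, check in
            (("spf", check_spf), ("dkim", check_dkim), ("dmarc", check_dmarc))}
```

Run against the sample, the SPF softfail and the DMARC p=none monitoring policy are reported; both are acceptable for a short simulation but should not survive into the domain's permanent configuration.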

Automating Gophish Through Its REST API

For large-scale red team operations, Gophish exposes a REST API that allows programmatic campaign management:

# List all campaigns
curl -k -X GET "https://127.0.0.1:3333/api/campaigns/?api_key=YOUR_API_KEY"

# Create a new campaign via API
curl -k -X POST "https://127.0.0.1:3333/api/campaigns/?api_key=YOUR_API_KEY" \
 -H "Content-Type: application/json" \
 -d '{
   "name": "Q2 Finance Spear Phish",
   "template": {"name": "Invoice Notification"},
   "url": "http://phish-domain.com",
   "page": {"name": "Office365 Clone"},
   "smtp": {"name": "Helpdesk SMTP"},
   "launch_date": "2025-04-01T08:00:00+00:00",
   "groups": [{"name": "Finance Team"}]
 }'

This allows you to script multi-wave campaigns where different pretexts are deployed to different groups over a scheduled period, which is standard practice in enterprise red team engagements.
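As an added example (not Gophish's own code), the following script turns campaign results of the kind the dashboard section above displays, and the API returns from GET /api/campaigns/{id}/results, into the per-department breakdown described earlier, grouping on the Position column of the target CSV. The payload is constructed inline, and its field names (email, position, status, reported) are assumed to match Gophish's results JSON.

```python
import json
from collections import Counter, defaultdict

# Constructed sample in the shape of the campaign results the API returns (not real data).
SAMPLE_RESULTS = json.loads("""{
  "name": "Q1 2025 Password Reset Simulation",
  "results": [
    {"email": "s.johnson@targetcorp.com", "position": "Finance Manager", "status": "Submitted Data", "reported": false},
    {"email": "a.lee@targetcorp.com", "position": "Finance Manager", "status": "Email Sent", "reported": false},
    {"email": "d.chen@targetcorp.com", "position": "HR Coordinator", "status": "Clicked Link", "reported": false},
    {"email": "m.patel@targetcorp.com", "position": "IT Administrator", "status": "Email Opened", "reported": true}
  ]
}""")

# Gophish keeps one status per recipient and a later stage implies the earlier ones,
# so rank them: "Submitted Data" also counts as an open and a click.
STATUS_RANK = {"Email Sent": 1, "Email Opened": 2, "Clicked Link": 3, "Submitted Data": 4}

def summarize(campaign, key="position"):
    # Per-group funnel counts plus click and report rates. 'reported' is a separate
    # flag on each result, since a user can report the mail without clicking it.
    groups = defaultdict(Counter)
    for r in campaign["results"]:
        c, rank = groups[r[key]], STATUS_RANK.get(r["status"], 0)
        c["sent"] += rank >= 1
        c["opened"] += rank >= 2
        c["clicked"] += rank >= 3
        c["submitted"] += rank >= 4
        c["reported"] += bool(r.get("reported"))
    summary = {}
    for name, c in groups.items():
        sent = c["sent"] or 1  # avoid division by zero for groups with errors only
        summary[name] = dict(c, click_rate=round(c["clicked"] / sent, 2),
                             report_rate=round(c["reported"] / sent, 2))
    return summary

def highest_risk(summary):
    # Group with the highest click rate; ties broken by the lower report rate.
    return max(summary, key=lambda g: (summary[g]["click_rate"], -summary[g]["report_rate"]))

if __name__ == "__main__":
    stats = summarize(SAMPLE_RESULTS)
    for group, s in stats.items():
        print(f"{group:18} clicked {s['click_rate']:.0%}  reported {s['report_rate']:.0%}")
    print("highest risk:", highest_risk(stats))
```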

Legal and Ethical Considerations

Phishing simulations must be authorized in writing before any campaign is launched. Rules of engagement should define the scope of the simulation, the acceptable pretexts, whether credential capture is permitted, and how data will be stored and destroyed after the engagement.

Running unauthorized phishing simulations, even internally, can violate computer fraud statutes in multiple jurisdictions. Every engagement conducted by Redfox Cybersecurity begins with a formal scoping call and signed authorization to ensure every activity is legally sanctioned and ethically executed.

Wrapping Up: What Gophish Tells You and What It Does Not

Gophish is a powerful tool for quantifying human risk within an organization. A well-executed campaign will tell you how many users clicked, who submitted credentials, which departments are highest risk, and whether your security awareness training is working.

What it cannot tell you on its own is what an attacker would actually do with those stolen credentials. That requires a full red team assessment where phishing is just the entry point, and lateral movement, persistence, and data exfiltration simulate the complete attack lifecycle.

That is the difference between a phishing simulation and a penetration test, and it is the difference between knowing you have a problem and knowing exactly how bad it is.

If you are ready to go beyond a click rate report and understand your organization's true exposure to social engineering attacks, Redfox Cybersecurity's penetration testing and red team services are designed to give you that complete picture. From phishing simulations to full adversary emulation, the team brings the methodology, tooling, and reporting to turn assessment results into a defensible security roadmap.

Protect your people before attackers exploit them. Explore Redfox Cybersecurity's services today.