The 12 best tools for phishing simulations

M.Sc. Chris Wojzechowski

Phishing simulations are an essential part of any IT security strategy, simply because phishing is still a serious problem that can compromise companies relatively easily and quickly. A phishing simulation provides you with security and sensitizes your own employees to this extremely important topic, because in the end it is primarily a matter of raising awareness within your own company in order to prevent attacks. Only if employees know exactly what to expect and what they are up against can they be prepared and react correctly in an emergency. Phishing simulations, some of which can also be carried out automatically with the appropriate tools, help in this process.

What are phishing simulations?

At this point, we do not want to go into detail about what a phishing simulation is and how it is built. We have already done this in our article “What is a phishing simulation?”, where we dive deep into the subject. Those who want to know all the details should read the linked article. For the rest of you, here is a brief explanation of what phishing simulations are all about.

Basically, phishing simulations are nothing more than a controlled attack. As a service provider, we take on the role of the attacker and try to obtain the relevant data. So we simulate different types of phishing attacks and in this way find out whether there is a risk of successful phishing attacks in the company.

So in the end, the phishing simulation is nothing more than a simulated attack to find vulnerabilities and uncover them accordingly.

Phishing simulation tools

Of course, nothing beats manual scenarios and tests. In the security sector, it is well known that manually performed tests can be targeted precisely and therefore produce correspondingly accurate results. Nevertheless, there are now a variety of tools that can help to automate such phishing simulations.

Depending on the use case, these tools can be of great help in phishing simulations, especially if the budget or knowledge for a manual phishing simulation is missing. In this part, we would therefore like to introduce a few of the common phishing tools and briefly explain their purpose.

1. Zphisher

Zphisher is a phishing tool for beginners and novices, which includes some automated phishing tests. More specifically, Zphisher currently has about thirty phishing templates ready to launch and run automated tests. As mentioned, Zphisher is very much aimed at beginners and is therefore not very complex.

2. Evilginx2

The Evilginx2 phishing tool describes itself as a man-in-the-middle attack framework. It is used for phishing credentials together with session cookies, which can in turn be used to bypass various forms of two-factor authentication. The "2" in the name indicates that Evilginx2 is the successor to the ever-popular Evilginx, which security researchers know all too well. Evilginx2 implements its own HTTP and DNS server, whereas Evilginx still relied on nginx HTTP server proxies.

3. Gophish

With the phishing tool Gophish, which is operated via a REST API, a variety of phishing attacks are possible. The tool itself is an open source framework. It is possible to create specific phishing templates within the tool, as well as campaigns that follow schedules and are sent in the background. What’s really ingenious is the chic interface that Gophish offers you in the process. Everything can be set visually, which simplifies the use of the phishing tool. The web interface with a full-fledged HTML editor is just the beginning, because the results are also tracked and presented in attractive visualizations of the most important data. The tool can be used under Windows, macOS and Linux thanks to various Gophish binaries.

4. HiddenEye

HiddenEye describes itself as a modern phishing tool, which has all the usual tools at its disposal. Whether it’s classic phishing, keyloggers or social engineering collection tools, HiddenEye has everything on board for successful phishing attacks. Multiple tunneling services, Serveo URL type selection, high-level penetration testing or even live attacks with IP, geolocation, ISP, country, address and much more are possible. This makes it an extremely efficient phishing tool, which is ideal for particularly elaborate phishing simulations at the enterprise level.

5. Infosec IQ

The Infosec IQ tool from developer Infosec enables automated phishing risk tests and simulated phishing campaigns. The free tool is handy, but it is only a preview of what is possible with the manufacturer’s much bigger tool, PhishSim. PhishSim is used to perform full-fledged and highly comprehensive phishing simulations on a large scale. With more than 1,000 phishing templates, typical scenarios can be tested quickly, easily and automatically. There is also a drag-and-drop builder for phishing emails in PhishSim. So the Infosec IQ tool is really just the beginning of what developer Infosec has to offer you.

6. King Phisher

King Phisher simulates realistic, real-world phishing attacks in order to raise the awareness of users. This makes it the ideal phishing tool if you have planned an extensive phishing simulation. King Phisher is popular because it is particularly flexible and provides complete control over email and server content. Its flexibility makes it perfect for simple phishing simulations, but it can equally be used for complicated scenarios. The interface of the phishing tool does not necessarily look modern, but it serves its purpose, as it ensures that all King Phisher features can be easily selected and controlled.

7. LUCY

As a commercial tool, LUCY has been developed with appropriate care, which includes a pretty, if very cluttered, web interface. LUCY itself is a full-fledged social engineering platform, which means it can handle more than just phishing. Awareness of such attacks is emphasized here, which is done, among other things, through individualized quizzes. While there was or is a community version of LUCY, in general the tool is also available in three expensive and extensive enterprise versions. As an awareness platform, however, LUCY functions smoothly, stably, and is also suitable as a phishing platform for awareness programs on a larger scale.

8. Phishing Frenzy

The Phishing Frenzy tool is intended mainly for penetration tests. Written in Ruby on Rails, it can also be used for phishing simulations, because some of its functions make it equally suitable for carrying out phishing campaigns that are executed internally within the company. Particularly noteworthy is the ability to create very comprehensive and accurate statistics on the campaigns. However, Phishing Frenzy is not at all suitable for beginners.

9. SEToolkit

SEToolkit stands for Social Engineer Toolkit and is often abbreviated simply as SET. The tool comes from TrustedSec, more precisely from the ingenious Dave Kennedy. It is written in Python and is ideal for penetration testing in the area of social engineering. As a phishing tool, SEToolkit can send spear-phishing emails and run mass email campaigns. As a Python-based tool, SEToolkit does not have a graphical interface and is therefore less suitable for beginners than for experienced security experts.

10. Simple Phishing Toolkit

With Simple Phishing Toolkit, we mainly find one feature interesting: the redirection to a prepared landing page. Within the phishing tests or simulations, phished users can be redirected to this landing page. This way, the phishing simulation can be combined with appropriate security training, so that those who have fallen for it are immediately informed, educated and trained accordingly. Users who have undergone the training can also be tracked separately with the phishing tool. However, because the Simple Phishing Toolkit is no longer being actively developed, it is difficult to actually use it in a company, let alone recommend it. In our opinion, however, it still belongs in the list because it simply has some fascinating approaches.

11. SpearPhisher

SpearPhisher is an exciting phishing tool, which was once developed by TrustedSec. The goal of SpearPhisher was to program the simplest possible tool for creating phishing emails, one that not only security experts but also CEOs can easily use in their company. It is a Windows-based program with a simple user interface and a WYSIWYG HTML editor for quickly creating emails. TrustedSec says it developed the tool to enable phishing emails without an external service provider or complicated Linux installation.

12. SpeedPhish Framework (SPF)

Designed primarily as a pentesting tool, SpeedPhish Framework nevertheless has a lot of features ready to launch effective phishing attacks. The program, written in Python, enables phishing campaigns against multiple targets and allows convenient collection of emails. So even though SPF primarily provides templates for pentesting, it can also be used wonderfully for common phishing attacks. This makes it ideal for running a phishing simulation.

Use phishing tools in companies

Phishing primarily exploits human vulnerability. Particularly in companies, people are repeatedly responsible for leaks or security vulnerabilities. In most cases, this is due to the lack of appropriate security training. In this case, a relatively simple phishing e-mail is sufficient to obtain the relevant data.

Phishing simulations help to quickly and effectively find out where risks and gaps are to be found in companies. More importantly, they disclose where there are currently still problems in the company's own operations and systems. Education and protection can then be provided before an actual, malicious phishing attack occurs.

Our overview of phishing tools includes both tools that help perform such simulations and tools that work largely automatically. In the end, everyone should have found what they were looking for and should be able to try out one or the other phishing tool.

M.Sc. Chris Wojzechowski

My name is Chris Wojzechowski and I studied my Master in Internet Security in Gelsenkirchen a few years ago. I am one of two managing directors of AWARE7 GmbH and a trained IT Risk Manager, IT-Grundschutz practitioner (TÜV) and possess the test procedure competence for § 8a BSIG. Our bread and butter business is performing penetration testing. We are also committed to promoting a broad understanding of IT security in Europe, which is why we offer the majority of our products free of charge.