Proactive training against phishing emails using simulations with the GoPhish tool
Keywords:
phishing, GoPhish, cybersecurity simulations, practical training
Abstract
Phishing, a threat that exploits the human factor, poses a critical risk to organizations. To address the inadequacy of traditional theoretical training, this study implemented a controlled simulation program using the open-source tool GoPhish. Across four successive campaigns employing distinct attack vectors, a clear decreasing trend was observed in interaction rates, and credential submission was significantly reduced. Analysis of participating users revealed a strong learning curve, with most showing substantial improvements in detection capabilities. Concurrently, a considerable increase in voluntary reporting of real suspicious emails was recorded, particularly in high-exposure areas. The findings confirm that combining practical training, immediate feedback, and periodic simulations effectively transforms users from a vulnerable link into a proactive defense barrier, thereby sustainably strengthening the organizational cybersecurity culture.