A comprehensive collection of professionally designed email templates and landing pages for conducting effective employee security awareness phishing simulation campaigns using the GoPhish framework.
- Realistic phishing scenarios mimicking common attack vectors
- Corporate communication themes (IT updates, HR notifications, security alerts)
- Social engineering templates (delivery notifications, account suspensions, payment alerts)
- Entertainment platform impersonations (Spotify, Starbucks)
- Financial service attacks (banking, wire transfers, payment confirmations)
- Cloud service phishing (Dropbox, Google Drive, Office 365)
- Healthcare: HIPAA compliance, patient portals, insurance verification
- Education: Student portals, financial aid, academic systems
- Manufacturing: Supplier portals, vendor compliance, supply chain
- Legal: Case management, confidential document sharing
- HR/Payroll: Benefits enrollment, direct deposit, payroll systems
- Technology/SaaS: API keys, developer portals, system updates
- Retail: Loyalty programs, customer accounts, inventory systems
- Hospitality: Hotel reservations, loyalty programs, booking systems
- Utilities: Billing credits, service notifications, account management
- Multi-industry coverage for comprehensive training programs
- Immediate learning opportunities after simulation clicks
- Category-specific training tailored to attack types
- Interactive quizzes to reinforce learning
- Real-world statistics and impact data
- Actionable protection strategies employees can implement
- Progressive difficulty levels for ongoing education
- Credential harvesting pages for testing user behavior
- Educational notification pages for immediate training
- Mobile-optimized responsive designs for all devices
- Professional, realistic appearance to maximize effectiveness
- Instant educational value rather than just "gotcha" moments
- Drop-in templates requiring minimal configuration
- Modern GoPhish syntax with proper template variables
- Mobile-responsive design for all screen sizes
- Based on real-world attack patterns and methodologies
- Updated for 2024/2025 threat landscape
- Professional design matching legitimate services
- Designed with privacy and legal considerations
- Educational focus over punitive measures
- Immediate learning opportunities for participants
- Easy branding modifications for your organization
- Configurable difficulty levels and scenarios
- Modular design for mixing and matching components
gophish-training-templates/
├── delivery-shipping/ # Package delivery and shipping notifications
├── it-security/ # IT security alerts and system updates
├── cloud-services/ # Cloud platform phishing (Dropbox, Drive)
├── social-media/ # Social media platform impersonations
├── financial/ # Banking and wire transfer scams
├── entertainment/ # Entertainment service phishing
├── corporate/ # Corporate communications and news
├── government/ # Government agency impersonations
├── microsoft/ # Microsoft service themed templates
├── healthcare/ # HIPAA, patient portals, insurance
│ ├── hipaa_compliance_alert.html
│ ├── patient_portal_security.html
│ └── insurance_verification.html
├── education/ # Student portals, financial aid
│ ├── student_portal_lockout.html
│ └── financial_aid_urgent.html
├── manufacturing/ # Supply chain and vendor portals
│ └── supplier_portal_update.html
├── legal/ # Case management, document sharing
│ └── case_document_sharing.html
├── hr-payroll/ # Benefits, payroll, HR systems
│ ├── payroll_direct_deposit.html
│ └── benefits_enrollment.html
├── technology/ # API keys, developer portals
│ └── api_key_expiration.html
├── retail/ # Loyalty programs, customer accounts
│ └── loyalty_rewards_expiring.html
├── hospitality/ # Hotel reservations, booking systems
│ └── hotel_reservation_confirm.html
├── utilities/ # Power/utility billing and credits
│ └── power_outage_credit.html
├── landing-pages/ # Credential harvest & education pages
│ ├── credential-harvest.html
│ └── education-notification.html
└── campaign-guides/ # Implementation guides & best practices
├── implementation-guide.md
├── subject-lines-guide.md
└── best-practices-guide.md
- GoPhish server installation
- Administrative access to GoPhish interface
- Basic understanding of phishing simulation concepts
-
Clone the Repository
git clone https://github.com/hailbytes/gophish-training-templates.git cd gophish-training-templates -
Import Email Templates
# Navigate to GoPhish Admin Panel # Go to Templates > Email Templates > New Template # Copy and paste HTML content from desired template # Configure subject line (see subject-lines.md for suggestions)
-
Set Up Landing Pages
# Go to Landing Pages > New Page # Import HTML from landing-pages/ directory # Configure credential capture settings if using harvest pages
-
Create User Groups
# Go to Users & Groups > New Group # Import your employee list # Segment by department or risk level for targeted campaigns
-
Launch Your First Campaign
# Go to Campaigns > New Campaign # Select appropriate template and landing page # Configure sending profile with realistic sender # Schedule during business hours for maximum realism
Establish current security awareness levels across your organization
- Recommended Templates: IT Security, Delivery notifications
- Frequency: Quarterly
- Target: All employees
Focus on risks relevant to specific roles and departments
- IT Department: Advanced technical phishing, software updates, API security
- Finance Team: Wire transfer scams, payment confirmations, invoice fraud
- HR Personnel: Benefits enrollment, payroll updates, employee verification
- Healthcare Workers: HIPAA compliance, patient portal security, insurance verification
- Legal Teams: Case management, confidential document sharing
- Manufacturing/Supply Chain: Vendor portals, supplier compliance
- Customer Service: Account verification, loyalty programs
- General Staff: Social media, entertainment, delivery scams
Gradually increase sophistication to build resilience
- Level 1: Obvious phishing with clear red flags
- Level 2: Moderate sophistication with subtle indicators
- Level 3: Advanced attacks mimicking legitimate communications
- Level 4: Spear phishing with personalized content
Leverage current events and holidays for realistic scenarios
- Holiday Shopping: Package delivery, shopping confirmations
- Tax Season: IRS communications, financial services
- Back-to-School: Educational platform attacks
- Year-End: HR benefits, company announcements
Every template includes corresponding educational content that:
- Explains why the attack was effective
- Identifies specific red flags users should watch for
- Provides real-world context and statistics
- Offers actionable steps for future protection
- Visual indicators highlighting suspicious elements
- Interactive quizzes to test comprehension
- Scenario-based examples for practical application
- Progressive disclosure of information to maintain engagement
Track improvement through:
- Click-through rate reduction over time
- Increased reporting of suspicious emails
- User feedback and comprehension scores
- Behavioral change metrics
These templates are designed exclusively for:
- Authorized security awareness training within your organization
- Educational purposes with proper consent and notification
- Improving security posture through awareness and training
- Unauthorized testing of external organizations
- Malicious attacks or actual credential theft
- Testing without proper legal authorization
- Any activity that violates applicable laws or regulations
- Obtain proper authorization before conducting simulations
- Ensure compliance with organizational policies and applicable laws
- Focus on education rather than punishment
- Provide immediate learning opportunities for participants
- Maintain confidentiality of individual results
- Follow up with additional training for those who need it
We welcome contributions to improve and expand this template collection!
- Fork the repository
- Create a feature branch (
git checkout -b feature/new-template) - Add your templates following our naming conventions
- Include educational content for any new attack vectors
- Test thoroughly with GoPhish before submitting
- Submit a pull request with detailed description
- Follow existing naming conventions and folder structure
- Include both email templates and educational modules
- Ensure mobile responsiveness for all designs
- Test with current GoPhish version before submission
- Provide realistic, educational content rather than obvious fake attempts
- Include suggested subject lines and implementation notes
- Additional attack vectors (new platforms, services, techniques)
- Industry-specific templates (healthcare, education, manufacturing)
- Non-English templates for international organizations
- Advanced persistent threat scenarios for mature security programs
- Accessibility improvements for inclusive design
- Implementation Guide - Detailed setup instructions
- Subject Line Suggestions - Proven effective subject lines
- Best Practices Guide - Campaign management tips
Track your security awareness program effectiveness:
- Click Rate Reduction: Measure decreasing susceptibility over time
- Reporting Increase: Monitor growth in suspicious email reports
- Time to Report: Track how quickly users report potential threats
- Repeat Offenders: Identify users needing additional training
- Knowledge Retention: Test comprehension through follow-up assessments
Industry standard targets for mature security awareness programs:
- Click Rate: <5% for sophisticated attacks
- Reporting Rate: >80% of suspicious emails reported
- Response Time: <1 hour average time to report
- Training Completion: >95% completion rate for educational modules
- Complete template redesign with modern GoPhish syntax
- Added educational modules for all template categories
- Mobile-responsive design for all templates
- Organized folder structure for better management
- Enhanced landing pages with immediate educational value
- Basic HTML templates with limited GoPhish integration
- Simple phishing scenarios without educational components
- Desktop-focused design
- Template variables not rendering: Ensure proper GoPhish syntax
- Mobile display problems: Check CSS media queries
- Landing page capture fails: Verify form configuration in GoPhish
- Educational modules not loading: Check file paths and permissions
- Open an issue on GitHub for bugs or feature requests
- Check existing issues before creating new ones
- Provide detailed information including GoPhish version and error messages
- Include screenshots for visual issues
For questions about implementation or customization:
- Email: [info@hailbytes.com]
- GitHub Issues: [https://github.com/HailBytes/gophish-training-templates/issues]
- Security Team: security@hailbytes.com
This project is licensed under the Mozilla Public License 2.0 - see the LICENSE file for details.
- Commercial use: Allowed
- Modification: Allowed (with source disclosure requirements)
- Distribution: Allowed (with license preservation)
- Private use: Allowed
- Patent use: Granted (with termination clause for patent litigation)
- Trademark use: Not granted
- Liability: Limited
- Warranty: Limited
- Copyleft: File-level (modified files must remain open source)
- Source Disclosure: Modified files must include source code and license notice
- License Preservation: MPL 2.0 license must be included with distributions
- Patent Protection: Automatic patent license grant for contributors
- Compatibility: Can be combined with proprietary code (file-level copyleft)
- Modifications: Changes to MPL-licensed files must remain under MPL 2.0
- GoPhish Team for creating an excellent phishing simulation platform
- Security Community for sharing knowledge and best practices
- Contributors who help improve and expand this template collection
- Organizations using these templates to build stronger security cultures
These templates are for authorized security awareness training only. Always:
- Obtain proper authorization before conducting phishing simulations
- Ensure legal compliance with all applicable laws and regulations
- Focus on education rather than punishment or embarrassment
- Respect privacy and maintain confidentiality of results
- Follow organizational policies for security awareness training
Unauthorized use of these templates for malicious purposes is strictly prohibited and may violate local, state, and federal laws.
Building Security Awareness Through Education
Help us improve cybersecurity one simulation at a time