Phishing Simulation Tools for SMEs — Test Employee Awareness Without Breaking the Bank
> cd .. / HUB_EDITORIALE
Sicurezza Informatica

Phishing Simulation Tools for SMEs — Test Employee Awareness Without Breaking the Bank

[2026-07-18] Author: Ing. Calogero Bono
> share
Zenithby Meteora Web The operating system for your business. Social, clients, bookings and invoices in one platform. Gyms, barbers, professionals. Discover Zenith Free demo · no card

You've run the security training. Everyone signed the policy. Then a fake "supplier update" email arrives, and half your staff clicks. We see it daily with clients hitting us after a real breach. The difference between passive training and active testing is simulation: putting people in a controlled phishing scenario to find the gaps safely.

At Meteora Web, we always start with the same question: what does a real attack cost vs. a simulation test? The answer is usually embarrassing. In this guide we show exactly what phishing simulation tools are, how to choose one for your SME, and how to use it right away — no complex IT, just common sense and a bit of setup.

Why is running a phishing simulation more effective than a theoretical course?

A course teaches theory. A simulation teaches reflex. When an employee receives a realistic email — bank logo, urgent tone, link to a clone page — the brain reacts differently than when reading a slide. Simulation leverages error psychology in a controlled environment where the only damage is a statistic.

What we've seen over years of testing:

  • First-test click rate: 25% to 40% even in companies with annual training.
  • After two simulations with feedback: down to 5–10% within three months.
  • Report-to-IT rates rise only when employees know testing exists.

Theoretical training is necessary, but without simulation it's like studying a manual without ever driving a car.

Sponsored Protocol

Common mistake to avoid

Don't start with a punitive simulation. If someone clicks, they need training, not punishment. The phishing simulation tool must be seen as a security ally, not a trap. We always recommend announcing the test in advance: "In two weeks we'll run a simulation. Don't worry if you click — it helps us improve." The error rate still drops because awareness stays high.

How to choose the right phishing simulation tool for your SME?

Not all phishing simulation tools are equal. Markets offer enterprise solutions costing thousands per year and open-source alternatives that do the same job for zero fees. Choice depends on budget, technical skills, and headcount.

Evaluation criteria

  1. Ease of setup: Do you have in-house IT or need a turnkey service? Tools like GoPhish need a server and SMTP config. Others like KnowBe4 are SaaS and handle everything.
  2. Available templates: Look for sector-specific scenarios (banking, supplier, fake HR).
  3. Reporting: Must show who clicked, who entered credentials, who reported. Otherwise you can't target training.
  4. Cost: For SMEs under 50 employees, open-source + some tech time is usually most efficient. Above 100, SaaS with integrated training can be worth the investment.
  5. GDPR and privacy: Simulations collect behavioral data. Ensure the tool is compliant. We discuss this further in our NIS2 supplier registry guide (read it here).

Which phishing simulation tools exist and how much do they cost?

Three categories: open-source, affordable SaaS, enterprise.

Sponsored Protocol

GoPhish — open source, powerful, zero cost

GoPhish is the most popular open-source phishing simulation tool among techies. We use it at Meteora Web for quick tests. It installs on a Linux (or Windows) server with SQLite or MySQL. It offers a web UI to create campaigns, templates, landing pages. Built-in SMTP or external relay.

Pros: free, extensible, data stays on-prem. Cons: needs some skills to configure SPF, DKIM, DMARC, otherwise emails go to spam. But it's a great learning opportunity.

Example command to start it (after installing GoPhish):

Sponsored Protocol

# Start GoPhish on port 3333
./gophish &

The web interface will be at http://your-server:3333. From there you create your first campaign.

KnowBe4 — full SaaS, paid

KnowBe4 is the market leader. It includes thousands of templates, integrated training, detailed reports. Pricing: around 20 EUR per user per year (basic plan). For 50 users, about 1000 EUR/year. Also covers vishing and social engineering training. We recommend it to clients above 100 employees who don't want to manage infrastructure.

PhishingBox, PhishER (SaaS)

Valid alternatives: PhishingBox (good for GDPR), PhishER (by KnowBe4 for managing reports). Prices range from 10 to 50 EUR per user/year. For SMEs under 20 people, open-source remains the most rational economic choice.

How to run a phishing simulation test step by step?

Let's use GoPhish because it's free and gives full control. Here are the essential steps.

1. Technical preparation

  • Server: a Linux VPS for 5 EUR/month (e.g., DigitalOcean, Netcup).
  • Subdomain: use a domain not in production (e.g., simulation.yourcompany.com). Configure SPF and DKIM records to avoid spam.
  • SMTP: if your server has port 25 open, use built-in relay. Otherwise use a service like Mailgun (free up to 1000 emails/month).

2. Creating the template

Pick a realistic template. Classic: "Google Workspace account update" with a link to a fake login page. Attention: do not collect real passwords without authorization. The landing page should only register attempts (click or form submit), not store credentials.

Sponsored Protocol

<!-- Example fake landing page (for internal testing only) -->
<form method="post" action="http://your-server/capture">
  <input type="email" name="email" placeholder="Email">
  <input type="password" name="password" placeholder="Password">
  <button type="submit">Sign in</button>
</form>

GoPhish handles capture automatically if you use its landing page feature.

3. Launching the campaign

  • Import employee email list from CSV.
  • Set date and time: a Tuesday morning usually works best for low guard.
  • Activate the campaign. GoPhish will send emails and log clicks and submissions.

4. Analyzing results

After 48–72 hours, export the report. Look for:

  • Total clicks: percentage of sent emails clicked.
  • Data entered: how many submitted credentials (if enabled).
  • Reports: did you include a "Report phishing" button? How many used it?

Don't publish names. Use data to train the most vulnerable departments.

Sponsored Protocol

What metrics to monitor after a phishing test?

The real value is trend, not a single test. Track these:

  1. Click rate: aim to get below 5%.
  2. Report rate: aim to climb above 50%.
  3. Average time to click: if decreasing, employees hesitate more.
  4. Test deliverability: did emails land in inbox or spam? If spam, test is useless.

What to do now

Don't wait for the next attack. Take action immediately:

  1. Download GoPhish from the official repository and install it on a test server.
  2. Create your first campaign with a simple template (e.g., "Shared document on Google Drive").
  3. Communicate the test to the team: transparency reduces anxiety and boosts cooperation.
  4. Analyze the report and plan a targeted training session for the most affected departments.
  5. Repeat every 3 months and compare trends. Cybersecurity is not a project, it's a process.

For a broader context on social engineering, read our pillar guide on social engineering (Italian).

> share
Ing. Calogero Bono

> AUTHOR_EXTRACTED

Ing. Calogero Bono

Ingegnere informatico, fondatore di Meteora Web e Zenith OS. System administrator e progettista di piattaforme, app e CMS proprietari, con esperienza in sviluppo full-stack, marketing digitale ed ecosistema Google.
[ Read Full Dossier ]

> METEORA_WEB // DIGITAL AGENCY

We build the digital presence your business deserves.

Websites, social media, online advertising, e-commerce and high-performance hosting, engineered with method by computer engineers in Sciacca, for all of Italy.

> MW_JOURNAL

> READ_ALL()