← Home

Latest articles

EvilGinx and adversary-in-the-middle phishing, explained

How reverse-proxy phishing steals session cookies to bypass MFA — and how GottaPhish reproduces it safely in simulations.

GottaPhish Team

SaaS, hybrid or on-premise: deploying GottaPhish your way

The full SaaS is the default, but sensitive components can run on-premise or in a hybrid model for regulated organizations.

GottaPhish Team

Data residency and sovereignty for phishing programs

Simulation data contains employee names and behavior. Where it lives matters — EU hosting by default, on-premise when required.

GottaPhish Team

Why Zscaler can be a problem for phishing defense

Web proxies like Zscaler help — but relying on them creates blind spots and a false sense of security against modern phishing. Here’s the risk, and how to close it.

GottaPhish Team

The limits of URL rewriting and link scanning

Cloaking, geofencing and single-use links make click-time link protection unreliable. Defense-in-depth is the answer.

GottaPhish Team

How phishing slips past secure email gateways

Compromised accounts, QR-code phishing and delayed weaponization routinely defeat SEGs. Why training closes the gap.

GottaPhish Team

What is phishing? A plain-English guide

A jargon-free introduction to phishing: what it is, how it works, and why it targets people.

GottaPhish Team

10 signs an email is a phishing attempt

The red flags that give a phishing email away — and how to check before you click.

GottaPhish Team

Spear phishing vs mass phishing: what’s the difference?

Why targeted attacks are so much more dangerous than the generic ones — and who they hit.

GottaPhish Team

You clicked a phishing link — what to do next

A calm, step-by-step checklist for the moments right after you realize you took the bait.

GottaPhish Team

Smishing and vishing: phishing by SMS and phone call

Phishing has moved off email. Here’s how text-message and voice scams work — and how to resist them.

GottaPhish Team

CEO fraud and Business Email Compromise, explained

The scam that costs companies billions: a fake boss, an urgent transfer, and no malware in sight.

GottaPhish Team

Building a human firewall: why awareness training works

Technology stops a lot of attacks, but not all. How a security-aware culture closes the gap.

GottaPhish Team

Protecting your family from phishing at home

Scammers target relatives, kids and retirees too. Simple habits to keep your household safe.

GottaPhish Team

SPF, DKIM and DMARC: email authentication against phishing

The three DNS records that let receivers tell your real mail from a spoof — and how they fit together.

GottaPhish Team

Anatomy of a modern phishing kit

A technical look inside the ready-made toolkits that power most credential-harvesting campaigns.

GottaPhish Team

Deploying DMARC step by step

From p=none monitoring to full enforcement without breaking legitimate mail — a practical rollout.

GottaPhish Team

Reading email headers to spot spoofing

What Received, Return-Path and Authentication-Results really tell you about a suspicious message.

GottaPhish Team

How generative AI is supercharging phishing

Flawless copy, deepfake voices and instant personalization: how attackers use AI, and how defenders respond.

GottaPhish Team

Homograph attacks and typosquatting explained

Look-alike domains and Unicode tricks that turn a trusted address into a trap.

GottaPhish Team

How to run an effective phishing simulation program

Design, cadence, metrics and ethics: turning simulations into lasting behavior change, not just scary numbers.

GottaPhish Team

Beyond passwords: phishing-resistant MFA

Why OTP codes still get phished, and how FIDO2 / passkeys finally break the attack.

GottaPhish Team