Latest articles
EvilGinx and adversary-in-the-middle phishing, explained
How reverse-proxy phishing steals session cookies to bypass MFA — and how GottaPhish reproduces it safely in simulations.
SaaS, hybrid or on-premise: deploying GottaPhish your way
The full SaaS is the default, but sensitive components can run on-premise or in a hybrid model for regulated organizations.
Data residency and sovereignty for phishing programs
Simulation data contains employee names and behavior. Where it lives matters — EU hosting by default, on-premise when required.
Why Zscaler can be a problem for phishing defense
Web proxies like Zscaler help — but relying on them creates blind spots and a false sense of security against modern phishing. Here’s the risk, and how to close it.
The limits of URL rewriting and link scanning
Cloaking, geofencing and single-use links make click-time link protection unreliable. Defense-in-depth is the answer.
How phishing slips past secure email gateways
Compromised accounts, QR-code phishing and delayed weaponization routinely defeat SEGs. Why training closes the gap.
What is phishing? A plain-English guide
A jargon-free introduction to phishing: what it is, how it works, and why it targets people.
10 signs an email is a phishing attempt
The red flags that give a phishing email away — and how to check before you click.
Spear phishing vs mass phishing: what’s the difference?
Why targeted attacks are so much more dangerous than the generic ones — and who they hit.
You clicked a phishing link — what to do next
A calm, step-by-step checklist for the moments right after you realize you took the bait.
Smishing and vishing: phishing by SMS and phone call
Phishing has moved off email. Here’s how text-message and voice scams work — and how to resist them.
CEO fraud and Business Email Compromise, explained
The scam that costs companies billions: a fake boss, an urgent transfer, and no malware in sight.
Building a human firewall: why awareness training works
Technology stops a lot of attacks, but not all. How a security-aware culture closes the gap.
Protecting your family from phishing at home
Scammers target relatives, kids and retirees too. Simple habits to keep your household safe.
SPF, DKIM and DMARC: email authentication against phishing
The three DNS records that let receivers tell your real mail from a spoof — and how they fit together.
Anatomy of a modern phishing kit
A technical look inside the ready-made toolkits that power most credential-harvesting campaigns.
Deploying DMARC step by step
From p=none monitoring to full enforcement without breaking legitimate mail — a practical rollout.
Reading email headers to spot spoofing
What Received, Return-Path and Authentication-Results really tell you about a suspicious message.
How generative AI is supercharging phishing
Flawless copy, deepfake voices and instant personalization: how attackers use AI, and how defenders respond.
Homograph attacks and typosquatting explained
Look-alike domains and Unicode tricks that turn a trusted address into a trap.
How to run an effective phishing simulation program
Design, cadence, metrics and ethics: turning simulations into lasting behavior change, not just scary numbers.
Beyond passwords: phishing-resistant MFA
Why OTP codes still get phished, and how FIDO2 / passkeys finally break the attack.
