Despite ever‑more sophisticated e‑mail filters and state‑of‑the‑art security appliances, phishing remains the most successful and common way for attackers to access sensitive data of companies and individuals. Generative artificial intelligence now enables attackers to craft messages that are increasingly difficult to detect, even as awareness grows. People therefore remain the weakest — and at the same time the most important — link in the defence chain.
The Czech research network CESNET helps organisations in the Czech Republic reinforce this “human firewall” through the Phishingator tool. In just a few minutes administrators can design and launch a realistic phishing simulation and train and educate employees to recognise and report threats in a completely safe environment. Afterwards, Phishingator provides users with feedback on what specifically was suspicious about the message, what to watch for next time, and how to avoid falling for the next scam.
From a term paper to a working tool

Phishingator’s story began in 2019 at the University of West Bohemia (ZČU) in Plzeň. Engineering Informatics student Martin Šebela sent classmates a fake “password change” email as part of a term paper, demonstrating how easy it is to produce a convincing phishing message and website.
The experiment impressed both the course lecturer and Aleš Padrta, a member of the university’s security team who also worked in the CESNET Forensic Laboratory. Aleš started working with Martin, and the initial one-off mailing and term paper gradually turned not only into an award-winning bachelor’s thesis but also into an open-source tool for educating users about phishing. Phishingator quickly found its way into day-to-day use at ZČU.
Since 2022, the Forensic Laboratory of the CESNET Association has taken over the development of Phishingator — in agreement with ZČU — and provides the tool as a SaaS service. The goal is to make phishing education intuitive: even non‑technical staff can prepare a simulation in minutes.
How Phishingator works
- Administrators access a web interface, choose or customise templates and select target recipients.
- Phishingator continuously collects data on who followed the link, entered credentials on the mock site, or reported the attempt, then presents the results in clear statistics and graphs.
- Organisations may create unlimited campaigns, messages and spoof sites with no licence restrictions.

Benefits for organisations
- Speed and simplicity – campaigns are ready in minutes.
- Hands‑on experience – users meet phishing in a controlled setting.
- The more you sweat in training, the less you bleed in battle – a user who succumbs to a mock phishing campaign learns in practice what to look out for in a real scam.
- Process verification – mass mailing tests whether and how helpdesks and CSIRTs respond and how many users report the attack.
- Immediate user education and feedback – users learn immediately what should have been a warning sign and how not to fall for phishing next time.
- Resource savings – no in‑house infrastructure or phishing specialist required.
- Active development – new features are added continuously.
- Fair licensing policy – no limits on users, campaigns, e‑mails or fraudulent sites.
Phishingator is open source (MIT licence), yet CESNET provides active development and support. A standard deployment takes 14 days, and a monthly fee covers operation and ongoing development based on customer suggestions. A lively community has formed on phishingator‑forum@cesnet.cz and helps push the project forward.
Interesting numbers
- > 10 institutions from academia, government and business already use Phishingator.
- ≈ 35 000 users have been trained to date.
- ≈ 10 % average success rate in capturing valid passwords across all simulations.
- 20–30 % success rate in the most sophisticated mock‑phishing attacks.
For more information about Phishingator, visit the CESNET website.