Reliable and proven security practitioners

About Phish5

Phish5 is designed, built and run by Thinkst Applied Research who have decades of experience in the security industry. After getting tired of seeing customers phished day in and day out we set out to build a tool to train users by actually phishing them (training through practise, what a concept!) Starting with Flask, Celery, MySQL and Apache we’ve built the technology from scratch so you don’t have to.

Along the way we've partnered with InfoGuardian to help reach bigger and broader markets.


  • Won't you phish dangerous information from my organization?

    No! Phish5 alters your phishing pages to ensure that credentials (usernames and passwords) are not sent to our servers. Since our servers never even see the credentials, there are no compliance issues to worry about.

  • What about the email addresses of our employees?

    We need those to perform the service (obviously), but the simplicity of the business model makes it easy to see we don't benefit from sharing this data. We will never provide or sell addresses in our system to any non-Thinkst person or group. (We won't even use it for ourselves.) We've also made it trivial to completely scrub your data if you choose.

  • Wait. So I can log in and Phish anyone?

    Not quite. By default Phish5 will only let you phish people in your domain. To phish across domains, mail us to get a verified consultant account.


  • Is this testing my mail filtering?

    No. Filters are almost always bypassable when targeting a specific filter, but building a generic bypasser would be more valuable to sell to spammers than on Phish5 :)

    Phish5 is aimed at testing user response, not filters, and so we don't pretend to bypass filters generically. Instead, we recommend you whitelist our mailers. Contact us for details.

  • My phishing mails are not showing up!

    The global email eco-system is surprisingly complex, and email doesn't arrive for many reasons. Phish5 helps you debug where your phishing mails are failing, by sending test mails and providing you with full SMTP logs to debug mail sending.

  • Phish5 shows my mails as sent, but I don't see them?

    Sometimes mails get caught up in a mail filter (e.g. anti-SPAM). If Phish5 lists mails as sent, then check your mail filter to see whether it has flagged the phishing mails.

  • What guarantees do you provide for mail sending?

    We'll either deliver the mail to your registered mail servers, or list it as failed. Logs are kept in both instances so you can verify.