Abstract
Phishing is a form of social engineering attack in which targets are contacted by email by someone posing as a legitimate sender to lure the target into sending them sensitive information, such as login information, credit card details, or other personal information. There are a large number of methods to perform phishing attacks, with one of the most common being website-based phishing attacks. These are attacks in which targets are lured to a website that seems to be legitimate but is a fraudulent webpage that steals all the submitted information. There are several tools that can be used for these phishing attacks, e.g., Social Engineering Toolkit (SET), Zphisher, and GoPhish. These tools set up fake websites for phishing and collect login information from the targeted users who are fooled by the seemingly legitimate website. This paper presents the method for performing a phishing attack using these three tools and compares the application of these tools to launch phishing attacks and campaigns. We specifically select these three tools because they are free and provide a good platform to create or mimic legitimate websites and use this to launch phishing campaigns to get confidential information. The comparative assessment is performed based on criteria such as GUI, integration with Windows and Linux, report generation, multiple phishing campaigns, and extraction of victim system and browser details. The evaluation shows that GoPhish satisfies most of the features and is widely used in industry for phishing campaigns and creating cyber awareness. Copyright © 2025 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.
| Original language | English |
|---|---|
| Title of host publication | Information security practice and experience: 19th International Conference, ISPEC 2024, Wuhan, China, October 25–27, 2024, proceedings |
| Editors | Zhe XIA, Jiageng CHEN |
| Place of Publication | Singapore |
| Publisher | Springer |
| Pages | 365-382 |
| ISBN (Electronic) | 9789819790531 |
| ISBN (Print) | 9789819790524 |
| DOIs | |
| Publication status | Published - 2025 |
Citation
Sahay, R., Meng, W., & Li, W. (2025). A comparative analysis of phishing tools: Features and countermeasures. In Z. Xia & J. Chen (Eds.), Information security practice and experience: 19th International Conference, ISPEC 2024, Wuhan, China, October 25–27, 2024, proceedings (pp. 365-382). Springer. https://doi.org/10.1007/978-981-97-9053-1_21
Keywords
- Network security
- Data security
- Phishing tools
- Social engineering attacks
- Spear phishing