Organizations

Roll out phishing training without putting it behind a paywall.

Just For Phishing is free, open-source training for schools, nonprofits, small businesses, and teams that need practical phishing awareness without vendor lock-in or surprise licensing costs.

The public site stays free. Optional help is implementation support — not a gate around the training.

Use cases

Simple enough for a one-person rollout. Credible enough for a real security program.

Use the public site as a lightweight awareness exercise, or fork the project and adapt it for internal onboarding, annual refreshers, tabletop prep, or post-incident reinforcement.

🏫

Schools & nonprofits

Give staff and volunteers realistic phishing practice without adding another paid platform to the budget.

🏢

Small businesses

Build baseline awareness before employees handle invoices, customer data, shared mailboxes, or admin tools.

🧑‍💻

IT & security teams

Pair modules with internal policy: how to report suspicious mail, when to deny MFA prompts, and where to get help.

🚀

Onboarding

Send new hires through a short training path before they receive broader access to business systems.

Rollout plan

A practical launch path that does not require accounts, LMS integration, or procurement.

This is intentionally lightweight. Start with the public modules, gather aggregate completion feedback however your organization already tracks training, and only customize when you know what your team needs.

Pick the training path

For most teams, start with Quick Check, Phish or Treat, MFA Fatigue Drill, and SMS Smishing. Add Email Lab and Targeted Phishing for higher-risk roles.

Explain the privacy model

Tell learners that progress stays in their browser on the public site. The site uses aggregate analytics to improve content, not employee-level monitoring.

Connect it to your policy

Pair the modules with your actual reporting process: where to forward suspicious email, how to report smishing, and who to call after an accidental click.

Decide whether to self-host

Self-host if you need internal branding, custom scenarios, private analytics, or an intranet-only copy. The MIT license allows adaptation.

Privacy

Public-site training is intentionally low-data.

The public version does not ask learners to create accounts or submit names, employers, passwords, or answers in free-text fields. Training runs in the browser, and module progress stays local to the learner’s device.

Analytics

Aggregate signals, not employee surveillance.

Google Analytics is used for aggregate site improvement signals such as module starts, completions, and score ranges. If your organization needs employee-level records, self-host and implement your own consent, policy, and reporting workflow.

Self-hosting

Fork it, brand it, and make the scenarios match your real threat model.

Because Just For Phishing is a static, open-source site, an organization can host a customized copy with GitHub Pages, Cloudflare Pages, Netlify, an internal web server, or another static host.

  • Swap in your reporting address, security contact, and internal escalation process.
  • Add organization-specific examples: payroll fraud, gift-card scams, fake vendor invoices, student account takeovers, or helpdesk impersonation.
  • Configure your own analytics or remove analytics entirely for an internal-only deployment.
  • Keep the public training free while using custom implementation only when it adds value.

Optional support

Need help turning this into an internal training rollout?

The free public site is the default. If you want a customized deployment, help adapting scenarios, or a rollout plan for a specific school or business, reach out through the project channels.