Course Project Title
Design, Deployment, and Execution of a Security Awareness Campaign Using GoPhish
1. Project Overview
The purpose of this project is to allow students to apply concepts related to cybersecurity awareness, social engineering, phishing simulation, project planning, risk management, and ethical cybersecurity operations through the deployment of a phishing simulation platform using GoPhish.
Students will work in groups to design, build, test, and execute a controlled phishing awareness campaign within an approved academic environment.
This project is designed to simulate the activities commonly performed by cybersecurity awareness teams, Security Operations Centers (SOC), Red Teams, and Governance, Risk, and Compliance (GRC) functions when conducting phishing awareness assessments.
The project will be completed in phases from Midterm Week until Finals Week.
2. Learning Objectives
Upon completion of this project, students should be able to:
Technical Skills
- Deploy and configure GoPhish
- Configure landing pages and email templates
- Configure sending profiles
- Create phishing campaigns
- Track user interactions and metrics
Security Skills
- Design realistic phishing scenarios
- Identify organizational attack surfaces
- Analyze human vulnerabilities
- Measure awareness effectiveness
Governance and Ethics Skills
- Develop safe and ethical phishing exercises
- Define campaign scope and rules of engagement
- Document risks and controls
- Obtain appropriate approvals
Project Management Skills
- Develop implementation plans
- Create campaign storyboards
- Present findings and recommendations
3. Group Composition
Group Size
- 4–6 students per group
Team Roles (Recommended)
| Role | Responsibilities |
|---|---|
| Project Lead | Coordinates project activities |
| GoPhish Administrator | Deploys and manages GoPhish |
| Campaign Designer | Creates templates and landing pages |
| Security Analyst | Defines tracking and reporting |
| Documentation Lead | Creates reports and storyboard |
| Presenter | Leads demonstrations |
Multiple roles may be assigned to one member if necessary.
4. Ethical and Legal Requirements
This project is an educational exercise.
The following activities are strictly prohibited:
❌ Collecting real passwords
❌ Harvesting personal information
❌ Sending phishing emails to external organizations
❌ Conducting campaigns without approval
❌ Disrupting school operations
❌ Impersonating school officials without instructor approval
Required Design Principle
All phishing simulations must be:
- Educational
- Benign
- Non-malicious
- Awareness-focused
The objective is to measure behavior, not compromise accounts.
5. Midterm Project Scope
Deliverable 1: GoPhish Deployment
Each group must deploy GoPhish using either:
Option A: Cloud Deployment
Examples:
- AWS EC2
- Azure VM
- DigitalOcean
- Oracle Cloud
- Google Cloud
Option B: On-Premises Deployment
Examples:
- VirtualBox
- VMware
- Physical Server
- Local Linux Host
Students must demonstrate:
- Installation
- Initial configuration
- Access to admin portal
- Sending profile creation
- Campaign creation
Deliverable 2: Campaign Proposal
Each group must submit one proposed phishing awareness campaign.
Target Audience
Choose one:
- Students
- Faculty
- Administrative Personnel
- IT Staff
- School Employees
Campaign Proposal Template
Campaign Name
Example:
“Enrollment Advisory Verification Campaign”
Target Group
Example:
Undergraduate Students
Objective
Example:
Measure how many students click enrollment-related links.
Success Metrics
Example:
- Email Open Rate
- Click Rate
- Form Submission Rate
- Reporting Rate
Risk Assessment
Potential Risks:
- Confusion
- User complaints
- Technical issues
Mitigation Measures:
- Awareness briefing
- Debriefing email
- Instructor supervision
Deliverable 3: Campaign Storyboard
Students must produce a visual storyboard describing the complete campaign lifecycle.
Storyboard Must Include
Step 1
Planning Phase
- Objective
- Target audience
- Scope
Step 2
Email Development
- Subject line
- Sender identity
- Message content
Step 3
Landing Page Creation
- User interaction flow
- Awareness message
Step 4
Campaign Launch
- Recipient upload
- Scheduling
Step 5
Tracking
- Opens
- Clicks
- Interactions
Step 6
Reporting
- Metrics
- Findings
Step 7
Lessons Learned
- Recommendations
- Awareness improvements
Deliverable 4: Video Demonstration
Duration
10–15 minutes
Required Content
Part 1
Team Introduction
Part 2
GoPhish Setup
Show:
- Installation
- Configuration
- Dashboard
Part 3
Campaign Creation
Show:
- Email Template
- Landing Page
- User Group
- Sending Profile
Part 4
Storyboard Walkthrough
Explain:
- Campaign objectives
- Expected outcomes
Part 5
Project Reflection
Challenges encountered and lessons learned.
6. Project Timeline
MIDTERM WEEK
Submission 1
GoPhish Setup + Campaign Proposal
Deliverables:
✅ GoPhish Environment
✅ Campaign Proposal
✅ Storyboard
✅ Video Demonstration
Weight: 25%
MILESTONE 1
Campaign Design Validation
Objective
Finalize campaign design.
Deliverables
Approved Email Template
Approved Landing Page
Rules of Engagement Document
Must include:
- Scope
- Target audience
- Timeline
- Safety controls
Pilot Testing Results
Conduct testing with:
- Team members
- Instructor
- Volunteer participants
Weight: 15%
MILESTONE 2
Pre-Deployment Readiness Review
Objective
Prepare for production simulation.
Deliverables
Infrastructure Readiness
- DNS configuration
- Sending profile validation
- Tracking verification
Risk Assessment
Identify:
- Operational risks
- Technical risks
- Human risks
Deployment Plan
Include:
- Launch schedule
- Communication plan
- Escalation procedures
Dry Run Demonstration
Show end-to-end execution.
Weight: 20%
MILESTONE 3
Pilot Simulation
Objective
Conduct limited-scope simulation.
Deliverables
Pilot Campaign Execution
Target:
- Small approved audience
Metrics Collection
Measure:
- Delivery Rate
- Open Rate
- Click Rate
- Reporting Rate
Findings Report
Document:
- User behavior
- Lessons learned
- Improvements required
Weight: 15%
FINALS WEEK
Final Campaign Execution and Presentation
Objective
Execute the approved phishing awareness campaign and present results.
Deliverables
Full Campaign Execution
Approved target audience only.
Campaign Report
Must include:
Executive Summary
Campaign Objectives
Methodology
Storyboard
Metrics
Findings
Lessons Learned
Awareness Recommendations
Final Presentation
15–20 Minutes
Required Sections:
- Project Overview
- Infrastructure Architecture
- Campaign Design
- Storyboard
- Demonstration
- Results Analysis
- Ethical Considerations
- Recommendations
Weight: 25%
7. Final Report Structure
- Cover Page
- Team Members
- Executive Summary
- Campaign Objectives
- GoPhish Architecture
- Campaign Storyboard
- Email Template Design
- Landing Page Design
- Rules of Engagement
- Campaign Metrics
- Findings
- Lessons Learned
- Recommendations
- Appendices
8. Evaluation Rubric
| Criteria | Weight |
|---|---|
| GoPhish Deployment | 20% |
| Campaign Design | 15% |
| Storyboard Quality | 15% |
| Technical Demonstration | 15% |
| Ethical Design & Safety Controls | 10% |
| Documentation Quality | 10% |
| Final Campaign Execution | 10% |
| Presentation & Defense | 5% |
| Total | 100% |
Expected Final Outcome
By Finals Week, each group should be able to demonstrate a complete phishing awareness program that includes:
- A working GoPhish deployment
- Approved phishing scenarios
- Campaign storyboards
- Safe and ethical implementation procedures
- Pilot and final campaign execution
- Measurable awareness metrics
- Recommendations for improving cybersecurity awareness within the school environment
The emphasis of this project is not on compromising users, but on understanding human behavior, measuring awareness, and designing effective cybersecurity education programs.