Frequently Asked Questions

Note: Email addresses on ISP or public domains (example:,,, etc.,) are restricted and cannot be used within the QuickPhish service. User account and target email addresses must be valid company or organization addresses. On sign up, you will receive a welcome email with a validation link to enable your account to run a simulation. For evaluation purposes, you can send simulations to your own validated email without purchasing credits.


QuickPhish was created by two co-founders from Oregon, USA each with 15+ years experience in technology including web development, solution design and information security. The solution was designed with security in mind including the following features:

  • DigitalOcean App Hosting
  • AWS hosted MongoDB Database
  • SendGrid Transactional Email Relay
  • Developed using Angular JS by Google
  • Stripe Payments Processing
  • QuickPhish sanitizes lure pages on the client side to ensure that credentials (usernames/passwords) are never sent to or seen by our servers.
  • QuickPhish ensures that simulations can only be launched against targets on your validated domains.
  • QuickPhish restricts launching simulations against public ISP domains.

As our client, you will be able to build your phishing simulations through our easy to use Simulation Wizard. Through the wizard steps, you will:

  1. Import your company's email target list
  2. Add your bait email and lure page by either choosing from our pre-canned templates, or writing your own content
  3. Send a test email to test the simulation.
  4. Schedule and launch your simulation against your targets.
  5. Watch reports in real-time
    • Email processing and delivery
    • Email opens and clicks
    • Data post attempts to the lure page

Real-world phishing attacks can be devastating. QuickPhish only simulates a phishing attack. Our service can only collect action statistics on your user's interaction with the simulation to help you identify your organization's ability to spot phishing attacks. QuickPhish alters simulated emails and lure pages to ensure that data such as usenames, passwords or any other sensitive data never leaves the user's device, and is never seen by our servers. Also, simulation emails and lure page code are sanitized on the server to ensure users cannot add custom scripts, links or forms to emails or lure pages. This ensures only action statistics are collected.


There are two types of email addresses that you enter into QuickPhish:

  1. Authorized Domain Address: This is your own address on your company's or organization's domain. When you add an Authorized Domain address, you will be sent a validation link to your inbox. Click on that link to verify that you are the owner of the email box, and have an account on your company's/organization's domain. This will allow you to import target email addresses on that domain.
  2. Target Email Addresses: These are your company's or organization's employee's or member's email addresses that you will target your simulation toward. These are needed by the simulation in order to deliver the bait email.

We do not share any of our client's email addresses that are entered into QuickPhish, period. We will never sell or share email addresses in our system with any non-QuickPhish person or group, nor do we use any of your target addresses for ourselves. You can easily purge your data from QuickPhish if you ever choose to.


By default, phishing simulations are only available to launch against your authorized domains. You will not be able to target email addresses outside of your authorized domains list. These types of tests are generally ran by your company IT or security team. Before running any simulations against your organization, you should consult with your company's IT and/or security team to make them aware of the tests, and maximize the success of your simulation. If you are a security consultant, you can contact us to become a verified security consultant to launch campaigns for your clients.

Note: Email addresses on ISP or public domains (example:,, etc.,) are restricted and cannot be used within the QuickPhish service. Target email addresses must be valid company or organization addresses.


You will be able to see data about the following types of email events in the Email Activity Feed:

  • Processed - Requests from your website, application, or mail client via SMTP Relay or the API that the emailer processed.
  • Clicks - Whenever a recipient clicks one of the Click Tracked links in your email.
  • Delivered - An email that was delivered to a recipient.
  • Opens - Whenever an email is opened by a recipient.
  • Deferred - The recipient mail server asked the emailer to stop sending emails so fast.
  • Drops - The emailer will drop an email when the contact on that email is in one of your suppression groups, the recipient email previously bounced, or that recipient has marked your email as spam.
  • Bounces - When an email is attempted to be delivered, but the recipient mail server rejects it.
  • Spam Reports - Whenever a recipient marks your email as spam and their mail server tells us about it.

Quickphish tracks nearly all activity associated with a phishing campaign including; number of messages sent and delivered, number of messages opened and clicked, number of individuals who post data along with who the individuals are. Reports are presented in graphically pleasing donut and line charts directly within the solution. Reports can be exported simply by printing the report or saving as PDF direct from your browser.

Some spam filters may bounce mail coming from QuickPhish which is both good and bad. Good for proving that your spam filter is working but bad for phishing awareness purposes. If mail does bounce from QuickPhish you may need to white-list the QuickPhish send mail server by IP address or server name or you can also white-list the sending domain. To do so log into your email gateway/spam filter and add a white-list for either:
  1. QuickPhish IP Address:
  2. QuickPhish Mail Server: ( [])
  3. QuickPhish sending domain(s): use sending domain you setup/choose

TRY IT NOW FOR FREE You are 5 minutes away from your first phishing trip.