Course
Review written: July 2025
Course Format:
The course reviewed is Simply Cyber Academy's Hands-On Phishing by Tyler Ramsbey.
Course Materials:
This course material is online content which is made up of videos and text.
Class size:
The online content is just for the student.
Lab Environment
You create your own lab environment using DigitalOcean, Namecheap, SpoofCard and Google Voice.
Estimated cost:
At the time of this review, the course prices were listed as follows (Check the web site for actual prices!)
$34.99 one-time purchase
My motivation:
I have done a lot of phishing campaigns... but I had never used Evilginx or done Pretext Calling (Vishing) and I was interested in learning how those worked.
Review:
The course:
There are 9 sections with 67 lessons.
Welcome To The Course!
This starts with an introduction video explaining the topics that will be covered in the course to include setting up the lab environment, performing OSINT, using GoPhish and Evilginx2, and Pretext Calling (Vishing). What is really cool, and stands out from the start, is that instead of learning all these topics in an isolated lab environment, this course takes you through setting up real infrastructure (DigitalOcean), registering domain names (NameCheap) and steps you through the same processes you would use when doing a real-world engagement.
This section also provides you information about Tyler Ramsbey, just in case you bought the course and aren't aware of who he is or anything about his background. Also, there are just a few prerequisites for the course but most people who have purchased the course will probably have these prerequisites already.
Configuring the Lab Environment
This starts with a link to sign up with DigitalOcean and get $200 of free credit to use within the first 60 days. I have used DigitalOcean a LOT over the past number of years, and $200 in free credit is huge even if the time period is short. So don't miss out on that deal if you are new to DigitalOcean. This section also covers setting up a billing alert so that you get notified if your monthly bill is going to go over your set budget. Please don't skip this step and end up caught off guard owing a lot of money. I have heard horror stories over the years, and I know people who have gotten nasty surprises in the form of huge bills. Play it safe and set an alert.
The next steps are spinning up the Droplet, and securing it via ssh keys and firewall rules. Finally, this section wraps up with some good information on DigitalOcean pricing and provides information that can save you money if you have to take a break from the course while working on it, and you want to come back later and pick up where you left off.
Preparing for a Successful Phishing Trip
The section starts with analyzing poor phishing emails, or what to avoid when writing your own phishing emails, and then moves into performing basic passive OSINT (Open Source Intelligence), followed by three challenge labs and the walkthroughs for completing the challenge labs.
This section ends with an some ideas on selecting a domain, purchasing that domain, and finally configuring a trial on GSuite with he domain you purchased. There is a 14-day FREE GSuite trial, and I took Tyler's advice and I set my calendar to remind me to cancel in 10 days.
GoPhish Setup and Initial Configuration
Short and sweet section on installing GoPhish, configuring GoPhish, getting SSL certs for GoPhish, setting up DNS for the domain and launching GoPhish. The section ends with a fairly complex challenge that isn't required to finish the course, but good practice if you care to attempt it. I let ChatGPT do the heavy lifting for me and got a Python script, but I haven't tested it because I already had stuff setup. I do plan to test it after I finish this review and I really hope I didn't mess anything up.
Launching a Phishing Campaign with GoPhish
The section starts by stepping you through creating an email template (I realized it had been a while since I last created a template and this brought back memories both good and bad), followed by a challenge to create a phishing email and a walkthrough of the challenge.) I didn't complete the challenge with the same level of enthusiasm I would have used for a real engagement, and I did a really cheesy job going about it, but I was in a hurry and at least I typed something up. In hindsight, I would have done a better job....maybe. That being said, my email did go through with no modifications on the first try. Woot!
The next step was creating a landing page, followed by adding target users, and then creating a sending profile. There is a challenge for launching your first phishing campaign, and a walkthrough for the challenge.
Phishing with Evilginx
While the last section, for me, was a trip down memory lane, this is the section I was most interested in. It starts with a brief introduction to Evilginx, followed by how to install and configure it, and a challenge to automate the install with a script. I decided that instead of manually installing it, I would see if I could get a Python script created to do the installation. That is what I used to do my install, and it worked, except it launches Evilginx and then exits and doesn't background the process (which was fine for me since I just connected back to the VPS via SSH and started Evilginx and everything was ready for me.)
Phishlets overview is next, followed by configuring your first phishlet, and then another challenge to create a custom phishlet...and a walkthrough on how to create the custom phishlet. There is another challenge, this time of re-using stolen session cookies, and the walkthrough for the challenge. I ended up going a totally different route than what Tyler shows, but my method worked so I was happy.
This section ends with showing you how to destroy your digital ocean droplet, and how to cancel your Google Workspace Account, and I guess once I finish this I will need to delete that calendar reminder so it doesn't show up a week from now and send me into a panic.
Bypassing Common Defenses
This section starts with Tyler explaining the differences between a penetration test and a red team engagement. The "Leverage Known Services" and "List of Known Services Useful for Phishing" sections are a solid foundation for bypassing common defenses.
Building infrastructure trust is a topic I have a fair amount of experience with, but not really from the phishing standpoint, so I found this information pretty valuable and the Email Evasion Checklist is a very handy guide.
Combining Pretext Calling with Phishing
Take Note: Do NOT Skip the "8.1 - Legal Warning (Do Not Skip!)" section.
This section covers the overview of pretext calling, creating an effective pretext, setting up SpoofCard, and setting up Google Voice. The section then has a challenge and a walkthrough for the challenge. Since this is a topic I have no experience with, for me it was a great learning experience. And I love how Tyler kept it real saying you want to be calm and confident, but then admits that it is way easier said than done. I can only imagine what it would be like to do my first pretext calling and I would probably be more than just shaking and nervous.
And while I have used Google Voice for many, many, years now, I had never heard of SpoofCard and I found that to be a really handy site to know about.
And the last part of this section is a note on the legality of recording calls. Do not skip this section either.
Course Conclusion
The course concludes with encouraging you to plan some practical projects as well providing some information on possible next steps for your career.
Misc:
From my experience, GoPhish is fairly powerful, and it appears that Evilginx is too. There was talk in the videos about maybe later on down the line adding a section about integrating Gophish and Evilginx and I look forward to seeing the power of the two combined.
The Exam:
There is currently no exam for this course.
My two cents:
I had a lot of fun with this course. It was short and sweet, packed full of great information, and provides the foundation needed to run your own successful phishing/vishing campaign. I highly recommend this course if you are interested in phishing/vishing.