Free Phishing Websites

CanIPhish maintains an ever-evolving library of free phishing websites that update with the latest trends. Don't just take our word for it. Take a look at some of the websites in our library!

How Are Phishing Websites Used?

Cybercriminals typically combine phishing websites with phishing messages to lure victims. Phishing messages are typically personalized and paired directly with a relevant phishing website. The websites themselves can either be a single phishing page or a complete copy masquerading as a legitimate website. The type of phishing website created will vary depending on the cybercriminal's goal and the defensive controls in place, which may hinder them from meeting this goal.

Phishing Website Library

Now that we know how phishing websites are used, let's take a look at the library of free phishing websites offered by CanIPhish!

Example Phishing Pages 72 Office365 Login Page Google Login Page Dropbox Login Page LinkedIn Login Page Paypal Login Page Facebook Login Page CommBank Login Page Concur Login Page EBay Login Page Govia Login Page JIRA Login Page HSBC Login Page Bell Canada Login Page FedEx Login Page Capital One Login Page Verizon Login Page Generic Login Page DocuSign Login Page Zoom Login Page Netflix Login Page Canada Post Login Page Instagram Login Page Qantas Login Page Uber Login Page Deliveroo Login Page Okta Login Page GitHub Login Page African Bank Login Page Office365 MFA Login Page Slack Login Page STC Login Page AMEX Login Page Canada Revenue Login Page Xero Login Page 1Password Login Page Bitwarden Login Page Dashlane Login Page LastPass Login Page Stripe Login Page Zendesk Login Page Blank Webpage Page Microsoft Login Page OneLogin Webpage Page Jenkins Login Page Pento Login Page Udemy Login Page TikTok Login Page Adobe Login Page Bank of America Login Page User Awareness Training Page Western Union Login Page Venmo Login Page BambooHR Login Page Vanta Login Page Drata Login Page Apple iCloud Login Page ADP Login Page Atlassian Login Page ClickUp Login Page GoDaddy Login Page Linkt Login Page Mailchimp Login Page Monday Login Page Quickbooks Login Page Shopify Login Page Square Login Page Zoho Login Page British Airways Login Page Air New Zealand Login Page BNZ Login Page X Login Page Generic Phone Login Page

Masquerading as the Office 365 login portal.

Masquerading as the Google login portal.

Masquerading as the Dropbox login portal.

Masquerading as the LinkedIn login portal.

Masquerading as the Paypal login portal.

Masquerading as the Facebook login portal.

Masquerading as the CommBank login portal.

Masquerading as the Concur login portal.

Masquerading as the Bell Canada login portal.

Masquerading as the Capital One login portal.

Masquerading as the Verizon login portal.

Masquerading as a generic company login portal.

Masquerading as the DocuSign login portal.

Masquerading as the Netflix login portal.

Masquerading as the Canada Post login portal.

Masquerading as the Instagram login portal.

Masquerading as the Qantas login portal.

Masquerading as the Deliveroo login portal.

Masquerading as the GitHub login portal.

Masquerading as the African Bank login portal.

Masquerading as the Office365 MFA Login portal.

Masquerading as the Saudi Telecom Company Login portal.

Masquerading as the American Express Login portal.

Masquerading as the Canada Revenue Agency portal.

Masquerading as the 1Password Login portal.

Masquerading as the Bitwarden Login portal.

Masquerading as the Dashlane Login portal.

Masquerading as the LastPass Login portal.

Masquerading as the Stripe Login portal.

Masquerading as the Zendesk Login portal.

Blank Webpage Page

Masquerading as the Microsoft Login portal.

OneLogin Webpage Page

Masquerading as the Jenkins Login portal.

Masquerading as the TikTok login portal.

Masquerading as the Bank of America login portal.

User Awareness Training Page

Masquerading as the Western Union login portal.

Masquerading as the BambooHR login portal.

Masquerading as the Apple iCloud login portal.

Masquerading as the Automatic Data Processing login portal.

Masquerading as the Atlassian login portal.

Masquerading as the ClickUp login portal.

Masquerading as the GoDaddy login portal.

Masquerading as the Monday login portal.

Masquerading as the Quickbooks login portal.

Masquerading as the Shopify login portal.

Masquerading as the Square login portal.

Masquerading as the British Airways login portal.

Masquerading as the Air New Zealand login portal.

Masquerading as the Bank of New Zealand login portal.

Masquerading as a generic phone number login portal.

Generating Your Own Phishing Links, Websites, and Pages

Are you looking for more information on how attackers create enticing phishing links, phishing pages, or full-blown phishing websites? These topics are shrouded in mystery, but the team at CanIPhish has performed exhaustive research to provide you with the answers you need.

Generating Phishing Links

When creating or generating phishing links, two complications need to be overcome.

Firstly, we need to ensure that phishing links look attractive to potential victims. To do this, we need to ensure there is some level of personalization. We want to ensure that the beginning of the link contains something familiar, perhaps a sub-domain that directly references the service or website being masqueraded.

Secondly, we need to ensure the phishing link doesn't get blocked by popular browser-based protection tools such as Google Safe Browsing, Microsoft SmartScreen, and much more. If a victim can't see the intended phishing page, then it's of no use. Phishing links need to use various evasion techniques such as randomisation, single-use detonation, and much more to evade browser-based protections.

To learn more about the importance of phishing links and how you can get started, see our blog, which details what a phishing link is. Alternatively, if you're curious how QR codes are abused to send phishing links, see our blog which outlines what quishing is.

Generating Phishing Pages

One of the first questions you should ask yourself when creating a phishing website is whether you need to duplicate the entire website or if you only need to make a single phishing page.

This requirement is defined by the type of phishing attack you're performing and what the end goal is. If you just want to harvest user credentials, then a single webpage masquerading as the login page will meet your needs. If you're looking to duplicate the end-to-end workflow of a banking transaction, then perhaps you need to create a complete duplicate of the website.

At CanIPhish, we focus on only creating single phishing pages. We've found that creating complete duplicates of a website can be troublesome and nearly impossible to maintain. Should a provider make a single change to a web API, redesign a page, or make one of a thousand different types of changes, your full copy will be out-of-date and potentially ineffective.

Frequently Asked Questions

What Is A Phishing Website?

A phishing website is a deceptive website designed to masquerade as the website of a trusted organization. These websites are typically operated by cybercriminals with the goal of stealing or capturing sensitive information from a victim. Cybercriminals will commonly use fake login, product, or checkout pages to meet this goal.

Are Phishing Websites Used In Phishing Simulations?

Yes. Using phishing websites in phishing simulations is extremely beneficial for several reasons. Firstly, from a reporting and tracking perspective, it allows organizations to better understand how susceptible an employee is to phishing – did the employee click the simulated phishing link but then close the page after they noticed the suspicious URL? Or did they still proceed to enter their credentials? Secondly, your employees also benefit from seeing the full lifecycle of a phishing attack in action, training them to always look at the URL of any website they visit.