Admin Managers' Guide: How to Create a Phishing Campaign

Phishing attacks pose a major risk to organisations worldwide. Running regular phishing campaigns helps identify vulnerable learners or teams and provides "teachable moments" to build a stronger security culture.
✅ Proactive Preparation:
A little setup goes a long way! Before launching your first phishing campaign, we recommend verifying the following:
- Have you whitelisted? Ensure you've fully whitelisted our domains and any third-party systems so simulation emails land safely in learners' inboxes.
- Have you set up the Phish Reporter? Ensure the reporter is configured and your team knows how to use it (either via the Phish Reporter button or by forwarding to your dedicated internal reporting mailbox).
- Have you sent out a test campaign? Send a quick test campaign targeting just 2 or 3 users to verify your setup.
- Recommended Baseline: Send an unannounced Baseline test first to measure your team’s starting risk level before any training begins.
Launch a Phishing Campaign in 6 Steps
Step 1. Create Campaign
- Sign in to your Admin Dashboard.
- Navigate to Phishing > Campaigns.
- Click the Create Campaign button (top right).

Step 2. Select Template
Choose how you want to test your team:
- Single Template: Send one specific email template to everyone.
- Random Templates: Select multiple templates. The system will randomly distribute them among learners to prevent "office chatter" ("Hey, did you get that fake UPS email?").
Tip: Use Filters to quickly find templates by Language, Name, Type (Attachment, Credential, or URL), Topic or Status.

Step 3. Select Recipients
- Everyone: Targets all active learners.
- Specific Departments: Target specific groups (e.g., Finance, HR, or Sales).
- Specific Learners: Manually select individual users.
Note: New learners added to the platform while a campaign is live or upcoming will be automatically enrolled.

Step 4. Set a Schedule
Select your delivery strategy:
- Now: Emails start sending immediately upon launching the campaign.
- Scheduled: Choose a specific future date and time for deployment.
- Random Delivery (Recommended): Set an Active Period (e.g., 7 days) and a Delivery Window. The system will send the emails out randomly during this time to maximise realism.

Step 5. Select Training Type
Decide what happens if a learner "fails" the test (clicks a link, opens an attachment, or shares credentials):
- Just-in-Time Training (Recommended): The learner is immediately redirected to a remedial landing page (Video, Infographic, or Web Page) to reinforce training.
- When the Campaign Ends: Learner sees a "404 Error" page; they get a training email only after the campaign ends.
- No Training: Learners see a 404 page with no follow-up training. (Always use this option when launching a Baseline test.)

Need more info? Visit our Just-in-Time Training guide.
Step 6. Complete Setup
Review your settings and finalise the details:
- Enter your Campaign Name
- Sender Name: What shows in the inbox (e.g., "IT Desk" or "HR Portal").
- Click Start Campaign to go live!

Platform Domain & Roadmap Notes:
- Sender Domain: Custom domains are not supported at this time. Sub-domain customisation is on our product roadmap (allowing your brand name in the URL), but the Goldphish domain will remain a part of the URL for application security and reporting purposes.
- Sender Names: We are currently developing a feature that will allow you to assign unique sender names to individual templates within a multi-template (Random) campaign.
Campaign Overview & Metrics
You can track your campaign's performance in real-time via two routes:
- Go to Dashboard > My Company > Scroll down to Phishing Campaigns > Select your campaign.
- Go to Phishing > Campaigns > Select your active or ended campaign > Click View Campaign.
Click Expand Status on the overview page to see specific action timestamps for each learner.

🔍 Metrics & Troubleshooting
| Metric | Definition | Troubleshooting |
| --- | --- | --- |
| Open | The learner opened the email. | Why is there a hollow "Assumed Opened" icon? We track opens via a tiny hidden image. If a learner's email client blocks automatic image downloads, an open can't be logged. However, if they click a link in that email, the platform automatically marks it as Assumed Opened, so your engagement metrics remain accurate. |
| Clicked | The learner clicked a link or opened an attachment. | Unusually high or 100% Click Rate? (False Positives) If your metrics show immediate clicks across your entire team, your corporate email security filters/firewalls are likely "clicking" the links to check them before delivering them to inboxes. Please revisit your Whitelisting Setup to bypass these automated checks. See the guides: How to fix False Positives; Whitelisting. |
| Compromised | The learner went a step further and entered credentials into a fake landing page. | Risk indicator. Consider targeting these users with dedicated follow-up training. |
| Trained | The learner completed their assigned "Just-in-Time" training. | Tracks remedial efforts. |
| Report Rate | The percentage of learners who actively used the Phish Reporter tool and reported the email. | Reported emails not reflecting on the dashboard? If your users report the emails, but the numbers aren't climbing, your email server's security settings may be blocking external outbound email forwarding. |
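
The Open and Clicked rows above describe two behaviours that are easy to check in exported results: a click with no logged open counts as Assumed Opened, and clicks that land immediately after delivery usually come from a mail security filter. The following is an added example, not Goldphish code; the `(learner, event, timestamp)` event format and the 60-second threshold are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Assumption: a click this soon after delivery is treated as a filter, not a person.
SCANNER_WINDOW = timedelta(seconds=60)

# Constructed sample events in a hypothetical export format.
EVENTS = [
    ("alice", "delivered", "2024-05-06T09:00:00"),
    ("alice", "clicked",   "2024-05-06T09:00:03"),
    ("bob",   "delivered", "2024-05-06T09:00:05"),
    ("bob",   "opened",    "2024-05-06T10:12:40"),
    ("bob",   "clicked",   "2024-05-06T10:13:02"),
    ("carol", "delivered", "2024-05-06T09:00:09"),
    ("carol", "clicked",   "2024-05-06T11:30:00"),
    ("dave",  "delivered", "2024-05-06T09:00:11"),
]

def summarise(events, window=SCANNER_WINDOW):
    """Return {learner: {"open": state, "click": state}} from raw events."""
    first = {}  # learner -> earliest timestamp per event kind
    for learner, kind, ts in events:
        t = datetime.fromisoformat(ts)
        seen = first.setdefault(learner, {})
        if kind not in seen or t < seen[kind]:
            seen[kind] = t
    result = {}
    for learner, seen in first.items():
        clicked, delivered = seen.get("clicked"), seen.get("delivered")
        if "opened" in seen:
            open_state = "opened"
        elif clicked is not None:
            open_state = "assumed_opened"  # tracking image blocked, link clicked
        else:
            open_state = "not_opened"
        if clicked is None:
            click_state = "none"
        elif delivered is not None and clicked - delivered <= window:
            click_state = "likely_automated"  # candidate false positive
        else:
            click_state = "human"
        result[learner] = {"open": open_state, "click": click_state}
    return result

def automated_share(summary):
    """Fraction of recorded clicks that look automated."""
    clicks = [s["click"] for s in summary.values() if s["click"] != "none"]
    return sum(c == "likely_automated" for c in clicks) / len(clicks) if clicks else 0.0
```

A share close to 1.0 across the whole campaign matches the "100% Click Rate" symptom in the table and points back to the whitelisting setup rather than to learner behaviour.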
Need more help? Explore our Phishing and Troubleshooting guides.
If you get stuck at any point, click the chatbot icon on the bottom right to chat with our support team - we’re happy to help!