How to Create a Phishing Campaign

Phishing attacks are a major risk for organisations worldwide, so it's important to stay proactive in identifying vulnerabilities. Regular phishing campaigns play a key role in strengthening your organisation’s defences against these threats.

Watch our Video Tutorial:

Proactive Preparation:

Before launching your Security Awareness Training, follow these key steps to ensure a smooth setup:

  1. Run a Preliminary Test Campaign: Send a test campaign to 1–2 learners to confirm they receive system email notifications. This ensures your whitelisting and notification settings are correctly configured.
  2. Launch a Baseline Phishing Test: Assess your organisation’s current vulnerability to phishing attacks.

For detailed guidance, visit our How to Launch a Baseline Phishing Test guide.

How to Create a Phishing Campaign

Follow these five steps to set up and launch your phishing campaign:

Step 1. Create Campaign

  • Login into your Admin dashboard.
  • Navigate to the 'Phishing' section.
  • Click 'Create Campaign' to begin.

Step 2. Choose Templates

  • Select a single ' Template' or toggle the 'Random Templates' option and select multiple templates for your campaign.

Step 3. Select Recipients

  1. Choose recipients by selecting one of the following options:
  • Everyone: Send to all learners.
  • Specific Departments: Target particular teams.
  • Specific Learners: Select individual learners.

*For specific departments or learners, use the drop-down menu to make your selections.

NOTE: Unlicensed learners will be automatically excluded from campaigns. To include them in the next campaign, renew their licence.

Step 4. Set a Schedule

You have three scheduling options:

  1. Now: Launch the campaign immediately.
  2. Scheduled: Set a specific date and time.
  • Use the calendar icon to pick a launch date.
  • Adjust the dropdown menu to set the campaign’s active period..
  1. Random Delivery: Randomise email delivery over time to avoid all learners receiving the email at once. This feature minimises internal sharing or tipping off during the campaign.
  • Use the calendar icon to pick a launch date.
  • Set the active period (e.g., 7 days) to define how long emails will be monitored.
  • Specify the number of days for email delivery( e.g., 1-3 days) in the 'Send emails over' field. Emails will be sent in small randomised batches over the selected period.

Step 4. Select Training Type

Decide how learners are notified and trained based on their actions during the simulation:

  1. When the campaign ends:
  • Learners who click or share information are redirected to a 404 error page.
  • At the campaign’s conclusion, they receive an automated email explaining their actions.
  1. Just-in-Time Training:
  • Learners are redirected to a training page (infographic, webpage, or video) immediately after clicking or sharing information.
  1. No Training:
  • Learners are redirected to a 404 error page with no further training interaction.
  • Managers may opt to withhold notifications for baseline phishing assessments to avoid tipping off learners.

Step 5. Finalise and Launch

  1. Click Complete Setup and review the campaign summary.
  2. Enter the following details:
  • Campaign Name
  • Description
  • Spoofed Sender Name (the displayed email address in the recipient’s inbox).
  1. Adjust any settings by clicking Edit in the relevant section.
  2. Click Start Campaign to launch.

Review Randomised Delivery in Campaign Overview

You can view when the system will send the randomised scheduled emails by following these steps:

  1. From the Phishing section, select Campaigns, or from the Admin Dashboard, select My Company.
  2. Click on the name of the specific phishing campaign you wish to review.
  3. Click View Campaign.
  4. You’ll be taken to the campaign’s overview page.
  5. Click on Expand Status. Here, you can see the schedule for randomised email delivery. For example, if your campaign is set to send over two days, one learner may receive their email on one day and time (e.g., Jan 22, 9:55 am), while another user will receive theirs on a different day and time (e.g., Jan 22, 5:55 pm).

For detailed guidance on how to monitor and review campaigns, visit our Monitor and Review Phishing Campaigns guide.

Post-Launch Notifications

  1. Learner Notifications: Learners receive email notifications based on their actions during the campaign.
  2. Phishing Campaign Results: Campaign results are automatically emailed to the company manager once the campaign concludes.

For detailed guidance, visit our guide on Overview of System Emails.

If you run into any issues while setting up or launching a phishing campaign, contact our support team via the chatbot for assistance.

Did this answer your question? Thanks for the feedback There was a problem submitting your feedback. Please try again later.

Still need help? Contact Us Contact Us

Related Articles