How to Create a Phishing Campaign

Phishing attacks are a major risk for organisations worldwide, so it's important to stay proactive in identifying vulnerabilities. Regular phishing campaigns play a key role in strengthening your organisation’s defences against these threats.

✅Proactive Preparation:

A little setup goes a long way! Before launching any campaigns, we recommend:

  1. Whitelisting: Ensure your phishing and training emails land in learners’ inboxes without interruption. Follow the exact steps in our whitelisting guides for a smooth setup.
  2. Run a Test Phishing Campaign: Send a test to 3- 4 users to check that whitelisting is working and emails are getting through.
  3. Launch a Baseline Phishing Test: Assess your organisation’s current vulnerability to phishing attacks.

Need more help? Visit:

Watch our Video Tutorial:

Launch a Phishing Campaign in 5 Simple Steps

Step 1. Create Campaign

  • Sign in to your Admin dashboard.
  • Go to the 'Phishing' section.
  • Click 'Create Campaign' to get started.

Step 2. Select Template

  1. Choose which phishing templates your learners will receive:
  • Select a Single Template - All learners receive the same phishing email.
  • Select Random Templates - Learner receives different phishing emails selected randomly from your chosen group.
  1. Use the tabs to browse:
  • All - Full template library.
  • My Templates - Your saved templates (Draft, Modified, Published).
  • Favourites - Templates you’ve liked.
  1. Use filters to narrow down your search by:
  • Type - Attachment, Credential, URL Phish
  • Topic - Banking, Delivery, Cloud Services, etc.
  • Status - New, Updated, Draft, Modified, Published
  1. To Add a Template:
  • Click the three-dot menu (⋮) on any template card.
  • Select ' Select’ to add it to your campaign.
  • Keep an eye on the “Selected” counter to track how many pieces you’ve chosen.

Once you're happy with your selection, continue to the next step.

Step 3. Select Recipients

Choose who will receive the phishing simulation:

  • Everyone - Send to all learners.
  • Specific Departments - Target select teams/ groups.
  • Specific Learners - Manually select users.

Note: Unlicensed learners will be automatically excluded. To include them in future campaigns, remember to renew their licenses.

Step 4. Set a Schedule

Choose how and when emails are sent:

  1. Now - Launch the campaign immediately.
  2. Scheduled - Choose a date and time using the calendar icon.
  3. Random Delivery - Randomise email delivery to avoid all learners receiving the email at once. This helps prevent sharing or tipping off.

*For Random Delivery:

  • Pick a launch date.
  • Set the active period (e.g 7 days).
  • Use the 'Send email over' field to define a delivery window( e.g. 1-3 days).

* Emails will be sent in randomised batches.

Step 4. Select Training Type

Decide how learners are trained or notified if they interact with the phishing email:

  1. When the campaign ends:
  • Learners who click or share information are redirected to a 404 error page.
  • When the campaign ends, they receive an automated email explaining their actions.
  1. Just-in-Time Training:
  • Learners are redirected to a training page (eg, infographic, webpage, video) immediately after clicking or sharing information.
  1. No Training:
  • Learners are redirected to a 404 error page with no further training interaction.

Note: Managers often disable training notifications for baseline phishing assessments to avoid tipping off learners.

Step 5. Complete Setup

  1. Click ' Complete Setup' and review your campaign.
  2. Enter the following:
  • Campaign Name
  • Description
  • Spoofed Sender Name ( what appears in learners' inboxes).
  1. Click the Edit button next to any section to make changes.
  2. Click 'Start Campaign' to launch.

Campaign Overview

To review and monitor your campaign:

  1. Go to the 'Phishing' section.
  2. Click on the campaign you want to review.
  3. Click 'View Campaign'
  4. On the overview page, click Expand Status

You’ll now see detailed timestamps and actions taken by each learner. For example:

  • Learner A: Email sent, April 17, 6:30 AM
  • Learner B: Email scheduled, April 18, 22, 5:11 AM

For more, visit our Monitor and Review Phishing Campaigns guide.

Post-Launch Notifications

  1. Learner Notifications: Learners receive emails based on their actions (if enabled).
  2. Phishing Campaign Results: Campaign results are automatically emailed to the admin company manager once the campaign concludes.

For more, visit:

If you get stuck, contact our support team via the chatbot - we’re happy to help!

Did this answer your question? Thanks for the feedback There was a problem submitting your feedback. Please try again later.

Still need help? Contact Us Contact Us

Related Articles