How to Create a Phishing Campaign

Launching a simulated phishing campaign is a breeze and will only take a few minutes to complete. 

Head over to the 'Phishing' section in the menu, select the 'Campaigns' tab, click 'Create Campaign', and then simply follow the steps below. Get your campaign up and running smoothly in minutes!

You can then get started by following these 5 quick and simple steps:

1. Select a Template
2. Choose your Recipients
3. Set a Schedule
4. Notifications and Training
5. Confirm and Launch

Step 1. Select a Template

One of the most important steps to building a phishing campaign is choosing which email template you would like to use. We've got a library of realistic-looking email templates regularly used in real-life phishing attacks. All appear with a brief description and an opportunity to preview the scenario email template and corresponding fake landing page.

Some templates offer a click-only experience, where learners are taken straight to a just-in-time training experience, while others offer a spoof landing page experience that resembles a real website and will request credentials for that particular service (for example, their DropBox username and password in the DropBox templates). In either instance, learners will have the opportunity to exercise their skills in identifying a phishing attack!

You can even send a test email to check it out for yourself before starting your campaign.

When you have identified the template you want to use — be it a click-only scenario, or one offering a landing page — select the template card or click the 'Select' button to add it to your campaign.

(Can’t find a scenario you are looking for? Contact our Support team for assistance.)  

Step 2. Choose your Recipients

Phishing campaigns can be set to target 'Everyone' in your training program, across 'Specific Departments', or 'Specific Learners'.

Step 3. Set a Schedule

Once you've selected your campaign template and audience, the next step is to decide when you want to kick off your campaign.  It's a piece of cake! Use the dropdown menu and schedule your desired date and duration - whether it's a few days, weeks, months, or even a custom date in the future. Easy-peasy!

Step 4. Notifications & Training

Decide when you would like your learners to be notified of the simulated phishing attack.

Training Notifications

• When the campaign ends: If the learner clicks/shares info during the phishing simulation they will be redirected to a 404 error page. At the end of the campaign, all learners will receive automated email notifications alerting them to the ended simulated phishing campaign. Learners who avoided getting phished will receive a congratulatory message, while those that were phished will receive encouraging support, as well as, a link to complete just-in-time training. 
• Just-in-Time Training: Learners clicking on a simulated phishing link or posting login credentials on a spoofed landing page will immediately be redirected to a just-in-time training page where they will need to complete the assigned training and acknowledge their completion. 
• No notification: Managers may choose not to notify their learners of a phishing campaign at all. This may be used for baseline phishing assessments, where notifications may result in some learners warning others about the ongoing campaign. When the learner clicks/shares info during the phishing simulation they will be redirected to a 404 error page. No further training interaction is made.

For the 'baseline test', we recommend disabling just-in-time training so employees won't know they are part of a test. You can turn this back on for any of your other phishing campaigns.

Training Type

If you have selected the 'just-in-time training' or 'when the campaign ends' options, you have the opportunity to choose a quick training experience on phishing prevention for those who fall for the phishing test. You can preview each of the training pages and decide which training experience you want to provide for those learners. It's a chance to offer some valuable insights to help them learn from the simulated phishing attack. Take a look at the options and make your pick. Let's make sure everyone stays informed and protected!

Click on the 'Complete Setup'  button to proceed.

Step 5. Confirmation and Launch

To launch your campaign select the 'Complete Setup' button, and be sure to review your setup. 

Here you will also be able to:

• Create a Campaign Description, for your records.
• Create a spoofed 'Sender Name' for the email template you've selected. This will change the 'Sender' name as it appears in the recipient mailbox - it will not change the actual sender's email address/domain.

You can review the template selected for this campaign, the audience participating in it, the launch date, and training. If you spot anything that needs tweaking, just click on the handy 'Edit' buttons and make the necessary changes to ensure everything is right before you kick off your campaign.

NB! TEST, TEST, TEST

We recommend that you run a small-scale 'Test' campaign first involving one or two administrative users who can confirm receipt and tracking of clicks on phishing links.

• This should be done before the baseline test and will confirm that our system onboarding emails or simulated phishing emails are getting through any spam/firewall protection.
• Also test that you've whitelisted correctly, avoiding any false positives in the phishing 'click' data.
• And finally, test the Phish Reporter, to check reported phishing emails are correctly being recorded on the Platform.

You will receive an email notification on the launch date letting you know that the campaign has gone live. Once the campaign is complete, you will receive an email notification with a link to review the campaign results in the admin platform. 

If you run into any issues while launching a phishing campaign, let our support team know using the chatbot.