How to Create a Phishing Campaign
Phishing attacks pose a major risk to organisations worldwide. Running phishing campaigns helps identify learners who may be vulnerable, and provides opportunities to build awareness, reinforce behaviours, and reduce organisational risk.
✅ Proactive Preparation:
A little setup goes a long way! Before launching your first phishing campaign, we recommend:
Whitelisting
- Ensure phishing and training emails land in learners’ inboxes without being blocked. Follow our Whitelisting Guides for step-by-step setup.
Run a Test Phishing Campaign
- Send a test to 3 - 4 users to check that whitelisting is correctly configured and emails are being delivered.
Launch a Baseline Phishing Test
- Assess your organisation’s current vulnerability to phishing attacks.
Need more details?
Watch our Video Tutorial:
Launch a Phishing Campaign in 6 Simple Steps
Step 1. Create Campaign
- Sign in to your Admin dashboard.
- Go to the Phishing section > Campaigns.
- Click Create Campaign.
Step 2. Select Template
Template Types
- Select Single Template or Random Template
- Use Filters to find the right template, language, Type, Topic and Status.
- Click the three-dot menu (⋮) on any template card.
- Click Select.
- Keep an eye on the selected counter to track how many templates you’ve chosen.
The platform defaults to English (GB), but you can override this when creating a localised campaign. For more info, visit our Localisation Guide.
Step 3. Select Recipients
Choose who will receive the phishing campaign:
- Everyone - All active learners
- Specific Departments - Target by department or group
- Specific Learners - Manually choose individuals
Note: During campaign setup, if you select 'Everyone' or a 'Specific Department' for a scheduled campaign, any new learners added to the platform before the campaign end date will be automatically included in any live or upcoming campaigns. They won't be added to past campaigns that have already ended.
Unlicensed learners will be automatically excluded. To include them in future campaigns, remember to Renew Their Licenses.
Step 4. Set a Schedule
Choose how and when phishing emails are delivered. Emails will begin sending as soon as the campaign starts, unless you schedule a future date or enable random delivery.
Delivery Options
- Now - Start the campaign immediately. Emails will begin sending as soon as the campaign is launched.
- Scheduled - Choose a start date, duration, and time for the phishing campaign to begin.
- Random Delivery - Send emails at random times to learners during your selected window, helping to avoid predictability.
*For Random Delivery:
- Select a launch date.
- Set the active period (e.g 7 days).
- Use the Send email over field to define a delivery window (e.g. 1-3 days).👇🏼
Step 5. Select Training Type
Choose what happens when a learner interacts with a phishing email:
- When the Campaign Ends: Redirects learners to a 404 page, then sends a follow-up training email after campaign completion based on the action they took.
- Just-in-Time Training: Redirects learners to a training page immediately after interaction (e.g. infographic or video).
- No Training: Redirects to a 404 page with no follow-up or training.
Need more info? Visit our Just - in - Time Training guide.
Step 6. Complete Setup
- Click Complete Setup to review your campaign settings.
- Enter the following:
- Campaign Name
- Description
- Spoofed Sender Name (the name that appears as the sender in learners’ inboxes - e.g. “IT Support” or “Security Team”).
- To make changes, click Edit next to any section.
- Click Start Campaign to launch!
*If you’ve scheduled the campaign or selected random delivery, emails will be sent according to your chosen settings.
Campaign Overview
To track progress and performance:
- Go to the Phishing section> Campaigns
- Click on your campaign > View Campaign.
- Click Expand Status ( Top right) to view detailed learner activity and timestamps.
Example:
- Learner A: Email sent, April 17, 6:30 AM
- Learner B: Email scheduled, April 18, 5:11 AM
Need more info? Visit our Monitor and Review Phishing Campaigns guide.
System Emails - What Learners & Admins Receive
Email Type |
Recipient | Purpose |
Clicked phishing link | Learners | Quick tips to avoid phishing in future |
Didn't open the phishing email | Learners | Congrats message for not engaging |
Opened attachment | Learners | Reinforcement tips to be cautious when opening attachments |
Opened phishing email | Learners | Educational tips for cautious behaviour |
Shared information | Learners | Quick tips to reinforce training and avoid sharing information |
Phishing campaign results | Admin Manager | Results of a training campaign that recently ended. |
Need more info?
If you get stuck, contact our support team via the chatbot - we’re happy to help!