NOTE: Once a phishing campaign status is "Started" the phishing campaign cannot be edited.
In this article, we will cover creating a custom simulated phishing campaign.
We will create an example campaign from start to finish, which will give you an understanding of how to create and edit your own campaigns in the future.
The aim of this example campaign will be to send a specific email template to all users except those working in the IT department. Then we can see who opens it, who replies to it, and who clicks on the link.
Note: This is just an example campaign to take you through all aspects of campaign creation and the various options available. We encourage you to experiment with different ideas to find what suits your organisation best.
As with all the examples, you can substitute the names and descriptions used within for your own organisation's.
Prerequisites
Tags and Templates:
Make sure you have the right tags created and have chosen an appropriate email template and landing page.
Tags
First, create the following tags: (If you are unsure how to create a tag, see this article).
- "IT Team" - Assign this to any recipients you wish to exclude (if you're unsure how, see this article)
- "Clicker" - This is going to be assigned to anyone who clicks the link within our campaign (we'll get to that bit shortly)
You can also use your own tags to follow along if you prefer.
Templates
Take a look at the email templates page and select one you believe to be appropriate. (If you're unsure of how to do that, see this article)
From the main dashboard
Click "Campaigns" under "PHISHING" on the main menu:
Click "CREATE NEW CAMPAIGN"
Step 1 - Campaign Description
- Name it "Phishing Campaign to non-IT recipients" (or anything you like really, it's just an example).
- You can assign it a campaign tag, but this is totally optional as it is only used when sorting many campaigns by their tags. It does not affect which recipients it goes to (that's all covered in step 2).
Step 2 - Recipient Information
- Click "Send emails to all recipients" - Pretty simple, but we still need to exclude the IT Team...
- Under "Select the Recipients to EXCLUDE from this Campaign", select the "IT Team" - Sorted.
NOTE: If you haven't assigned a tag to any recipients, it will not appear in either the INCLUDE or EXCLUDE lists.
Step 3 - Scheduling Details
- Select the date and time you want the campaign to start
- By default, the start time of a new campaign will be the current time, using the organisation's time zone.
- This campaign needs to send everything immediately, so we hit "Send all emails now"
- This is just an example; you can stagger your campaigns over as short or long a period as you like.
- We don't wish to exclude any dates so we leave this section blank.
- To add authenticity when scheduling Campaigns, think about times you may wish to exclude from sending.
- E.g. a recipient is unlikely to open an email from the "Finance Team" on a day when the company is closed (e.g. Bank Holidays), so you can add in exclusion tags associated with those days if you wish.
- We don't want it to keep sending the same email so we leave the "Repeat the whole campaign..." set to "Never".
Step 4 - Campaign Tracking
- The default tracking time is 1 week, which we will leave as is.
- As we want to know who replies to it, we'll hit "Track user replies".
- Don't forget to specify an email address in the Custom Reply-to Address. If you leave this blank, recipients' emails won't be tracked.
NOTE: The subdomain is purely optional, but can be used to add a little more authenticity.
- We also want to know what they respond with, so we will select "Keep reply content for review".
Step 5 - Email Content
- We want to use the template(s) which we decided on earlier (during the prerequisites).
- If this is a group of templates, we select the tag(s) associated to those templates and then choose either Full Random or Half Random (Explained below).
- You can also select email tags you may wish to exclude from the phishing campaign.
NOTE:
- Full Random selects a random email from the tag(s) selected on the left for each recipient in the campaign.
- Half Random selects a single random email and sends it to all the recipients in the campaign.
- If this is just one email, we simply select the single email template from the Email Selection box.
- We can select a domain to add more authenticity.
- We want our template to go to a "404 page" so we pick one of those.
- We want anyone who clicks this link to be Tagged "Clicker" so we can filter the Recipients later, then hit SAVE.
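Because a started campaign cannot be edited, it helps to reason through who will receive what before saving. The following is an added Python model of the Step 2 exclusion and the Step 5 Full Random / Half Random options; it is not code from the platform or part of the original article. The recipient addresses, the extra tags, the template names and the function names are all constructed for illustration, and raising an error for a tag with no recipients is this model's stand-in for the tag simply not appearing in the INCLUDE or EXCLUDE lists.

```python
import random

# Constructed sample data; addresses, tags and template names are illustrative.
RECIPIENTS = [
    {"email": "alice@example.com", "tags": {"Finance"}},
    {"email": "bob@example.com", "tags": {"IT Team"}},
    {"email": "carol@example.com", "tags": set()},
    {"email": "dave@example.com", "tags": {"IT Team", "Managers"}},
    {"email": "erin@example.com", "tags": {"Managers"}},
]
TEMPLATES = [
    {"name": "Password expiry", "tags": {"Credential"}},
    {"name": "Shared document", "tags": {"Credential"}},
    {"name": "Parcel delivery", "tags": {"Delivery"}},
]


def selectable_tags(recipients):
    """Tags assigned to at least one recipient (the only ones selectable)."""
    return set().union(*(r["tags"] for r in recipients))


def resolve_recipients(recipients, exclude_tags):
    """'Send emails to all recipients' minus anyone carrying an excluded tag."""
    exclude = set(exclude_tags)
    missing = exclude - selectable_tags(recipients)
    if missing:  # assumption: modelled as an error; the UI just omits the tag
        raise ValueError(f"tag(s) not assigned to any recipient: {sorted(missing)}")
    return [r for r in recipients if not (r["tags"] & exclude)]


def assign_templates(recipients, templates, email_tags, mode, rng):
    """Map each recipient to a template name under 'full' or 'half' random."""
    pool = [t for t in templates if t["tags"] & set(email_tags)]
    if not pool:
        raise ValueError("no templates carry the selected tag(s)")
    if mode == "half":
        chosen = rng.choice(pool)  # one draw, shared by every recipient
        return {r["email"]: chosen["name"] for r in recipients}
    if mode == "full":
        # independent draw per recipient, so templates can differ per person
        return {r["email"]: rng.choice(pool)["name"] for r in recipients}
    raise ValueError(f"unknown mode: {mode}")
```

With Half Random every recipient's result refers to the same email, so open, reply and click rates are directly comparable; with Full Random, results need to be grouped by template before comparing recipients.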
NOTE: Once a phishing campaign status is "Started" the phishing campaign cannot be edited.
All Phishing Campaigns are refreshed every 60 seconds, so you will see the status as "Waiting" for a short while before it begins.
We'll leave this for a while until the Recipients have had a chance to react to the Campaign...
After this has run for some time, it's time to Review the Campaign.
To learn about Reviewing the Campaign, check out the link below: