Running a Baseline Phishing Test

The baseline test is a useful way to reveal your organisation's initial susceptibility to falling for phishing emails, indicated by your Click-Prone® Score. Once you know this number, you can monitor your progress throughout your security awareness training and observe it decline as your users become more adept at spotting phishing emails.

1. Click "Campaigns" under "PHISHING" on the main menu.
   
   
   
2. Click "CREATE NEW PHISHING CAMPAIGN".
   
3. Give the campaign a name such as "Baseline Test".
4. Click "NEXT STEP".
5. On the recipient information page, you can select who should be targeted in this campaign. We recommend sending to all recipients by checking the box 'Send emails to all recipients'. However, you can use tags to include or exclude recipients.
   
   We recommend selecting a tag to be applied to all recipients who are part of this campaign. This will allow you to easily view who participated in the baseline test. You can select the tag you would like to use in 'Tags to associate with each Recipient after they have been phished' and then click "NEXT STEP".
6. Choose a start time and date for your baseline test.
   
7. Check the box "Send emails to all recipients" and hit "NEXT STEP."
   
   • This will ensure that all emails are sent at the start of the campaign instead of staggering them over a long period of time. This method simulates a sudden phishing attack on all staff and is recommended for baseline tests.
8. On the Campaign Tracking page, check the first box "Would you like to track user replies to phishing emails".
   
   • If you wish to track email replies, you must specify a From Name. This can be anything you like and will end with one of our custom domains.
     
     • Pro Tip: To add additional authenticity, add in a subdomain that mimics your own domain.
   • If you wish to view the content of recipients' replies, check the last box "Would you like to keep any replies sent back from your recipients for later review?".
   • Click "NEXT STEP".
     
     
     
9. Select a phishing template. We recommend using one of the "Change of Password..." emails, as these are often employed in large-scale organisational attacks.
   
   • NOTE: Any template can be chosen for a baseline test, but we suggest selecting one that users will recognize (such as a Microsoft 365 or Gmail template). For each email environment, we recommend the following templates:
     
     • Microsoft 365: "Office 365: Change Your Password Immediately".
     • Exchange on-premise: "Exchange: Mandatory Password Reset".
     • G Suite: "Google/Gmail/Gsuite: Create your new password now".
     • Other: "Change of Password Required Immediately".
       
10. Choose a domain for the phishing links. We recommend using one of the organisation/security-based domains (E.G. "Microsoftested.com" or "Https-secured.online" etc).
    
    
11. Select an innocuous landing page, such as the "404 Error Page" or a blank page; this can help reduce the number of users being alerted to the test. For more information on landing pages, see this guide.
    
    
12. On the Reporting page, you will be able to enable automated reports to be sent, which will provide you with information about this campaign. This setting does not have to be enabled. If you would like to learn more about report automations, you can read our guide here. Then, click "NEXT STEP".
    
    
    

13. The summary page will allow you to review your phishing campaign. When you are happy, click "save".

    

The test will now begin at your scheduled time. You will be able to access the campaign results on the "Campaigns" page. Below, our guide will explain how to review a phishing campaign.

• Reviewing a phishing campaign

Please let us know if you require any further assistance, you can contact our support team by clicking here. Or by sending an email to support@phishingtackle.com