NOTE: Once a phishing campaign status is "Started" the phishing campaign cannot be edited.
The baseline test is a useful way to reveal your organisation's initial susceptibility to falling for phishing emails, your Click-Prone® Score.
Once you know this number, you can monitor your progress throughout your security awareness training and watch it decline as your users become more adept at spotting phishing emails.
To create a baseline test, follow the steps below.
Create a Campaign
- Click "Campaigns" under "PHISHING" on the main menu.
- Click "CREATE NEW CAMPAIGN".
- Give it a name such as "Baseline Test" and hit "NEXT STEP".
- Check the box "Send emails to all recipients" and hit "NEXT STEP".
- Select the start time for the baseline test, usually this is done immediately but you may wish to schedule for the next day or another point in the near future.
- Check "Send all your emails at the start time above", and hit "NEXT STEP"
- This will send all emails at the start of the campaign instead of staggering them over a long period of time. This method mimics a sudden phishing attack on all staff and is recommended for baseline tests.
- This will send all emails at the start of the campaign instead of staggering them over a long period of time. This method mimics a sudden phishing attack on all staff and is recommended for baseline tests.
- On the Campaign Tracking page, check the first box "Would you like to track user replies to phishing emails"
- You will need to use a custom Reply-to Address to ensure email replies are tracked. This can be anything you like, and will finish with one of our custom domains.
- Pro Tip: To add additional authenticity, add in a subdomain that mimics your own domain.
- If you wish to view the content of recipients' replies, check the last box "Would you like to keep any replies sent back from your recipients for later review?"
- Hit "NEXT STEP"
- You will need to use a custom Reply-to Address to ensure email replies are tracked. This can be anything you like, and will finish with one of our custom domains.
- We recommend using one of the "Change of Password..." emails, as these are often used for large-scale organisation attacks.
- NOTE: Any template can be chosen for a baseline test, but we suggest selecting one that users will recognise (such as a Microsoft 365 or Gmail template). For each email environment, we recommend the following templates:
- Microsoft 365: "Office 365: Change Your Password Immediately"
- Exchange on-premise: "Exchange: Mandatory Password Reset"
- G Suite: "Google/Gmail/Gsuite: Create your new password now"
- Other: "Change of Password Required Immediately"
- NOTE: Any template can be chosen for a baseline test, but we suggest selecting one that users will recognise (such as a Microsoft 365 or Gmail template). For each email environment, we recommend the following templates:
- Select a domain for the phishing links; we recommend using one of the organisation/security-based domains (E.G. "Microsoftested.com" or "Https-secured.online" etc).
- Select an innocuous landing page, such as the "404 Error Page" or a blank page, this can help reduce the number of users being alerted to the test.
- Hit SAVE
The test will now run at the scheduled time, you'll be able to see the results of the campaign within the "Campaigns" page.
NOTE: Once a phishing campaign status is "Started" the phishing campaign cannot be edited.
If you'd like any further assistance setting up a baseline test campaign, or any other usage of the platform, please contact support.