Setting Up Your First Phishing Campaign
A comprehensive step-by-step guide to creating and launching an effective phishing simulation
Introduction
Phishing simulations are a critical component of security awareness training. By safely mimicking real-world phishing attacks, you can identify vulnerable users, measure your organization's susceptibility to phishing, and provide immediate education to those who fall for simulated attacks.
This guide will walk you through creating your first phishing campaign with PhishFortress, from planning to execution and analysis.
Before You Begin
Planning Your Campaign
Before creating your campaign in the platform, it's important to define your objectives and approach:
Objectives:
- Establish baseline phishing susceptibility
- Test awareness of specific threat types
- Evaluate effectiveness of recent training
- Target high-risk departments or roles
Approach:
- Difficulty level (easy to sophisticated)
- Targeted vs. organization-wide
- Single template vs. multiple templates
- With or without immediate training
Important Consideration
Creating Your Campaign
Follow these steps to create your first phishing campaign in PhishFortress:
Access Campaign Creator
Navigate to the Campaigns section in the sidebar and click "Create New Campaign".
Campaign Details
Enter the basic information for your campaign:
- Campaign Name: Choose a descriptive name (e.g., "Q2 2023 Awareness Test")
- Description: Add details about the campaign's purpose and goals
- Start Date: When the campaign should begin
- End Date: When the campaign should conclude (typically 1-2 weeks)
- Send Time: Choose between immediate, scheduled, or randomized delivery
Select Template
Choose a phishing template from the library or create a custom template:
Browse the template library and filter by category, difficulty, or industry:
- Password Reset: Simulates IT password reset notifications
- File Sharing: Mimics document sharing platforms
- Account Alert: Warns of account issues requiring immediate action
- Package Delivery: Notification of package delivery or tracking
- Social Media: Simulates notifications from social platforms
Target Recipients
Select which users will receive the phishing simulation:
- All Users: Send to everyone in your organization
- Groups: Target specific departments or teams
- Custom Selection: Handpick individual recipients
- Random Sample: Select a percentage of users randomly
Configure Training
Set up the training experience for users who click on phishing links:
- Landing Page: Choose what users see after clicking (warning, training, etc.)
- Training Module: Assign an immediate training lesson (optional)
- Feedback Form: Allow users to provide feedback on the simulation
- Reporting Instructions: Include guidance on how to report real phishing
Review and Launch
Review all campaign settings and prepare for launch:
- Preview Email: See exactly how the phishing email will appear
- Test Delivery: Send a test email to yourself
- Verify Settings: Double-check all campaign parameters
- Launch Campaign: Activate the campaign according to your schedule
Final Checklist
- Ensure your IT and support teams are aware of the campaign
- Verify that executive stakeholders have approved the simulation
- Check that your landing page includes clear educational content
- Confirm that tracking is properly configured to collect results
During the Campaign
While your campaign is active, monitor its progress and be prepared to address any issues:
Real-Time Monitoring
Use the campaign dashboard to track key metrics in real time:
- Delivery Rate: Percentage of emails successfully delivered
- Open Rate: Percentage of recipients who opened the email
- Click Rate: Percentage of recipients who clicked on phishing links
- Report Rate: Percentage of recipients who reported the email
- Credential Submission: Users who entered credentials on landing pages
Support Preparation
Be ready to handle questions and concerns:
- Prepare your IT helpdesk with information about the campaign
- Create a FAQ document for common questions
- Monitor support tickets related to the phishing simulation
- Have a point of contact available for escalations
Campaign Adjustments
Be prepared to make changes if necessary:
- Pause the campaign if critical issues arise
- Adjust timing if it conflicts with unexpected business events
- Extend the campaign if delivery rates are lower than expected
- Add additional recipients if needed
Analyzing Results
After your campaign concludes, analyze the results to gain insights and plan next steps:
- Overall Susceptibility: Percentage of users who fell for the phish
- Departmental Comparison: How different teams performed
- Time Analysis: When most clicks occurred
- Device Breakdown: Desktop vs. mobile click rates
- Reporting Rate: How many users reported the phish
- Repeat Clickers: Users who clicked multiple times
- Credential Submission: Users who entered sensitive information
- Training Completion: Percentage who completed follow-up training
- Time to Report: How quickly users reported the phish
- User Feedback: Comments from the feedback form
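The dashboard metrics listed under Real-Time Monitoring and the post-campaign analysis above can also be computed from a raw event export. The following is an added example, not PhishFortress code: it assumes a constructed event list with the fields (user, department, event, timestamp, device) and derives delivery, click and report rates, credential submissions, repeat clickers, device and departmental breakdowns, and median time to report.

```python
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Constructed sample events for one simulation (not a real PhishFortress export).
# Row: (user, department, event, ISO timestamp, device or None)
EVENTS = [
    ("alice", "Finance", "delivered", "2023-04-03T09:00:00", None),
    ("alice", "Finance", "clicked",   "2023-04-03T09:06:00", "desktop"),
    ("alice", "Finance", "submitted", "2023-04-03T09:07:00", "desktop"),
    ("alice", "Finance", "clicked",   "2023-04-03T14:20:00", "mobile"),
    ("bob",   "Finance", "delivered", "2023-04-03T09:00:00", None),
    ("bob",   "Finance", "reported",  "2023-04-03T10:03:00", "mobile"),
    ("carol", "HR",      "delivered", "2023-04-03T09:00:00", None),
    ("carol", "HR",      "clicked",   "2023-04-03T11:01:00", "desktop"),
    ("dave",  "IT",      "delivered", "2023-04-03T09:00:00", None),
    ("dave",  "IT",      "reported",  "2023-04-03T09:30:00", "desktop"),
    ("erin",  "HR",      "bounced",   "2023-04-03T09:00:00", None),
]

def analyze(events):
    # Reduce raw events to the dashboard and post-campaign metrics the guide lists.
    clicks, device_clicks, submitted = Counter(), Counter(), set()
    dept_delivered, dept_clicked = defaultdict(set), defaultdict(set)
    delivered_at, reported_at = {}, {}
    for user, dept, ev, ts, device in events:
        t = datetime.fromisoformat(ts)
        if ev == "delivered":
            delivered_at[user] = t; dept_delivered[dept].add(user)
        elif ev == "clicked":
            clicks[user] += 1; device_clicks[device] += 1; dept_clicked[dept].add(user)
        elif ev == "submitted":
            submitted.add(user)
        elif ev == "reported":  # keep only the earliest report per user
            reported_at[user] = min(t, reported_at.get(user, t))
    sent, delivered = len({e[0] for e in events}), len(delivered_at)
    pct = lambda n, d: round(100.0 * n / d, 1) if d else 0.0
    minutes_to_report = [(reported_at[u] - delivered_at[u]).total_seconds() / 60
                         for u in reported_at if u in delivered_at]
    return {
        "delivery_rate": pct(delivered, sent),
        "click_rate": pct(len(clicks), delivered),       # unique users, not raw clicks
        "report_rate": pct(len(reported_at), delivered),
        "credential_submission": sorted(submitted),
        "repeat_clickers": sorted(u for u, n in clicks.items() if n > 1),
        "device_breakdown": dict(device_clicks),
        "click_rate_by_department": {d: pct(len(dept_clicked[d]), len(s))
                                     for d, s in dept_delivered.items()},
        "median_minutes_to_report": median(minutes_to_report) if minutes_to_report else None,
    }
```

Rates are computed against delivered recipients rather than the send list, so bounced addresses do not deflate the click or report rate, and the click rate counts unique users so a repeat clicker is not counted twice.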
Next Steps
Based on your campaign results, consider these follow-up actions:
Targeted Training
Assign additional security awareness training to users who clicked on phishing links, focusing on the specific tactics used in your simulation.
Executive Reporting
Create a summary report for leadership highlighting key findings, risk areas, and recommendations for improving security awareness.
Campaign Schedule
Develop a regular schedule for phishing simulations, gradually increasing difficulty and varying the tactics used to build comprehensive awareness.
Policy Review
Evaluate if your security policies need updates based on campaign findings, particularly around reporting procedures and handling suspicious emails.