Creating your first campaign? If so, be sure to complete these steps first:
- Ensure that you have a process for employees to report a potential phishing attack (Slack, ticketing system, email alias, etc.).
- Whitelist all IP addresses used by Reflex to prevent phishing emails from going to spam folders.
- Read our Pre-Campaign Communication to Employees
This article covers the following topics:
- Create a new campaign
- Choose recipients
- Select templates
- Set notification preferences
- Schedule campaign
- Confirm & schedule campaign
Step 1: Create a new campaign
Navigate to Reflex and click on 'Create New Campaign'.
- Name the campaign. Recommended format: Group to be phished_test type_date (e.g., Engineering_Github_April 2019).
- Add a campaign description.
- Determine if it is a test campaign. Results for campaigns marked as test will not impact employees' security scores.
- Click the 'Save & Continue' button.
Step 2: Choose recipients
Choose a group from the dropdown list. If you don't see the group you want, you can create a new custom group. Information on how to do that is here: Utilizing Groups in Elevate Security.
You can currently choose only one group at a time.
Once you have the correct group, click 'Continue'.
Step 3: Select templates
You can now send multiple templates in a single campaign (AKA the variety pack). To do this, turn on the toggle.
- Choose a 'Phishing Email Template' from the dropdown. You can see a quick preview by clicking 'Preview Template'. If you want to make any change to the template, you can do so by going to the 'Templates' tab. More information about how to do that is here.
- Then choose the Phishing URL from the dropdown. The sub-domain is created manually for you; you can change it if you want. However, do not use a branded name (e.g., Facebook or Google), or else the URL will be flagged as phishing by your email vendor and browser security.
Step 4: Set notification preferences
Determine which email address should receive notifications about the phishing campaign, and under which conditions they should be sent.
Step 5: Schedule campaign
- Determine campaign start (the time emails will begin sending) and campaign end (the time when links will no longer be tracked or available for employees to click on).
- Determine stagger rate. We recommend that you do not change this stagger rate, because it helps ensure your system does not interpret the simulation as a brute-force attack.
Step 6: Confirm & schedule campaign
- Validate that all the configurations are correct.
- Send yourself a sample email template.
- Click the box 'Yep everything looks correct!'
- Click 'Schedule Campaign'.
And you are done!
To help determine how hard a phishing email is or should be, we recommend you read Best Practice Guide: Determining Phishing Test Difficulty.
Ready to review campaign results? See Accessing your reporting.
Read our best practice guide, Post-Campaign Communications.