Creating a Reflex campaign

Creating your first campaign? If so be sure to complete these steps first:

  1. Ensure that you have a process for employees to report a potential phish (slack, ticketing system, email alias, etc.) attack.
  2. Whitelist all IP addresses used by Reflex to prevent phishing emails from going to spam folders.
  3. Read our Pre-Campaign Communication to Employees

This article covers the following topics:

  1.  Create a new campaign
  2.  Choose recipients
  3.  Select templates
  4.  Set notification preferences
  5.  Schedule campaign 
  6. Confirm & schedule campaign 

Step 1: Create a new campaign

Navigate to Reflex and click on 'Create New Campaign'


  1. Name the campaign. Recommended format: Group to be phished_test type_date (e.g., Engineering_Github_April 2019).
  2. Add a campaign description.
  3. Determine if it is a test campaign. Results for campaigns marked as test will not impact employee's security scores. 
  4. Clicks 'Save & Continue' button.



Step 2: Choose recipients

Choose a group from the dropdown list. If you want to create a group that you don't see you can create a new custom group. Information on how to do that is here: Utilizing Groups in Elevate Security

At this time you can only choose one group at a time. 

Once you have the correct group you can click 'Continue'. 


Step 3: Select templates

You can now send multiple templates to a single campaign (AKA the variety pack). You can do this by turning on the toggle. 


  1. You can choose a 'Phishing Email Template' from the dropdown and see a quick preview by clicking 'Preview Template'. If you want to make any change to the template you can do so by going to the 'Templates' tab more information about how to do that is hereScreen_Shot_2020-12-01_at_10.41.37_AM.png
  2. You then can choose the Phishing URL from the dropdown. The sub-domain is created manually for you, if you want to change it you can. However, do not use a branded name (i.e., Facebook or Google) or else the URL will be caught by your email vendor and browser security as phish. Screen_Shot_2020-12-01_at_10.44.22_AM.png

Step 4: Set notification preferences

Determine under which email, and under which conditions, you would like email notifications sent about the phishing campaign. 


Step 5: Schedule campaign

  • Determine campaign start - time emails will begin sending - and campaign end - time when links will no longer be tracked or available for employees to click on. 
  • Determine stagger rate. We recommend that you do not change this stagger rate. This helps ensure your system does not interpret the simulation as a brute force attack. 


Step 6: Confirm & schedule campaign

  1. Validate all the configurations are correct. 
  2. Send yourself a sample email template. 
  3. Click the box 'Yep everything looks correct!'
  4. Click Schedule Campaign

And you are done! 



Next Steps

To help determine how hard a phishing email is or should be, we recommend you read Best Practice Guide: Determining Phishing Test Difficulty

Ready to review campaign results? Accessing your reporting

Read our best practice guide, Post-Campaign Communications.






Was this article helpful?
1 out of 1 found this helpful