Creating your first campaign? If so, be sure to complete these steps first:
- Ensure that you have a process for employees to report a potential phishing attack (Slack, ticketing system, email alias, etc.).
- Whitelist all IP addresses used by Reflex to prevent phishing emails from going to spam folders.
- Read our Pre-Campaign Communication to Employees
This article covers the following topics:
Step 1: Create a new campaign
Navigate to Reflex and click on the new campaign sub-tab.
Select the "Start the Campaign" button toward the bottom of the page.
- Name the campaign. Recommended format: Group to be phished_test type_date (e.g., Engineering_Github_April 2019).
- Add a campaign description.
- Campaign Approach. Click 'Advanced options' if you want to customize notifications, add an expiration date to phishing links, set a reporting option, or pre-schedule the campaign.
- Stagger mails. To keep your messages from being blocked by your firewall, we stagger the emails so that they are not interpreted as a brute force attack. You can use the default settings or choose to spread them out even more.
- Admin Options. If you don't want the phishing test to contribute to your employees' phishing scores in Vision and show up as a simulation in Pulse, check the 'test run' box. Tip: Use this for internal tests of Reflex functionality.
- Click 'Create campaign'.
Step 2: Target Campaign
Choose a group from the dropdown list. If you don't see the group you want, you can create a new custom group. For instructions, see Utilizing Groups in Elevate Security.
You can currently choose only one group at a time. The first 500 users will show in the preview box to the right.
Once you have selected the correct group, click 'Continue'.
Step 3: Design Phishing Email
- Input "Phishing Email" details toward the top of the page.
- Click 'Templates' and select a template, which will update all the fields.
- Each template can be customized further. For example, with the Dropbox template, you can change the text within the email.
- To customize the template, click 'Source' in the menu bar.
- You can also change the from name, from address, and subject line.
- Click 'Preview Email' to continue.
- When you click 'Preview Email', the system will check that your mail server will accept the from address. This process could take a few minutes.
- If the process is successful, you will receive a phishing test confirmation email.
- Click 'Proceed to the next step.'
Step 4: Design Phishing Site
From there, you can customize the URL that phishing emails will be “sent” from. If using Gmail, please test the different URL options to see which URL does not have a Gmail warning associated with it.
- Next, select the appropriate landing page for the phishing template. Click 'Source' in the menu bar to edit the template.
- Select the appropriate after-login page. Click 'Source' in the menu bar to edit the template.
- Click 'Save websites' to continue.
Step 5: Review and Launch
- On this page, you can make additional edits or send a test email to yourself. Tip: If you use Gmail as your email provider, we recommend sending a few test campaigns internally to at least three people.
- If you're ready to start your campaign, click 'Launch Campaign'! You can create as many campaigns as you like, as often as you like.
To help determine how hard a phishing email is or should be, we recommend you read Best Practice Guide: Determining Phishing Test Difficulty.
Ready to review campaign results? See Accessing your reporting.
Read our best practice guide, Post-Campaign Communications.