Reflex: Creating a Reflex campaign


  1. Ensure you have a process for employees to report a potential phishing attack (slack, ticketing system, email alias, etc.)
  2. Whitelist all IP addresses used by Reflex to prevent phishing emails from going to spam folders.
  3. Read the following article, Simulated Phishing Campaign communication

This article covers the following topics:

  1.  Create a new campaign
  2.  Choose recipients
  3.  Select templates
  4.  Set notification preferences
  5.  Schedule campaign 
  6. Confirm & schedule campaign 

Step 1: Create a new campaign

Navigate to Reflex and click on 'Create New Campaign'


  1. Name the campaign. Recommended format: Group to be phished_test type_date (e.g., Engineering_Github_April 2019).
  2. Add a campaign description.
  3. Determine if it is a test campaign. Results for campaigns marked as test will not impact employee's security scores. 
  4. Clicks 'Save & Continue' button.



Step 2: Choose recipients

Choose a group from the dropdown list. If you want to create a group that you don't see, you can create a new custom group. To perform that task, read the following article: Utilizing Groups in Elevate Security At this time, you can only choose one group at a time. Once you have the correct group, click 'Continue'. 


Step 3: Select templates

Send multiple templates to a single campaign (AKA the variety pack). Turn on the toggle to enable this feature. 


  1. Choose a 'Phishing Email Template' from the dropdown menu and preview by clicking 'Preview Template'. Make any change to the template by going to the 'Templates' tab. More information is available about how to do that. Screen_Shot_2020-12-01_at_10.41.37_AM.png
  2. Choose the Phishing URL from the dropdown menu. The sub-domain is created manually, if you want to change it, you can. Do not use a branded name (i.e., Facebook or Google) or else the URL will be caught by your email vendor and browser security as phish. Screen_Shot_2020-12-01_at_10.44.22_AM.png

Step 4: Set notification preferences

Determine under which email and conditions, you would like email notifications sent about the phishing campaign. 


Step 5: Schedule campaign

  • Campaign start - time emails will begin sending
  • Campaign End - time when links will no longer be tracked or available for employees to click on. 
  • Stagger rate - Elevate Security recommends not to change this stagger rate. This ensures your system does not interpret the simulation as a brute force attack. 


Step 6: Confirm & schedule campaign

  1. Validate all the configurations are correct. 
  2. Send yourself a sample email template. 
  3. Click the box 'Yep everything looks correct!'
  4. Click Schedule Campaign


Next Steps

To help determine how hard a phishing email is or should be, we recommend you read Best Practice Guide: Determining Phishing Test Difficulty

Ready to review campaign results? Accessing your reporting

Read our best practice guide, Post-Campaign Communications.






Was this article helpful?
1 out of 1 found this helpful