- Ensure you have a process for employees to report a potential phishing attack (slack, ticketing system, email alias, etc.)
- Whitelist all IP addresses used by Reflex to prevent phishing emails from going to spam folders.
- Read the following article, Simulated Phishing Campaign communication
This article covers the following topics:
- Create a new campaign
- Choose recipients
- Select templates
- Set notification preferences
- Schedule campaign
- Confirm & schedule campaign
Step 1: Create a new campaign
Navigate to Reflex and click on 'Create New Campaign'
- Name the campaign. Recommended format: Group to be phished_test type_date (e.g., Engineering_Github_April 2019).
- Add a campaign description.
- Determine if it is a test campaign. Results for campaigns marked as test will not impact employee's security scores.
- Clicks 'Save & Continue' button.
Step 2: Choose recipients
Choose a group from the dropdown list. If you want to create a group that you don't see, you can create a new custom group. To perform that task, read the following article: Utilizing Groups in Elevate Security At this time, you can only choose one group at a time. Once you have the correct group, click 'Continue'.
Step 3: Select templates
Send multiple templates to a single campaign (AKA the variety pack). Turn on the toggle to enable this feature.
- Choose a 'Phishing Email Template' from the dropdown menu and preview by clicking 'Preview Template'. Make any change to the template by going to the 'Templates' tab. More information is available about how to do that.
- Choose the Phishing URL from the dropdown menu. The sub-domain is created manually, if you want to change it, you can. Do not use a branded name (i.e., Facebook or Google) or else the URL will be caught by your email vendor and browser security as phish.
Step 4: Set notification preferences
Determine under which email and conditions, you would like email notifications sent about the phishing campaign.
Step 5: Schedule campaign
- Campaign start - time emails will begin sending
- Campaign End - time when links will no longer be tracked or available for employees to click on.
- Stagger rate - Elevate Security recommends not to change this stagger rate. This ensures your system does not interpret the simulation as a brute force attack.
Step 6: Confirm & schedule campaign
- Validate all the configurations are correct.
- Send yourself a sample email template.
- Click the box 'Yep everything looks correct!'
- Click Schedule Campaign
To help determine how hard a phishing email is or should be, we recommend you read Best Practice Guide: Determining Phishing Test Difficulty
Ready to review campaign results? Accessing your reporting
Read our best practice guide, Post-Campaign Communications.