This article explains how to schedule a Phishing simulation campaign in SMARTFENSE, detailing each available configuration field and the indicators the campaign collects.
What is a Phishing simulation campaign?
Phishing simulation campaigns consist of emails that aim to deceive the user into revealing confidential information. These emails include links that redirect to a page with a form that attempts to capture that information.
They allow you to measure the real behavior of users against a controlled attack and, if unsafe behavior is detected, trigger a Teachable Moment to raise the user's awareness at the right time.
Create the campaign
- From the main menu, go to Campaigns > Calendar.
- Click the New campaign button.
- Select Phishing.
Campaign configuration
At a minimum, a Phishing simulation campaign requires the following data to be scheduled:
- Groups
- Scenario
- Start date
- Expiration date
SMARTFENSE automatically detects the time zone of the administrator's device when scheduling. The dates and times you configure will be defined in the time zone of the device from which you are creating the campaign.
Groups
By default, SMARTFENSE allows you to select Groups as recipients of a campaign. The other options can be displayed by clicking the More options button at the bottom of the screen.
The platform requires you to select at least one recipient to schedule a campaign.
Scenario
Defines the theme of the Phishing simulation campaign. It is possible to select more than one scenario.
If you choose more than one scenario, when the campaign is sent each user will receive a specific scenario randomly selected from the chosen set. This means that, although several scenarios are selected, each user will participate in only one. It is not possible to send multiple scenarios to the same user in a single campaign.
Start date
Date on which the campaign begins sending simulation emails and collecting interaction statistics.
Once the Start date has passed, the only field you can modify while the campaign is in progress is the Expiration date. This can be done from the Calendar or the Campaigns list: locate the campaign you want to edit and go to View campaign details > Information and actions.
Expiration date
Date on which the campaign stops collecting statistics.
The maximum duration of a Phishing simulation campaign is 4 days. This allows simulating attacks more aligned with reality and obtaining results similar to those of campaigns carried out by cybercriminals.
More options
The following fields are displayed by clicking the More options button at the bottom of the screen.
Mode
Defines how users are assigned to the campaign. There are two options:
- One-time initial assignment with specific expiration date: all recipient users are assigned when the Start date arrives. Changes made to the groupings after that date are not considered.
- Recurring assignment with relative duration: the campaign periodically checks which users meet the recipient conditions and assigns them automatically. Each user's expiration date is calculated based on the defined Duration in days, starting from the moment they are assigned.
User management in Recurring assignment with relative duration campaigns:
- Users added to a recipient grouping after the start date are assigned automatically, but not immediately: the assignment takes place on the day after the edit, at the same time of day as the Start date.
- Users removed from the grouping after being assigned remain assigned to the campaign.
Recipients
In this section different types of groupings can be selected as campaign recipients: Groups, Functional areas, Hierarchical levels, Smart groups, and Individual users.
You can combine the selected groupings in two ways:
- Assign users who belong to at least one grouping of each type.
- Assign users who belong to any of the selected groupings.
Users must belong to at least one grouping of each type
Users who meet each of the following points will be assigned to the campaign:
- Belong to at least one of the selected Groups.
- Also belong to at least one of the selected Functional areas.
- Additionally belong to at least one of the selected Hierarchical levels.
- And finally belong to at least one of the selected Smart groups.
Users must belong to any of the selected groupings
Users who meet any of the following points will be assigned to the campaign:
- Belong to at least one of the selected Groups.
- Or belong to at least one of the selected Functional areas.
- Or belong to at least one of the selected Hierarchical levels.
- Or belong to at least one of the selected Smart groups.
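The two combination rules above are easy to get wrong when several grouping types are selected at once. The following Python snippet is an added example (not SMARTFENSE code) that models both rules over a constructed set of users. One assumption, not stated in the article, is made explicit in the code: in the "each type" rule, a grouping type with nothing selected is ignored rather than excluding every user, and Individual users are always assigned regardless of the rule.

```python
from dataclasses import dataclass, field

# Grouping types that can be combined. Individual users are a direct
# selection and are handled separately in assign_recipients().
GROUPING_TYPES = ("groups", "functional_areas", "hierarchical_levels", "smart_groups")


@dataclass
class User:
    email: str
    groups: set = field(default_factory=set)
    functional_areas: set = field(default_factory=set)
    hierarchical_levels: set = field(default_factory=set)
    smart_groups: set = field(default_factory=set)


def assign_recipients(users, selection, mode):
    """Return the set of e-mails assigned to the campaign.

    selection maps each grouping type to the selected groupings, plus an
    optional "individual_users" key holding directly selected e-mails.
    mode is "each_type" (at least one grouping of each selected type) or
    "any" (at least one of any selected grouping).

    Assumption (not stated in the article): in "each_type" mode a type with
    no selection is ignored, and individually selected users are always
    assigned in both modes.
    """
    if mode not in ("each_type", "any"):
        raise ValueError(f"unknown mode: {mode}")
    individuals = selection.get("individual_users", set())
    assigned = set()
    for user in users:
        # For every type that has a selection: does the user hit at least one?
        hits = {
            t: bool(getattr(user, t) & selection[t])
            for t in GROUPING_TYPES
            if selection.get(t)
        }
        if mode == "each_type":
            matched = bool(hits) and all(hits.values())
        else:
            matched = any(hits.values())
        if matched or user.email in individuals:
            assigned.add(user.email)
    return assigned


# Constructed sample users (not from the original article).
USERS = [
    User("alice@example.com", groups={"Sales"}, functional_areas={"Finance"},
         hierarchical_levels={"Manager"}),
    User("bob@example.com", groups={"Sales"}, functional_areas={"IT"}),
    User("carol@example.com", groups={"Support"}, functional_areas={"Finance"}),
    User("dave@example.com", groups={"Support"}, functional_areas={"IT"}),
]

# Constructed selection: the Sales group plus the Finance functional area.
SELECTION = {"groups": {"Sales"}, "functional_areas": {"Finance"}}

if __name__ == "__main__":
    print("each type:", sorted(assign_recipients(USERS, SELECTION, "each_type")))
    print("any:      ", sorted(assign_recipients(USERS, SELECTION, "any")))
```

With the sample data, "each type" assigns only alice (Sales and Finance), while "any" assigns alice, bob and carol; dave matches neither selected grouping and is left out in both modes.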
Scheduling
In addition to choosing the start and expiration date, Phishing simulation campaigns allow you to select the send type:
- Normal sending: emails are sent to all recipient users when the campaign's start date and time arrives.
- Random sending: each user receives the email at a different time. Sending takes place on the days in the first half of the range between the Start date and the Expiration date, between 09:00 and 18:00.
The platform guarantees that all assigned users receive the email during the sending days. The campaign remains active and collecting statistics until the day selected as the expiration date.
Random sending cannot be used to make each user receive a random scenario. Randomness refers only to the day and time of sending.
Campaigns with random sending cannot start on the same day they are created or scheduled. A future start date must be configured.
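To make the Random sending rules concrete, here is an added Python example (not SMARTFENSE code) that computes the days and times on which emails could land for a given Start date and Expiration date, enforces the 4-day maximum, and rejects a start date that is not in the future. The article does not define "first half of the range" precisely; the code assumes it means the first half of the campaign's calendar days, rounded up, so a one-day campaign sends on its single day. The rng and today parameters are the example's own, added so the result is reproducible offline.

```python
import random
from datetime import date, datetime, time, timedelta

MAX_CAMPAIGN_DAYS = 4                  # maximum duration stated in the article
WINDOW_START, WINDOW_END = time(9, 0), time(18, 0)   # 09:00 to 18:00


def sending_days(start, expiration):
    """Calendar days on which Random sending may deliver emails.

    Assumption: "first half of the range" is the first half of the campaign's
    calendar days, rounded up.
    """
    total_days = (expiration - start).days + 1
    if total_days < 1:
        raise ValueError("Expiration date must not precede Start date")
    if total_days > MAX_CAMPAIGN_DAYS:
        raise ValueError(f"campaign exceeds the {MAX_CAMPAIGN_DAYS}-day maximum")
    half = (total_days + 1) // 2
    return [start + timedelta(days=i) for i in range(half)]


def random_send_times(start, expiration, recipients, today, rng=None):
    """Pick one random send datetime per recipient within the allowed window."""
    if start <= today:
        raise ValueError("Random sending requires a Start date in the future")
    rng = rng or random.Random()
    days = sending_days(start, expiration)
    window_seconds = (WINDOW_END.hour - WINDOW_START.hour) * 3600
    schedule = {}
    for recipient in recipients:
        day = rng.choice(days)
        offset = rng.randrange(window_seconds)          # seconds after 09:00
        schedule[recipient] = datetime.combine(day, WINDOW_START) + timedelta(seconds=offset)
    return schedule


def within_window(moment):
    """True if a datetime falls inside the 09:00-18:00 sending window."""
    return WINDOW_START <= moment.time() < WINDOW_END


# Constructed example: a 4-day campaign scheduled from "today" = 2025-03-02.
TODAY = date(2025, 3, 2)
START, EXPIRATION = date(2025, 3, 3), date(2025, 3, 6)
RECIPIENTS = ["alice@example.com", "bob@example.com", "carol@example.com"]

if __name__ == "__main__":
    print("sending days:", sending_days(START, EXPIRATION))
    for who, when in random_send_times(START, EXPIRATION, RECIPIENTS, TODAY,
                                       rng=random.Random(1)).items():
        print(who, when)
```

For the 4-day campaign in the sample, emails go out only on 3 and 4 March; the campaign still collects statistics through 6 March. Calling random_send_times with a Start date equal to today raises an error, matching the rule that random sending campaigns cannot start on the day they are scheduled.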
Campaign details
- Name: identifies the campaign within the platform.
- Description: displayed on the calendar when hovering over the campaign.
- Test campaign: if you enable this option, the campaign runs without affecting reports or generating records in the user or campaign audit.
Derived actions
Allows you to add a Teachable Moment to the Phishing simulation campaign. Teachable Moments are used to raise user awareness at the moment they perform an unsafe behavior within the simulation.
To configure it you must define:
- Topic of the Teachable Moment.
- User action that triggers its sending:
  - Click on the Phishing link received by email.
  - Enter data on the Phishing page.
- Delivery mode:
  - Instantly, when the action occurs in the web browser.
  - Instantly, when the action occurs in the web browser, and also by email at the same time.
  - On a date after the campaign expiration, when all corresponding Teachable Moments are sent by email.
The Teachable Moment ends with a validation question and shows feedback after the user's response. Both can be edited from Settings > Simulations > Teachable moments.
Advanced
Sample sending
If you enable this option, the simulation email is sent only to a sample of the total recipients. You must enter the sample size as a percentage. The included users are randomly chosen from the total recipients.
Phishing URL
Defines the URL used in Phishing simulation emails.
- Use SMARTFENSE URLs (default option): the link is built with the platform's subdomain and a domain randomly selected from a list of SMARTFENSE domains intended to host simulated Phishing traps.
- Use custom URL: allows you to select a custom Hostname, managed in Settings > Organization > Hostnames, and explicitly choose a domain from the list of available domains.
If you select the Random domain option, the platform will randomly choose a domain for all the campaign's links. This domain will be the same for all recipient users. If you want to use a custom domain, contact technical support from the Help Center.
Password entry
Defines the behavior of the login form on the simulation's landing page.
- Allow the user to enter their password (default option): only whether or not data was entered in the form is recorded. The entered data is not stored, analyzed, or manipulated at any time.
- Prevent the user from entering their password: the password field is disabled. The user can only enter a single character in the username field. When they do, the form is automatically submitted and the Data entered statistic is recorded.
On the landing page, the username and password fields must have the attributes name="user" and name="password" respectively, so that the platform correctly captures the user's action.
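A custom landing page whose fields carry the wrong name= attributes will silently never record the Data entered statistic, so it is worth checking the page before scheduling. The following Python snippet is an added example (not SMARTFENSE code) that parses a landing page with the standard library and reports whether some form contains inputs named user and password. It also covers the best practice at the end of this article for scenarios with a custom landing page. The sample pages are constructed for the example; the second one shows the common mistake of identifying the fields by id= instead of name=.

```python
from html.parser import HTMLParser

# Field names the platform expects on the landing page, as stated in the article.
REQUIRED_FIELDS = {"user", "password"}


class _FormFieldScanner(HTMLParser):
    """Collect the name= attribute of every <input> inside each <form>."""

    def __init__(self):
        super().__init__()
        self.forms = []        # one set of input names per <form> encountered
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = set()
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            # Only name= counts: id="user" or placeholder="user" does not make
            # the platform record the Data entered statistic.
            if attrs.get("name"):
                self._current.add(attrs["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def check_landing_page(html):
    """Return (ok, missing).

    ok is True when some <form> on the page has both required inputs;
    missing lists the required names absent from the best-matching form
    (all of them when the page has no <form> at all).
    """
    scanner = _FormFieldScanner()
    scanner.feed(html)
    scanner.close()
    if not scanner.forms:
        return False, sorted(REQUIRED_FIELDS)
    best = min(scanner.forms, key=lambda names: len(REQUIRED_FIELDS - names))
    missing = sorted(REQUIRED_FIELDS - best)
    return not missing, missing


# Constructed sample pages (not from the original article).
GOOD_PAGE = """
<form method="post" action="/login">
  <input type="text" name="user" placeholder="Corporate e-mail">
  <input type="password" name="password">
  <button type="submit">Sign in</button>
</form>
"""

# Common mistake: fields identified by id=, with other values in name=.
BAD_PAGE = """
<form method="post" action="/login">
  <input type="text" id="user" name="username">
  <input type="password" id="password" name="pwd">
  <button type="submit">Sign in</button>
</form>
"""

if __name__ == "__main__":
    for label, page in (("good", GOOD_PAGE), ("bad", BAD_PAGE)):
        ok, missing = check_landing_page(page)
        print(label, "OK" if ok else f"missing name= attributes: {missing}")
```

Run it against the HTML of your custom landing page (for example, read from a file) before scheduling the campaign; a non-empty missing list means the Data entered indicator will not be recorded for that form.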
Send me a test
Before scheduling the campaign, you can receive a test in your email by clicking the Send me a test button. The test takes the following configured parameters into account:
- Scenario: the test is sent with the configured scenario.
- Password entry: the form allows or blocks password entry as configured.
- Teachable Moment: the defined configuration will be applied.
Other parameters such as Phishing URL have no effect on the Send me a test button. Their effect can only be seen in a scheduled campaign.
Indicators collected by the campaign
Once started, the campaign records the following indicators:
- Sent: the email was sent to the user.
- Opened: the user opened the email.
- Link click: the user clicked on a link inside the Phishing simulation email.
- Data entered: the user entered data into the form on the Phishing simulation landing page.
- Teachable moments sent by email: the user performed an action that triggered the sending of the Teachable Moment by email.
- Teachable moments opened: the user viewed the Teachable Moment in their email or instantly in their browser.
- Teachable moments answered correctly: the user correctly answered the Teachable Moment question used to validate its reading.
- Teachable moments answered incorrectly: the user incorrectly answered the Teachable Moment question used to validate its reading.
- Phishing campaign reported: the user reported the received email. This indicator is only available if the phishing reporting button is installed.
Software-generated statistics
Before launching a Phishing or Ransomware simulation campaign, it is important to apply a Whitelist process in all the organization's tools that interact with emails sent from SMARTFENSE. This ensures that:
- The simulation email reaches the inbox and not SPAM.
- Security tools do not interact with the email by generating statistics on behalf of the user.
Before saving the campaign, the platform asks you to confirm that the Whitelist was applied correctly and that test campaigns were sent to a representative sample without evidence of blocks or software interactions.
Best practices
- Before launching, use a Test campaign to verify that the landing page loads and navigates correctly and that the domains used in the simulation are allowed in the organization's security tools.
- Send a Test campaign to analyze statistics and check whether there are false positives. If necessary, review the whitelist application.
- Define an Expiration date consistent with the objective and keep the campaign within the 4-day maximum to obtain realistic results.
- Use Random sending to simulate real behaviors and reduce the "user-to-user warning" effect during the campaign.
- Combine the Phishing simulation with a Teachable Moment to raise user awareness at the exact moment they perform an unsafe behavior.
- Use Send me a test to validate the scenario and form behavior before scheduling the campaign.
- For scenarios with a custom landing page, verify that the form fields use the name="user" and name="password" attributes so that the platform correctly captures the Data entered statistic.