How to create a phishing campaign
Read this tutorial, or watch our Phishing-related videos on our Tutorial Videos page, to learn about the various functions of KnowBe4's Phishing area.
Creating a phishing campaign
A campaign can consist of either a single phishing test, or a recurring series of tests done Weekly, Bi-Weekly, Monthly, or Quarterly. You can choose one or more groups to target or phish all your users. You can also select individual phishing templates for a one-time test, or fully randomize the templates so that users are receiving different phishing templates at different times.
Remember to import your users into the console before conducting your phishing tests. This is how we know which users to send our tests to. Click here to learn about importing users.
To create a new Phishing Campaign, click the “+Create Campaign” button in the upper right-hand corner of the screen. This will take you to the campaign creation screen.
Campaign Creation Screen:
The first option is to choose a name for your Phishing campaign. This will help you determine the purpose or scope of the campaign at a glance in other areas of the product.
2) Deliver To:
Here you can choose which users should be phished as part of this campaign. Select All Users to phish everyone in your console, or limit this campaign to specific Groups. You must make a selection to continue.
Set the frequency for the campaign using one of the options provided, or leave it as a one-time campaign. For ongoing phishing, we recommend testing your users at least monthly.
4) Start Time:
Here you set the time this campaign begins. This is useful if you want to plan out specific campaigns in the future, or do not want to start the campaign immediately. Note the default start time is 10 minutes from when you entered the campaign creation screen. You can select a specific time zone to phish your users in as well.
In this section, you’ll decide if you want to do an email blast to users, meaning they will receive the phishing test emails all at once, or if you’d rather spread the emails out over a specific duration of time.
Selecting “Send all emails when the campaign starts” will send all the emails to your users all at once, while the “Send emails over ‘X’ Business days/Weeks/Months” will randomly spread them out over the selected duration. The minimum sending duration is 1 day, while the maximum is 6 months. The digit entered must be from 1 to 6.
6) Set your Business Hours:
When you choose to send the emails out over a specified duration, you’ll also be able to define your organization’s business days and hours to limit the period of time when emails will be sent to your users. Business days and hours will be respected no matter what sending duration you choose, meaning if you choose for your campaign to send emails for a week or a month, emails will only be sent on the business days selected and during your defined business hours.
You can set your organization's default settings so that it will default to the proper time zone, date format, business days, and hours. Do this within your Account Settings (click your email address to the top-right of your screen while logged in).
7) Track Activity:
Here you will choose how long you’d like to track activity on your phishing campaign. This period will begin after the last email is sent. At a minimum, we recommend tracking activity for at least 3 days (here, days = calendar days, rather than business days).
Activity includes clicks, attachment opens, data entry, EZXploit failures, as well as reporting by the Phish Alert Button. The minimum tracking duration is 1 day, while the maximum is 6 months. The digit entered must be from 1 to 6.
8) Track Replies to Phishing Emails:
With this setting, you can track if your users are prone to responding to phishing emails. For more details on this feature, view our article on Reply-To Phishing.
Here you choose the type of emails you will be sending in your phishing test. This consists of selecting one or more categories of emails. These categories will determine the types of emails you can have your campaign send out.
Click the drop-down list to choose the categories you wish to select emails from. You can select more than one category of emails by clicking on them. This is important if you would like to randomize the emails chosen for a campaign.
Remember: If you see many categories that you’d rather not use, you can hide categories in your System Templates area so that they don’t appear in your list of available Categories when setting up a phishing campaign.
Next, choose the email(s) you wish to send out in the campaign. The list will change dynamically based on the categories you chose from the email templates. You can select a specific email from the drop-down list and use the preview button to see what it will look like. You will also be able to quickly view the estimated difficulty rating of each template.
You can also select one of two randomizing options explained below.
There are two other options available when choosing emails that can help you with the effectiveness of your campaign:
- Option 1: Random (same random email to all users)
This option chooses a random email from the selected categories and sends the same email to all users in the test. A different email is chosen for subsequent tests if the campaign is recurring.
- Option 2: Full Random (random email to each user)
This option will randomly select a different email for each user in the test. The email chosen will come from among all the categories you checked. This is ideal to prevent users from easily identifying when a phishing test is occurring.
Recommendation: If you’re sending out only one template to your users, it is best to do an email blast all at once. If you’re using multiple templates, we recommend spreading them out over a longer duration of time and fully randomizing them.
10) Difficulty Rating:
The Difficulty Rating is a setting we apply to a template to estimate how sophisticated it is (meaning, how likely it is to trick your users into failing). Here you can select what difficulty rating(s) you’d prefer to use for your campaign. Select one or more difficulty ratings and your list of templates will dynamically update to match this specification.
11) Phish Link Domain:
This is the domain that will appear if a user inspects the phishing link by mousing over it (without clicking). There are a variety of domains to choose from (some more obviously “phishy” than others!). The default setting will randomize the domain for each campaign.
Note: these domains are owned by us and are only used for phishing tests.
Choosing the right domain: Some domains are more suited to particular types of phishing emails. You can choose a custom domain to more closely match the type of phishing test you are conducting.
12) Landing Page:
If you'd like to change the landing page that all users who are a part of this test will see, you may do so quickly by selecting a landing page when setting up a campaign. If you leave "Use Defaults" as the option here, the system will use the landing page that is associated with that particular email template.
13) Add Exploit:
If desired, you can add an EZXploit pen-test to your phishing campaign which will try to retrieve certain information about the users that fail the test. A guide on EZXploit can be found here.
14) Add Clickers To:
This option allows you to select a group to which any “Clickers” from this campaign will be added. Essentially, if a user clicks on a phishing link or opens an attachment in any of the tests in this campaign, it will add them to the group you specify here. This can be helpful if you wish to set up remedial training campaigns for phish-prone users. For information on setting up remedial training, you can click here. If you're a Platinum or Diamond-level customer, you can use our Smart Groups feature to automate remedial training for your phish-prone users. Click here to learn more.
15) Send an email report to account admin after each Phishing Security Test:
This will send a report to all admins on the account each time a phishing test is completed and include metrics such as phish-prone percentage, attachments opened, etc.
Once you are done specifying your campaign settings, click “Create Campaign”.
Different types of phishing tests
Phishing link test
A typical phishing test is an email that has a link to a supposedly malicious website. You can use our built-in templates for your phishing tests, customize them to your specifications or even create them from scratch. These emails can appear to come from any sender email address, e.g. a reputable organization, or perhaps a spoofed email address that the user may recognize. We will track any employee who opens and/or clicks on the links in the phishing email.
Attachment tests are phishing emails that are sent out with an attachment included, allowing you to test if your users are vulnerable to this method of social engineering. The data for users who fail your attachment phishing tests will be available in your reports. Our built-in attachments can be added to any email template from within the template editor. Just select an attachment type and provide a name for the file.
See all of the different types of built-in attachments you can add to your email templates and how they work by checking out this article. You cannot modify our built-in attachments or upload your own attachments to a phishing email template.
Our phishing templates (under System Templates and Community Templates) will show the attack vector (Attachment, Link, etc.) in the Template Name, so you can search for templates that have a specific attachment type that you'd like to test out.
Data entry tests (Phishing for Sensitive Information)
A data entry test, referred to also as “phishing for sensitive information”, is an email that contains a phishing link which will redirect the user to one of our pre-made landing pages that resemble actual login or data entry screens for legitimate websites. These tests record not only who clicked on the link, but also who entered data.
Note: We will NEVER save or record in any way what the user submits or types into these boxes. We only track that they did type in and submit some data into the text fields.
In order to make sure the data is not logged on our servers, you must use, for the form field names, one of the following: password, password_confirmation, old_password, credit_card, ssn, social_security_number, domain_name, uname, number, verification_value, brand. See this article for more information.
Spear phishing tests
A spear phishing test is a directed test at a particular user or set of users that uses more targeted information or even personal information to try to trick the user into opening the attachment or clicking on the link in the phishing email. You can spear phish your users within your console. You can create customized email templates to phish certain users with if you think they are prone to a certain type of phishing technique or scam and would like to test this.
Note: If you would like more assistance with a spear phishing test, please contact support and we'd be happy to advise you on how to craft these tests.
EZXploit pen test
An EZXploit test will allow you to test the vulnerability of your user base by instructing them to run a Java Applet which will appear on the landing page they arrive to after failing a phishing test. If the user allows the Applet to run, various levels of data can be obtained about that particular user and their machine. A guide on EZXploit can be found here.
You can test your users with phishing emails while optionally allowing our system to both track and record any replies that they send to that phishing email. This is recommended, especially for departments (such as Accounting) that are often the target of real-life business email compromise or CEO fraud attacks. For more details on our reply-to phishing feature and how it can be useful, click here.
Clicking on the Campaigns screen will let you manage current and past campaigns. You can choose to see Active, Inactive, or Hidden campaigns. You can see the status, duration and other helpful information about the campaign.
Campaign Monitoring screen
Editing a campaign:
You can edit a recurring campaign by clicking the drop-down arrow on the right side and selecting Edit. You can change certain campaign settings here if you wish. Note: Do not change a recurring campaign into a one-time campaign. If you wish to end it, deactivate it.
Cloning a campaign:
You can clone any existing campaign to expedite the process of making similar phishing campaigns. All of the same settings will transfer to the cloned campaign, aside from the original start date and time. The title will remain the same, but with "Clone" added to the end.
Deactivating or reactivating a campaign:
You can deactivate or reactivate a campaign by clicking the down arrow on the right side of the campaign. Note that one-time campaigns do not need to be deactivated as they only run once.
Note: We recommend that once you deactivate a campaign, that you start a new one instead of reactivating it.
Hiding a campaign:
You can choose to hide certain campaigns from your reports by clicking the drop-down arrow on the right side and selecting Hide from reports. The details for Hidden reports can still be viewed under the Hidden tab under Campaigns.
Deleting a campaign:
You can delete a campaign or even a single phishing test from within a campaign. This will delete all data associated with that test or campaign including who it went to, who clicked or did not click and the record of what email was used. This is PERMANENT and cannot be undone. You can use this if you’d like to conduct a sample phishing test to see how it works and purposely click on a phishing link, and in this way, you would be able to remove that test or campaign from your overall results.
Clicking on a campaign will take you to the campaign overview screen for that specific campaign. If the campaign was a one-time test, you will see an overview of your phish-prone percentage, clicks in the first 8 hours, clicks by day, as well as other useful information. If the campaign was a recurring campaign, running on an ongoing basis, you can see the Phish-prone percentage over the course of the campaign, as well as the top 50 users that clicked on phishing links over the campaign’s duration. On recurrent campaigns, you can click on “Phishing Security Tests” to see a list of all the tests that have run as part of that campaign. You can drill down further and see test-specific information by clicking on each test.
Users tab under each phishing test:
Clicking the Users tab next to the Overview tab will let you filter various statistics such as who clicked a link or opened an attachment within the phishing email or any users who entered data on a landing page. Under the Clickers tab, you will be able to view the date and time each user clicked the link, as well as their IP address, operating system, and browser. For more details on the individual campaign results, click here.