How to Create a Phishing Campaign
Read this tutorial, or watch our Phishing-related videos on our Tutorial Videos page, to learn about the various functions of KnowBe4's Phishing area.
Creating a Phishing Campaign
A campaign can consist of either a single phishing test or a recurring series of tests done Weekly, Bi-Weekly, Monthly, or Quarterly. You can choose one or more groups to target or phish all your users. You can also select individual phishing templates for a one-time test or fully randomize the templates so that users are receiving different phishing templates at different times.
Remember to import your users into the console before conducting your phishing tests. This is how we know which users to send our tests to. Click here to learn about importing users.
To create a new Phishing Campaign, click the +Create Campaign button in the upper right-hand corner of the screen. This will take you to the campaign creation screen.
Campaign Creation Screen:
The first option is to choose a name for your Phishing campaign. This will help you determine the purpose or scope of the campaign at a glance in other areas of the product.
2) Deliver To:
Choose which users should be phished as part of this campaign. Select All Users to phish everyone in your console, or limit this campaign to specific Groups. You must make a selection to continue. Depending on your role, you may not see the All User or Specific Groups option.
Set the frequency for the campaign using one of the options provided, or leave it as a one-time campaign. For ongoing phishing, we recommend testing your users at least monthly.
4) Start Time:
Set the time this campaign begins. This is useful if you want to plan out specific campaigns in the future, or do not want to start the campaign immediately. Note the default start time is 10 minutes from when you entered the campaign creation screen. You can select a specific time zone to phish your users in as well.
In this section, you’ll decide if you want to do an email blast to users, meaning they will receive the phishing test emails all at once, or if you’d rather spread the emails out over a specific duration of time.
- Send all emails when the campaign starts - selecting this option will send all the emails to your users all at once. It may take several minutes for all the emails to be delivered. Please be aware that every recipient adds approximately 1 second to the delivery duration. For example, if you have 500 recipients, it will take approximately 500 seconds (8.3 minutes) to deliver all the emails.
- Send emails over ‘X’ Business days/Weeks/Months - selecting this option will randomly spread them out over the selected duration. The minimum sending duration is 1 day, while the maximum is 6 months. The digit entered must be from 1 to 6.
6) Set your Business Hours:
When you choose to send the emails out over a specified duration, you’ll also be able to define your organization’s business days and hours to limit the period of time when emails will be sent to your users. Business days and hours will be respected no matter what sending duration you choose, meaning if you choose for your campaign to send emails for a week or a month, emails will only be sent on the business days selected and during your defined business hours.
You can set your organization's default settings in your Account Settings so that it will default to the proper time zone, date format, business days, and hours.
7) Track Activity:
Choose how long you’d like to track activity on your phishing campaign. This period will begin after the last email is sent. At a minimum, we recommend tracking activity for at least 3 days (here, days = calendar days, rather than business days).
Activity includes clicks, attachment opens, replies, data entry, as well as reporting by the Phish Alert Button. The minimum tracking duration is 1 day, while the maximum is 6 months. The digit entered must be from 1 to 6.
8) Track Replies to Phishing Emails:
With this setting, you can track if your users are prone to responding to phishing emails. For more details on this feature, view our article on Reply-To Phishing.
Choose the type of emails you will be sending in your phishing test. This consists of selecting one or more categories of emails. These categories will determine the types of emails you can have your campaign send out.
If you don't want your users to be tested with phishing emails that include attachments, you can disable any of the attachment attack vectors from the Phishing section of the Account Settings page. See this article to learn more.
Click the drop-down list to choose the categories you'd like to select emails from. You can select more than one category of emails by clicking on them.
If you see categories that you’d rather not use, you can hide categories in your System Templates area so that they don’t appear in your list of available categories when setting up a phishing campaign.
Next, choose the email(s) you'd like to send out in the campaign. The list will change dynamically based on the categories you chose from the email templates. You can select a specific email from the drop-down list and use the preview button to see what it will look like. You will also be able to quickly view the estimated difficulty rating of each template.
You can also select one of two randomizing options (explained below).
There are two other options available when choosing emails that can help you with the effectiveness of your campaign:
- Option 1: Random (same random email to all users)
This option chooses a random email from the selected categories and sends the same email to all users in the test. If the campaign is recurring, a different email is chosen for subsequent tests and the campaign remembers the last five templates used to avoid repetition. For this option, we recommend that you send all the emails out at once.
- Option 2: Full Random (random email to each user)
This option will randomly select a different email for each user in the test. The email chosen will come from among all the categories you checked. This is ideal to prevent users from easily identifying when a phishing test is occurring. For this option, we recommend that you send the emails out over a longer duration of time.
10) Difficulty Rating:
The Difficulty Rating is a setting we apply to a template to estimate how sophisticated it is (meaning, how likely it is to trick your users into failing). Here you can select which difficulty rating(s) you’d prefer to use for your campaign. Select one or more difficulty ratings and your list of templates will dynamically update to match this specification.
11) Phish Link Domain:
This is the domain that will appear if a user inspects the phishing link by mousing over it (without clicking). There are a variety of domains to choose from (some more obviously “phishy” than others!). The default setting will randomize the domain for each campaign.
These domains are owned by us and are only used for phishing tests.
12) Landing Page:
The landing page is what the user will see if they click on a simulated phishing link. This selection will apply to all templates in this phishing campaign. Selecting a landing page here will override any template-specific landing pages as well as your default landing page. See this article for more information on landing page options.
13) Add Clickers To:
This option allows you to select a group to which any “Clickers” from this campaign will be added. Essentially, if a user clicks on a phishing link or opens an attachment in any of the tests in this campaign, it will add them to the group you specify here. This can be helpful if you'd like to set up remedial training campaigns for phish-prone users. Please note that if any modifications are made to this field after the phishing campaign is created, the changes will not take effect until the next time a phishing test is run.
For information on setting up remedial training, you can click here. If you're a Platinum or Diamond-level customer, you can use our Smart Groups feature to automate remedial training for your phish-prone users. Click here to learn more.
14) Send an email report to account admin after each Phishing Security Test:
This will send a report to all admins on the account each time a phishing test is completed and include metrics such as phish-prone percentage, attachments opened, etc.
15) Hide this campaign from reports:
This option removes all phishing campaign information from affected users and from phishing reports. Hidden campaigns will not affect risk scores or Phish-prone percentages. Campaigns used to test phishing functionality should be hidden. For example, phishing campaigns that are created to test for whitelisting or the tracking of clicks on phishing links.
Once you are done specifying your campaign settings, click Create Campaign.
Different Types of Phishing Tests
Our phishing emails allow you to test your users on multiple attack vectors.
Phishing link test
A typical phishing test is an email that has a link to a supposedly malicious website. You can use our built-in templates for your phishing tests, customize them to your specifications, or create them from scratch. These emails can appear to come from any sender email address, such as a reputable organization or a spoofed email address that the user may recognize.
We will track who clicks on the links in the phishing email. See more on how phishing link clicks are tracked here.
Attachment tests are phishing emails that are sent out with an attachment included, allowing you to test if your users are vulnerable to this method of social engineering. The data for users who fail your attachment phishing tests will be available in your reports. Our built-in attachments can be added to any email template while in the template editor. Just select an attachment type and provide a name for the file.
See all of the different types of built-in attachments you can add to your email templates and how they work by checking out this article. You cannot modify our built-in attachments or upload your own attachments to a phishing email template.
Our phishing templates (under System Templates and Community Templates) will show the attack vector (Attachment, Link, etc.) in the Template Name, so you can search for templates that have a specific attachment type that you'd like to test out.
Data entry tests (Phishing for Sensitive Information)
A data entry test, referred to also as “phishing for sensitive information”, is an email that contains a phishing link which will redirect the user to one of our pre-made landing pages that resemble actual login or data entry screens for legitimate websites. These tests record not only who clicked on the link, but also who entered data.
We will never save or record in any way what the user submits or types into these boxes. We only track that they did type in and submit some data into the text fields.
In order to make sure the data is not logged on our servers, you must use, for the form field names, one of the following: password, password_confirmation, old_password, credit_card, ssn, social_security_number, domain_name, uname, number, verification_value, brand. See this article for more information.
Spear phishing tests
A spear phishing test is a directed test at a particular user or set of users that uses more targeted information or even personal information to try to trick the user into opening the attachment or clicking on the link in the phishing email. You can spear phish your users within your console. You can create customized email templates to phish certain users with if you think they are prone to a certain type of phishing technique or scam and would like to test this.
If you would like more assistance with a spear phishing test, please contact support and we'd be happy to advise you on how to craft these tests.
You can test your users with phishing emails while optionally allowing our system to both track and record any replies that they send to that phishing email. This is recommended, especially for departments (such as Accounting) that are often the target of real-life business email compromise or CEO fraud attacks.
For more details on our reply-to phishing feature and how it can be useful, click here.
Clicking on the Campaigns tab will let you manage current and past campaigns. You can choose to see Active, Inactive, or Hidden campaigns. You can see the status, duration, and other helpful information about the campaign.
Campaign Monitoring Screen
Editing a campaign:
You can edit a recurring campaign by clicking the drop-down arrow on the right side and selecting Edit. You can change certain campaign settings here if you wish.
Do not change a recurring campaign into a one-time campaign. Deactivate a campaign if you'd like to end it.
Cloning a campaign:
You can clone any existing campaign to expedite the process of making similar phishing campaigns. All of the same settings will transfer to the cloned campaign, aside from the original start date and time. The title will remain the same, but with "Clone" added to the end.
Deactivating or reactivating a campaign:
You can deactivate or reactivate a campaign by clicking the down arrow on the right side of the campaign. Do not deactivate one-time campaigns as they cannot be reactivated.
Note: We recommend that once you deactivate a campaign, that you start a new one instead of reactivating it.
Hiding a campaign:
You can choose to hide certain campaigns from your reports by clicking the drop-down arrow on the right side and selecting Hide from reports. This option removes all phishing campaign information from affected users and from phishing reports. Smart Groups that reference phishing security test failures will be impacted. The details for hidden reports can still be viewed under the Hidden tab under Campaigns.
Deleting a campaign:
You can delete a campaign or even a single phishing test from within a campaign. This will delete all data associated with that test or campaign including who it went to, who clicked or did not click and the record of what email was used. This is permanent and cannot be undone. You can use this if you’d like to conduct a sample phishing test to see how it works and purposely click on a phishing link, and in this way, you would be able to remove that test or campaign from your overall results.
Clicking on a campaign will take you to the campaign overview screen for that specific campaign. If the campaign was a one-time test, you will see an overview of your phish-prone percentage, clicks in the first 8 hours, clicks by day, as well as other useful information. If the campaign was a recurring campaign, running on an ongoing basis, you can see the Phish-prone percentage over the course of the campaign, as well as the top 50 users that clicked on phishing links over the campaign’s duration. On recurrent campaigns, you can click on Phishing Security Tests to see a list of all the tests that have run as part of that campaign. You can drill down further and see test-specific information by clicking on each test.
Users tab under each phishing test:
Clicking the Users tab next to the Overview tab will let you filter statistics such as who clicked a link or opened an attachment within the phishing email or any users who entered data on a landing page.
Under the Clickers tab, you will be able to view the date and time each user clicked the link, as well as their IP address, operating system, and browser.
You can remove any phishing test failure as needed. See more here.
For more details on the individual campaign results, click here.