Creating a phishing campaign in PhishGrid is a straightforward process designed to simulate real-world phishing and vishing scenarios.
Step 1: Initiate Campaign Creation
Go to your PhishGrid Dashboard and click on ‘Campaigns’.
Select ‘Launch Campaign’ to start a new phishing or vishing campaign.
Step 2: Name Your Campaign
Provide a meaningful name for your campaign which reflects its purpose and content.
Step 3: Selecting Your Targets
Choose who will participate in the campaign. You can select individual users, groups, or entire departments.
Step 4: Selecting Your Template
Choose a template for your campaign. In PhishGrid, you have the option to select from various phishing and vishing templates. Check the box next to the template(s) you wish to use, whether they’re for email-based phishing or voice-based vishing simulations.
Change Mail sending domain:
If you are launching a phishing campaign and want to send email from a domain other than the default (i.e. “mailservers.xyz”), click on “Advanced Options” and choose a domain from the list.
Step 5: Setting Up Content
When creating a phishing campaign in PhishGrid, incorporating effective awareness content is essential to educating your users and enhancing the realism of the simulation. Awareness content can vary in format and complexity to suit the needs of your scenario. Below is a guide on choosing the right type of content for your campaign and customizing data storage settings.
Types of Awareness Content:
- Images: Use simple images to immediately inform participants that they’ve been part of a phishing simulation.
- PDF Content: Provide educational PDFs that detail safe online practices and how to identify phishing attempts.
- Webpages: HTML webpages that contain informative content regarding phishing awareness.
- Landing Pages: HTML landing pages, such as Microsoft / Google login or password reset pages, to replicate where a phishing link might take a user.
- Multi-staged Phishing Attack Content: For a more complex simulation, use multi-staged content that dynamically responds to user actions. For example, once a user submits information on a mock login page, they could be redirected to another landing page or awareness content.
Selecting Content and Customizing Storage Settings:
For Images, PDFs, and Webpages:
These can be selected normally within the campaign setup. These content types typically do not capture user data, focusing instead on delivering educational messages post-“phish”.
For Landing Pages:
If your landing page is designed to capture data, you’ll need to manage how this information is stored. When selecting your content, click on “Advanced Options” to access data storage settings:
- Skip Storing: Choose this to bypass storing any information entered by the user.
- Store in Plain Text: Select this if you need to review the captured data, but be cautious as this information will be visible when viewing campaign results.
- Store in Encrypted Text: Opt for this to ensure all captured information is stored securely and encrypted, enhancing data protection.
For Multi-Staged Attack Content:
When setting up a multi-staged phishing attack, content will be presented sequentially as per your configuration. Ensure that the flow of content logically progresses from one stage to the next, guiding the user through the simulation in a manner that mirrors a real-life phishing attack.
Change content serving domain:
If you wish to serve awareness content from a domain other than the default (i.e. “securit365.xyz”), click on “Advanced Options” and choose a domain from the content serving domain list.
Step 6: Set the Campaign Schedule
There are three options for sending a campaign:
- Send it immediately.
- Schedule it for any date and time according to your preference.
- Schedule a campaign between any two dates.
Click on “Launch” to launch your first campaign.
Best Practices for Your First Campaign:
Data Privacy and Compliance: Always prioritize data privacy and ensure your campaign complies with relevant regulations like GDPR.
Target Audience: Know your target audience. Tailor the campaign to fit the awareness level and roles of the participants.
Testing: Before launching the campaign organization-wide, consider a pilot test with a small group to ensure everything works as expected.
Debriefing: Plan a debrief session at the end of the campaign to discuss the results and provide educational feedback.
Congratulations on launching your first phishing campaign. Happy phishing!