CyberRiskAware provides two types of phishing campaign strategies.

Simple phishing campaigns

Simple or "Ad-Hoc" phishing campaigns can be used for penetration testing or staff evaluation and baselining. 

An Ad-Hoc campaign is a simple mock phishing campaign delivered for the purposes of identifying and evaluating high-risk users (susceptible to a malicious phishing attack) 


Phishing campaigns with reactive training

Phishing campaigns with reactive training provide the ability to identify and evaluate high-risk users and automatically enroll these users in phishing awareness training.


We recommend that administrators begin by creating and testing a simple (Ad-Hoc) phishing campaign.

We also recommend that your first simple phishing campaign should be sent to you only.

This will test email delivery success and allows you to become familiar with your portal.


To create a simple phishing campaign please complete the following steps.


Step 1: How to create a phishing campaign

To begin, select the "Phishing Manager" main menu item followed by the "Phishing Campaigns" sub-menu item.


Phishing Manager

    - Phishing Campaigns

    - C-Suite Settings

    - Phishing E-mail Templates

    - User Feedback Messages


You are now in the phishing campaigns list

Note: On a new portal, this list will be empty


Select "Create a new Campaign" to start the phishing campaign wizard. 

After reading some basic information on phishing, select the "Next" button to proceed or "Cancel" to exit the wizard.

You may now select from the three categories of phishing email templates. These are:

  • Home and Personal
  • Business
  • Attachments


Note: A fourth category also exists namely C-Suite. This is made available once you configure your C-Suite information. 

This information includes Chief Executive Officer and Chief Financial Officer names for usage in CEO mock phishing campaigns. 

You can configure this information now using the link provided in the wizard or later if you wish using the menu item below.


Phishing Manager

        - Phishing Campaigns

        - C-Suite Settings

        - Phishing E-mail Templates

        - User Feedback Messages


Step 2: How to configure a phishing campaign

You can now configure your first phishing campaign in the phishing campaign details form. The following configurable items exist.


1. Send Mode:

CyberRiskAware provides three phishing campaign send modes. 

a. Standard Mode: One phishing template sent to all recipients simultaneously at publication time.

b. Batch Mode: One phishing template sent to all recipients at different times over a selected time period beginning at publication time. Recipients will receive their email at different times thus reducing a "tip off" effect.

c. Burst Mode: Multiple phishing templates sent to all recipients at different times over a selected time period beginning at publication time. Recipients will receive different templates at different times further reducing a "tip off" effect.


The mode can be selected by using the slider bar provided.

Note: For your first Phishing campaign, we recommend selecting the standard mode.


2. Email Template:

Select the email template (or multiple templates if in burst mode). You can preview an individual template by selecting the preview button to the right of the email template option.


3. User Feedback Message. 

CyberRiskAware provides the facility to create customized user feedback messages. These messages are presented to the recipient upon clicking on an embedded phishing email link or opening a phishing attachment.

When using your portal for the first time a CyberRiskAware default user feedback message is available. You can preview the user feedback message by selecting the preview button to the right of the "User feedback message" option.


4. Campaign name: 

The campaign name is needed to identify and refer to the campaign in future. This is an editable field that contains a default name consisting of the template name + date/time stamp.


5. Campaign description: 

This is an editable field that contains the name of the email template by default.


6. Targeted groups

Here you can add the groups or departments you wish to receive the phishing email. 

Remember: At startup, you are the only user on your portal and you are a member of the "Default Department"

For your first campaign simply select the "Default Department" unless you have created a new department and moved your username into that department.

If you have other users in your department it is recommended that you test your first campaign on yourself and maybe a colleague so be aware of the department or group you select here.

See managing users and groups for more information.


7. Locale

This is used to select the email content language.


8. Override users default locale

When setting up a new user, they are given a default language. This option allows you override each users locale and force the email to contain the language selected in option 7 (Locale) above.


9 Create reactive training.

Select this only if you wish to prepare a reactive training campaign. Reactive campaigns auto enroll users in training based on phishing email activity. (e.g. Opening email, clicking on link, opening an attachment etc.)

For your first campaign, we recommend that you stick to a simple campaign. 


Step 3: How to schedule a phishing campaign

Select the "Publish Start" option on the campaign scheduling form to schedule the start date and time for your phishing campaign. 

This can be selected only and is not text editable. Times available are in fifteen-minute intervals and begin on the next quarter hour interval.



Step 4: Phishing campaign sender and subject details.

The sender and subject information contain default values pertaining to the subject matter of the selected phishing email template. 

You may customize these values using the following options in the email template modifications form: 


1. Email from:

Edits the name of the email sender. (e.g. info, admin, Jim etc)

Change the domain of the email sender. (e.g. e-messages.com, e-owa.com etc) 

Note: to add more domains to this list, submit a support request to the CyberRiskAware support desk.


2. Custom subject:

Customize the email subject


3. Custom from name

Customize the sender name appearing in the recipients' email inbox.


Step 5: How to submit a phishing campaign.

Select the "Submit" button to proceed or "Cancel" to exit the wizard.

Select the "Close Wizard" button to exit the wizard.


Step 6: How to view a phishing campaign.

You are now back in the phishing campaigns listing table where you will now see your first "Unpublished" phishing campaign.

Using the drop-down actions menu to the right of the unpublished status you will find the following options.

1. Details

Selecting this option will provide some basic information about the campaign.


2. Delivery Report

Selecting this option shows the delivery times of the campaign (More useful in batch and burst mode campaigns)


3. Edit, Delete

As described, these allow you to edit or delete a phishing campaign,


4. Publish.

Even though you have selected a scheduled time to publish the campaign you may wish to publish immediately. This is especially the case when running your first few "test" campaigns. 

Simply select publish and your first standard mode phishing campaign will immediately be published and the phishing email sent. 


Note: Because batch and burst mode campaigns have scheduled distribution times, you will not be able to manually publish such campaigns.

It is more effective to run standard mode phishing templates when running early tests.



Previous: Add users to your portal        Next: Review a phishing campaign