Inspired eLearning's PhishProof campaigns are a powerful tool designed to enhance your organization's security by:

• Simulating realistic phishing attacks: Safely assess your employees' ability to identify and respond to phishing threats without exposing your organization to actual risk.
• Providing valuable insights into employee behavior: Track how employees interact with simulated phishing emails to gain a clear understanding of your organization's vulnerabilities.
• Delivering targeted training opportunities: Use campaign results to inform your security awareness training, focusing on areas where employees need the most support.
• Measuring the effectiveness of your security awareness program: Run campaigns regularly to track progress and demonstrate the impact of your training initiatives.
• Helping to build a more security-conscious culture: Consistent exposure to simulated phishing scenarios can raise employee awareness and encourage safer online behavior.

Campaign Types

PhishProof offers two primary campaign types to help you assess and improve your security awareness:

Templates are the building blocks of your PhishProof campaigns, allowing you to customize the simulated attacks and educational content.

• Email Template Types: PhishProof campaigns utilize various email template types to simulate different attack vectors:
  • Link Click campaigns send emails that encourage recipients to click a link. Upon clicking, the user's interaction is tracked, and they are automatically directed to an educational landing page within their web browser.
  • Form Submit campaigns ask recipients to fill out a web form (no data is retained). If the form is submitted, the user's action is recorded, and an education landing page opens in a new browser tab.
  • Attachment campaigns prompt recipients to open an attachment. Upon opening, the file's content directly informs the user of the risk and provides preventative instructions, rather than directing them to a separate landing page. The act of opening the attachment is recorded.
• Key Template Features: Templates can include advanced features to enhance realism and tracking:
  • Risk Indicators provide immediate feedback after a user interacts with a simulated phishing email. The accompanying education landing page features contextual annotations that highlight key phishing indicators within the email itself. It pinpoints suspicious elements such as:
    • Unusual content
    • Embedded URLs or QR codes
    • Grammatical errors or inconsistent tone
    • Urgency tactics
    • Unexpected attachments or requests for sensitive information
  • QR Codes replace traditional direct links. Recipients are typically prompted to scan the code with their phone under urgent pretenses, such as to "verify an account" or "access an important document." In an actual attack, scanning such a QR code can lead users to a deceptive website intended to harvest sensitive data (e.g., login credentials, financial information) or initiate the download of malicious software.

Managing Templates

PhishProof provides robust tools for managing both system-provided and custom templates. You can easily preview system email templates to understand their content and design. The platform allows for comprehensive customization of both email and education landing page templates to fit your specific needs..

• My Templates Filters: The "My Templates" section includes filtering options to help users manage their custom templates more easily. Users can choose to "show converted templates" to view templates that have been adapted from other sources and "show inactive templates" to access templates that are not currently in active use.
• Active/Inactive Icons: The visual icons indicating "active" and "inactive" template statuses allow for additional clarity.
• Default Template View: For users who have not yet created customized templates, navigating to "Templates > Email Templates" automatically displays the available System Templates, ensuring immediate access to ready-to-use options.

Preview System Templates

Follow the instructions below to preview pre-configured system email templates that are available for use in your campaign.

1. Log into iLMS and click PhishProof
2. On the left menu, select Templates, then Email Templates
3. At the top, click System Templates
4. Under Type, select Link Click, Form Submit, or Attachment
5. Under Difficulty, select Easy, Medium, and/or Hard - this step is optional
6. Under Features, select Risk Indicator and/or QR Code - this step is optional
7. Select your desired template

 

 

Customize Templates

1. Within iLMS, select PhishProof
2. Navigate to the (1) Templates main tab and select (2) Email Templates
   • Once you have saved customized templates, they will be displayed in the My Templates sub-tab
3. Select Create New Template
4. Name your template
5. Describe your template
6. Determine how you want education to be provided; Options include:
   • Educate on link click
   • Educate on form submission
   • Education on Email Malware Attachment run
7. Write the body of your template as desired
8. Add Phishing Links, User Properties, and/or QR codes as desired
9. If using Risk Indicators, highlight the portions you want to flag as a risk indicator, then next to User Properties, select the flag  for Risk Indicators; It will present you with the ability to write a tooltip
10. When you've finished editing your email template, you can select Preview or Save

Watch the video below to see an example of how to create a customized email template using Risk Indicators.

 

 

 

 

Clone Templates

PhishProof also allows users to clone System Templates and Education landing pages, customize them, and save them as My Templates.

1. Identify a system email template you would like to use as a starting point for your custom template.
2. Hover over the chosen template name, and the clone icon will appear.
3. Click the clone icon. A "Clone Template" dialogue box will pop up.
4. Change the name of your custom template within this dialogue box.
5. Click the Clone Template button.
6. Your newly cloned system template will now appear under the My Templates sub-tab.
7. You can navigate to your template by choosing the appropriate template type from the Show All Templates dropdown list.

Edit a Cloned Email Template

Important Note

• Misspellings and grammatical errors found in the email content are intentional and reflective of true phishing attack characteristics. 
• Templates containing unsupported content may fail to send. 
• If your template includes an image, you can double-click it to modify or replace it. 
• Edits made to the English system template will NOT carry over to other language templates automatically.

 

1. Once you have cloned an email template, you can proceed to customize its content:
2. Under the My Templates sub-tab, find the template you have cloned.
3. Hover over the template name to reveal the Edit icon.
4. Click on the Edit icon to modify the template. This action will open the "Customize Email Template" page.
   1. On this page, you can edit the header and the main email content for each available language option.
   2. The PhishProof Editor allows you to manipulate pre-designed content blocks or upload images using its embedded drag-and-drop function.
   3. You can edit content sections by hovering over them and clicking the pencil icon that appears.
   4. To add more content, drag items from the "Blocks" column (shown on the left) into the body of your email template.
5. If the template has been translated, select the language from the Template Language dropdown to edit the content in that specific language. You must do this for each language your users utilize.
6. Once all desired changes have been made to each email template version, click Save Template to save your modifications.

Custom templates must be enabled after creation for them to appear in the campaign builder for selection. To make your custom template available for use, return to the main "My Templates" page. Hover over the template in the "My Templates" list and click the power button to enable (turn on) it for use in campaigns. 

 

 

Edit Email Template Header and Contents

These instructions assume you have already cloned and/or customized your chosen email template. 

1. Select your desired template from the Templates > My Templates tab.
2. Click the pencil icon to edit the template
3. Under Settings, there is a grey box that shows details such as “Sender's Friendly Name” and "Subject". These are the header details. Click the pencil icon to edit.
4. Change any email header options and when you are done, click OK.

Important Note: Be aware that misspellings and grammatical errors found in the email content are often intentional, reflecting characteristics of real phishing attacks. Templates containing unsupported content may fail to send.

 

Once all desired changes to either the Settings or Content of this email template have been made, click Save Template at the bottom.

 

 

User Properties Variables in Template Editors

When customizing email templates, the Org Admin template editor provides user properties variables (often called "shortcodes" or "dynamic fields"). These variables allow you to automatically populate emails with personalized user information from your iLMS console.

These variables include:

• 27 Standard User Profile Variables: These cover common user attributes.
• iLMS Console User Variables such as:
  • Organization name
  • First name
  • Email address
  • Hire date
• The ability to include custom fields you've defined in iLMS

Understanding PhishProof Education Templates

Education Landing Pages are a critical component of PhishProof campaigns. They are designed to provide immediate, contextual learning after a user interacts with a simulated phishing email. They transform a moment of potential vulnerability into a valuable training opportunity.

Here's how Education Landing Pages work and what they provide:

• Immediate Feedback: When a user falls for a simulated phishing attempt (e.g., clicks a malicious link or submits a form), they're immediately directed to an Education Landing Page. This instant feedback is crucial for reinforcing the learning moment.
• Contextual Learning (Risk Indicators Only): These pages feature contextual annotations that highlight the specific phishing indicators within the simulated email. This allows users to see what they missed.
• Key Elements Highlighted (Risk Indicators Only): The annotations pinpoint various suspicious elements, including:
  • Unusual or suspicious content
  • Embedded URLs or QR codes
  • Grammatical errors or inconsistent tone
  • Urgency tactics ("Act now!", "Your account will be suspended!")
  • Unexpected attachments or requests for sensitive information
• Reinforced Awareness: By visually demonstrating the "red flags" users should look for, Education Landing Pages help reinforce security awareness training and encourage safer online behavior in the future.
• Customization: Like email templates, Education Landing Pages are fully customizable. You can tailor their content to align with your organization's specific security policies and training objectives.
• Risk Indicator Integration: Some Education Landing Pages are designed to work seamlessly with Risk Indicator email templates. These special pages dynamically display a visual "risk score" and specific details from the simulated email, offering even more personalized and detailed post-phish feedback.

Clone and Customize Education Templates

1. Navigate to Templates > Education Templates.
2. Locate the System Education Page sub-tab and click on it.
3. Choose a system template from the list.
4. Click the Clone icon under the "Actions" list corresponding to your chosen template.
5. When the Clone Template dialogue pops up, change the template name to something unique and descriptive.
6. Click the Clone Template button to create your copy.
   • Your newly cloned template will automatically appear under the My Education Page sub-tab.
7. Under the My Education Page sub-tab, locate the template you just cloned.
8. Click on the Edit icon under the "Actions" list for your cloned template. This will open the “Customize Education Template page.”
9. Edit the pre-designed content using the toolbar in the WYSIWYG editor.
   • Your organization's logo and contact information should automatically appear; if they need to be edited for all templates, use the main Settings tab in PhishProof.
   • You can also upload your own PDF version of the content by clicking the Replace with a PDF File button and following the prompts.
10. Once desired changes have been made to the landing page content, click Save Template to save your changes.

Manage Translated Education Templates

1. To edit translated versions, select the desired language from the Template Language dropdown.
2. Edit the template content for each specific language in which your users will receive phishing emails. You must do this for every language your users utilize.
3. You can also upload PDF versions in any language; before uploading the PDF, ensure the correct corresponding language is selected from the Template Language dropdown list.
4. After making all desired changes to each language version, click Save Template to save these changes.
5. Return to the main My Education Page subtab to make your customized template available for use in campaigns.
6. Click the toggle under the Active column to turn the template to the ON position.
   • It is recommended to activate the template only AFTER all edits are finalized and have been saved.

Creating and Managing Email Campaigns

Setting up an email campaign involves several straightforward steps:

• Campaign Naming & Description: Begin by giving your campaign a clear and descriptive name and add a brief description to help you identify its purpose later.
• Template Selection: Choose the email template that will be used for the simulated phishing attack, and select the appropriate education landing page that users will see if they fall for the phish.
• Target Selection: Define your campaign's target audience by selecting the specific users or groups that will receive the simulated phishing emails.
• Scheduling: Set the start and end dates/times for your campaign, determining when the emails will be sent out.

Setting up your Email Campaign

When creating an email campaign, users can select multiple template types (including Attachment, Link Click, or Form Submit) for inclusion within a single campaign, providing versatile simulation options. Template types are visually identified by icons accompanying each template, clearly indicating whether it is an attachment, link click, or form submit type. Custom email templates must be created before creating the email campaign; see Customizing Templates above for details on how to do this.

To set up your email campaign:

1. Navigate to: Campaigns > Start a New Campaign > Email Campaign.
2. Enter a Campaign Name. This title will appear on the main Campaign page.
3. Add a Campaign Description to provide additional details about your campaign.
4. Click the Choose Template button to open the template selector for email templates.
   • Use the tabs in the upper-left to switch between viewing System Templates or your Custom Templates.
   • Utilize the search and filter options on the left pane to narrow down results by Type, Difficulty, and Features (including QR Code and Risk Indicators).
   • Click on any template to preview the email content that will be sent, which appears in the right pane.
   • Use the Language dropdown (upper-right) to view how the template will look in other languages.
5. To select templates for your campaign, place a check in the box next to the template's name.
6. Click Selected Templates to view only the templates you have chosen for use in the campaign; targeted users will receive a random template from this selection.
7. Click Done.
8. Select an Education Landing Page from the dropdown list. Your users will see this whenever they are "phished" or fall victim to a phishing simulation.
9. Note: Custom education landing pages must be created before creating the campaign; go to the main Templates tab and click on Education Templates.
10. When selecting, you can choose between standard Education Landing Pages or those with Risk Indicator functionality (identified by [Risk Indicator] in their name).
11. If you are using a Risk Indicator Email Template and a Risk Indicator Education Landing Page, you can preview how they will look together.
12. If you choose a combination of a Risk Indicator Email Template and a NON-Risk Indicator Education Landing Page, you will see a warning next to the preview button.
13. Select Targets for your randomized campaign. Targets include:
    1. Hierarchy (region, division, dept)
    2. Groups
    3. Individual Users
    4. Previous Campaigns Target List
    5. Susceptible Users list (individuals who have been phished in previous campaigns)
14. Send Now is selected by default
    • To specify the Start Date and Time at which your campaign will begin sending emails select Randomized Send
15. Define the Send Duration, which is the number of days over which the campaign will take place (a 7-day span is often optimal).
16. In the Business Hours/Days section, specify the hours and days of the week that make up your organization's business hours.
    1. Note: Scheduled campaigns cannot start and end on the same day. We recommend selecting at least two business days for a campaign with a one-business-hour/day duration, or ensuring your Start date/time is at least 24 hours apart from your intended end date/time.
17. Use the Stop Tracking option to specify how long user actions in the phishing simulation will be recorded for reporting after the campaign emails have been sent.
18. Define the Display Domain: When a learner hovers over a targeted link in the phishing email, the selected display domain will be shown instead of the actual destination.
19. Enable Hide from Global Reports only if an administrator is running a test campaign; this ensures results are not included in reporting, and recipients are not assigned training upon failure.
20. To save your input and return later, click Save & Exit (the campaign will appear as "incomplete" in the Draft section).
21. To launch the campaign immediately, click Save & Schedule (the campaign will appear in the "Scheduled" section and move to "Completed" once all messages are sent).

Campaign details will not appear until all emails for the campaign have been sent; after sending, you will see details for all users and interaction data.

Reviewing Completed Email Campaigns

Reviewing the details of your completed email campaigns provides valuable statistics and insights into how your organization's users performed throughout the simulation. This data is crucial for assessing user behavior and the effectiveness of your security awareness program.

To access campaign details:

1. From the Campaigns page, click on the name of any completed campaign.
2. This will open the campaign's details, including its start and end dates, the education method used, and which templates were part of the campaign.

Understanding Campaign Performance

The campaign details page offers various views to help you analyze results:

• Overview Tab
  • This tab features a pie graph that visually summarizes the actions users took during the campaign (e.g., passed, clicked link, opened attachment, etc.).
  • You will also see the total number of phishing emails sent and the total number of users who were "phished" (fell victim to the simulation).
• User Details Tab
  • Selecting this tab displays a comprehensive list of all users who engaged with the campaign.
  • You can efficiently search for specific users by email address or filter the list to view only phished users, users who reported the email, or users based on their email sent status.
  • The table lists users with details such as their name, the specific template they received, and the date they were phished (regardless of the method used).

Creating and Managing USB Baiting Campaigns

USB Baiting Campaigns are a distinct way to test physical security vulnerabilities. The platform provides specific files designed for them that you can download. When using macro-enabled documents in your USB campaigns, the system is designed to capture specific data points to help you understand user interaction and risk.

1. Navigate to: Campaigns > Start a New Campaign > USB Drop Campaign

2. Provide a Campaign Name for your reference.
3. Add a Campaign Description to provide additional details about your campaign.
4. Specify the Location where the USB drive was placed (e.g., "Parking lot," "Breakroom").
5. Select a Landing Page to be used specifically for Macro-Enabled Campaigns.
6. Once all Campaign Details have been populated, click Save Start. 
   •  This will take you to the Overview page for the USB Campaign.
7. On the Overview page, review the list of documents available for download under the "Download File" section.
8. Download the desired files to be placed on your USB drives for the campaign.
9. You may rename the files after downloading them.

Understanding USB Baiting Campaign Files & Management

Once your campaign is set up, it's important to understand the different file types and how to monitor your campaign's progress and results.

Campaign Files (Macro-Enabled vs. Non-Macro): The "Download File" section lists documents that can be placed on your USB drives. These files can either contain macros or not contain macros. Files that contain macros are capable of capturing more detailed user data if the macro is enabled upon opening the document. If a macro is enabled, the user will be taken to the designated education landing page in a web browser. Files that do not contain macros will not direct users to a landing page.

Monitoring & Reporting: While the campaign is active and after the USB drive(s) have been planted, any record of users opening the documents or enabling macros (if applicable) will be displayed on the Details Tab. This tab provides insights into user interactions and distinguishes between data captured by documents with and without macros. You can export the data from the Details Tab using the Export Results to Excel button.

Ending Your Campaign: Once sufficient reporting data has been gathered, you can end the campaign by clicking the "End Campaign" button on the Overview Tab. After a campaign ends, no further data from its associated documents will be recorded. A summary of all USB Campaigns will be listed in their own dedicated section at the bottom of the main PhishProof Campaigns Page.