Phishing Campaigns

Phishing Campaigns

Goal: Document a complex process so that other team members can follow it.

Before You Begin

You should have a login to [Vendor], [Company]’s phishing campaign vendor. As of this writing, our contacts there are: [redacted]

Choose a Phish

  1. Starting in 2020, phishing campaigns go out in April and October. Begin this process two months earlier.
  2. Visit and click Scenarios. Use the tools on this page to make a preliminary list of 3 to 5 phishing tests you think would be appropriate for the global staff in the current information security climate.
  3. Circulate this list to [list of security executives], and anyone else working on this project. In the ensuing conversation, listen to their priorities and work with them until the group has chosen one preferred option.
  4. As of late 2019, we send these campaigns in the following languages:
  • English
  • Spanish
  • Portuguese
  • French
  • German
  • Chinese
  • Japanese
  • Thai

When you’re checking in with the executives, also ask whether there are any other languages they need.

  • Important: Use Delve to check the name of the fictitious “sender” so that we aren’t maligning any actual [Company] staff. If we have someone on staff with that name, work with Cofense to change the name.
  • Ask the Messaging Team to whitelist the email address of the “sender” so that our test messages don’t get caught in [Company]’s filters.

Choose Education Page

  1. Visit the [Vendor] education catalog. Choose an appropriate education page to be displayed to users who fail the phishing test (clicking and/or entering credentials). Text on these pages can be edited to reflect [Company] policies and procedures.
  2. Work with your team to finalize what the education page will say and how it will look. Be sure to include [Company] branding so recipients know this is company-sponsored.
  3. Email the following information to our practice manager at [Vendor]:
    1. Which phishing email we’ve chosen (name and/or number)
    2. All text and graphics for education page, along with which theme has been chosen
    3. List of languages for translation
    4. When the campaign is scheduled to begin
  4. Allow 2-3 weeks for [Vendor] to prepare the translations and the custom education page. Check all links!

Identify and Segment Recipients

  1. Email the Messaging Team and ask for a list of staff from the three regions (AM, AP, EMEA), including the Country field and excluding those who forward their email to a client address.
  2. You will receive three spreadsheets.  For each region:
    1. Use the Filter function in Excel to find all recipients whose email addresses include “[BusinessUnit].” Pull these names out into a separate sheet.
    2. On both [Company] and [BusinessUnit] sheets, sort the names by country. Pull out non-English language recipients by country and save them as separate spreadsheets. (Yes, this is probably not 100% accurate, but it’s what we’ve got.) Keep a record of how many are in each segment, perhaps by indicating the number in the spreadsheet name (i.e. “AM Spanish 3829”).
  • EMEA Spain: Spanish
  • EMEA France, Belgium: French
  • EMEA Germany, Austria: German
  • EMEA Portugal: Portuguese
  • AM Argentina, Chile, Colombia, Costa Rica, Dominican Republic, Ecuador, El Salvador, Guatemala, Honduras, Mexico, Panama, Peru, Uruguay, Venezuela: Spanish
  • AM Brazil: Portuguese
  • AP China, Taiwan, Singapore: Chinese
  • AP Japan: Japanese
  • AP Thailand: Thai
  • Everyone else: English

Break up large segments into subgroups so that no single group contains more than 5,000 names.

Create a Schedule

  1. The reason for all the segmentation is to avoid overburdening the help desk with calls, emails and tickets. Each region should get no more than one segment per day, and no more than two per week. Avoid scheduling any segments on Mondays, which are the busiest days for tech support.
  2. Send this schedule to [Messaging Team Head], [Help Desk Operations Manager]; and [Help Desk Service Manager]. Ask them if there are any issues with the schedule from their perspective.
  3. Once you have heard back from them and revised to address any issues, send the proposed schedule to [Security Executives] to inform their technical support teams.
  4. Also, provide all of the people in steps 2 and 3 with a test version of the phishing email.

Upload Recipients

  • Back at, click the Recipients tab.
  • You will probably see all the recipient groups from the last campaign. Click the trash can at the right of each group to delete it.
  • For each of the segments you created:
    • Delete extraneous information columns.
    • At the top of the column with the email addresses, enter EMAIL.
    • On the Cofense “recipients and groups” page, click the Import link in the top left bar.
    • In the file selection section on the left, choose the spreadsheet you’re entering.
    • Check Add recipients to static group and use the dropdown menu to select Create a new group.
    • Click Import.
    • If you get an error here, it is probably because you forgot to put the header on the email column. Add it and try again.
    • After a couple of minutes, you’ll be asked to confirm the format and continue the import. Depending on the size of your segment, the import can take several minutes.
    • Once the import is complete, look through the groups list for the one that says “New Group.” Click the group name to open it, then click the pencil next to the group name to rename it so that it matches the name you’ve assigned it in the schedule.

Schedule Segments

  1. On [Vendor] site, click the Scenarios tab at the top. Choose Create a New Scenario.
  2. Use the search tools to find the phishing email you chose for this campaign. Click Select.
  3. In the Title field, enter the name of the segment that will receive this email. (You can skip the Description field.) If you are just testing, click the slider for “This is a test scenario.” Click Create.
    1. Note: Resist the temptation to lump LaSalle segments in with similar language/region segments from JLL. This will allow you to more easily report on just LaSalle later.
  4. A new page will display. Enter the name of the segment in Recipients. Click Save and Continue.
  5. The education page will display. Choose the education template for this send, or enter your custom education data. Click Save and Continue.
  6. A scheduling page will display. Choose the time and date for this send. For each segment, try to choose a time that falls during business hours in the recipients’ time zone.
  7. Leave the scenario active for five days. Uncheck the box for a daily summary. Click Schedule Scenario for Launch.
  8. Repeat this process until all segments are scheduled.
    1. If you need to correct the title or education page for a scheduled segment, you can do that without unscheduling it.
    2. To change the recipients or date/time, you must unscheduled and reschedule the segment.
    3. To unschedule the segment, click on the title in the Scenarios list, then scroll down to the bottom and click Reschedule.
    4. Click the X next to the previously assigned date and time. It will take a little while for Cofense to process this.
    5. When the page reloads with a blank box where the date and time were, you can make your changes and reschedule it.

Update Records

  1. While the segments are active, monitor the IT Security mailbox daily. Continue to encourage users to report to the help desk rather than to that mailbox. Answer any questions as they arrive.
  2. Assemble screen shots of the phishing email and education page, along with the segmented lists, into a folder and put it in the appropriate year in the Phishing Campaigns section in Box.