Building a Quarterly Phishing Campaign
Learn how to create progressive phishing simulations that adapt to user behavior and track improvement over time.
Overview
Quarterly phishing campaigns provide a structured approach to security awareness training. This tutorial shows you how to design, implement, and analyze progressive campaigns that measure and improve your organization's phishing resilience over time.
What You'll Learn
- Create baseline assessment campaigns
- Design realistic phishing templates
- Schedule progressive difficulty levels
- Analyze click-through rates and trends
- Generate compliance reports
Step 1: Create Baseline Assessment Campaign
Start with a straightforward phishing email to establish baseline metrics. This first campaign should use obvious phishing indicators to measure your organization's current awareness level without being overly deceptive.
POST /api/campaigns/
{
  "name": "Q1 Baseline Assessment",
  "template": "generic-password-reset",
  "launch_date": "2025-01-15T09:00:00Z",
  "send_by_date": "2025-01-15T17:00:00Z",
  "groups": ["all-employees"]
}
Step 2: Design Realistic Phishing Templates
Create email templates that mirror real-world phishing threats your industry faces. Use familiar brands, realistic urgency, and appropriate tone for your organization.
- Month 1 (Baseline): Generic password reset with obvious red flags
- Month 4 (Q2): IT security update with moderate sophistication
- Month 7 (Q3): Executive impersonation with urgency
- Month 10 (Q4): Targeted spear phishing based on roles
Step 3: Schedule Progressive Difficulty Levels
Gradually increase campaign difficulty to challenge employees as they improve. Track metrics over time to measure effectiveness.
Recommended Schedule
| Quarter | Difficulty | Success Metric |
|---|---|---|
| Q1 | Easy (Baseline) | <30% click rate |
| Q2 | Moderate | <20% click rate |
| Q3 | Challenging | <15% click rate |
| Q4 | Advanced | <10% click rate |
Step 4: Analyze Click-Through Rates and Trends
Track campaign results to identify trends and improvement areas. Focus on four key metrics:
- Email Open Rate: Percentage of users who opened the phishing email
- Click-Through Rate: Percentage who clicked malicious links
- Data Submission Rate: Percentage who entered credentials
- Reporting Rate: Percentage who reported the email as suspicious
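One way to compute the four metrics above from per-recipient results and check the click rate against the Recommended Schedule targets. This is an added example, not the platform's own code: the record fields (`status`, `reported`), the stage names, the helper names, and the sample data are all assumptions constructed for illustration.

```python
# Added example. The record shape ("status", "reported") and all sample
# data are constructed assumptions, not a documented response format.
STAGES = ["sent", "opened", "clicked", "submitted"]  # later implies earlier
# Click-rate targets from the Recommended Schedule table (strictly below).
CLICK_TARGETS = {"Q1": 0.30, "Q2": 0.20, "Q3": 0.15, "Q4": 0.10}


def campaign_metrics(results):
    """Return the four Step 4 rates as fractions of all recipients."""
    total = len(results)
    if total == 0:
        raise ValueError("campaign has no recipients")
    reached = dict.fromkeys(STAGES, 0)
    reported = 0
    for row in results:
        depth = STAGES.index(row["status"])  # unknown status raises ValueError
        for stage in STAGES[: depth + 1]:
            reached[stage] += 1
        reported += bool(row.get("reported"))
    return {
        "open_rate": reached["opened"] / total,
        "click_rate": reached["clicked"] / total,
        "submission_rate": reached["submitted"] / total,
        "reporting_rate": reported / total,
    }


def meets_target(quarter, metrics):
    """True when the click rate is under that quarter's target."""
    return metrics["click_rate"] < CLICK_TARGETS[quarter]


def click_trend(by_quarter):
    """Quarter-over-quarter click-rate change in percentage points."""
    qs = sorted(by_quarter)
    return {f"{a}->{b}": round(100 * (by_quarter[b]["click_rate"]
                                      - by_quarter[a]["click_rate"]), 1)
            for a, b in zip(qs, qs[1:])}


def make_results(counts, reported):
    """Build constructed sample rows: counts per status, first N reported."""
    rows = [{"status": s, "reported": False}
            for s, n in counts.items() for _ in range(n)]
    for row in rows[:reported]:
        row["reported"] = True
    return rows


Q1 = make_results({"sent": 3, "opened": 3, "clicked": 2, "submitted": 2}, 2)
Q2 = make_results({"sent": 6, "opened": 3, "clicked": 1, "submitted": 0}, 4)
```

A recipient who submitted credentials is also counted as having opened and clicked, so the rates form a funnel; the reporting rate is tracked independently because a user can report at any stage.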
GET /api/campaigns/123/results
GET /api/analytics/trends?period=12months
Step 5: Generate Compliance Reports
Create reports for auditors, executives, and compliance teams showing security awareness training effectiveness.
GET /api/reports/compliance?period=2025-Q1&format=pdf
Next Steps
- Deploy your first GoPhish campaign on AWS or Azure
- Explore advanced templates in our documentation
- Get support from our team via the contact page