✅ Assess threats and the security awareness of your people.

✅ Consider the phishing and training strategy you need and begin developing it.

✅ Run a baseline campaign.

Before you begin setting up your first phishing campaign, it's important to think about the overall security awareness program you want to create. Here are a few things to help you get started:

  • Assess your risk landscape and identify your assets. What are the threats and vulnerabilities faced by your clients and their industries? Different industries face different threats.

  • Assess your clients. How do they view security? Do they understand their roles, company policies and procedures? Consider running a survey to identify their level of security awareness.

Developing Your Phishing and Training Strategy

Once you have performed your assessment, you can begin developing a strategy to build security awareness:

  • Build a learning ladder. What priorities and security gaps have you identified? Create a list of targeted learnings for the year. You can tie these to important dates and use the dates as stepping stones to reinforce your learnings, such as Data Privacy Day, CSAM (Cyber Security Assessment and Management), Holiday Scams, and so on.

  • Combine learning goals with your phishing campaigns. The risks associated with phishing include password safety, credential theft, finance risk, and BEC (business email compromise), to name just a few. Understand each risk and use it to teach your targeted lesson.

  • Apply follow-up training. After you've analyzed the results of a campaign, you can determine where vulnerability exists, and create training campaigns to raise awareness and mitigate risk.

You can refer to the Twelve-Month Campaign Planner for phishing campaign suggestions, paired with appropriate follow-up training campaigns. This should only be considered as an example, because your own assessment should inform how you set up your own security awareness program.

Create a Blind Baseline Test

It is recommended that your first campaign be a blind baseline test. You'll send this without notifying your recipients first, which will enable you to get a controlled, unbiased set of data around the phishing susceptibility of your organization. You can then run it again in six months or a year, which will enable you to compare the results and see where improvements have been made. Results can be analyzed based on region, language, department, time of employment, and so on.
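
As an added illustration (not part of the SafeTitan product or its documentation), the following sketch shows one way to compare a baseline campaign with a later retest per department and check whether a drop in click rate is larger than chance would explain. The department names and counts are constructed sample data, and the function names are hypothetical.

```python
import math
from collections import defaultdict

# Constructed sample data: (campaign, department, emails sent, recipients who clicked)
RESULTS = [
    ("baseline", "Finance", 100, 40),
    ("retest",   "Finance", 100, 20),
    ("baseline", "Sales",    10,  3),
    ("retest",   "Sales",    10,  2),
]

def two_proportion_p_value(x1, n1, x2, n2):
    """Two-sided p-value for 'both campaigns have the same click rate'.

    Uses the normal approximation, which is rough for very small groups.
    """
    pooled = (x1 + x2) / (n1 + n2)
    se = math.sqrt(pooled * (1 - pooled) * (1 / n1 + 1 / n2))
    if se == 0:  # nobody clicked (or everybody did) in both campaigns
        return 1.0
    z = (x1 / n1 - x2 / n2) / se
    return math.erfc(abs(z) / math.sqrt(2))

def compare(results, alpha=0.05):
    """Return per-department click rates and whether the change is significant."""
    by_dept = defaultdict(dict)
    for campaign, dept, sent, clicked in results:
        by_dept[dept][campaign] = (clicked, sent)
    report = {}
    for dept, campaigns in by_dept.items():
        (x1, n1), (x2, n2) = campaigns["baseline"], campaigns["retest"]
        p = two_proportion_p_value(x1, n1, x2, n2)
        report[dept] = {
            "baseline_rate": x1 / n1,
            "retest_rate": x2 / n2,
            "p_value": p,
            "significant": p < alpha,
        }
    return report

if __name__ == "__main__":
    for dept, row in compare(RESULTS).items():
        print(dept, row)
```

In the sample data both departments improve, but only the larger group's change is statistically significant; a ten-person department moving from three clicks to two is within normal variation.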

You can set this up by going to your SafeTitan MSP Dashboard and selecting Phishing Campaigns > Create New Campaign. Follow the instructions in the SafeTitan MSP Setup guide for help in navigating the MSP Admin Dashboard. Whether you decide to set up a standard campaign or create an automated one, the following are some tips to observe for your first campaign:

  • The template you select contains a lure, which can be based on various themes. It's designed to attract a recipient's attention so that they engage with the email in some way — by opening it, clicking on a link, entering data, and so on. Fraudsters use lures to convince people to share sensitive information; you'll create phishing campaigns to help your people become more vigilant against this. Therefore, start with less complex lures in order to give users a chance to become familiar with what is being asked of them. These lures are generic and every customer can use them — regardless of their region or working sector. It is also easier to identify mistakes before moving to more sophisticated lures. So consider using a template that is Low Complexity.

  • Select a template that can be applied across the organization on a theme, such as credential theft. Everyone uses a password and credential theft is a common scam. The template Microsoft Outlook - Password Expired is an example you could consider using.

  • For your first campaign, there is no need to add an attachment. Attachments are intended to be used with specific types of emails, for example, where you would include a DocuSign attachment. In your first few campaigns, you will want to offer fewer options to your recipients, so that you can focus on specific interactions with the phishing email. Further information about this is in the Analyzing Results section.

  • When you select your training recipients, consider selecting a random set of recipients from across the whole organization.

    If you have assessed your organization, then you may be aware that a particular department has already experienced a phishing scam. At a later stage, you may want to create a campaign that targets that specific department.

  • When you're scheduling your campaign, it's recommended that the duration be between eight days and two weeks. This is to enable anyone who has been out of the office to react to the email. Also, consider the times of the day that you set your campaigns to start. It's advisable not to start campaigns on a Monday morning at 9am or send them out monthly at the same time. People are quick to see patterns, so send out campaigns on a random basis.

  • You can modify the template, such as changing the content in the Subject line to reflect language that the organization might use. You can also change the email address, which is important when it comes to training your recipients. If they suspect they are being phished, comparing the email address with the From name is a useful habit to encourage.

  • As an MSP, it's important to preview the phishing email before sending it to your recipients. Review the subject line and the contents of the email. Ensure that the formatting, fonts, and images are aligned correctly. Once you're satisfied with the details, you can create your campaign.
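
The recipient and scheduling tips above can be combined into a small planning helper. This is an added example, not SafeTitan code or a SafeTitan API: the staff list, the `example.com` addresses, the function names, and the restriction to working days between 08:00 and 16:59 are all assumptions made for illustration.

```python
import random
from datetime import datetime, timedelta

# Constructed directory: (email, department); addresses are placeholders.
STAFF = [(f"user{i}@example.com", dept)
         for i, dept in enumerate(["Finance"] * 12 + ["Sales"] * 8 + ["IT"] * 4)]
WINDOW_START = datetime(2025, 1, 6)  # constructed date (a Monday, 00:00)

def pick_recipients(staff, fraction, rng):
    """Random sample drawn from every department, at least one person each."""
    by_dept = {}
    for email, dept in staff:
        by_dept.setdefault(dept, []).append(email)
    chosen = []
    for dept in sorted(by_dept):
        members = by_dept[dept]
        k = max(1, round(len(members) * fraction))
        chosen.extend(rng.sample(members, k))
    return chosen

def pick_schedule(window_start, window_days, rng):
    """Random start inside the window, then a duration of 8 to 14 days.

    Assumption: starts fall on working days between 08:00 and 16:59.
    Monday mornings are rejected, as the tips above advise.
    """
    while True:
        start = window_start + timedelta(days=rng.randrange(window_days),
                                         hours=rng.randrange(8, 17),
                                         minutes=rng.randrange(60))
        weekend = start.weekday() >= 5
        monday_morning = start.weekday() == 0 and start.hour < 12
        if not weekend and not monday_morning:
            break
    return start, start + timedelta(days=rng.randint(8, 14))

def plan_campaign(staff, fraction, window_start, window_days, seed=None):
    """Build one campaign plan; pass a seed only when you need a repeatable plan."""
    rng = random.Random(seed)
    start, end = pick_schedule(window_start, window_days, rng)
    return {"recipients": pick_recipients(staff, fraction, rng),
            "start": start, "end": end}

if __name__ == "__main__":
    print(plan_campaign(STAFF, 0.25, WINDOW_START, 28))
```

Drawing a fresh start time for each campaign, rather than reusing one, avoids the fixed monthly pattern that recipients learn to recognize.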