Create Your First Campaign
Create Your First Campaign
Overview
A campaign is how you deliver a phishing simulation to your targets. This guide walks you through launching your first one — from setup to the moment the campaign goes live.
Before you start, make sure you have:
- At least one target or group set up (see Targets & Groups)
- A template selected — email, SMS, or vishing (see Templates)
- Whitelisting done — simulation emails must reach inboxes (see Whitelisting & Admin)
Step 1 — Start a new campaign
Click Campaigns in the left sidebar → click Launch Campaign.
Step 2 — Name your campaign
Give it a name that includes:
- Date or sprint — so you can find it later
- Target group — so you know who it went to
- Scenario type — so you know what was tested
Good example:
Finance Team — Credential Harvest — March 2026Poor example:Campaign 3
Step 3 — Select your targets
Choose who receives the simulation:
- Individual users — select specific people
- Groups — send to an entire group at once (recommended)
- Multiple groups — combine several groups in one campaign
If you haven't set up groups yet, you can select individual targets, but groups make future campaigns and reporting much easier.
Step 4 — Choose a template
Select the phishing email, vishing script, or SMS template for this campaign.
Advanced options:
- Change mail sending domain — send from a different domain than the default (
mailservers.xyz). Useful if your organisation uses domain-specific filtering or if you want greater realism.
Step 5 — Set up awareness content
This is what targets see after they click the simulation link — the teachable moment.
Content types:
| Type | When to use |
|---|---|
| Image | Quick acknowledgement — "You were just phished" with key tips |
| Detailed educational material for users to read and save | |
| Webpage | Rich interactive awareness content |
| Landing page | Realistic credential-capture page (shows users how convincing fake logins look) |
| Multistage content | Multi-page flow (login → micro-learning → quiz) |
Advanced options for landing pages:
- Skip storing — don't record what users typed
- Store in plain text — capture entered data in readable form
- Store encrypted — capture data securely
Change content serving domain — serve awareness content from a custom domain for greater realism.
Step 6 — Schedule the campaign
| Option | Best for |
|---|---|
| Send immediately | Quick tests, verifying deliverability |
| Specific date and time | Timing campaigns for maximum realism (Monday morning, busy periods) |
| Date range | Large campaigns — spreads sends randomly so users can't warn each other |
See Campaign Scheduling Strategies for detailed guidance on timing.
Step 7 — Launch
Click Launch to start the campaign.
Once live, PhishGrid tracks every interaction in real time:
- Delivered — email reached the inbox
- Opened — user opened the email
- Clicked — user clicked the simulation link
- Submitted data — user entered credentials on a landing page
- Reported — user flagged it as suspicious
View results in the Campaigns & Reports section.
First campaign best practices
Start small. Run a pilot with 10–20 users before the full organisation. This lets you catch deliverability issues without affecting everyone.
Pick a beginner template. Use a low-susceptibility template for your first campaign. You need a baseline measurement, not a gotcha.
Plan your follow-up. Decide before launching: what training will you assign to users who click? Have it ready to assign the moment the campaign ends.
Brief your IT/SOC team. Let them know a simulation is running so they don't raise incident tickets when they see the simulation traffic.