Adding a Phishing Template
Overview
A phishing template is the email your targets receive during a simulation. A good template is realistic enough that users might genuinely click it — that's what makes the simulation valuable. This guide walks you through creating one from scratch.
Step 1 — Navigate to template creation
Go to Templates in the left sidebar → click New Template → click Create under Email Attack Designer.
Step 2 — Enter basic information
| Field | Notes |
|---|---|
| Template name | Be descriptive — you'll filter by this later. Include the scenario type and difficulty, e.g., "IT Password Reset — Beginner" |
| Template description | What attack scenario does this simulate? Who is the intended target group? |
| Tags | Add tags for filtering: attack type, difficulty, target department |
| Difficulty level | Beginner / Intermediate / Advanced — affects the susceptibility indicator |
| Private | Keep on to restrict to your organisation (default) |
Step 3 — Configure the sender
This is the "From" field your targets will see. Make it convincing.
| Field | What it does | Tips |
|---|---|---|
| Sender's Name | Display name in the inbox | Use something believable: "IT Support", "Payroll Team", "Microsoft" |
| Sender's Username | The email address shown | Pick something plausible for the scenario |
| Email Server | Sending domain | Choose from your configured domains (e.g., mailservers.xyz, secure365.org) |
| Logo URL | Optional header image | Use a company or service logo to increase realism |
| Email Subject | Subject line | High-performing subjects include urgency: "Action required: password expiring", "Invoice overdue — immediate attention needed" |
Step 4 — Write the email content
Three methods are available:
- WYSIWYG Editor: Build the email visually. Drag and drop elements, format text, add links. Best for creating polished, branded-looking emails.
- Email to Generate: Send an email to PhishGrid's designated import address. The content of that email becomes your template. Useful if you want to start from a real email you've received or drafted.
- Upload an EML file: Upload a saved .eml file. Useful for importing real phishing emails you've captured as educational examples (after verifying they're safe).
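One way to check a captured .eml before uploading it, as an added example that is not PhishGrid code: it lists every URL for manual review and flags active HTML and attachments outside the supported types. The function name `review_eml`, the image extensions, the list of active tags and the sample message are assumptions made for this example.

```python
import os
import re
from email import message_from_bytes, policy

# Assumptions: image extensions and the set of "active" HTML tags are illustrative.
ALLOWED_EXT = {".pdf", ".docx", ".xlsx", ".png", ".jpg", ".jpeg", ".gif"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
ACTIVE_RE = re.compile(r"<\s*(script|iframe|object|embed|form)\b", re.I)

# Constructed sample message standing in for a captured .eml file.
SAMPLE_EML = b"""\
From: "IT Support" <it@example.test>
Subject: Action required: password expiring
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><a href="http://login.example.test/reset">Reset</a><script>t()</script></body></html>
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.exe"
Content-Transfer-Encoding: base64

Y29uc3RydWN0ZWQ=
--b1--
"""

def review_eml(raw: bytes) -> dict:
    """Parse an .eml and report what needs attention before it becomes a template."""
    msg = message_from_bytes(raw, policy=policy.default)
    report = {"urls": set(), "active_content": set(), "attachments": [], "blocked": []}
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name or part.get_content_disposition() == "attachment":
            name = name or "(unnamed)"
            report["attachments"].append(name)
            if os.path.splitext(name)[1].lower() not in ALLOWED_EXT:
                report["blocked"].append(name)  # not a supported, benign file type
        elif part.get_content_maintype() == "text":
            body = part.get_content()
            report["urls"].update(URL_RE.findall(body))  # every link needs manual review
            report["active_content"].update(t.lower() for t in ACTIVE_RE.findall(body))
    report["safe_to_upload"] = not report["blocked"] and not report["active_content"]
    return report
```

A `safe_to_upload` value of `True` only means nothing was flagged automatically; the URLs in the report still need to be reviewed by hand before upload.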
Step 5 — Add awareness content (optional but recommended)
Select the content users see after they click the simulation link. This is the learning moment — choose something relevant to the attack scenario:
- A page explaining how to spot this type of phishing
- A short quiz
- A link to your security training course
Step 6 — Add an attachment (optional)
Attach a non-malicious file to simulate document-based attacks. This adds realism for scenarios like "please review this invoice" or "your contract is attached".
Supported file types: PDF, DOCX, XLSX, images
Never attach actual malicious files. PhishGrid simulations are for awareness only.
Making your template more convincing
Study real phishing emails. Your security team likely receives real phishing reports — use these (safely) as inspiration for realistic subject lines and copy patterns.
Use urgency and authority. The most effective phishing emails create time pressure ("respond within 24 hours") or invoke authority ("from your CEO", "from IT Security").
Match the scenario to the target. Finance teams are more likely to click invoice or wire transfer emails. IT staff are more likely to click password reset or system update emails. Executives are targeted by BEC/CEO fraud.
Test it on yourself first. Before sending to a group, preview the template and ask: would I pause before clicking this?