Executing Phishing Simulation Campaign

When to Use

• Measuring employee susceptibility to phishing attacks as part of a security awareness program
• Testing the effectiveness of email security controls (secure email gateway, DMARC, SPF, DKIM)
• Conducting the social engineering component of a red team exercise to gain initial access
• Establishing a baseline for phishing susceptibility before deploying security awareness training
• Validating that incident response procedures work when employees report suspicious emails

Do not use without explicit written authorization from the organization's leadership, for actual credential theft beyond the authorized scope, for targeting individuals personally rather than professionally, or for sending phishing emails that could cause psychological harm or legal liability.

Prerequisites

• Written authorization from executive leadership specifying the campaign scope, target groups, and escalation procedures
• Coordination with the IT/security team to whitelist the sending infrastructure (or test whether it bypasses controls, depending on scope)
• GoPhish or equivalent phishing platform configured with a sending domain, SMTP relay, and landing page infrastructure
• Phishing domain registered and configured with SPF, DKIM, and DMARC records to maximize deliverability
• Employee email list from HR, organized by department for targeted campaigns
• Incident response team briefed on the campaign timeline and escalation procedures