1. Recommended GoPhish Workflow

Phase 1 – Preparation

  1. Obtain written approval from management.
  2. Define target population:
    • All employees
    • Selected departments
    • New hires
    • High-risk groups (Finance, HR, IT, Procurement)
  3. Define metrics:
    • Email Open Rate
    • Click Rate
    • Data Submission Rate (if using a form)
    • Repeat Offender Rate
    • Department Comparison

Phase 2 – Create Email Template

In GoPhish:

Email & Templates → New Template

Components:

Subject

Examples:

  • Action Required: Password Expiration Notice
  • Updated Remote Work Policy
  • Mandatory HR Benefits Confirmation
  • Employee Recognition Reward
  • New Payroll Portal Available

Body

Example:

Dear Employee,

As part of our annual security review, we have updated the Employee Self-Service Portal.

Please review and confirm your details by clicking the button below.

[Review Information]

Thank you,
Human Resources

Phase 3 – Landing Page

Instead of collecting passwords, use a benign page.

Example:

Cybersecurity Awareness Exercise

You have clicked a simulated phishing email.

This exercise was conducted to help improve our organization’s cybersecurity awareness.

Indicators that this email was suspicious:

  • Unexpected request
  • Generic greeting
  • Urgent language
  • Unverified link

Please review the awareness materials below.

This avoids capturing credentials while still providing immediate learning.

2. Tracking Failures Without Capturing Credentials

Option A – Click Tracking Only (Recommended)

GoPhish records:

  • Email Sent
  • Email Opened
  • Link Clicked

Anyone who clicks is considered:

“Requires Awareness Reinforcement”

No credentials collected.

Option B – Form Submission Tracking

Create a fake login form:

Username: __________
Password: __________

When Submit is clicked:

  • Do NOT store data
  • Redirect immediately to awareness page

Track only:

User submitted the form

Not:

What username/password they entered

This is the preferred method if management wants to measure deeper susceptibility.

3. Example Failure Categories

Category Meaning
Passed Did not interact
Opened Read email only
Clicked Clicked link
Submitted Submitted form
Repeat Offender Failed multiple campaigns

This provides useful reporting without collecting sensitive information.

4. GoPhish Whitelisting Requirements

This is the most commonly forgotten step.

If not whitelisted, security controls may:

  • Rewrite URLs
  • Block emails
  • Detonate links
  • Generate false clicks

Microsoft 365

Allow:

Sending Domain

Whitelist:

  • Phishing simulation domain
  • SMTP server IP

Example:

training-company.com
203.0.113.25

Safe Links

Microsoft Defender Safe Links may click links automatically.

Create exclusions for:

https://awareness.company-training.com/*

or

*.company-training.com

Safe Attachments

If attachments are used:

Exclude simulation domains from sandboxing.

Google Workspace

Allow:

  • Sender domain
  • Sending IP
  • Simulation URLs

Under:

Apps
→ Google Workspace
→ Gmail
→ Spam

Create allowlist entries.

Email Gateway Solutions

If they use:

  • Proofpoint
  • Mimecast
  • Cisco ESA
  • Barracuda
  • Trend Micro Email Security
  • FortiMail

Whitelist:

Sender

noreply@training-company.com

Domain

training-company.com

IP Address

203.0.113.25

Landing Page Domain

awareness.company-training.com

Endpoint Security

If landing pages download awareness PDFs or media:

Whitelist:

  • Web domain
  • Hosting IP

in:

  • Microsoft Defender
  • CrowdStrike
  • SentinelOne
  • Trend Micro Apex One
  • Sophos

as needed.

5. Avoiding False Positives

Many awareness programs incorrectly report failures because security tools click links.

Common Automated Clickers

  • Microsoft Safe Links
  • Proofpoint TAP
  • Mimecast URL Protect
  • Barracuda Link Protection

These may show:

Email Sent
Clicked

within seconds.

Human clicks typically show:

  • Several minutes later
  • After email open
  • From employee workstation IP

GoPhish logs help distinguish these events.

6. Suggested Reporting

For management:

Metric Value
Users Targeted 500
Delivered 492
Opened 350
Clicked 75
Submitted 22
Reported to Security 40

Department breakdown:

Department Click Rate
Finance 8%
HR 15%
Operations 22%
IT 4%

This helps prioritize training.

7. Recommended Benign Scenarios for a BPO

  1. HR Benefits Enrollment
  2. Payroll Adjustment Notice
  3. Mandatory Security Awareness Refresher
  4. Work-From-Home Policy Update
  5. Performance Incentive / Employee Reward

Avoid:

  • Fake disciplinary actions
  • Fake layoffs
  • Medical emergencies
  • Personal tragedies
  • Salary reductions

Those tend to create negative reactions and are generally discouraged for awareness exercises.

For a BPO client, I would recommend running a 3-stage campaign:

  1. HR Policy Update (easy)
  2. Payroll Portal Verification (medium)
  3. MFA Reset Notification (advanced)

This creates a measurable baseline and shows whether awareness improves over time.

Leave a Reply