Starting a phishing program

While it’s possible to run a phishing campaign across a company with no warning, we’d recommend against that. You want to build engagement and trust with your employees and not come across as antagonistic and vindictive. Here are the steps we recommend when starting a program:

  1. Executive Buy-In
    Ensure that the appropriate executives are aware of and/or have approved the testing. You’ll need them to have talking points if their teams ask about these tests.

  2. Company Heads Up
    Give the entire company forewarning. Be clear that it’s an exercise to help everyone learn and not meant to trick or punish people. A template is available here.

  3. Response Team Heads Up
    If employees begin reporting an email as phishing, who’s responding? Give them notice about the tests and how to respond (ideally prior to each campaign). A template is available here.