How To Run A Phishing Campaign In 3 Steps

Learn about the 3 step process any business can follow to run a simulated phishing campaign.

How to run a phishing campaign banner.
Sebastian Salla, Chief Executive Officer at CanIPhish
Sebastian Salla May 19, 2022 (Last Updated: September 13, 2023)

Before we delve into the steps involved in running a phishing campaign, let's understand what phishing campaigns are and why it's important that we run them.

Jump To How To Run A Phishing Campaign

What You'll Learn In This Article.

  • What phishing campaigns are and why they're dangerous.
  • How to run a phishing campaign by following a simple 3-step process.
  • The benchmark employees should be held to, depending on the difficulty of phishing material received.
  • The tools at your disposal to run your own phishing campaigns.

What Is A Phishing Campaign?

Phishing campaigns are a form of cyber-attack typically run by cyber criminals in an effort to socially engineer victims towards the common goal of harvesting their account credentials, installing malware on their computers, blackmailing them, or stealing money through other types of trust scams.

Why Is It Important To Run Phishing Campaigns?

Cyber criminals are constantly sending phishing emails, and are constantly looking for ways to ensure their emails land in victims' inboxes. All it takes is a single employee to fall victim to a phishing attack for a business to potentially end up with a data breach.

In an effort to protect businesses and their employees from phishing attacks, cyber defenders will commonly look to run simulated phishing campaigns. A key difference with simulated campaigns is that they're performed in a controlled environment where employees can learn without risk.

Image depicting cyber defenders fending off cyber attacks.

Now that we understand what phishing campaigns are and why they're important, let's talk about how you can run them.

How To Run A Phishing Campaign

Running phishing campaigns is often viewed as a complex and time-consuming task.

The main reason for this perception is largely that information on how to run phishing campaigns is typically guarded and held by information security specialists, making it difficult for those who don't work in the industry to know if they're on the right track.

In this article, we've simplified the process into 3 distinct steps.

Step 1. Campaign Setup

As part of the campaign setup, there are a number of small tasks that we need to address, namely:

  • Email Allowlisting: To run a successful simulated phishing campaign, we must ensure that allowlisting has been configured on any email or web filters. Without allowlisting, there's no way to guarantee delivery, which could compromise the integrity of campaign statistics.
  • Target Selection: It's important to ensure that the targets of a phishing campaign have one or more attributes in common. This could be the company they work for, the division they work within, the type of role they have, or other personal traits and hobbies. This will help with the next task during the campaign setup.
  • Phishing Content Selection: Content needs to be highly relevant and personalized to the targets of the phishing campaign. The more convincing and relatable the phish, the more likely it is that targets will interact with it.
  • Campaign Scheduling: Campaigns should be scheduled during the business hours that the targets operate within. Additionally, depending on the number of targets, email delivery should be staggered over one or more days.
  • Campaign Execution: To ensure campaign success, we need to ensure that targets are actually able to receive phishing emails. It's advisable to always run a series of tests prior to final delivery.

Step 2. Campaign Management

Once a phishing campaign has been scheduled and delivery is underway, we need to ensure the infrastructure we're using as part of the campaign is maintained and ready.

This includes the mail server delivering phishing emails, the web server hosting any phishing websites, and the back-end infrastructure used to capture and store any interactions detected.

If you're using a managed phishing solution such as CanIPhish, this is taken care of for you. If you're using an open-source or self-hosted tool such as GoPhish, then the responsibility for maintaining this infrastructure is on you.

If users report phishing material, your infrastructure may stop functioning prior to campaign completion. For this reason, you need to monitor your infrastructure throughout the campaign and potentially implement evasion techniques to prevent any phishing websites from being blocked.

Step 3. Campaign Reporting

We need to closely monitor phishing interactions to understand what portion of the business is vulnerable to phishing attacks. Trackable interactions include:

  • Emails Delivered: Did the email end up in the target inbox, or was it bounced/rejected?
  • Emails Viewed: Did the target view the email? Was the email subject or sender name engaging enough?
  • Payloads Clicked: Did the target click on any links or download any attachments?
  • Targets Compromised: Did the target enter their credentials into a phishing website or execute a file on their computer?
  • Emails Reported: Did the target report the suspected phishing email?

You may have varied results depending on how personalized and engaging the phishing emails were. We typically find that you'll have the following statistics across the general employee base of a business:

  • Unpersonalized Emails: Typically have a click rate between 0% and 19%. These emails do not include personal information relating to the target, such as First Name or Last Name, and may also not be relevant to the services the target uses on a day-to-day basis.
  • Personalized Emails: Typically have a click rate between 20% and 29%. These emails are personalized with information such as the target's First Name or Last Name but may not necessarily be relevant to the services the target uses on a day-to-day basis.

Image depicting an employee receiving numberous cyber attacks.

  • Personalized & Relevant Emails: Typically have a click rate between 30% and 50%. These emails are personalized and relevant to individual targets. They're designed to trick the most experienced employees and can even trick trained cyber security professionals.

Tip: Use the phishing email library provided by CanIPhish as inspiration for your own phishing emails.


Running phishing campaigns can be a daunting task, but with the right approach, it's a simple activity.

The team at CanIPhish has developed the CanIPhish Cloud Platform with this in mind. Our aim is to empower every business owner or IT professional to feel comfortable with establishing their phishing awareness program and using a mixture of phishing simulations and formal training modules to educate employees.

If you have any questions, please don't hesitate to contact the team at CanIPhish. We're here to help!