Loopus


Phishing Campaign Design

30 min lab

Learning Objectives

  • Design effective phishing simulation campaigns
  • Measure and analyze security behavior metrics
  • Create effective "teachable moments" for users who fall for a lure


Phishing simulations are a practical method to measure susceptibility to social engineering and reinforce training. However, poorly designed campaigns can damage trust and morale.

Goals of Simulation

The primary goal is to educate, not to catch people out. Simulations establish a baseline of vulnerability, reinforce prior training in a practical context, and measure actual behavioral change over time. They also help identify specific high-risk groups or topics.

Campaign Types and Difficulty

Campaigns vary in sophistication, and the tier should match the maturity of the programme and the audience:

  • Easy: obvious scams from external senders with spelling errors. Useful for baselining a new programme or for quick wins.
  • Medium: plausible business scenarios such as "Password Expiry" or "HR Update". The right level for regular testing.
  • Hard: sophisticated, context-aware lures targeting specific roles.
  • Spear phishing: highly targeted attacks built from OSINT research. Typically reserved for high-value targets such as executives or finance staff, often with prior warning to the individuals involved.

Best Practices

DO:

  • align scenarios with recent training topics
  • use realistic but fair templates
  • provide immediate, constructive feedback (the "teachable moment") when a user clicks

DON'T:

  • shame employees publicly
  • punish users for falling for a simulation
  • use sensitive topics such as disasters, bonuses, or layoffs; these lures destroy morale and trust in the programme

Key Metrics

  • Click Rate: the percentage of recipients who clicked the link. Lower is better, but it will never reach zero, so the trend across campaigns matters more than any single value.
  • Report Rate: the percentage of recipients who reported the email with the "Report Phishing" button. This is the most important metric: a rising report rate indicates a proactive defence. A user who clicks and then reports still counts as a report; do not net the two against each other.
  • Credential Submission: the percentage who actually entered data on the landing page. This is the critical-risk figure, since a real attacker would now hold those credentials.
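The metrics above, computed from a campaign event log, as an added example (this is not Loopus platform code). The four-column event format and the sample events are constructed to stand in for the CSV export that simulation tools typically produce; the per-department breakdown is what lets you spot the high-risk groups mentioned earlier.

```python
"""Compute phishing-simulation metrics from a campaign event log.

Added example for this lesson; not Loopus platform code. The event format
below is a constructed stand-in for a simulation tool's export: one row per
event with user, department, event type and seconds elapsed since the send.
"""
from collections import defaultdict
from statistics import median

# Constructed sample campaign: five recipients in two departments.
EVENTS = [
    ("alice", "Finance", "sent", 0),
    ("alice", "Finance", "opened", 120),
    ("alice", "Finance", "clicked", 150),
    ("alice", "Finance", "submitted", 200),   # entered credentials: critical risk
    ("bob",   "Finance", "sent", 0),
    ("bob",   "Finance", "reported", 90),     # reported without clicking: ideal
    ("carol", "Eng",     "sent", 0),
    ("carol", "Eng",     "opened", 60),
    ("carol", "Eng",     "clicked", 80),
    ("carol", "Eng",     "reported", 400),    # clicked, then reported: still a report
    ("dave",  "Eng",     "sent", 0),
    ("dave",  "Eng",     "opened", 3000),     # opened only: neither a click nor a report
    ("erin",  "Eng",     "sent", 0),          # ignored the mail entirely
]


def summarize(events):
    """Collapse the event stream into one outcome record per recipient."""
    users = {}
    for user, dept, event, t in events:
        rec = users.setdefault(user, {
            "dept": dept, "clicked": False, "reported": False,
            "submitted": False, "report_time": None,
        })
        if event == "clicked":
            rec["clicked"] = True
        elif event == "submitted":
            # A submission implies the user reached the landing page, so count
            # the click even if the platform dropped the click event.
            rec["clicked"] = True
            rec["submitted"] = True
        elif event == "reported":
            # Keep any earlier click: a report is never netted against a click.
            # The report is the behaviour the programme wants to reinforce.
            rec["reported"] = True
            rec["report_time"] = t
    return users


def rates(users):
    """Click, report and credential-submission rates as percentages of recipients."""
    n = len(users)
    if n == 0:
        return {"recipients": 0, "click_rate": 0.0, "report_rate": 0.0, "submission_rate": 0.0}

    def pct(flag):
        return round(100.0 * sum(1 for u in users.values() if u[flag]) / n, 1)

    return {
        "recipients": n,
        "click_rate": pct("clicked"),
        "report_rate": pct("reported"),
        "submission_rate": pct("submitted"),
    }


def by_department(users):
    """Break the rates down per department to find high-risk groups."""
    groups = defaultdict(dict)
    for name, rec in users.items():
        groups[rec["dept"]][name] = rec
    return {dept: rates(members) for dept, members in sorted(groups.items())}


def median_time_to_report(users):
    """Median seconds from send to report, or None if nobody reported."""
    times = [u["report_time"] for u in users.values() if u["reported"]]
    return median(times) if times else None


if __name__ == "__main__":
    users = summarize(EVENTS)
    print("campaign:", rates(users))
    for dept, r in by_department(users).items():
        print(f"{dept:8}", r)
    print("median time to report (s):", median_time_to_report(users))
```

Rates are computed against recipients, not against openers, because open tracking is unreliable (image blocking, security scanners fetching pixels) and a rate built on it flatters the result. Median time to report is a useful companion to the report rate: the faster the first reports arrive, the sooner the SOC can purge a real campaign from mailboxes.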

The Teachable Moment

When a user fails a simulation, they should be presented with a landing page that explains it was a test, points out the specific "Red Flags" they missed (e.g., mismatched URL, urgency), and links to a short training refresher.

Questions

  • What makes phishing effective?
  • What email header reveals the actual sender?
  • What technical indicators reveal phishing?
  • What open-source phishing framework is widely used?