Creating a phishing simulation

Learn how to create and deploy a phishing simulation using the uPhish template library.

Jordan Daly avatar
Written by Jordan Daly
Updated over a week ago

Creating a phishing simulation using the uPhish template library

Creating and sending your phishing simulation is quick and simple. Here's how to launch a uPhish campaign in six simple steps:

Important note:

Please set up Message Injection in Microsoft 365 or Google Workspace to ensure your simulated phishing email will reach your end users.

Getting started

To get started, find the Create simulation page through the top menu in the usecure app.

uPhish -> Create simulation

Step One - Select your attack type

Before creating your simulation, you will need to select an attack type.

There are three attack type options to choose from for a phishing simulation:

  1. Landing Page

  2. Attachment Open

  3. Attachment Open + Landing Page

Landing Page attack type is an email with a link to a landing page. This attack type lures users into clicking a link within the email text.

Users become compromised when they interact with the landing page - which usually involves the user inputting details and then clicking a button which activates the compromise.

Attachment Open attack type allows you to create a phishing email with an attachment.

With the Attachment Open attack type, users become compromised when opening the attachment in the email.

Attachment Open + Landing Page attack type allows you to create a phishing email with an attachment containing a link to a landing page.

With the Attachment Open + Landing Page attack type users will be compromised when inserting their credentials after following a link found in an attachment.

Step Two - Choosing your landing page

For attack types Landing Page and Attachment Open + Landing Page, you will need to choose a landing page for your simulated phishing campaign. You will see pre-built uPhish templates on this page, but if you have created custom landing pages you can see them by scrolling down to the Your Saved Templates section.

You can filter landing pages by language and region to easily find the ones most suitable for your needs.

If you create a custom landing page for your simulation, please do not use real logos or mention the names of a real company in your template.

Step Three - Choosing your email

If you chose one of the uPhish landing page templates, you will see appropriate email templates to fit the landing page's theme. You will also be able to select from all your custom templates by scrolling down to the Your Saved Templates section.

Step Four - Configuring your simulation

Now you're able to configure your simulation by editing the following:

  • Simulation name

  • Subject line

  • Sender name and email address

  • Landing page domain

You can use the "Use a custom sender email address" toggle to use any email address you wish. However, using an unverified email address may reduce deliverability. Send a test email from the bottom of the page to check deliverability on your system.

  • Landing domain

The domain health check will let you know about any known issues associated with a domain. However, as domain accessibility may depend based on the browsers and network used, it's a good idea to test a domain on your own system first before launching a simulation. You can do this by launching a test simulation using the button at the bottom of the page.

  • Preferred delivery method

The Preferred delivery method option is available if you have configured Message Injection - please note if Message Injection fails, emails will fall back to regular mail via SMTP).


You'll also be able to quality check your campaign with the 'Send test email' option at the bottom of the page. You will be able to choose which delivery method you choose to test the email with (you'll most likely want to select the same one as what the email is planned to be sent out with).

Step Five - Selecting recipients & scheduling your simulation

You can now select your recipients and choose the send date and time of your simulation.

  • Send to All Users - this option will send the email to all active users on your account who have an associated email address

  • Select Recipients - you may choose individual recipients or groups

  • Choose a date and time to start sending out the emails - this option sets when the emails will start being sent out

  • How many hours should the emails be distributed over? - use this option to stagger the emails and ensure all users won't receive them simultaneously.

  • Only send between working hours? - you can use this option to ensure emails are only sent out during the working hours you have configured in your uPhish settings.

Step Six - Setting up inline training for compromised users

You can optionally choose to automatically send additional training modules to users who become compromised in the simulation. You can do this by selecting an Inline Training module in this step.

We recommend you use the Phishing Micro Training module which is specifically built for this purpose. It explains to users why they are receiving the additional training, why it's important to look out for phishing, and what signs they should look out for. You can, however, choose any uLearn module you wish - including custom ones you've created yourself.

Finally, click Create Simulation to deploy your campaign.


Next steps

Did this answer your question?