Best Practices: Creating Effective Phishing Templates in the KB4 Console

(Lauren Ashley) #1

To successfully simulate-phish your users and better prepare them for real phishing attempts, you can create effective email templates for your organization in the KnowBe4 console. Whether you want to create a replica of an email your users frequently come across or spoof a well-known company, you have an abundance of creative freedom to take advantage of in an effort to better deceive, ahem, test your users.

In our WYSIWYG (What You See Is What You Get) editor, the first area of customization is Sender’s Email Address. You can put anything in this field so long as it follows the standard email address format. If you use the [[domain]] placeholder, your own domain will be spoofed, giving you the ability to spear phish your users by replicating internal emails they frequently interact with. Depending on which mail client you use, the sender’s name will replace the sender’s email address so you can also take advantage of the Sender’s Name field in the template editor to make your templates look more sophisticated.

The subject line of the email you are creating can be whatever you like; this is another key area for persuasion and credibility. If you add “RE:” or “FW:” you can make the email appear as a reply or as if it was forwarded to you, enhancing legitimacy in some (theoretical) situations.

You can also take advantage of our “Placeholders” to make the email template more personalized and realistic. We have placeholders such as First Name, Last Name, Email, Job Title, Manager Name, and Manager Email; think of all the possibilities!

You can add any image you would like to a template by pasting the URL of the image’s location into the Image Properties form. You can also resize the image here. Simply adding a company’s logo to an email template makes the email’s legitimacy more plausible.

Adding specific words such as “secure” to email templates is intended to ease a user’s mind about any hesitation to click links in an email. For example, you can highlight any text to turn it into a “Phish Link,” so if you used wording such as “Be sure to use this secure link to confirm your information was NOT compromised,” a user might fall for this simulated phishing test.

Some Things to Avoid:

Out of respect for the agencies that you may be spoofing, we believe it is best practice to not include any legitimate contact information such as addresses, phone numbers, employee names, etc.

When creating phishing emails that spoof an internal person or department, we suggest giving them a warning and receiving their approval before the phishing campaign goes live. That way, they will be prepared for the questions they will undoubtedly receive (or they can hide while the test is taking place!).
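The placeholder and “Things to Avoid” guidance above can be turned into a pre-flight check that a campaign administrator runs over a template before it goes live. The following is an added example, not KnowBe4 code and not a description of how the console validates templates: it assumes every placeholder uses the `[[name]]` form the post shows for `[[domain]]` (the snake_case names for the other placeholders are an assumption), verifies that the Sender’s Email Address field is a valid address once `[[domain]]` is substituted, flags placeholders the console would not recognize, and flags literal phone numbers, email addresses, and street addresses in the subject and body, which the post says should be left out of a template. The sample template is constructed for the example.

```python
import re

# Placeholders named in the post. The [[...]] syntax is taken from the post's
# [[domain]] example; the snake_case names are an assumption for this example.
KNOWN_PLACEHOLDERS = {
    "domain", "first_name", "last_name", "email", "job_title",
    "manager_name", "manager_email",
}

PLACEHOLDER_RE = re.compile(r"\[\[([^\]]+)\]\]")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# North American style numbers such as (555) 123-4567 or 555-123-4567.
PHONE_RE = re.compile(r"\(?\b\d{3}\)?[ .-]?\d{3}[ .-]\d{4}\b")
# Simple "123 Main Street" style addresses; enough for a pre-flight warning.
STREET_RE = re.compile(
    r"\b\d{1,5}\s+(?:[A-Z][a-z]+\s+){1,3}"
    r"(?:Street|St|Avenue|Ave|Road|Rd|Boulevard|Blvd|Drive|Dr|Lane|Ln)\b"
)


def lint_template(sender: str, subject: str, body: str) -> list[str]:
    """Return a list of findings for a simulated-phishing template.

    An empty list means the template passes every check in this example.
    """
    findings = []

    # 1. The sender field must be a standard address once [[domain]] is filled in.
    #    'example.invalid' is a reserved, non-routable stand-in for the real domain.
    resolved_sender = sender.replace("[[domain]]", "example.invalid")
    if not EMAIL_RE.fullmatch(resolved_sender):
        findings.append(f"sender is not a valid email address: {sender}")

    # 2. Any placeholder the console does not know would be delivered verbatim,
    #    which gives the test away.
    for match in PLACEHOLDER_RE.finditer("\n".join((sender, subject, body))):
        if match.group(1).strip().lower() not in KNOWN_PLACEHOLDERS:
            findings.append(f"unknown placeholder: [[{match.group(1)}]]")

    # 3. Literal contact information in the subject or body. Placeholders are
    #    removed first so [[manager_email]] and friends are not reported.
    visible = PLACEHOLDER_RE.sub("", "\n".join((subject, body)))
    for match in PHONE_RE.finditer(visible):
        findings.append(f"literal phone number: {match.group(0)}")
    for match in EMAIL_RE.finditer(visible):
        findings.append(f"literal email address: {match.group(0)}")
    for match in STREET_RE.finditer(visible):
        findings.append(f"literal street address: {match.group(0)}")

    return findings


# Constructed sample template for the example; not a real campaign.
SAMPLE_SENDER = "payroll@[[domain]]"
SAMPLE_SUBJECT = "RE: Action required: confirm your direct deposit details"
SAMPLE_BODY = """Hi [[first_name]],

Your manager [[manager_name]] has asked everyone to re-confirm their details by Friday.
Use this secure link to confirm your information was NOT compromised.

Questions? Call us at (555) 123-4567 or write to payroll-team@examplecorp.invalid.
Sent from [[hq_address]]
"""

if __name__ == "__main__":
    for finding in lint_template(SAMPLE_SENDER, SAMPLE_SUBJECT, SAMPLE_BODY):
        print("WARNING:", finding)
```

Run against the constructed sample, the check reports the unrecognized `[[hq_address]]` placeholder, the literal phone number, and the literal email address, while `[[first_name]]`, `[[manager_name]]`, and the `[[domain]]`-based sender pass. The regular expressions are deliberately simple; they are a reminder at template-review time, not a substitute for reading the template.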

If you make a phishing template that you think others may benefit from in their own phishing campaigns, please forward it to our Community Templates page so we can share it with all KnowBe4 users!

If you would like more information about creating custom templates, be sure to sign up for our weekly webinar on this topic!
Live Webinar - every Wednesday at 1:30 PM Eastern - Customizing Phishing Templates, Landing Pages, & Training Notifications. Sign up at this link:

Lauren Ashley
Technical Writer