PhishDeck as a platform aims to provide the most valuable phishing simulation campaigns that it can with the least amount of configuration required by the user to achieve their goals. With that in mind, the following is a short Quickstart Guide that can help you get on your feet quickly.
1. Allowing PhishDeck to Send Emails
While PhishDeck emulates a real phishing attack, it is ensured that this is conducted with traceability and governance in mind. To such an extent, unlike real attackers using illegal botnets or other illicit methods of sending large volumes of phishing emails, all of PhishDeck’s phishing simulation emails originate from a single IP. This is done not only to be easy to allow (some mail filters only allow IP allow listing), but it’s also to ensure that it’s quick and easy to distinguish phishing simulation emails from real ones in the event of an investigation.
Naturally, IPs which only send phishing simulation emails are bound to be blocked, and to such an extent, we strongly suggest explicitly allowing PhishDeck’s IP addresses to avoid issues with your phishing simulation Campaigns – this process only needs to be set-up once.
For information on how to add PhishDeck to your provider’s allow list, refer to the following documentation.
- Allowing PhishDeck in Google Workspace (G Suite)
- Allowing PhishDeck in Office 365 / On-premise Exchange
- Allowing PhishDeck in Proofpoint
- Other (let us know)
2. Domain Verification
PhishDeck is a phishing simulation platform, and as such, we take great care and responsibility as to who we engage phishing simulations with. Before you can start sending out phishing emails to a given domain, we will need to verify that you are authorized to do so.
To verify a Domain, navigate to your Account settings (🅐), then click on the “Add Domain” button (🅑).
When adding a Domain, you are provided with two options on how to verify ownership and authorization explained below.
Email Domain Verification
Email domain verification is a quick method of verifying your domain. It involves receiving an email with a magic link that can only be sent to a predefined administrative email address of your choice that PhishDeck allows. Once you follow the confirmation link via email, your domain will be verified for 1 year.
DNS Domain Verification
DNS domain verification involves adding a TXT record to your domain that does not expire and will remain valid as long as the TXT record on your domain is present. This is the more ideal option as it only needs to be setup once per domain.
Please note that in some cases, DNS may take up to 48 hours to propagate.
Create Targets and Lists
With your Domain verified, you may now begin adding your Targets into PhishDeck and logically grouping them into Lists.
To manage your Targets and Lists, you may head to the Targets and Lists menu respectively. If you have neither setup yet, you will be asked to create a new Target.
After clicking “New” or “Create Target”, you will be able to input the details of your first Target. If you already have a List set up, you can immediately allocate the Target to that List as well.
Similarly, setting up a List can be achieved by navigating to the Lists menu, clicking on “New” and inputting the details. In this example, we will immediately add the Target, “John Doe” to that List upon creation.
- Create a Campaign With our Domain(s) set up, as well as our Targets and Lists, we may now create our first phishing campaign using PhishDeck.
Navigate to the “Campaigns” menu and click “New” to begin setting the Campaign up. Start by adding a Title and Description for your Campaign.
We can then click “Next” to proceed to the next step, allocating Targets and Lists. In this step, we can add our newly created List, so that in the future, should we add more Targets, it will automatically reflect in that List.
We can now click “Next” to pick our Phishing Template of choice. All phishing templates are pre-configured for you and designed to mimic effective engaging phishing emails. Click on the phishing template of choice and then click “Next”.
Which brings us to the last step of setting up our first phishing Campaign, the campaign’s schedule. Given that this is a quickstart guide, we can simply set the Campaign to, “Start now” and click on “Submit”.
4. Next Steps, Results & Reports
After setting up more advanced Campaigns in PhishDeck, you can view your Campaign results with high-level trends, as well as granular per-Target event timelines.
You can also export your results as a report, by clicking on the “Download Report” button and selecting the export format of choice (i.e. HTML, CSV).