Launching a first phishing campaign is a key milestone.
It allows you to measure how exposed your organization may be to security risks stemming from a lack of employee training.
No need for concern — the goal is not to penalize employees, but to help them improve through repeated exposure, using three essential learning levers:
1️⃣ Theoretical lever: Assess whether employees understand the threat and can identify phishing indicators.
2️⃣ Heuristic lever: Evaluate their ability to apply this knowledge when facing manipulation and social engineering attempts.
3️⃣ Cultural lever: Strengthen awareness of individual responsibility and the security implications of everyday actions.
1 – Objectives
Learn how to launch a phishing campaign:
Manage campaign types
Select employees to target
Choose appropriate scenarios
Define a sending schedule
2 – Prerequisites
Proper permissions to configure a campaign
3 – Choose the campaign name and type
3.1 – Access campaign creation
Click + New Campaign from the Campaigns section of the Phishing module.
3.2 – Select the campaign type
Choose between:
Phishing Assessment Campaign
Awareness Training Campaign
Then select:
Credential Harvesting
Click-Only
3.3 – Name the campaign
Enter the desired campaign name.
4 – Select campaign targets
4.1 – Understand selection options
Select employees either by:
Filtering employees directly
Selecting employee groups
4.2 – Filter employees
4.2.1 – Use the available filters
Security Score Range: display employees based on security score
Campaign Count Range: filter by the number of campaigns received
Only show untrained employees: display employees who never received a campaign
Search Employees: search by name
4.2.2 – Select all results
Click Select All.
4.3 – Select groups
Click Groups to choose one or more groups at once.
4.4 – Confirm targets
Click Continue.
5 – Choose scenario(s)
5.1 – Use library filters
Search among Arsen-provided or custom scenarios.
Click here to know more about the library filters.
5.2 – Validate scenarios
Select one or more scenarios, then click Continue.
If multiple scenarios are selected, the campaign becomes a multi-scenario campaign.
6 – Define the campaign schedule
6.1 – Select the sending mode
Two options:
One-Time Campaign
Recurring Campaigns
Select One-Time Campaign.
6.2 – Choose the sending method
6.2.1 – Send immediately
Check Send it now.
📚 Note
Arsen sends several dozen emails per minute. Total duration depends on target volume
6.2.2 – Schedule the campaign
Check Schedule for a specific time to choose a date and time.
6.3 – Using the scheduling calendar
6.3.1 – Select dates
Click on each date individually.
⚠️ Warning
You cannot select a date range by clicking two dates.
Each date must be selected manually.
🔍 Example
Selecting the 26th and 28th means emails are sent only on those two dates.
6.3.2 – Maximize discretion
For a more discreet campaign:
Spread out send dates
Use multiple scenarios (assessment campaigns work best)
6.4 – Define time settings
Start Date and Time: when emails begin sending
End Date and Time: after this time, no emails will be sent
Time Range: restrict sending to specific working hours. Helps respect work policies and avoid out-of-hours delivery.
7 – Launch the campaign
7.1 – Review campaign settings
The scheduling page shows a full summary before sending.
7.2 – Launch the campaign
Click 🚀 Launch Campaign when everything is ready.
Launching your first phishing campaign to test your employees is a key moment. This is when you realize that the security of your IT infrastructure, data, and production tools may be at risk due to insufficient employee training.
Don’t worry! The goal is to improve employee behavior through repeated campaigns by acting on three levers:
1️⃣ Theoretical Lever: Do my employees understand the risk and how it manifests?
2️⃣ Heuristic Lever: Can my employees apply their knowledge when facing a threat that manipulates them via social engineering?
3️⃣ Cultural Lever: Are employees aware of their responsibilities and the security implications of their actions?
Table of Contents
Prerequisites
To launch a phishing campaign with Arsen, the following conditions must be met:
🟢 Your domains must be validated in the platform.
🟢 Phishing simulations must be authorized in your filtering solution.
🟢 Employees must be imported into the platform.
🟢 You may have created a custom scenario.
Step 1: Choose Campaign Name and Type
To create a campaign, click + New Campaign under the Campaigns section in the phishing module.
The first step is to choose the campaign name and type. (For a reminder on the difference between Assessment and Training campaigns, see this article.)
Then, give your campaign a name.
Step 2: Select Campaign Targets
The second step is selecting employees who will receive the phishing campaign.
You can select targets using two methods:
Filter employees already in the platform
Select employee groups
🔀 If you filter employees, you can use several filters:
Security Score Range - Use the sliders to show employees within a specific security score range. Lower scores indicate higher vulnerability.
Campaign Count Range -Filter employees by the number of campaigns they have received.
Untrained employees - Check this box to display only employees who have not yet received a campaign.
Use Search Employees to target specific individuals.
You can also click Select All to select all filtered results or all employees by default.
🔁 If you select targets by group, click Groups to pick an entire employee group with a single click.
Then click Continue.
Step 3: Choose Scenario(s)
To select one or more scenarios to send, use the filters in the scenario library. This library includes scenarios designed by Arsen or your custom scenarios.
Click Continue once you have selected your scenario(s).
If you choose multiple scenarios simultaneously, this is considered a multi-scenario campaign.
Step 4: Set Campaign Schedule
You have two options:
One-Time Campaign for standard, single campaigns
Recurring Campaigns for automated, recurring campaigns
Select the One-Time Campaign option.
2 options:
☑️ Send it now: The campaign will be sent immediately.
Note: Arsen sends dozens of emails per minute, so the full campaign may take some time depending on the number of targets.
☑️ Schedule for a specific time: Set fully customizable dates and times.
You can select multiple dates from the calendar.
⚠️ You cannot select a date range by clicking only two dates—you must select each intended sending date individually.
Example: You select October 26 and 28. No emails are sent on October 27.
💡 To increase campaign discretion, choose spaced-out sending dates and consider using multiple scenarios in an Assessment Campaign.
You can also schedule:
Start date and time for the first emails
End date and time after which no more emails are sent
Finally, you can set a Time Range, defining hours during which emails can be sent.
This respects work-life balance by ensuring emails are not sent outside of working hours.
Step 5: Launch the Campaign
The Schedule page is where you launch your campaign. Review the campaign summary before sending.
When ready, click 🚀 Launch Campaign to start your phishing campaign.