Phishing Security Test

Did you know that 91% of successful data breaches started with a spear-phishing attack?

Find out what percentage of your employees are Phish-prone™ with your free phishing security test.

IT pros have realized that simulated phishing tests are urgently needed as an additional security layer. Today, phishing your own users is just as important as having antivirus and a firewall. It is a fun and an effective cybersecurity best practice to patch your last line of defense: USERS

Free Phishing Security Test

Why? If you don't do it yourself, the bad guys will. 

Here's how it works:

  • Immediately start your test for up to 100 users (no need to talk to anyone)
  • Customize the phishing test template based on your environment
  • Choose the landing page your users see after they click
  • Show users which red flags they missed, or a 404 page 
  • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management

The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

Sign Up For Your Free Phishing Security Test

Find out now if your employees are properly trained not to click on just any email or link sent to them from outside (or inside!) your organization. The Phishing Security Test (PST) is a one-time free service with a limit of up to 100 employees. 

Download KnowBe4's free Phishing Security Test here:

What is the Best Method for Setting up a Baseline Phishing Test?

Recommendations for the Most Effective Baseline Phishing Test

Before you get started with training your users with KnowBe4's security awareness training modules, they strongly recommend that you conduct a blind baseline phishing test to all of your users.

This will show your organization’s initial phish-prone percentage. Consider this your starting point. Over time, you can use this initial phish-prone percentage to measure the success of using our integrated training and phishing platform.

Why Should the Test Be Blind?

KnowBe believes you will get the most accurate measure of your company’s vulnerability to phishing attacks by not announcing the baseline assessment to anyone other than your stakeholders. If this were a real phishing attack that made it through your email filters, you’ll see how many employees would actually fall for it. Brace yourselves, this can be a scary number sometimes!

To Prevent Help Desk Overload, Phish Your IT Team First!

Another option you may want to consider is to send two baseline assessments: one to your IT/Help Desk department first, and then a separate one to the rest of your employees afterward. This way, when the rest of your employees begin reporting the suspicious email, your Help Desk employees will be aware of the situation but will also have had the chance to participate in the baseline assessment. In addition, this is a great way to ensure you’ve whitelisted our mail servers effectively, and that your baseline test will reach everyone’s inbox.

Recommended Settings for Baseline Test

You can set up your baseline phishing test beneath the Phishing tab of your console by clicking the "+Create Campaign" button. The recommended settings for an effective baseline test are below:

  • Name: Baseline Test
  • Deliver to: All Users
  • Frequency: One time
  • Start time: Select the day/time.
    • Time should be when users are actively checking emails.
  • Sending: Send all emails when the campaign starts.
    • This ensures that users will not have time to warn each other that a phishing test is being conducted.
  • Track Activity: Choose at least 3 days.
  • Track Replies: This setting is optional. For more information about reply-to phishing, see our Reply-To Product Manual.
  • Categories: IT --> select template 'Change of Password Required Immediately'
    • Don’t want to use this template? Make sure you use a template that is generic and will apply to each employee within your organization. See more tips here.
  • Phish Domain:, or another choice which looks "safe" to click on.
  • Landing Page: You have several options here. Review this article (How to Choose a Landing Page) before selecting your landing page.
  • Send email report: Checked
    • An email report will be sent to the admins on your account once the test is completed.


Setting up a Recurring Phishing Test

KnowBe4 recommends that after you train your users with your first security awareness training campaign, you begin an ongoing phishing campaign. Depending on your security awareness program, this recurring phishing test may be set to weekly, bi-weekly or monthly.

As a best practice, KnowBe4 recommends phishing your users at least bi-weekly. Why? Regular phishing tests will allow your employees to practice the skills they’ve learned in security awareness training. 

The recommended settings are shown below and will help you maximize the variety of phishing emails utilized and also spread the emails out over time. Through this fully random method, employees will not be able to warn each other about the phishing test taking place.

Set up your ongoing phishing campaign with the below settings:

  • Frequency: Weekly, Bi-weekly, or Monthly, depending on your security awareness program.
  • Sending: Send emails over at least three business days.
    • This way, users will not receive the emails all at once, and cannot warn each other about a phishing test taking place.
  • Track Activity: Track phishing test failures for at least three days.
  • Track Replies: You can turn this setting on if you wish to track user replies to phishing test emails.
  • Categories: Choose multiple template categories, and choose "Full Random" from template dropdown to choose a random template for each user.
  • Difficulty Rating: Optional
    • If you'd like, here you can choose to limit the difficulty of the templates you've selected to specific star ratings, from one to five.
  • Phish Link Domain: Leave as random.
  • Landing Page: Optional
    • Choose a particular landing page you'd like to use for all phishing templates, or leave as default.
    • For more information about landing page selection, see: What Landing Page Should I Choose?
  • Add Clickers: Here you can select your Clickers group.
    • Each time someone fails your phishing test, they will be added to the selected group. You can use this group for Remedial Training in the future if you'd like.
  • Check "Send an email report to account admins..." if you'd like to be notified when the phishing test is completed.