PhishSim Frequently Asked Questions

What does Sent vs. Delivered email status mean?

Sent indicates that the message was successfully sent from our mail servers. Sent does not mean that the email was received or will be delivered.

Delivered means that the recipient’s email server received the message and will attempt to deliver it to the user’s inbox. Note that security appliances can still intercept messages after the mail server sends an acknowledgment, and user-defined rules can also interfere with delivery. For example, if the user has all emails from exampledomain.com going to their junk folder, then messages sent from exampledomain.com would still show as Delivered even though they end up in the junk folder.

Additionally, recipient mail servers aren’t required to send a delivery acknowledgment. In other words, it is entirely possible for an email message to be received successfully without a Delivered status.

How do I configure a blind campaign so the learner doesn't receive a follow-up email notification?

Blind campaigns are configured in two parts: the education assets associated with the templates and the follow-up email setting in the campaign.

  1. Before configuring your blind campaign, ensure that all the templates have “blind education” selected. If you are using our pre-built Baseline Blind battery, those templates already have that education selected. If you are unsure how to change the education in an email template, follow the steps below:
    a. Navigate to PhishSim > Emails Templates
    b. Find the template and click Clone
    c. Under the Education setting, choose “Blind Education”
    d. Change the name of the template and click Save.

  2. Normally, after a learner interacts with a PhishSim email, they are presented with the education page and then sent a follow-up email with this information. Since the goal of a blind campaign is to not inform the learner, you will want to disable that follow-up email notification. To do this, follow the steps below:
    a. Navigate to PhishSim > Campaigns
    b. Select New Campaign
    c. Identify the learners you would like to send this campaign out to
    d. Select the blind email templates/battery
    e. Scroll down to the schedule section and identify the start date and length
    f. Lastly, in the Phished Learner Action drop-down menu, select “do nothing”. Selecting “do nothing” disables the follow-up email reminder.

Note: After a campaign is saved and scheduled, there is no way to turn off the follow-up notifications without stopping the campaign. Ensure that you have “do nothing” selected before saving and scheduling the campaign.

On weekly Infosec IQ Reports, why do blind campaigns show a “trained” status for learners?

Blind Education is one of our education assets, so we track that the learner visited this page, just as we do for the static training pages. If the templates are configured as blind, the learner still saw only the 404 Error page.

How do I re-send phishing training?

An admin can resend the phished learner notification, which takes the learner back to the training, by following these steps:
  1. Navigate to PhishSim > Campaigns
  2. Click on the details icon for the specific campaign the learner is in
  3. Click on the bar graph button in the bottom right corner. If you have multiple runs, then click on the bar graph icon for the run the learner was phished in.
  4. Find the learner by using the search function
  5. Once you have located the learner, click on the envelope icon on the far right

How do you know when an email is "Opened"?

PhishSim messages contain a 1x1 tracking pixel that will get loaded when the message is opened. Each tracking pixel is stored on our server and has a unique file name that associates it with a specific learner. If the tracking pixel is requested from the server, Infosec IQ records the IP address from which the request originated.

Is an Opened email considered to be a negative event?

A user may not be able to tell if the message is malicious without looking at the body of the email. Some mail clients obscure the actual sending address, requiring the user to open the message to see more information. Learners shouldn’t be penalized for opening a message to hover over links, etc.

Why did I get marked as phished after forwarding an email?

The links in a PhishSim email are unique to the learner who originally received the message. If the link is accessed by someone else after the message is forwarded, the original learner will get marked as phished. One way to avoid this is to report emails using Infosec IQ’s PhishNotify add-on.

Will learners get marked as phished from Out of Office responses?

Infosec IQ has logic to look for automatic replies and will not count those as phished events. The rules look for any of the following:

  • X-Autoreply or X-Autorespond headers
  • The Auto-Submitted header with the value auto-replied or auto-generated
  • Subject lines containing out of office or automatic reply

If any of the above conditions are matched, Infosec IQ will ignore the email.
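
The three rules above, written out as a header check over constructed sample replies. This is an added example, not Infosec IQ's own code; the function name, the case-insensitive matching, and the handling of Auto-Submitted parameters and encoded subject lines are assumptions.

```python
from email import message_from_string
from email.header import decode_header, make_header

# Rule inputs as listed in the FAQ; case-insensitive matching is an assumption.
AUTO_HEADERS = ("X-Autoreply", "X-Autorespond")
AUTO_SUBMITTED_VALUES = {"auto-replied", "auto-generated"}
SUBJECT_PHRASES = ("out of office", "automatic reply")


def auto_reply_reason(raw_message: str):
    """Return the first rule the message matches, or None for a human reply."""
    msg = message_from_string(raw_message)

    # Rule 1: the presence of either header is enough, whatever its value.
    for name in AUTO_HEADERS:
        if msg.get(name) is not None:
            return f"header:{name}"

    # Rule 2: Auto-Submitted may carry parameters after ';', so compare only
    # the keyword. "Auto-Submitted: no" marks a manual message and must not match.
    keyword = msg.get("Auto-Submitted", "").split(";", 1)[0].strip().lower()
    if keyword in AUTO_SUBMITTED_VALUES:
        return f"auto-submitted:{keyword}"

    # Rule 3: decode RFC 2047 encoded-words before searching the subject,
    # otherwise an encoded "Out of Office" subject would be missed.
    subject = str(make_header(decode_header(msg.get("Subject", "")))).lower()
    for phrase in SUBJECT_PHRASES:
        if phrase in subject:
            return f"subject:{phrase}"
    return None


# Constructed sample replies (not real traffic).
SAMPLES = {
    "vacation": "From: a@example.com\nSubject: Re: Invoice\n"
                "Auto-Submitted: auto-replied; owner-email=\"a@example.com\"\n\nAway.",
    "encoded": "From: b@example.com\n"
               "Subject: =?utf-8?Q?Out_of_Office?=\n\nBack Monday.",
    "human": "From: c@example.com\nSubject: Re: Invoice\n"
             "Auto-Submitted: no\n\nSure, sending it now.",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", auto_reply_reason(raw))
```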

Why do learners get marked as phished when reporting PhishSim emails to other services?

When one of Infosec’s PhishSim emails is reported to another vendor, e.g. Google or Microsoft, the vendor will treat the email like a real phishing message and visit all links to determine if there is a threat. When this happens, the learner associated with the PhishSim message will get marked as “Phished” in Infosec IQ. For best results, report messages only with the Infosec IQ PhishNotify button.
