Creating your own Data Entry Forms
You can now send phishing emails with a link to a customized landing page that prompts your users to enter sensitive information.
Important (Really READ)
We don't record any data entered by the user. No data is stored on our servers (including logs) or anywhere else, provided you follow the guideline below:
To make sure the data is not logged on our servers, you must name your form fields using one of the following: password, password_confirmation, old_password, credit_card, ssn, social_security_number, domain_name, uname, number, verification_value, brand.
1. How does it work?
When the user clicks on a link in an email, they are redirected to a customized landing page with a form asking them to enter sensitive data. When the user submits the form, they are redirected to another page, either one telling them they failed the test or any other page. The click on the phishing link and the fact that the user entered data are recorded in the system and can be viewed or exported in the Phishing Security Test reports.
2. Using the built-in email templates
We built a handful of email templates that use customized landing pages to entice the user to enter sensitive data. When you create a new phishing campaign, the list of templates under System Templates includes a new category, "Phishing for Sensitive Information". You can choose one of the templates in this category, or choose "Random" from that category so the system picks a template for you when the phishing security test is sent.
3. Building your own email templates
In order to phish for sensitive information, you need:
- an email template containing a link the user will click.
- a landing page with a form to capture the user input.
- another landing page where the user will be redirected after they submit the form.
3.1 Creating the phishing landing page
This is the page that contains the form where the user will enter sensitive information. To create it, in the management console go to Phishing -> Landing Pages -> New Landing Page. You can use any text that might trick your users; you will need to switch to Source Mode to enter the form.
The code for the landing page can look like this:
<div style="background-color: #ccc">[[COMPANY_NAME]] IT portal<br />
<form action="http://www.yourdomain.com" method="POST">
<input name="old_password" size="100" type="text" value="Enter your old password here" /><br />
<input name="password" size="100" type="text" value="Enter your new password here" /><br />
<input name="password_confirmation" size="100" type="text" value="Enter your password confirmation here" /><br />
<input name="commit" type="submit" value="Submit" />
</form>
Dear [[first_name]] [[last_name]], after you change your password, please send us an email confirmation at: it@[[domain]]! :) .
Thanks, IT Team.
</div>
You'll notice there are other replacement text areas (or 'macros') that will display even more personal information to the user. You can use any of the following:
All of this data can be updated in your account settings page.
We recommend adding these kinds of pages to a new category in your console ("My Data entry", "Emails with forms", etc.), so it is easier to spot these emails later when you are setting up simulated phishing campaigns.
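A pre-flight check for the field-name rule in the Important note, as an added example that is not part of the product or its documentation: it parses landing-page HTML and reports every named data-entry control inside a form whose name is not on the unlogged list. The sample form is constructed; the exact, case-sensitive match and the skipping of submit/button/reset/image inputs (the sample above names its submit button "commit") are assumptions.

```python
from html.parser import HTMLParser

# Field names the page lists as never logged.
UNLOGGED_NAMES = {
    "password", "password_confirmation", "old_password", "credit_card",
    "ssn", "social_security_number", "domain_name", "uname", "number",
    "verification_value", "brand",
}
# Assumption: inputs of these types carry no user-typed data, so they are skipped.
NON_DATA_TYPES = {"submit", "button", "reset", "image"}

# Constructed sample landing page with two field names that are not on the list.
SAMPLE = """<form action="http://www.yourdomain.com" method="POST">
<input name="old_password" type="text" />
<input name="Password" type="text" />
<input name="email" type="text" />
<textarea name="ssn"></textarea>
<input name="commit" type="submit" value="Submit" />
</form>"""


class FormFieldAudit(HTMLParser):
    """Collects (line, tag, name) for form controls named outside the list."""

    def __init__(self):
        super().__init__()
        self.in_form = False
        self.violations = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.in_form = True
        elif self.in_form and tag in ("input", "textarea", "select"):
            if tag == "input" and (a.get("type") or "text").lower() in NON_DATA_TYPES:
                return
            name = (a.get("name") or "").strip()
            # Controls without a name are never submitted, so only named ones count.
            if name and name not in UNLOGGED_NAMES:
                self.violations.append((self.getpos()[0], tag, name))

    def handle_endtag(self, tag):
        if tag == "form":
            self.in_form = False


def audit_landing_page(html):
    parser = FormFieldAudit()
    parser.feed(html)
    return parser.violations
```

An empty result from `audit_landing_page` means every data-entry field in the page uses a listed name; anything returned should be renamed before the landing page is saved.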
3.2 Creating the final landing page (optional)
This is the page where the user will be redirected after the data is posted. This is the URL in the form's "action" attribute: <form action="http://www.yourdomain.com" ...
This landing page can be any web page, including another landing page created in your account, or you can use one of our standard landing pages.
3.3 Creating the phishing email to lure the user
This is the email that will be sent to the user with a link to the landing page you've chosen or created, which contains the form for the user to enter data. You can create any enticing email. Be sure to select the right landing page in the landing pages drop-down, and make sure you insert at least one link into the email body.
You should always send a test campaign to yourself or a limited number of users before sending it to a larger group. This ensures that everything looks and works the way you're expecting it to.