Phishing campaigns

Send realistic-but-fake phishing emails to your staff so they learn to spot real ones. TSNC ships templates that look exactly like the most common phishing patterns of 2026 โ€” Microsoft 365 password resets, fake invoices, tax notices.

๐Ÿ”’ thoushaltnotclick.com/campaignsTSNCDashboardStaffCampaignsCalendarTemplatesCampaignsSend simulated phishing to test your team+ Create CampaignMicrosoft 365 Password ResetSentCaught: 38/4781% catch rateVendor Invoice SpoofSentCaught: 41/4787% catch rateBank Account VerificationScheduledTax Refund NotificationDraft
The Campaigns page โ€” See what's been sent, what's scheduled, and how staff did

Why bother with phishing simulations?

Real phishing emails get more sophisticated every year. Lectures don't teach people what the current threats actually look like โ€” getting fooled by a safe simulated email does. It's the muscle memory equivalent of a fire drill: nobody's burning, but everyone practices the response.

๐Ÿ’ก
The point isn't to embarrass anyone
Some staff will click. That's not bad โ€” that's the entire reason you're running this. TSNC's landing page after a click is gentle: it tells them what they missed, gives a short lesson, and recognizes them for being honest. We don't name names. We don't shame.

Anatomy of a campaign

Every campaign has four parts:

  • Template โ€” the email content. We have 50+ pre-built templates; you can also build your own.
  • Sending domain โ€” the "from" address. TSNC owns 30+ domains that look like Microsoft, Google, banks, vendors, etc. Your school's real email isn't spoofed.
  • Recipients โ€” who gets it. Whole staff, a department, just one person, etc.
  • Schedule โ€” send now, send later, or send on a recurring cadence (auto-campaigns).

Sending your first campaign

  1. 1
    Send to yourself first
    Always pilot a new template on yourself and your IT admin before sending to the whole staff. You see what they'll see, you click through the landing page, and you can spot any context that looks weird for your specific school.
  2. 2
    Pick a template
    Browse Templates โ†’ Library. We sort them by realism and difficulty. Start easy (obvious typos and bad grammar) and work up to subtle (perfect-looking Microsoft 365 password reset).
  3. 3
    Choose a sending domain
    The default works fine โ€” TSNC picks based on the template. If you want to test a specific scenario (e.g., make sure your team spots an email that looks like it's from your bank), you can pick the matching domain manually.
  4. 4
    Review and send
    Hit Send. The campaign appears in the Campaigns list as "Sent." Results stream in over the next 24-48 hours as people open, click, or report.

Auto-campaigns (set and forget)

Most schools don't want to remember to send a campaign every month. Auto-campaigns send a fresh template at a cadence you set (default: 2/month). You configure them once, and they run year-round.

โš ๏ธ
Pause auto-campaigns during summer break
TSNC will happily send simulations to staff during summer when nobody's checking email. Pause auto-campaigns from the dashboard before summer break and resume in August. We've added a calendar view (Campaigns โ†’ Calendar) that shows you what's upcoming so you can avoid scheduling conflicts (parent-teacher conferences, finals week, etc.).

Reading the results

After a campaign sends, every staff member ends up in one of four buckets:

  • Caught โ€” they reported the email as suspicious. This is the goal.
  • Clicked โ€” they clicked a link in the email. They saw the landing page, learned what they missed.
  • Submitted โ€” they entered credentials on the fake landing page. (TSNC never stores what they typed; we just record that they did.)
  • Ignored โ€” they didn't open or interact with the email at all.

"Caught" is the only one that earns trust-score points. Clicks are not punished โ€” they're a learning event. Repeat clicks across multiple campaigns are when we suggest you check in with that person directly.

FAQ

Will my real email get marked as spam after I run campaigns?+
No. The fake emails come from TSNC-owned sending domains, which are warmed-up and SPF/DKIM/DMARC compliant. Your school's actual domain isn't involved.
Can I exempt specific staff?+
Yes. Each campaign has a recipient picker. Skip whoever you want. We don't recommend chronic exemptions โ€” the people who feel they shouldn't need this are often the highest-value targets for real attackers.
What does my staff see after they click?+
A short page that tells them "this was a TSNC simulation," identifies the specific red flags they missed, and offers a 2-minute training. No personal data is captured. No public shaming. The campaign report shows you who clicked but you decide whether to follow up.
How realistic should campaigns be?+
Match the threats your staff actually face. Most schools get hit hardest by Microsoft 365 password reset spoofs, vendor invoice spoofs, and gift-card scams aimed at the principal. Run those templates often. Save the highly sophisticated ones for staff who've already mastered the basics.
What's the Calendar view?+
A month/week view of upcoming auto-campaigns, holidays, and a no-fly list (e.g., "don't send during finals week"). It's how you keep simulation cadence sane without micromanaging.
โ† Previous
Managing staff
Next โ†’
Password manager