Create a client or choose the built-in client (a client can be your own organization or the company who asked you to perform a phishing test). This is important because you can also create view only accounts which are associated with those clients.
New clients can be created under “clients”. In LUCY v. 2.5 and higher this is created under settings/clients.
You have different setup options like the Expert Setup, the Setup Wizard or a Start with predefined campaign Template (called sample campaign in LUCY < 3.0). We recommend using the Setup Wizard when used for the first time. Another optional is to set a Benchmark for a campaign.
Sometimes a remote Firewall, Spam filter or Virus Filter might automatically scan all the URL's within a link. As a result, you end up with false positives and LUCY will show all link clicked (success). To avoid such automatic link requests by some 3rd party application you can enable the antivirus/firewall protection and LUCY will ignore all GET requests for the first 30 or 60 seconds:
To make sure that the campaign runs as expected you may also enable the email tracking functionality.
Now you need to select one or multiple phishing scenarios. Please check out what different scenario types are available. Make sure you have downloaded all the latest scenarios first. If you allocate multiple scenarios in a campaign, you can still activate or deactivate them at a later point.
Please note: If you edit a scenario template within a campaign, the changes in the template will only apply to the campaign. If you change a scenario template in the generic settings, then the changes in the template are permanent.
You are able to preview every template before selecting it. In the Preview Mode you can test the site using all the features (just enter some random login to get to the next page).
Note: You can allocate multiple scenarios within one campaign and they can all be started simultaneously! Example: A company might want to split the employees into 2 or 3 groups. One group could get a phishing mail with a landing page that contains many obvious errors and should be easily detectable while the other scenario is almost perfect. This way the client can identify the variables that drive the awareness in one single campaign.
STEP 5: For this tutorial, as an example, we select the “Encrypted Email Scenario”, where the user will be asked to login with their Windows username and password to access an encrypted email message.
Once you have selected the scenario, you need to configure the Base Settings of the campaign. First, give your campaign a name and then choose how your recipients will be able to access LUCY by defining the Domain. Finding the appropriate domain name is a very important step for the success and it depends very much on your campaign scenario. If you plan to create a fake web mail login you might try to reserve a domain like “webmail-server365.com” and point it to LUCY.
There a few Optional Settings that you can apply within the Base Settings. Lucy comes with certain Default Settings. You can change these settings as you like. The settings are:
After saving the Base Settings, you can now Edit the Landing Page, Upload Your Own Webpage or simply copy any website on the internet. The Landing Page is the webpage that the users will see when they click on the link in the email they receive. First, select the drop-down menu at the top the page where you want to edit. Please note that the same landing page may be available in different languages. So make sure you edit the correct language.
Note: If you edit a Landing Page which is based on a pre-defined scenario template in a campaign, it won't affect the default scenario templates. Only if you go into Settings/Scenario templates and start editing the templates outside the campaign will all changes be stored permanently to this specific scenario.
Let’s assume that you want to replace the logo on the Landing Page: Just double click on the existing logo (1). Select your own image (2), upload it (3) and save the changes by clicking “OK”.
It’s time to setup email communication (if you want you can also use SMS as an alternative).
Please make sure the link variable is set in the HTML code, if you hide it behind another Link. If you type a hyperlink instead of a word, the editor will automatically detect that, and create the link in the code. But this link will be wrong: If you type http://www.example.com in the editor, LUCY will automatically create a hyperlink to http://www.example.com in the HTML code (1) and underline the URL. But if you want http://www.example.com pointing to your LUCY URL, please remove the link pointing to http://www.example.com in the source code directly, or remove it by clicking on the “unlink” symbol (2), and then select the text “http://www.example.com” and click on the link symbol again and insert %link% in the HTML code (3).
For all other settings please read the Mail Settings Chapter.
You can define the mail delivery method globally within the settings menu. If you do so, it will overwrite all individual settings in a campaign. The second possibility is to configure the delivery methods within a campaign:
In LUCY the default delivery method for mails is using the build-in Postfix mail server. As many SPAM filters will block mails coming from a new IP-address that has no reputation, the administrator can decide to configure an external mail relay.
You need to create the Recipients List in the Menu item “Recipients”.
This is the list of users that will get the phishing emails. You can add them manually, import a file with all your recipients or even search them on the internet. Once you have created that group, you can select it in your campaign and map them to a specific scenario. You can also define if they should be used only for the Landing Page link, the Awareness site link (e-learning) or both.
Please read the Recipients Settings Chapter for more configuration options.
If you want, you can create a schedule to run the campaign using a delay or customized time delays between campaign phases. If you are new to the system, we'd recommend that you go with the Default Timing Settings and skip this step. Please read the Schedule Settings Chapter for more configuration options.
You have the ability to provide the user with some awareness training in case he fails the phishing simulation. A failure to pass the phishing simulation is considered as a successful attack in LUCY. Therefore, it is very important that you define what you consider as an successful attack (because only those who have been successfully tested, will receive an awareness training). The awareness training can be done in two ways:
Now you are ready to start. Although we recommend performing a test run with a single recipient before you start attacking all users, additionally it is a good idea to use the LUCY SPAM Checker. Just click “Real Attack” and LUCY will test your settings before starting the campaign. If you want to skip the checks, press “Skip Checks”. Your first recipients should receive the emails within seconds. Please read the Start Campaign Settings Page for more configuration options. If you experience any problems with starting/running your campaign, please Consult the Troubleshoot Section first.
The progress of the campaign can always be monitored in Real-Time. Click “Statistics” within your campaign. Please read the Statistics Chapter for more configuration options.
Once you have finished the campaign, you may either export the raw data (CSV export) or create different types of reports (PDF, HTML or raw export). Please read the Creating Reports Chapter for more configuration options.
If you experience problems with your campaign please use this WIKI with the free text search option or contact us under support (at) lucysecurity.com