How-to: test if your organisation is vulnerable to proven phishing attacks, with Skopos

“It’s Tuesday morning; your employees receive an urgent email asking them to act now or miss a salary payment.” Attacks like this happen every day, everywhere. The incidence of phishing attacks in data breaches increased from 25% to 36%, according to Verizon. Will your employees share confidential information in a phishing attack?

The Skopos phishing module can be used to quickly mock up sophisticated phishing messages and landing pages. The results are valuable input for a cyber awareness program. This article explains how to use Skopos to perform such a test.

Step 1: What to test?

Think of a message that is relevant to your employees or your industry, like a salary payment or an upcoming event. Phishing attacks range from generic to highly targeted. They usually play on a financial worry (taxes, insurance, salary) or on fear, such as a virus infection or leaked messages. Always be transparent with your employees about the fact that the organisation performs phishing tests. Ensure that employees understand that phishing tests are one of the tools used to protect both employees and the reputation of the organisation.

This article covers how to launch a custom attack. Skopos also offers templates for standard phishing attempts; those are covered on the support site.

Step 2: Selecting the campaign

In Skopos, under Phishing templates, click “Add a New template”. In the subject line, type a convincing subject, for example about issues with a salary payment:

Use the tag {lastname} to have Skopos fill in the employee’s last name; it is a dynamic field.

Next, write the body of the email message and enter it under “Email template”, for example:

Dear {firstname},

Our records have shown that some of your personal data is not complete for the use of the new salary portal. We would therefore like to ask you to complete the personal data in the new system. Unfortunately, if data is missing, we cannot make the payment before June.
Click here to update your details; this must be done by June 30th.

Payroll administration

Well done, that sounds like a good message.

Skopos also lets you create a landing page: the page the user reaches when they click the link. Real attackers typically host malware or forms there to harvest information. In this example we put a form on the landing page. It can be used to see whether users actually enter credentials, and even to collect them.

Let’s say you want a simple login form. Google for inspiration or make one here. This example form collects address details:

A simple trick is to copy the source code and paste it into the Landing page template as code. It should look something like this:

Now we need to put the link to the landing page in the phishing message, which is easy: use the tag {link_url} for this:
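To make clear what the {firstname}, {lastname} and {link_url} tags do before you launch, here is an added example (not Skopos code, and not the author's) that renders a subject and body for a constructed recipient list, gives each recipient their own landing link, and refuses to render if a tag has no value. The landing page URL format and the recipient ids are assumptions; Skopos's real link format is not shown on this page.

```python
import re
from urllib.parse import quote

# Tag syntax used by the templates in this article: {firstname}, {lastname}, {link_url}
TAG_RE = re.compile(r"\{([a-z_]+)\}")

# Constructed recipient list for the illustration (not real people).
RECIPIENTS = [
    {"id": "r001", "firstname": "Anna", "lastname": "Jansen"},
    {"id": "r002", "firstname": "Bram", "lastname": "de Vries"},
]

# Assumed landing-page base URL; the real Skopos link format is not on the page.
LANDING_BASE = "https://landing.example.test/update-details"


def landing_link(recipient: dict) -> str:
    """Per-recipient link so a click can be attributed to one person (assumed format)."""
    return f"{LANDING_BASE}?t={quote(recipient['id'])}"


def render(template: str, recipient: dict) -> str:
    """Fill every {tag}. A tag without a value raises instead of being left in place:
    a literal {lastname} in the mail gives the test away and spoils the metrics."""
    values = dict(recipient)
    values["link_url"] = landing_link(recipient)

    def substitute(match: re.Match) -> str:
        tag = match.group(1)
        if tag not in values:
            raise KeyError(f"template tag {{{tag}}} has no value for {recipient['id']}")
        return values[tag]

    return TAG_RE.sub(substitute, template)


def render_campaign(subject: str, body: str, recipients: list) -> list:
    """Render subject and body for each recipient; returns one message dict per person."""
    return [
        {"to": r["id"], "subject": render(subject, r), "body": render(body, r)}
        for r in recipients
    ]


if __name__ == "__main__":
    subject = "Action required: salary payment for {lastname}"
    body = ("Dear {firstname},\n\nPlease update your details before June 30th: "
            "{link_url}\n\nPayroll administration")
    for msg in render_campaign(subject, body, RECIPIENTS):
        print(msg["to"], "|", msg["subject"], "|", msg["body"].splitlines()[2])
```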

Step 3: Launch the campaign

Test the campaign, sit back, grab a coffee and watch the results come in. There it is:

Please share with us your most successful ones.

Interested in a demonstration of the Skopos platform? Read more here or contact us for more information via