Help Center

Everything you need to run your first phishing simulation in minutes

🚀 Quick Start: Be Live in 3 Minutes
No IT department needed. If you can send a spreadsheet, you can run PhishGuard.
  1. Create an account at /auth using your work email and a secure password (8+ characters).
  2. Set up your company. In the dashboard (Workflow tab), click Create Company, enter your company name and timezone.
  3. Sign the consent declaration. Enter your name and email to confirm you are authorized to run phishing simulations on your employees. Required by law.
  4. Upload employees. Download the CSV template, fill in email, name, and department columns, and upload it.
  5. Launch a campaign. Pick a template, schedule the send time, and click Create Campaign. The scheduler takes care of the rest.
  6. Review results. Check the Reports tab for Risk Score, department breakdown, and PDF export after the campaign runs.

👤 Account Registration

Go to /auth and click Create Account. Enter your work email (this will be your admin login), choose a password of at least 8 characters, and submit.

You'll receive a verification email; click the link to activate your account. If you don't see it, check your spam folder. The link expires in 24 hours.

Forgot your password?

On the sign-in page, click Forgot password? Enter your email and we'll send a one-time reset link valid for 1 hour.

✍️ Consent Declaration
⚠️ This step is legally required. You cannot launch a campaign without a signed consent declaration.

The consent declaration confirms that you own or have written authorization to test the email domain(s) used by your employees. It is stored permanently against your account as a legal record.

In the Workflow tab, find the Consent Declaration section. Enter the signer's full name and email address, then click Sign & Submit.

Only one active consent record is required per company. If your authorization changes (e.g., new domain), submit a new declaration.

📋 Uploading Employees

CSV Format

Your CSV file must have a header row with at least an email column. Optional columns: full_name, department.

Example:

email,full_name,department
[email protected],Alice Wong,Finance
[email protected],Bob Chan,Operations

Upload

In the Workflow tab, click Upload CSV and select your file. Duplicate emails are skipped automatically. Invalid rows are reported with error details.

Department names

Department names appear in the risk score report breakdown. Be consistent with capitalization (e.g., always "Finance" not "finance" / "FINANCE").
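
A local pre-upload check for the rules above, as an added example that is not PhishGuard's own code: it requires the email column, skips duplicate emails, reports invalid rows by line number, and flags departments spelled with more than one capitalization. The function name, the email pattern and the case-insensitive duplicate match are assumptions; the sample rows are constructed.

```python
import csv
import io
import re
from collections import defaultdict

# Deliberately loose syntax check (assumption: the service's own rules are not documented).
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def precheck_employee_csv(text):
    """Return (rows, duplicates, errors, dept_variants) for a CSV about to be uploaded."""
    reader = csv.DictReader(io.StringIO(text))
    headers = [h.strip().lower() for h in (reader.fieldnames or [])]
    if "email" not in headers:
        raise ValueError("header row must contain an 'email' column")
    reader.fieldnames = headers
    seen, rows, duplicates, errors = set(), [], [], []
    spellings = defaultdict(set)
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        email = (row.get("email") or "").strip()
        if not EMAIL_RE.match(email):
            errors.append((line_no, f"invalid email: {email!r}"))
            continue
        key = email.lower()  # assumption: duplicates are matched case-insensitively
        if key in seen:
            duplicates.append((line_no, email))
            continue
        seen.add(key)
        dept = (row.get("department") or "").strip()
        if dept:
            spellings[dept.lower()].add(dept)
        rows.append({"email": email,
                     "full_name": (row.get("full_name") or "").strip(),
                     "department": dept})
    # Departments that would show up as separate lines in the report breakdown.
    dept_variants = {k: sorted(v) for k, v in spellings.items() if len(v) > 1}
    return rows, duplicates, errors, dept_variants

# Constructed sample input (example.com addresses, not real employees).
SAMPLE = """email,full_name,department
alice@example.com,Alice Wong,Finance
bob@example.com,Bob Chan,Operations
ALICE@example.com,Alice W,finance
not-an-email,Carol Li,Finance
dave@example.com,Dave Roy,FINANCE
"""

if __name__ == "__main__":
    rows, dups, errs, variants = precheck_employee_csv(SAMPLE)
    print(len(rows), "rows ready;", dups, errs, variants)
```
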

🎯 Creating & Launching Campaigns

Campaign Name

Choose a descriptive internal name, e.g., Q2 Finance Phish. This is only visible to you, not to employees.

Template

Select a localized phishing template. All templates simulate realistic scenarios common in Canada (CRA tax refund, courier delay, bank alert, etc.).

Schedule

Pick a date and time to send. We recommend weekday mornings (9–11am) for highest open rates. The APScheduler sends emails at the scheduled time.

Idempotency Key

Each campaign requires a unique key to prevent accidental duplicate sends. The UI generates one automatically; only change it if you deliberately want to retry with a fresh key.

Tip: Use Seed Demo Data in the Workflow tab to generate test campaigns and employees so you can explore reports before running a real campaign.

📊 Risk Score Reports

The Reports tab shows your company's overall phishing click risk score, department-by-department breakdown, and deliverability metrics.

Risk Score formula

Score = (employees who clicked ÷ total employees) × 100. Higher = more at risk. Colour-coded: green (<20%), amber (20–50%), red (>50%).

Department breakdown

Shows which departments click most often. Use this to target awareness training to the highest-risk teams.

PDF Export

Click Download PDF Report in the Reports tab to generate a management-ready summary you can share with leadership or your IT security team. The report includes risk score, department table, and recommendations.

Shared report links

Click Generate Share Link to create a temporary (7-day) read-only link you can send to a stakeholder without giving them dashboard access.

☁️ Email Setup: AWS SES

Set EMAIL_PROVIDER=ses in your .env file and configure:

  • AWS_REGION: e.g. us-east-1
  • SES_FROM_EMAIL: a verified SES sender address
  • AWS credentials via AWS_ACCESS_KEY_ID + AWS_SECRET_ACCESS_KEY, or an IAM role if running on EC2/ECS

Verify your domain in SES

  1. Go to AWS SES Console → Verified Identities → Create Identity
  2. Choose Domain, enter your domain name
  3. Add the DKIM CNAME records to your DNS (provided by AWS)
  4. Wait for verification status to become Verified (usually <5 min)

Move out of sandbox

New SES accounts are in sandbox mode, so you can only send to verified addresses. Submit a production access request in the SES console to send to any address.

📨 Email Setup: SendGrid

Set EMAIL_PROVIDER=sendgrid and configure:

  • SENDGRID_API_KEY: create a key at sendgrid.com → Settings → API Keys
  • SENDGRID_FROM_EMAIL: your verified sender
  • SENDGRID_WEBHOOK_PUBLIC_KEY: for webhook signature verification (optional but recommended)

Domain authentication

In SendGrid → Settings → Sender Authentication, add your domain and follow the CNAME record instructions. This sets up SPF + DKIM automatically.

🔓 Whitelisting PhishGuard Emails

Because PhishGuard sends realistic phishing simulations, corporate spam filters may block them. You need to whitelist the sending IP / domain before running a campaign.

In the dashboard → Workflow → Email Whitelist Guide, select your mail platform (Microsoft 365, Google Workspace, Proofpoint, etc.) for step-by-step instructions.

⚠️ Whitelist instructions must be applied by your IT administrator or the person managing your email platform. Do not share the whitelist details with employees being tested.

💳 Plans & Billing

See the Pricing page for a full comparison. Plans are billed via Stripe.

Upgrade

Go to Dashboard → Settings → Billing and click Upgrade Plan. You'll be redirected to Stripe's secure checkout.

Manage subscription / Cancel

Click Manage Billing in Settings to open the Stripe customer portal where you can update payment method, download invoices, or cancel.

Receipts

Stripe automatically emails invoices to your account email after each billing cycle.