# How to create a custom phishing template?


#### Before you start

* You need the phishing admin permission (`canManageCyberTools`)
* The phishing module must be set up (see [Phishing module setup](https://docs.stoik.io/prevention-tools/what-is-the-phishing-module/phishing-module-setup))

#### Step 1. Access the template editor

1. Go to Phishing > Templates > Custom
2. Click Create a template

If you have no custom templates yet, you will see an empty state inviting you to create your first one.

#### Step 2. Name your template

Give your template an internal name (e.g. "Fake invoice Q2" or "IT password reset"). This name is only visible to you; employees will never see it.

#### Step 3. Select the template language

When creating a template, you must select the language it is written in. This template will only be sent to employees whose configured language matches the one you selected.

{% hint style="info" %}
**One template = one language**

If your employees speak multiple languages and you want them all to receive the same phishing scenario, you need to create a separate template for each language. For example, if your team includes French and English speakers, create one template in French and one in English, then add both to the same campaign.
{% endhint %}

#### Step 4. Configure the sender

Choose who the email appears to come from:

* From list: Select a pre-defined sender from Stoik's list
* Custom: Enter a custom sender name and email address

{% hint style="info" %}
**Tips for a realistic custom sender**

Real phishing emails often impersonate trusted brands or internal contacts. To make your simulation effective:

* Use a sender name that employees would trust, such as "IT Support", "Microsoft 365 Team", "HR Department", or the name of a real service your company uses
* Use an email address that looks plausible at first glance but contains subtle differences: for example `support@micros0ft-security.com` (zero instead of "o") or `noreply@1t-services.net` (digit instead of letter)
* Avoid obviously fake addresses: the goal is to train employees to spot small anomalies, not to trick them with completely random senders
{% endhint %}
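
The digit-for-letter anomalies in the sample addresses above can also be checked mechanically on the receiving side, for example when triaging reported emails. The following Python is an added example, not part of Stoik's product or documentation; the substitution map, the trusted-name list and the function names are assumptions chosen for illustration.

```python
import re

# Digit-for-letter swaps of the kind shown in the tips above.
# Constructed for this example and deliberately small, not exhaustive.
LOOKALIKE = str.maketrans({"0": "o", "1": "i", "3": "e", "5": "s"})

# Names the organisation considers trusted (constructed sample list).
TRUSTED_NAMES = {"microsoft", "google", "adobe", "it"}


def sender_domain(address: str) -> str:
    """Return the lower-cased domain of a bare email address (user@domain)."""
    return address.rsplit("@", 1)[-1].strip().lower()


def lookalike_labels(address: str, trusted=TRUSTED_NAMES) -> list[tuple[str, str]]:
    """Return (label_as_written, trusted_name_it_imitates) pairs.

    The domain is split on dots and hyphens. A label is flagged only if it
    differs from its normalised form, so the genuine name never matches.
    """
    hits = []
    for label in re.split(r"[.\-]", sender_domain(address)):
        normalised = label.translate(LOOKALIKE)
        if normalised != label and normalised in trusted:
            hits.append((label, normalised))
    return hits


if __name__ == "__main__":
    # Constructed sample senders: the two from the tips plus two benign ones.
    samples = [
        "support@micros0ft-security.com",
        "noreply@1t-services.net",
        "noreply@microsoft.com",
        "billing@365-tools.example",
    ]
    for sender in samples:
        print(sender, "->", lookalike_labels(sender) or "no lookalike label")
```
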

#### Step 5. Write the subject line

Enter the email subject. This is what employees will see in their inbox.

#### Step 6. Compose the email body

Use the visual editor to write the email content. The editor supports:

| Feature         | How to use                                                                                                                                                                                           |
| --------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Text formatting | Bold, italic, underline, text colour, alignment                                                                                                                                                      |
| Headings        | H1, H2, H3                                                                                                                                                                                           |
| Lists           | Bulleted and numbered lists                                                                                                                                                                          |
| Images          | Upload images (PNG, JPG). They can be resized and aligned                                                                                                                                            |
| Phishing link   | Use the link button in the toolbar to insert the phishing link. You must select a redirection page (e.g. Adobe, Microsoft, Google) -- this is the fake landing page employees will see if they click |
| Variables       | Type `$` in the editor to insert a dynamic variable                                                                                                                                                  |

{% hint style="danger" %}
**Important:** Every custom template must contain at least one phishing link. The editor will show an error if it is missing.
{% endhint %}

**Available variables**

| Variable           | Description              |
| ------------------ | ------------------------ |
| First name         | Employee's first name    |
| Last name          | Employee's last name     |
| Full name          | Employee's full name     |
| Email              | Employee's email address |
| Coworker name      | A colleague's name       |
| Day / Month / Year | Current date components  |

Variables are automatically replaced with real data when the email is sent.

#### Step 7. Send a preview

Click Send me a preview to receive a test email at your own address. This lets you verify the rendering before using the template in a campaign.

#### Step 8. Save

Click Save to add the template to your custom library. It will immediately be available for selection when creating campaigns.

