> For the complete documentation index, see [llms.txt](https://docs.stoik.io/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.stoik.io/prevention-tools/what-is-the-phishing-module/how-to-create-a-custom-phishing-template.md).
# How to create a custom phishing template?
{% hint style="warning" %}
Prerequisites:
* You need the phishing admin permission (`canManageCyberTools`)
* The phishing module must be set up (see [Phishing module setup](/prevention-tools/what-is-the-phishing-module/phishing-module-setup.md))
{% endhint %}
{% stepper %}
{% step %}
## Step 1. Access the template editor
1. Go to `Simulations` > `Templates` > `Custom templates`.
2. Click `Create a template`.
If you have no custom templates yet, you will see an empty state inviting you to create your first one.
{% endstep %}
{% step %}
## Step 2. Name your template
Give your template an internal name (e.g. "Fake invoice Q2" or "IT password reset"). This name is only visible to you, employees will never see it.
{% endstep %}
{% step %}
## Step 3. Select the template language
When creating a template, you must select the language it is written in. This template will only be sent to employees whose configured language matches the one you selected.
{% hint style="info" %}
**One template = one language**
If your employees speak multiple languages and you want them all to receive the same phishing scenario, you need to create a separate template for each language. For example, if your team includes French and English speakers, create one template in French and one in English, then add both to the same campaign.
{% endhint %}
{% endstep %}
{% step %}
## Step 4. Configure the sender
Choose who the email appears to come from:
* **From list:** Select a pre-defined sender from Stoïk's list
* **Custom:** Enter a custom sender name and email address
{% hint style="info" %}
**Tips for a realistic custom sender**
Real phishing emails often impersonate trusted brands or internal contacts. To make your simulation effective:
* Use a sender name that employees would trust, such as "IT Support", "Microsoft 365 Team", "HR Department", or the name of a real service your company uses
* Use an email address that looks plausible at first glance but contains subtle differences: for example `support@micros0ft-security.com` (zero instead of "o") or `noreply@1t-services.net` (digit instead of letter)
* Avoid obviously fake addresses: the goal is to train employees to spot small anomalies, not to trick them with completely random senders
{% endhint %}
{% endstep %}
{% step %}
## Step 5. Write the subject line
Enter the email subject. This is what employees will see in their inbox.
{% endstep %}
{% step %}
## Step 6. Compose the email body
Use the visual editor to write the email content. The editor supports:
| Feature | How to use |
| --------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Text formatting | Bold, italic, underline, text colour, alignment |
| Headings | H1, H2, H3 |
| Lists | Bulleted and numbered lists |
| Images | Upload images (PNG, JPG). They can be resized and aligned |
| Phishing link | Use the link button in the toolbar to insert the phishing link. You must select a redirection page (e.g. Adobe, Microsoft, Google): this is the fake landing page employees will see if they click |
| Variables | Type `$` in the editor to insert a dynamic variable |
{% hint style="danger" %}
**Important:** Every custom template must contain at least one phishing link. The editor will show an error if it is missing.
{% endhint %}
**Available variables**
| Variable | Description |
| ------------------ | ------------------------ |
| First name | Employee's first name |
| Last name | Employee's last name |
| Full name | Employee's full name |
| Email | Employee's email address |
| Coworker name | A colleague's name |
| Day / Month / Year | Current date components |
Variables are automatically replaced with real data when the email is sent.
{% endstep %}
{% step %}
## Step 7. Add attachments (optional)
Attackers often hide their payload in an attachment (fake invoice, HR letter, shared document). You can reproduce this in your custom template:
1. In the `Attachments` section below the email body, drag and drop your files, or click **Select files** to browse.
2. Each attached file is listed with its name and size. Click the bin icon to remove one.
3. Attachments are saved with the template and sent as part of every simulation that uses it.
{% hint style="info" %}
Limits: up to 5 files per template, 10 MB each. Files that are rejected (too large, unsupported type) are flagged inline with a clear error.
{% endhint %}
Your attachments appear in the template preview and in campaign results, so you can verify the rendering exactly like an employee would see it.
{% endstep %}
{% step %}
## Step 8. Send a preview
Click `Send me a preview` to receive a test email at your own address. This lets you verify the rendering before using the template in a campaign.
{% endstep %}
{% step %}
## Step 9. Save
Click `Save` to add the template to your custom library. It will immediately be available for selection when creating campaigns.
{% endstep %}
{% endstepper %}
## Manage your custom templates
### Editing a custom template
You can edit a custom template to fix mistakes or update the content.
1. Go to `Simulations` > `Templates` > `Custom templates`.
2. Click on the template you want to edit.
3. Make your changes and click `Save`.
{% hint style="warning" %}
A template can only be edited if it has not been used in any campaign (active or past). Once a template has been sent to employees, it becomes read-only to preserve the integrity of campaign results. If you need a modified version of a template that has already been used, create a new template instead.
{% endhint %}
### Archiving a custom template
You can archive a template at any time, even if it has been used in campaigns.
1. Go to `Simulations` > `Templates` > `Custom templates`.
2. Open the template menu and click `Archive`.
3. Confirm the archiving.
When you archive a template:
* It is removed from the template library and from the campaign creation page.
* It is automatically removed from any active campaign that was using it.
* Past campaign results and employee email history that reference this template remain intact: you can still view the email content in historical reports.
Archiving is permanent from the user's perspective. If you need the same content again, you will need to create a new template.
### Browsing and searching templates
Use the search bar at the top of the `Custom templates` tab to find templates by name. Templates are displayed as cards showing the template name and a preview.
---
# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.
## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://docs.stoik.io/prevention-tools/what-is-the-phishing-module/how-to-create-a-custom-phishing-template.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.