Creating Effective Phishing Email Templates
Last updated April 8, 2026
Email templates are the core of your phishing simulation. This guide covers how to create, customize, and test templates in GoPhish Cloud.
Creating a New Template
- Go to Email Templates in the sidebar.
- Click New Template.
- Fill in:
  - Name — a descriptive label (e.g., “Password Reset - IT Department”).
  - Subject — the email subject line.
  - Content — the email body (HTML or plain text).
- Use the Import Email button to import a real email as a starting point.
- Click Save Template.
Using Template Variables
GoPhish supports variables that personalize each email for the recipient:
| Variable | Description | Example Output |
|---|---|---|
| {{.FirstName}} | Recipient’s first name | John |
| {{.LastName}} | Recipient’s last name | Smith |
| {{.Email}} | Recipient’s email address | john.smith@example.com |
| {{.Position}} | Recipient’s job title | IT Manager |
| {{.From}} | Sender address from the sending profile | helpdesk@example.com |
| {{.URL}} | The unique phishing URL for tracking | https://… |
| {{.TrackingURL}} | Invisible tracking pixel URL | https://… |
Important: Always include {{.URL}} as the link you want users to click, and {{.TrackingURL}} in an <img> tag to track email opens:
<img src="{{.TrackingURL}}" style="display:none" alt="" />
Importing Real Emails
The easiest way to create realistic templates is to import actual emails:
- Open a real email in your email client (e.g., a password reset notification).
- View the email source / raw HTML.
- Copy the HTML content.
- In GoPhish, click Import Email and paste the raw content.
- Replace links with {{.URL}} and add the tracking pixel.
- Remove any real tracking pixels or external references that could trigger alerts.
Template Best Practices for Security Awareness
- Match your organization’s real communication style — use the same branding, tone, and formatting your employees expect.
- Vary difficulty levels — start with obvious phishing indicators, then gradually increase sophistication over time.
- Include realistic pretexts — password resets, shared documents, IT maintenance notices, and delivery notifications are common.
- Add phishing indicators — for training purposes, include subtle red flags that observant employees can spot (slight misspellings in URLs, generic greetings, urgency language).
- Test before launching — always send a test email to yourself first to verify formatting, links, and tracking.
Common Template Scenarios
| Scenario | Subject Line Example | Pretext |
|---|---|---|
| Password reset | “Action Required: Password Expires in 24 Hours” | IT policy requires password rotation |
| Shared document | “Document Shared With You: Q4 Budget Review” | Colleague sharing a file |
| IT maintenance | “Scheduled System Maintenance — Action Required” | Users need to verify their account |
| Delivery notification | “Your Package Could Not Be Delivered” | Shipping notification with tracking link |
Troubleshooting
Template variables not rendering
Ensure you are using the exact variable syntax: {{.FirstName}}, not {{FirstName}} or {FirstName}. Variables are case-sensitive.
HTML rendering issues
Use the Preview button to check how the email looks. Avoid complex CSS — many email clients strip styles. Inline CSS works most reliably.
Images not loading
Host images on a publicly accessible URL. GoPhish does not serve embedded images. Avoid base64-encoded images as they trigger spam filters.
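A pre-flight check for the variable rules described above, as an added example that is not part of GoPhish or of this guide: it flags misspelled or malformed variables, a missing {{.URL}}, and a {{.TrackingURL}} that is not inside an <img> tag. The function name, messages, and sample template are constructed for illustration.

```python
import re

# Variables from the table on this page; anything else is flagged.
KNOWN = ("FirstName", "LastName", "Email", "Position", "From", "URL", "TrackingURL")
BY_LOWER = {name.lower(): name for name in KNOWN}

DOTTED = re.compile(r"\{\{\s*\.(\w+)\s*\}\}")                    # {{.Name}}
NO_DOT = re.compile(r"\{\{\s*(\w+)\s*\}\}")                      # {{Name}}
SINGLE = re.compile(r"(?<!\{)\{\s*\.?(\w+)\s*\}(?!\})")          # {Name} or {.Name}
PIXEL = re.compile(r"<img\b[^>]*\bsrc\s*=\s*[\"']\{\{\s*\.TrackingURL\s*\}\}[\"']", re.I)


def lint_template(html):
    """Return a list of problems found in a template body (empty list = clean)."""
    problems = []
    dotted = DOTTED.findall(html)
    for name in dotted:
        if name not in KNOWN:
            fix = BY_LOWER.get(name.lower())
            hint = f", expected {{{{.{fix}}}}} (case-sensitive)" if fix else ""
            problems.append(f"unknown variable {{{{.{name}}}}}{hint}")
    for pattern, shape in ((NO_DOT, "{{%s}}"), (SINGLE, "{%s}")):
        for name in pattern.findall(html):
            fix = BY_LOWER.get(name.lower())
            if fix:  # ignore unrelated braces such as CSS or template keywords
                problems.append(f"malformed {shape % name}, expected {{{{.{fix}}}}}")
    if "URL" not in dotted:
        problems.append("missing {{.URL}} link")
    if not PIXEL.search(html):
        problems.append("missing <img> tag with src {{.TrackingURL}}")
    return problems


# Constructed sample template with deliberate mistakes.
SAMPLE = """<p>Hello {{FirstName}} {{.lastname}},</p>
<p>Your {Position} account needs review: <a href="{{.URL}}">open</a></p>
<p>{{.TrackingURL}}</p>"""

if __name__ == "__main__":
    for problem in lint_template(SAMPLE):
        print(problem)
```

Run it against the template body before sending the test email to yourself; an empty result means the variable syntax and the two required variables are in place.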
Still need help? Open a ticket at support.hailbytes.com.