Tartan App Frequently Asked Questions

Will all recipients I upload to Tartan App receive phishing simulation emails?

All recipients you upload will be added to the campaign. If you do NOT want a recipient to receive phishing simulation emails they must be removed from the recipients list.

How do I start a campaign?

Simply click the "Launch Campaign" button in your admin dashboard. Once you do this, our system automatically begins creating personalized emails for each person on your recipient list.

How are the emails created?

Our AI engine analyzes your recipient list and creates unique, personalized emails for each person. Here's what happens:

1. Categorization: The system groups your recipients by department (Teachers, Students, Security/Safety, Vice Principal/Dean, Facilities/Maintenance, etc.)
2. Service Selection: For each department, the system randomly selects an appropriate service from your school's settings (like IT support, HR, facilities, etc.)
3. Scenario Assignment: Each email gets a realistic scenario that matches the selected service
4. Personalization: The system uses your school's information (name, website, address, phone) and the recipient's details to create a custom email
5. Template Application: A professional email template is applied to make the message look authentic

How are the emails sent?

Emails can either be sent using DMI or domain whitelisting.

We recommend DMI because it is the most reliable way of delivering emails into your recipients inboxes.

When are the emails sent?

Emails are sent in batches over time, not all at once. The timing depends on your account settings:

• Emails are spread randomly over the first 10 days of any time interval
• Then sent at intervals you choose: every 15, 30, 60, or 90 days
• This creates a realistic, ongoing simulation

What interval should I use?

Most schools find success with ongoing campaigns rather than one-time tests. Regular phishing simulations (every 30-90 days) help maintain awareness and catch new staff or students who may need training. 60 or 90 days are the most common selections.

How does email difficulty work?

Starting Point: Everyone begins receiving "High" difficulty emails (the most sophisticated phishing attempts).

Difficulty Reduction: When someone clicks a malicious link, their next email becomes easier, to a minimum of "Easy".

High → Medium → Easy

Difficulty Increase: When someone successfully doesn't click a link, their next email becomes harder, to a maximum of "High".

Easy → Medium → High

Why This System: People who fall for sophisticated phishing attempts get easier-to-spot emails in future tests, helping them build awareness gradually.

What happens if someone clicks late?

Timing Matters: Let's say your campaign sends emails every 30 days:

1. Batch 1 emails are generated and sent
2. 30 days later, Batch 2 emails are generated and sent
3. If someone clicks a Batch 1 email after Batch 2 is already generated, it won't affect their Batch 2 difficulty (since it\'s already been created)
4. However, late clicks are still counted in your reports

Key Point: Clicks only affect future emails that haven't been generated yet.

What happens if a recipient marks an email as spam?

If you are using DMI and a recipient marks an email as spam it will not impact deliverability of future emails.

How is the phishing risk score calculated?

Your risk score shows how vulnerable your organization is to phishing attacks. Here's the formula:

Risk Score = (Total Clicks) ÷ (Total Emails Sent) × 100

The system weights different email difficulties:

• Easy emails: Clicks count more heavily (×2 weight)
• Medium emails: Standard weighting (×1.5 weight)
• High emails: Lower weighting (×1 weight)

Example: If 100 people receive easy emails and 20 people click the links, your risk score is 20%.

How can I track progress?

The system provides detailed reports showing:

• Who clicked on malicious links
• Overall risk scores and trends