Tartan App Frequently Asked Questions

Overview

Our phishing simulation platform helps schools test and improve their cybersecurity awareness by sending realistic (but safe) phishing emails to staff and students. Here's how the entire process works from start to finish.

Frequently Asked Questions

Will all recipients I upload to Tartan App receive phishing simulation emails?

All recipients you upload will be added to the campaign. If you do NOT want a recipient to receive phishing simulation emails, they must be removed from the recipients list.

How do I start a campaign?

Simply click the "Launch Campaign" button in your admin dashboard. Once you do this, our system automatically begins creating personalized emails for each person on your recipient list.

How are the emails created?

Our AI engine analyzes your recipient list and creates unique, personalized emails for each person. Here's what happens:

  1. Categorization: The system groups your recipients by department (Teachers, Students, Security/Safety, Vice Principal/Dean, Facilities/Maintenance, etc.)
  2. Service Selection: For each department, the system randomly selects an appropriate service from your school's settings (like IT support, HR, facilities, etc.)
  3. Scenario Assignment: Each email gets a realistic scenario that matches the selected service
  4. Personalization: The system uses your school's information (name, website, address, phone) and the recipient's details to create a custom email
  5. Template Application: A professional email template is applied to make the message look authentic

How does Tartan choose which simulation someone receives?

Tartan App does not simply pick the same simulation for everyone. It looks for simulations that fit the recipient's role, department, student/staff status, or broad "everyone" scenarios. It also avoids repeating the same template too often and gives more weight to simulations that are relevant, fresh, and historically effective. The final choice still includes randomness, so campaigns stay varied and realistic.

Why did Tartan send a simulation for a service I did not select?

Some simulations use common consumer services that can apply to almost anyone, such as social media, package delivery, file sharing, password alerts, or account notifications. These are included because real attackers often impersonate everyday services, not just school-specific tools. Your selected services guide school-specific simulations, but universal scenarios may still be used for general phishing practice.

How are the emails sent?

Tartan App uses the delivery setup configured for your account. Google Workspace customers can use Direct Message Injection (DMI), Microsoft 365 customers can use Microsoft Defender Advanced Delivery Policies (ADP), and other environments can use domain whitelisting. We recommend the most direct supported setup for your email platform because it improves deliverability and reduces filtering issues.

When are the emails sent?

Emails are not sent to everyone at once. Tartan App sends phishing simulations in small batches so the campaign feels more realistic and avoids a sudden spike of messages. Your account setting controls the cadence: one email every 15, 30, 60, or 90 days. During each cycle, sends are spread randomly across the first 10 days and are sent between 7 AM and 6 PM, Monday-Friday, in the school's timezone.

What interval should I use?

Most schools find success with ongoing campaigns rather than one-time tests. Regular phishing simulations (every 30-90 days) help maintain awareness and catch new staff or students who may need training. 30 or 60 days are the most common selections.

How does email difficulty work?

Starting Point: Everyone begins receiving "High" difficulty emails (the most sophisticated phishing attempts).

Difficulty Reduction: When someone clicks a malicious link, their next email becomes easier, to a minimum of "Easy".

High → Medium → Easy

Difficulty Increase: When someone does not click a link, their next email becomes harder, to a maximum of "High".

Easy → Medium → High

Why This System: People who fall for sophisticated phishing attempts get easier-to-spot emails in future tests, helping them build awareness gradually.

What happens if someone clicks late?

Timing Matters: Let's say your campaign sends emails every 30 days:

  1. Batch 1 emails are generated and sent
  2. 30 days later, Batch 2 emails are generated and sent
  3. If someone clicks a Batch 1 email after Batch 2 is already generated, it won't affect their Batch 2 difficulty (since it's already been created)
  4. However, late clicks are still counted in your reports

Key Point: Clicks only affect future emails that haven't been generated yet.
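
The difficulty ladder and the late-click rule above, modeled for one recipient. This is an added example, not Tartan App's own code. It assumes a batch is generated on a known day number, and that a click recorded after one batch is generated counts toward the next batch that has not been generated yet; the function names and day numbers are hypothetical.

```python
LADDER = ["Easy", "Medium", "High"]  # rungs named in the FAQ, easiest first


def step(level, clicked):
    """One rung easier after a click, one rung harder otherwise, clamped to the ladder."""
    i = LADDER.index(level) + (-1 if clicked else 1)
    return LADDER[max(0, min(i, len(LADDER) - 1))]


def simulate(generation_days, click_days):
    """Return (difficulty of each batch, number of clicks that appear in reports).

    generation_days: day number on which each batch is generated, ascending.
    click_days: day numbers on which this recipient clicked any simulation link.
    """
    levels = []
    for n, gen_day in enumerate(generation_days):
        if n == 0:
            levels.append("High")  # everyone starts at "High"
            continue
        prev_gen = generation_days[n - 1]
        # Only clicks recorded before this batch is generated can change it.
        # Assumption: a click that arrives after the previous batch was
        # generated is applied here, to the next not-yet-generated batch.
        clicked = any(prev_gen <= day < gen_day for day in click_days)
        levels.append(step(levels[-1], clicked))
    # Every click is reported, whether or not it changed a difficulty.
    return levels, len(click_days)


if __name__ == "__main__":
    batches = [0, 30, 60, 90]  # constructed 30-day cadence
    print(simulate(batches, [10]))         # prompt click on Batch 1
    print(simulate(batches, [35]))         # late click on Batch 1, after Batch 2 exists
    print(simulate(batches, [5, 40, 70]))  # repeated clicks bottom out at "Easy"
```
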

What happens if a recipient marks an email as spam?

If you are using DMI and a recipient marks an email as spam, it will not impact deliverability of future emails.

How is the phishing risk score calculated?

Your risk score shows how vulnerable your organization is to phishing attacks. Here's the formula:

Risk Score = (Total Clicks) ÷ (Total Emails Sent) × 100

The system weights different email difficulties:

  • Easy emails: Clicks count more heavily (×2 weight)
  • Medium emails: Standard weighting (×1.5 weight)
  • High emails: Lower weighting (×1 weight)

Example: If 100 people receive easy emails and 20 people click the links, your risk score is 20%.

How can I track progress?

The system provides detailed reports showing:

  • Who clicked on malicious links
  • Overall risk scores and trends
