Overview
The Account Settings page is where you can configure default settings for campaigns, account notifications, portal user password policy, portal SSO, EVENTS, and MFA settings.
To navigate to Account Settings, expand Administration > Settings > Account Settings.
General
The General tab lets you specify certain default settings on your account.
- Default Test Length - How long you want your tests to run. This value will be populated in the campaign wizard but can be modified during campaign setup.
- Default Time Zone - Will be automatically set in the date/time drop-downs in the campaign wizard. This value can be modified during campaign setup.
- Default Email Rate Limit - The rate of emails per hour that will be sent out for the Immediate Test type. The minimum send rate is 10 emails per hour. There is no upper limit on the sending rate; however, some firewalls will block phishing emails if too many are sent over a short period of time. If this is a concern in your environment, then we recommend starting out with a relatively low sending rate - 300 per hour - and gradually increasing this as you run more tests.
- Group Import Type - This specifies how the system will handle imports when you attempt to import more targets than your account has available seats to hold. There are three options to choose from:
  - Stop and do not import - The import will fail entirely. No targets will be imported.
  - Import up to the available amount - Imports targets up to the number of available seats, then stops importing.
  - Import all and send a bill for the overage - Imports all the targets. If you go over your seat limit, then you will be billed for the excess.
- Department Mapping - When enabled, targets with departments will be mapped to a system-defined department category. This mapping will be used in the campaign wizard for template suggestions.
- Default Date Format for Reports - The default date format displayed in Report Generator and Report Generator BG.
- Default Time Format for Reports - The default time format displayed in Report Generator and Report Generator BG.
- Generated Report Storage Period - The number of years that reports generated and saved to the platform will be kept.
Notifications
The Notifications tab allows you to specify an account manager and provides several notification options you can enable/disable.
- Group Sync Notification - A group_sync_complete system email is sent to all admins on the account letting them know when integrated groups (such as Entra ID, LDAP or Litmos) are synced.
- Failed Auto Sync Notification - An email that is sent to the account manager email address when an integration's automatic sync fails.
- Flagged Domain Notification - An email is sent to the account manager email address when a domain that is being used in active tests is flagged (a domain may become flagged if it is marked as malicious by third party security software).
- Account No Usage Reminder - An email is sent to all admins to remind them to run a Phishing Campaign after 90 days of inactivity.
- Report Generated Notification - An email is sent to the user who queued the report when their report is generated.
NOTE: Campaign notifications can be configured on the Review tab of the campaign wizard.
Passwords
The Passwords tab lets you specify the requirements that users must meet when creating/setting a new password.
SSO
The SSO tab lets you configure single sign-on for your PhishingBox portal account (School SSO can be configured in School Settings). You can choose from the available SSO solutions (OneLogin, Okta, PingOne, Azure, and Google Workspace).
NOTE: If a user is provided access to the phishing portal via your organization's SSO IDP and does not already have an account in the phishing portal (in Administration > Manage Portal Users), an account will automatically be created with a role of "Admin" when the user accesses the phishing portal via SSO.
- SSO Lock - If enabled, administrators can log in to the portal via SSO only. If the SSO configuration fails and administrators can no longer log in, you will have to contact PhishingBox support to disable this feature.
  NOTE: Portal MFA lock must be disabled to use SSO portal lock.
- App embed link - Input your SSO app's access URL here. When a URL is provided here, a link to this URL will be included in system emails. If no URL is provided, the system email will only include plain text stating that users must log in via SSO.
- Signed Logout - Set this to 'Yes' if your IDP requires signed single log out requests.
- Attribute Mappings - Specify users provisioned via SSO to be set with User privileges (users provisioned via SSO will have Admin privileges by default). This is done by specifying an attribute name and value to identify the user. If a name is duplicated, it will be treated as an array. The array will be parsed for the given value to determine how the field should be assigned. You have the following Field options:
  - First Name - Specify an attribute Name whose Value will be used as the created user's first name.
  - Last Name - Specify an attribute Name whose Value will be used as the created user's last name.
  - Admin - Specify an attribute key-value pair that when matched will assign the admin role.
  - User - Specify an attribute key-value pair that when matched will assign the user role.
NOTE: Attribute mappings are optional. They are not required for SSO to function.
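Because users provisioned via SSO are Admin by default, it helps to check which identities would match no mapping before enabling SSO. The following is an added example, not PhishingBox code: it models the mapping behaviour described above and lists the identities that would become Admin without an explicit Admin match. The attribute names, values and users are constructed, and the handling of an identity that matches both mappings is an assumption, since this page does not state a precedence.

```python
# Added example, not PhishingBox code. Conflict handling below is an assumption.
from collections import defaultdict

DEFAULT_ROLE = "Admin"  # per this page: SSO-provisioned users are Admin by default

def collect_attributes(pairs):
    """Fold (name, value) pairs into name -> list; a duplicated name becomes an array."""
    attrs = defaultdict(list)
    for name, value in pairs:
        attrs[name].append(value)
    return dict(attrs)

def resolve_role(pairs, mappings):
    """Return (role, reason); mappings are (field, attribute_name, attribute_value)."""
    attrs = collect_attributes(pairs)
    matched = {field for field, name, value in mappings
               if field in ("Admin", "User") and value in attrs.get(name, [])}
    if matched == {"User"}:
        return "User", "user mapping matched"
    if matched == {"Admin"}:
        return "Admin", "admin mapping matched"
    if matched:  # both Admin and User mappings matched
        # Assumption: report the higher privilege so the audit over-reports.
        return "Admin", "AMBIGUOUS: both mappings matched"
    return DEFAULT_ROLE, "NO MATCH: falls through to default Admin"

def audit(assertions, mappings):
    """List identities that would be Admin without an explicit Admin mapping match."""
    findings = []
    for user, pairs in assertions.items():
        role, reason = resolve_role(pairs, mappings)
        if role == "Admin" and reason != "admin mapping matched":
            findings.append((user, reason))
    return findings

# Constructed sample data (hypothetical attribute names, values and users).
MAPPINGS = [("Admin", "groups", "phish-admins"), ("User", "groups", "phish-users")]
ASSERTIONS = {
    "alice@example.com": [("groups", "staff"), ("groups", "phish-admins")],
    "bob@example.com": [("groups", "phish-users")],
    "carol@example.com": [("groups", "staff")],
    "dave@example.com": [("groups", "phish-users"), ("groups", "phish-admins")],
}

if __name__ == "__main__":
    for user, reason in audit(ASSERTIONS, MAPPINGS):
        print(f"{user}: {reason}")
```

Every identity the audit lists is one your IDP can assert but that no mapping assigns deliberately; restrict the SSO app's assignment in the IDP or add a User mapping that covers it.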
MFA
The MFA tab contains MFA Lock toggles to enable/disable required MFA for all users. When "MFA Lock Portal" is enabled, it will require all portal users to configure MFA. When "MFA Lock School" is enabled, it will require all students to configure MFA.
Webhook
The Webhook tab provides access to all account settings related to webhooks.
- Default Webhook (Deprecated) - When any action (verified or not) is recorded, the system sends a JSON response to the Default Webhook (Deprecated) URL. If a specific Webhook URL (Deprecated) is defined for a campaign, this URL will override the default and receive the response instead.
- Default Verified Action Webhook - When a verified action is recorded, the system sends a JSON response to the Default Verified Action Webhook URL. If a specific Verified Webhook URL is defined for a campaign, this URL will override the default and receive the response instead.
- Custom HTTP headers - Add custom HTTP headers to webhook requests.
AI
- Configure an AI provider - Opens the Integration Store, where you can add OpenAI or Anthropic configurations. You must configure a connection before other options are displayed.
- Default Model - If you have an AI provider configured, the dropdowns will include any models associated with your API key. The selected model will be the default used by the feature.
- Save - Saves your selected model settings.
Departments
Departments are a target field that can be used to help suggest templates in the campaign wizard. To access the Departments tab, turn on the Department Mapping setting on the General tab. The table will list all the custom departments assigned to targets in your account. Clicking the actions dropdown allows you to delete or edit the department mapping. Editing the department will allow you to assign a best match to the target's department. To make the best use of the template suggestion feature, make sure to map all the custom departments to our standardized list of departments. See the full list of departments below:
Accounting, Administration/Executive, All Staff, Business Development, Communications, Compliance, Customer Service, Data Analyst, Engineering, Facilities (physical plant), Finance, Human Resources (HR), Information Technology (IT), Legal, Logistics, Marketing, Operations, Payroll, Product Development, Project Management, Public Relations, Purchasing, Quality Assurance, Research and Development (R&D), Sales, Supply Chain, Technical Support.