Frequently Asked Questions

Note: Email addresses on ISP or public domains (example:,,, etc.,) are restricted and cannot be used within the Securecast service. User account and target email addresses must be valid company or organization addresses. On sign up, you will receive a welcome email with a validation link to enable your account to run a simulation. For evaluation purposes, you can send simulations to your own validated email without purchasing credits.

Some spam filters may bounce mail coming from Securecast which is both good and bad. Good for proving that your spam filter is working but bad for phishing awareness purposes. If mail does bounce from Securecast you may need to white-list the Securecast send mail server by IP address or server name or you can also white-list the sending domain. To do so log into your email gateway/spam filter and add a white-list for either:

  1. Securecast IP Address:
  2. Securecast Mail Server: ( [])
  3. Securecast sending domain(s): use sending domain you setup/choose
Securecast was created by two co-founders from Oregon, USA, each with 15+ years experience in technology including web development, solution design, and information security. The solution was designed with security in mind including the following features:

  • Securecast sanitizes lure pages on the client side to ensure that credentials (usernames/passwords) are never sent to or seen by our servers.
  • Securecast ensures that simulations can only be launched against targets on your validated domains.
  • Securecast restricts launching simulations against public ISP domains.
  • DigitalOcean App Hosting
  • AWS hosted MongoDB Database
  • SendGrid Transactional Email Relay
  • Developed using Angular JS by Google
  • Stripe Payments Processing
As our client, you will be able to build your phishing simulations through our easy to use Simulation Wizard. Through the wizard steps, you will:

  1. Import your company’s email target list
  2. Add your bait email and lure page by either choosing from our pre-canned templates, or writing your own content
  3. Send a test email to test the simulation.
  4. Schedule and launch your simulation against your targets.
  5. Watch reports in real-time
    • Email processing and delivery
    • Email opens and clicks
    • Data post attempts to the lure page
Real-world phishing attacks can be devastating. Securecast only simulates a phishing attack. Our service can only collect action statistics on your user’s interaction with the simulation to help you identify your organization’s ability to spot phishing attacks. Securecast alters simulated emails and lure pages to ensure that data such as usenames, passwords or any other sensitive data never leaves the user’s device, and is never seen by our servers. Also, simulation emails and lure page code are sanitized on the server to ensure users cannot add custom scripts, links or forms to emails or lure pages. This ensures only action statistics are collected.
There are two types of email addresses that you enter into Securecast:

  1. Authorized Domain Address: This is your own address on your company’s or organization’s domain. When you add an Authorized Domain address, you will be sent a validation link to your inbox. Click on that link to verify that you are the owner of the email box, and have an account on your company’s/organization’s domain. This will allow you to import target email addresses on that domain.
  2. Target Email Addresses: These are your company’s or organization’s employee’s or member’s email addresses that you will target your simulation toward. These are needed by the simulation in order to deliver the bait email.

We do not share any of our client’s email addresses that are entered into Securecast, period. We will never sell or share email addresses in our system with any non-Securecast person or group, nor do we use any of your target addresses for ourselves. You can easily purge your data from Securecast if you ever choose to do so.

By default, phishing simulations are only available to launch against your authorized domains. You will not be able to target email addresses outside of your authorized domains list. These types of tests are generally ran by your company IT or security team. Before running any simulations against your organization, you should consult with your company’s IT and/or security team to make them aware of the tests, and maximize the success of your simulation. If you are a security consultant, you can contact us to become a verified security consultant to launch campaigns for your clients.

Note: Email addresses on ISP or public domains (example:,, etc.,) are restricted and cannot be used within the Securecast service. Target email addresses must be valid company or organization addresses.

You will be able to see data about the following types of email events in the Email Activity Feed:

  • Processed – Requests from your website, application, or mail client via SMTP Relay or the API that the emailer processed.
  • Clicks – Whenever a recipient clicks one of the Click Tracked links in your email.
  • Delivered – An email that was delivered to a recipient.
  • Opens – Whenever an email is opened by a recipient.
  • Deferred – The recipient mail server asked the emailer to stop sending emails so fast.
  • Drops – The emailer will drop an email when the contact on that email is in one of your suppression groups, the recipient email previously bounced, or that recipient has marked your email as spam.
  • Bounces – When an email is attempted to be delivered, but the recipient mail server rejects it.
  • Spam Reports – Whenever a recipient marks your email as spam and their mail server tells us about it.
Securecast tracks nearly all activity associated with a phishing campaign including; number of messages sent and delivered, number of messages opened and clicked, number of individuals who post data along with who the individuals are. Reports are presented in graphically pleasing donut and line charts directly within the solution. Reports can be exported simply by printing the report or saving as PDF direct from your browser.