While CanIPhish strives to provide a fully white-labelled experience, there are some features and aspects of the platform that cannot be white-labelled. In this article, we'll walk through which features can be white-labelled, what the limitations of white-labelling are, and answer some frequently asked questions.
White-Labelling Feature Support Table
For your benefit, a table outlining all CanIPhish features has been included below, along with a statement on whether white-labelling is or isn't supported.
Note: If you've set up white-labelling, any feature that is marked as "Supported" will be visible, even when the white-label is configured to "Not Show CanIPhish Resources". If a feature is marked as "Not Supported", and the white-label is configured to "Not Show CanIPhish Resources", it will be hidden from view for any user accessing the platform, EXCEPT for the "Platform Super Admin". We still show many of these features for Platform Super Admins as it's generally accepted that the Platform Super Admin is already aware of CanIPhish.
| Feature | Feature Description | White-Label |
|---|---|---|
| Simulated Phishing | | |
| Email Phishing Simulator | Strengthen your organization’s security by exposing employees to realistic, automated phishing threats. Through managed infrastructure and robust interaction tracking, you can schedule recurring campaigns and harness detailed reporting for powerful, actionable insights. | Supported |
| Configurable Phishing Content Library | Keep simulations relevant and engaging by selecting from a diverse library of phishing emails, each with a customized payload and sender profile. This flexibility allows you to mimic genuine threats that resonate with your audience, ensuring employees become adept at recognizing and reporting suspicious communications. | Supported |
| Advanced Payload Delivery | Simulate a comprehensive range of real-world phishing attacks by selecting from four payload types that cover the entire attack lifecycle: Endpoint Compromise (Phishing Attachment); Credential Compromise (Phishing Website); Business Email Compromise (Information Request); Voice Call Compromise (Callback Request). | Supported |
| Automated Risk-Based Phishing | Focus your security efforts where they matter most by automatically targeting the employees who exhibit the highest phish-risk. This tailored approach ensures that those most susceptible receive simulations designed to heighten awareness, reducing the likelihood of real attacks succeeding across your organization. | Supported |
| Phish Reply Tracking | Gain deeper insight into risky user behavior by monitoring replies to simulated phishing emails. | Supported |
| AI-Powered Phishing Engine | Stay one step ahead of evolving threat tactics by deploying a proprietary engine powered by Generative AI (PhishAI) that is capable of engaging employees across both voice calls and email. This approach reflects sophisticated phishing scenarios, ensuring your workforce is well-prepared for increasingly advanced attacks. | Supported |
| Conversational Email Phishing | Immerse employees in realistic, ongoing email conversations that mimic social engineering tactics. By fostering trust through multiple AI-driven exchanges before attempting to deliver the phishing payload, this feature teaches users to recognize subtle cues of conversational phishing attacks. | Supported |
| Voice Phishing Simulator | Test your team’s phone-based social engineering defenses with automated, AI-powered voice calls. Simulate an authentic back-and-forth conversation before requesting information. | Not Supported |
| Hosted Phishing Websites | Give employees hands-on practice identifying malicious websites by using realistic, fully hosted phishing pages. These simulations replicate genuine credential capture attempts without storing any actual data. | Supported |
| Sender Domain Spoofing | Equip employees to spot deceptive emails by deploying domain spoofing and lookalike addresses that mirror genuine senders. This high-fidelity simulation enables users to recognize subtle red flags, reinforcing vigilance and reducing the success rate of impersonation scams. | Supported |
| Immediate Phishing Education | Deliver timely lessons at the most impactful moment—right after an employee clicks a phishing link. Immediate feedback helps your workforce internalize the warning signs and significantly reduces the chances of repeat errors. | Supported |
| Complete Multi-Language Phishing | Deliver phishing simulations in 75 languages, ensuring maximum participation and comprehension across a diverse workforce. | Supported |
| Phishing Compliance Reports | Demonstrate accountability and progress by pulling aggregated statistics from all phishing campaigns. These reports enable you to share clear, consolidated data with regulators, executives, and other stakeholders in just a few clicks. | Supported |
| Security Awareness Training | | |
| Advanced Learning Management System | A fully featured learning management system with extensive reporting, automated recurring campaigns, learner gamification, natively integrated phishing simulations, and built-in compliance tracking, streamlining security awareness training in one powerful platform. | Supported |
| Training Program Generator | Hit the ground running with effective, relevant training that engages learners from day one. Effortlessly launch a customized security awareness program built on industry expertise and real world benchmarks. Our program generator delivers a structured, comprehensive training plan that aligns with key standards and your organization's needs, ready for export as a Word document or direct deployment into your CanIPhish tenant. | Supported |
| Configurable Training Module Library | Keep your employees informed and ready for emerging threats by selecting from 45 comprehensive training modules. Covering everything from cybersecurity fundamentals to privacy regulations and compliance frameworks, these modules can be modified to fit your organization’s exact needs. | Supported |
| Automated Skill-Based Training | Cater to each employee’s knowledge level by automatically assigning relevant training content that matches individual skill gaps. This targeted approach ensures learners are neither bored by repetitive topics nor overwhelmed by advanced material, promoting better engagement and faster skill development. | Supported |
| Learner Gamification | Foster a culture of friendly competition with badge-earning challenges and a leaderboard for admins to track progress. By celebrating achievements and encouraging peer recognition, employees remain motivated to progress through training and adopt more secure behaviors. | Supported |
| WCAG 2.2 Level AA Conformant | Promote inclusivity and maintain accessibility standards by offering training that meets WCAG 2.2 Level AA guidelines. This commitment to equal access not only supports employees with disabilities but also demonstrates your organization’s dedication to equitable learning opportunities. | Supported |
| Export SCORM Training Packages | Utilize your own third-party learning management system to deliver security awareness training with SCORM compatible training modules. | Supported |
| Human Risk Management | Take control of your organization's security by quantifying and managing human risk at an individual level. Track each employee’s unique risk score, built from four key risk factors, and gain actionable insights to strengthen your defenses. | Supported |
| Complete Multi-Language Training | Empower a diverse global workforce to master cybersecurity fundamentals in their own language. With 75 available translations, your organization can effectively train all employees, fostering a consistent security culture across international teams. | Supported |
| Training Compliance Reports | Easily demonstrate the efficacy of your security awareness efforts with aggregated data from all training campaigns. These on-demand reports streamline audits, satisfy regulatory requirements, and offer clear insights into learner progress, making it simpler to maintain transparency with stakeholders. | Supported |
| Integrations | | |
| Microsoft Entra ID Directory Sync | Automatically sync employee information and groups from Microsoft Entra ID to ensure accurate, up-to-date data. Easily filter your synced lists directly within the platform. | Supported |
| Google Workspace Directory Sync | Automatically sync employee information and groups from Google Workspace to ensure accurate, up-to-date data. Easily filter your synced lists directly within the platform. | Supported |
| Outlook Report Phish Add-On | Empower employees to swiftly flag potential threats by adding a “Report Phish” button in Outlook. This streamlined process boosts awareness, and accelerates your ability to investigate and neutralize real phishing risks. | Not Supported |
| Gmail Report Phish Add-On | Empower employees to swiftly flag potential threats by adding a “Report Phish” button in Gmail. This streamlined process boosts awareness, and accelerates your ability to investigate and neutralize real phishing risks. | Not Supported |
| Third-Party Phish Report Add-On | Enable employees to report suspicious emails through a third-party phish report add-on (e.g. Microsoft Report Phish Button), with integrated support to track simulated phishing reports within CanIPhish. | Supported |
| Webhook Integration | Streamline your security ecosystem by automatically sending phishing and training event data to external platforms through Webhooks. This immediate exchange of information helps accelerate incident response and enhance threat analytics, bringing greater efficiency to your overall security posture. | Supported |
| API Integration | Use the CanIPhish API to programmatically pull reporting data on phishing campaigns, training campaigns, and employee profiles. | Not Supported |
| Vanta Integration | Maintain an audit-ready status by syncing phishing and training results with Vanta. This constant flow of compliance data eases the burden of preparing for audits, giving you a dynamic view of your organization’s security health without double handling. | Not Supported |
| Single Sign-On (SAML) | Simplify and secure access for all users with SAML-based Single Sign-On, eliminating the hassle of multiple credentials. This approach bolsters security while offering a seamless login experience that encourages consistent usage and fosters platform adoption. | Supported |
| Multi-Factor Authentication | Provide administrators with Multi-Factor Authentication (MFA) through the use of Software-Based TOTP Tokens. | Supported |
| General | | |
| Industry Benchmarking | Gain a clear perspective on your security posture by comparing your current, past, and projected human risk against similarly sized organizations. With these benchmarks in hand, you can pinpoint areas that need improvement and celebrate where you’re excelling, guiding strategic decisions for a stronger, more proactive defense. | Supported |
| Configurable Employee Lists | Fine-tune your targeting strategy by creating dynamic employee lists based on departments, roles, or risk levels. This personalization ensures each group receives relevant phishing simulations and training modules, boosting engagement and reducing overall vulnerability. | Supported |
| Scheduled Reporting | Keep every stakeholder informed without lifting a finger by automating report generation and delivery. Whether daily, weekly, or monthly, this effortless system ensures transparent communication of progress and risk status. | Supported |
| Customizable Notifications | Communicate effectively with your organization by customizing the language, wording and visuals of platform notifications. | Supported |
| Configurable Storage Locations | Align with regional regulations and organizational preferences by selecting from 10 global data storage locations. By keeping sensitive information within specific boundaries, you enhance data governance, reduce compliance risks, and maintain tighter control over privacy. | Supported |
| Dark Web Monitoring | Shield your team by automatically scanning for employee data on the dark web. If compromised information appears, you can swiftly implement corrective measures. | Supported |
| SOC 2 Type 2 Attestation Report | Gain assurance that the confidentiality, integrity, and availability of your data is maintained by reviewing CanIPhish's up-to-date SOC 2 Type 2 attestation report. | Not Supported |
| Support | | |
| Verbose Knowledge Base Articles | Accelerate adoption and troubleshoot confidently with detailed, frequently updated articles covering every aspect of the platform. This self-serve knowledge base empowers your team to resolve common issues and discover new features without waiting on support. | Not Supported |
| Detailed Video Walkthroughs | Master key features quickly by following step-by-step video tutorials. These interactive guides cater to diverse learning styles, reducing onboarding time and boosting overall platform effectiveness. | Not Supported |
| Premium Customer Support | Get expert help whenever you need it through live chat, email, or video conferencing. This hands-on approach ensures swift resolutions to technical challenges and provides tailored guidance for optimizing your phishing and training efforts. | Not Supported |
White-Labelling Limitations
Let's walk through each limitation and explain why it exists.
Feature Limitations
Voice Phishing Simulator
Unfortunately, CanIPhish's Voice Phishing Simulator cannot be white-labelled for two reasons, both of which cannot be avoided due to the legal and regulatory frameworks that many countries impose. These reasons are outlined below:
- Agency Agreement: As non-corporate devices (i.e. personal mobile phones) are in use, CanIPhish needs documented authorization from the organization that we're masquerading as to present ourselves as an official representative of that organization (purely for conducting simulated voice phishing at their direction). With voice phishing, we will only ever present ourselves as the learner's employer, never as another third-party brand (e.g. bank, telco, etc.). This is unfortunately a necessary requirement given the highly regulated nature of conducting outbound phone calls, and this agency agreement MUST be between CanIPhish and the end-user organization.
- Employee Double Opt-In Consent: As above, given non-corporate devices (i.e. personal mobile phones) are in use, CanIPhish needs each participating employee to provide CanIPhish with double opt-in consent, officially noting that they authorize CanIPhish to call them for the purpose of conducting simulated voice phishing exercises. This is unfortunately a necessary requirement given the highly regulated nature of conducting outbound phone calls, and this consent MUST be between CanIPhish and the participating employee.
Outlook Report Phish Add-On
The CanIPhish Outlook Report Add-On is deployed through a .xml manifest file which contains many references to the CanIPhish brand, including imagery and API endpoints. While the imagery may be changed, the API endpoints will still reference a CanIPhish sub-domain. As such, white-labelling is not fully supported.
Gmail Report Phish Add-On
The CanIPhish Gmail Report Phish Add-On is a verified application that's available on the Google Workspace Marketplace. Unfortunately, Google do not allow for marketplace applications to be white-labelled. Because of this, any use of the Gmail Report Phish Add-On will clearly show the CanIPhish brand during the installation process.
Vanta Integration
The CanIPhish Vanta Integration uses a verified partner application that's available on the Vanta Integrations portal. Unfortunately, Vanta do not allow for partner integrations to be white-labelled. Because of this, any use of the Vanta Integration will clearly show the CanIPhish brand during the installation process.
SOC 2 Type 2 Attestation Report
The CanIPhish SOC 2 Type 2 Attestation Report cannot be white-labelled as it is an official document generated by CanIPhish's SOC 2 Auditors (AssuranceLab) based on an assessment of CanIPhish covering both our organizational processes, and product (i.e. the CanIPhish Cloud Platform).
Verbose Knowledge Base Articles
CanIPhish's Knowledge Base unfortunately cannot be white-labelled as our knowledge base provider (Zendesk) do not support native white-labelling capabilities. Additionally, many support articles have embedded videos and screenshots which clearly show the CanIPhish brand.
Detailed Video Walkthroughs
CanIPhish's Video Walkthroughs unfortunately cannot be white-labelled as they clearly show representatives of CanIPhish showcasing the CanIPhish Cloud Platform in its non-white-labelled form.
Premium Customer Support
CanIPhish's Customer Support unfortunately cannot be white-labelled as representatives of CanIPhish will always present themselves as coming from CanIPhish.
General Limitations
While CanIPhish strives to provide a fully white-labelled experience, we cannot guarantee that end-users will not discover the CanIPhish brand if motivated to do so. Activities by an end-user which may expose the CanIPhish brand can include, but are not limited to those outlined below:
- Viewing Page Source: If an end-user views the page source when accessing the CanIPhish Cloud Platform or CanIPhish Learner Dashboard, they may discover a reference to CanIPhish in the form of JavaScript variables, page comments, or API endpoints.
- Domain & IP Intelligence: If an end-user attempts to use DNS or IP intelligence tools, or even Google Search, they may come across indexed pages from the CanIPhish knowledge base which reference those IP addresses or domains. For example, CanIPhish's allowlisting support articles reference our mail server IP addresses and phishing domains in many places.