Phishing That Teaches: Why "Click Rate" Is a Garbage Metric

Level: Beginner

The "Gotcha!" Game

We need to stop treating phishing simulations like a game of Whack-a-Mole.

You know the drill. The security team sends out a fake email: "Free iPhone! Click Here!" or "Your Password Expired, Reset Now." User clicks it. They get redirected to a scary landing page: "YOU HAVE BEEN PHISHED! Please report to mandatory training."

The user feels stupid. The security team feels smug. The "Click Rate" goes into a PowerPoint for the CISO. And absolutely nothing improves.

This approach is not only ineffective; it's toxic. It builds resentment between employees and the security team. It trains users to hide their mistakes rather than report them.

The Metric That Actually Matters

Click Rate (the % of people who clicked) is a vanity metric. It varies wildly based on the difficulty of the template. I can get a 0% click rate by sending an email from scammer@evil.com written in broken English. I can get a 40% click rate by spoofing the CEO asking for a quick favor during a crisis.

The metric you should be tracking is Report Rate.

Report Rate answers: "Of the people who received this suspicious email, how many used the 'Report Phish' button?"

  • A user who deletes the email is neutral.
  • A user who clicks is a negative.
  • A user who reports it is a hero. They just alerted the SOC to a potential campaign, allowing us to block the sender for everyone else.

Your Goal: Maximize the Report Rate. If 1 person clicks but 50 people report it within 5 minutes, you win. The attack is burned.

Building "High-Fidelity" Pretexts

If you want to train people for real attacks, you have to use real scenarios. "Prince of Nigeria" scams are so 2005. Modern attackers use Contextual Phishing.

Example 1: The "Internal Tool Update"

  • Subject: Action Required: New HR Portal Enrollment
  • Sender: hr-support@company-internal-portal.com (Looks legit at a glance)
  • Context: Send it right before open enrollment season.
  • Payload: Link to a cloned login page capturing credentials.

Example 2: The "DocuSign" Lure

  • Subject: Completed: NDA for Project Alpha
  • Sender: docusign.net.mail.com
  • Context: Target the Sales or Legal team. They live in DocuSign.
  • Payload: "View Document" button leading to an O365 consent grant attack.

Example 3: The "Teams Message"

  • Method: Send a direct message in Microsoft Teams (if you have internal access) or a spoofed email notification.
  • Context: "Hey, I can't access the file you shared, can you check this permission?"
  • Technique: Relies on the inherent trust of internal communication platforms.

The "Teachable Moment"

When a user clicks, don't just slap them with a "Fail" screen. Use the moment to educate.

Bad Landing Page:

"YOU FAILED. You put the company at risk. Go watch this 15-minute video."

Good Landing Page:

"Whoops! This was a simulation.

You spotted that this email looked important, but here are the 3 Clues you missed:

  1. The Sender: It came from micro-soft.com (hyphen), not microsoft.com.
  2. The Urgency: It demanded action 'within 10 minutes'. Attackers create panic to bypass critical thinking.
  3. The Link: Hovering showed a redirect URL.

Good news: This was just a test. Click here to report this email and protect your colleagues."

Psychological Safety

If employees are terrified of being fired for clicking a link, they will never tell you when they click a real malicious link.

You want a culture where, if someone realizes they messed up, they pick up the phone and call the SOC: "Hey, I think I just clicked something bad. Can you isolate my machine?"

That phone call saves the company. Fear prevents that phone call.

Golden Rule: Never punish the user for falling for a simulation. Reward the user for reporting it.

Technical Tips for Phishing Ops

If you are running the campaign (Red Team side):

  1. Bypass your own filters: Whitelist your sending IP in Exchange/IronPort. There is no value in testing your own spam filter (that's a different test). You are testing the human.
  2. Measure "Time to First Report": How many minutes from "Send" to "SOC Alert"? This tests your incident response speed.
  3. Avoid "Forbidden" Pretexts: Never promise bonuses/raises. Never threaten firing. Never use real tragedies (COVID, natural disasters). It destroys morale and makes you the villain.
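To make the Report Rate argument above and tip 2's "Time to First Report" concrete, here is an added example (not from the original post) that scores a simulated campaign from a constructed event log: it computes click rate, report rate and time to first report, and flags the campaign as "burned" when the first report lands inside the 5-minute window used earlier. The event tuple format, the recipient names and the 5-minute window are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample event log for one simulated campaign (not real data).
# Each tuple: (timestamp, recipient, action), action in {"delivered", "click", "report"}.
SAMPLE_EVENTS = [
    ("2024-03-04T09:00:00", "alice", "delivered"),
    ("2024-03-04T09:00:00", "bob", "delivered"),
    ("2024-03-04T09:00:00", "carol", "delivered"),
    ("2024-03-04T09:00:00", "dave", "delivered"),
    ("2024-03-04T09:03:10", "bob", "report"),    # reported without clicking
    ("2024-03-04T09:04:30", "carol", "click"),
    ("2024-03-04T09:06:00", "carol", "report"),  # clicked, then self-reported
    ("2024-03-04T09:07:45", "dave", "click"),
    ("2024-03-04T09:20:00", "carol", "click"),   # repeat click by the same user
]

@dataclass
class CampaignMetrics:
    recipients: int
    click_rate: float                          # unique clickers / recipients
    report_rate: float                         # unique reporters / recipients
    time_to_first_report: Optional[timedelta]  # send -> first report, None if nobody reported
    burned: bool                               # first report landed inside the SOC window
def compute_metrics(events, burn_window=timedelta(minutes=5)):
    """Score a campaign by reports, not clicks. Each recipient counts at most once
    per action: a double-clicker is one clicker, and a user who clicks and then
    reports appears in both columns (that late report is still the outcome we want)."""
    parsed = [(datetime.fromisoformat(ts), who, act) for ts, who, act in events]
    recipients = {who for _, who, act in parsed if act == "delivered"}
    if not recipients:
        raise ValueError("campaign has no delivered recipients")
    send_time = min(t for t, _, act in parsed if act == "delivered")
    clickers = {who for _, who, act in parsed if act == "click"}
    reporters = {who for _, who, act in parsed if act == "report"}
    report_times = [t for t, _, act in parsed if act == "report"]
    first_report = min(report_times) - send_time if report_times else None
    return CampaignMetrics(
        recipients=len(recipients),
        click_rate=len(clickers) / len(recipients),
        report_rate=len(reporters) / len(recipients),
        time_to_first_report=first_report,
        burned=first_report is not None and first_report <= burn_window,
    )

if __name__ == "__main__":
    m = compute_metrics(SAMPLE_EVENTS)
    print(f"click {m.click_rate:.0%} report {m.report_rate:.0%} first report {m.time_to_first_report} burned={m.burned}")
```

With the sample log the campaign has a 50% click rate and a 50% report rate, and the first report arrives 3 minutes 10 seconds after send, so the same data reads as a failure by click rate and a win by report rate.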

Phishing exercises are about resilience, not trickery. Teach your employees to be your eyes and ears, not your victims.