How to Use Phish-prone Percentage
During a phishing campaign, your users will receive Phishing Security Tests (PST). Based on whether they fail or pass the phishing security test, they will receive a Phish-prone Percentage. Users with a low Phish-prone Percentage are less likely to fall for real phishing attacks than those with a higher Phish-prone Percentage. If you’re interested in learning more about PST, see our What is a Phishing Security Test (PST) and How Does it Work? article.
What Is a Failure?
If a user interacts with the email in an unsafe way, that action is a failure and the user fails that test. Users can have multiple failures from a PST during a phishing campaign. The different types of failures are:
- Clicking the embedded link
- Entering data on a landing page
- Opening an attachment
- Enabling a macro on an attachment
- Replying to the simulated phishing email
- Calling the number and entering the callback code in a callback phishing email
- Entering personal information in a callback phishing call
How Phish-prone Percentage Is Calculated
A Phish-prone Percentage is the percentage of employees who are prone to click on a phishing link. It differs from a Phish-failure Percentage since it tracks the exact way a user fails. It is possible for a user to have many failures on one email and receive a Phish-prone Percentage that goes over 100 percent. For example, if a user opens an email, clicks on the link, and opens the attachment, they have two failures and one failed phishing test (opening the email itself is not a failure). As a result, this user will have a 200 percent personal Phish-prone Percentage, because the user failed two times in one test.
A higher personal Phish-prone Percentage indicates that the individual user may be more vulnerable to an email-borne social engineering attack. If a user opens a simulated phishing email and has many failures, then they are failing to spot red flags. Knowing the number and types of failures can help determine what training the user needs.
Campaign Phish-prone Percentage
A phishing campaign creates a Phish-prone Percentage from the number of total failures divided by the total number of emails delivered in that campaign.
If 100 people received emails, and 52 of them clicked a link in the email, that would mean 52 percent of them failed. If eight of those 52 people also entered data into the landing page, those eight additional failures would increase the Phish-prone Percentage for that campaign to 60 percent.
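As an added example (not KnowBe4's own code), the Python script below applies the calculation described above to a small event log. The action labels, user names, test IDs and the log itself are constructed for illustration; the log reproduces the article's campaign numbers (100 emails delivered, 52 clicks, 8 data entries) and the two-failures-in-one-test user from the previous section. It goes slightly beyond the text by also reporting the number of distinct tests a user failed and a breakdown of failures by type, which is what an administrator needs when deciding on follow-up training.

```python
from collections import Counter

# Actions that count as failures, following the list in the article.
# The labels themselves are this example's own naming (assumption).
FAILURE_ACTIONS = frozenset({
    "click_link", "enter_data", "open_attachment", "enable_macro",
    "reply", "enter_callback_code", "give_callback_info",
})
# Actions that are logged but are not failures: opening the email is not a failure.
SAFE_ACTIONS = frozenset({"open_email", "report_email"})


def failures_only(events):
    """Keep only failure events; reject actions this example does not know."""
    kept = []
    for ev in events:
        action = ev["action"]
        if action in FAILURE_ACTIONS:
            kept.append(ev)
        elif action not in SAFE_ACTIONS:
            raise ValueError(f"unknown action: {action}")
    return kept


def phish_prone_percentage(failure_count, delivered_count):
    """Failures divided by emails delivered, times 100. Can exceed 100 percent."""
    if delivered_count <= 0:
        raise ValueError("at least one delivered email is required")
    return 100.0 * failure_count / delivered_count


def campaign_phish_prone(events, emails_delivered):
    """Campaign Phish-prone Percentage: all failures over all emails delivered."""
    return phish_prone_percentage(len(failures_only(events)), emails_delivered)


def personal_phish_prone(events, user, tests_received):
    """Personal Phish-prone Percentage: one user's failures over tests they received."""
    fails = [ev for ev in failures_only(events) if ev["user"] == user]
    return phish_prone_percentage(len(fails), tests_received)


def failed_tests(events, user):
    """Distinct tests the user failed: one per test, however many failures it had."""
    return len({ev["test"] for ev in failures_only(events) if ev["user"] == user})


def failure_breakdown(events):
    """Count of failures by type, for deciding which training to assign."""
    return Counter(ev["action"] for ev in failures_only(events))


# Constructed campaign log: 100 emails delivered, 60 recipients open the email,
# 52 click the link, and 8 of those 52 also enter data on the landing page.
CAMPAIGN_DELIVERED = 100
CAMPAIGN_EVENTS = (
    [{"user": f"u{i:03d}", "test": "pst-1", "action": "open_email"} for i in range(60)]
    + [{"user": f"u{i:03d}", "test": "pst-1", "action": "click_link"} for i in range(52)]
    + [{"user": f"u{i:03d}", "test": "pst-1", "action": "enter_data"} for i in range(8)]
)

# Constructed per-user log: one test; the user opens it, clicks, and opens the attachment.
USER_EVENTS = [
    {"user": "alice", "test": "pst-1", "action": "open_email"},
    {"user": "alice", "test": "pst-1", "action": "click_link"},
    {"user": "alice", "test": "pst-1", "action": "open_attachment"},
]

if __name__ == "__main__":
    print(f"campaign Phish-prone Percentage: "
          f"{campaign_phish_prone(CAMPAIGN_EVENTS, CAMPAIGN_DELIVERED):.0f}%")
    print(f"alice: {personal_phish_prone(USER_EVENTS, 'alice', 1):.0f}% "
          f"across {failed_tests(USER_EVENTS, 'alice')} failed test(s)")
    print("failures by type:", dict(failure_breakdown(CAMPAIGN_EVENTS)))
```

Because the denominator is emails delivered (campaign) or tests received (user) rather than distinct failed tests, a single recipient who clicks and then enters data adds two failures, which is why the campaign figure rises from 52 to 60 percent and why a personal figure can reach 200 percent on one test.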