Why do some of my users have a Phish-prone Percentage greater than 100%?

We count all of the different “failure points” in an email template as separate tests.  The failure points include the following actions: 

• Clicking the embedded link
• Entering data on a landing page
• Opening an attachment
• Enabling a macro on an attachment
• Replying to the simulated phishing email 

If a user receives one of our Simulated Phishing Email templates and clicks the embedded link, they have failed a link test.  If there is an attachment on the same simulated phishing email and they choose to open the attachment, they have failed a second test in the same email template. As a result, this user will have a 200% Personal Phish-prone Percentage, because the user failed two tests. 

A PST (Phishing Security Test) can actually contain all of these tests in a single email template. If a user clicks on a link, enters data on a landing page, opens an attachment and enables the macro, and then replies to the email, the user has a 500% Phish-prone Percentage on this one email.

As our attachments also contain links, even on templates with only attachments, you may see "clicks" recorded as well. This means your users clicked the phishing link embedded in the attachment.

A higher Personal Phish-prone Percentage indicates the individual user may be more vulnerable to an email-born social engineering attack.  Consider this: If a user opens a simulated phishing email and clicks the embedded link, then also opens an attachment, or enters data, this user is not spotting what should be “red flags” to them and needs some additional training.  

Campaign Phish-prone Percentage

 A phishing campaign's Phish-prone Percentage is calculated based on the number of total failures (clicks, attachment opens, data entry, enabling macros on attachments, replying) divided by the total number of emails delivered in that campaign.

For example, if 100 people received emails, and 52 of them clicked a link in the email and eight of those users also entered data into the landing page, the Phish-failure Percentage for that campaign would be 60%.