Phishing Security Tests

Monitor and Review Phishing Campaigns

Note:We’re updating the look of phishing templates! We’ll be migrating to this new experience by October 2024. For more information, see the Phishing Templates Guide.

After you create a phishing campaign, you can monitor and review your campaign results from the Campaigns subtab of your KnowBe4 console. From this subtab, you can monitor your one-time phishing campaigns and ongoing phishing campaigns, view detailed user failure reports for each campaign, and more.

For information about creating and managing a phishing campaign, see our Create and Manage Phishing Campaigns article. If you prefer video tutorials, see our Monitoring Phishing Campaigns video. 

Monitoring Your Phishing Campaigns

To monitor an individual phishing campaign, log in to your KnowBe4 console and navigate to Phishing > Campaigns. To monitor a callback phishing campaign, navigate to Phishing > Callback Phishing > Campaigns.

On the Campaigns subtab, you will be able to view a list of all your phishing campaigns and details about each campaign. These details include the groups enrolled in each campaign, when the last test email was sent in the campaign, the campaign’s status, and more.

For more information about the Campaigns subtab, see the Managing Phishing Campaigns section of our Create and Manage Phishing Campaigns article. For more information on callback phishing campaigns, see the Managing Callback Phishing Campaigns section of our Create and Manage Callback Phishing Campaigns article

Note: If you see an icon that says Managed next to your campaign, that means that the phishing campaign was created by your account's managed service provider. Changes to this campaign will break the link between this campaign and the parent-managed phishing campaign. If the campaign has editing disabled, there will be a lock icon next to the managed icon.

If you’d like to view more information about one specific campaign, you can click on the campaign’s name. When you click on the campaign name, you’ll be taken to the campaign’s Overview page. On this page, you can view reports and information about the specific campaign.

The information available on the campaign’s overview page will vary depending on whether the campaign was a one-time phishing test or an ongoing or recurring phishing campaign. For details about monitoring a one-time phishing test or an ongoing or recurring phishing campaign, see the subsections below.

Monitoring a One-Time Phishing Test

If your campaign was a one-time test, the campaign’s Overview page displays the average Phish-prone Percentage for the campaign, the number of clicks in the first eight hours of the campaign, the number of clicks by day, where the clicks occurred, and more.

To learn more about the information available on the Overview page for a one-time phishing campaign, see the list below:

Note: Callback phishing campaigns are always one-time tests.

  1. Preview Status Report Email: You can click this button to open a window that displays the current report for the phishing campaign. At the bottom of the window, you can also enter an email address to send the current report to.
  2. Download Failures: You can click this button to download a CSV file with information about these failures.
  3. Failures in the First 8 Hours: You can click this button to display a graph that shows how many failures occurred in the first eight hours and at what time they occurred.
  4. This Phishing Security Test: You can click this button to display a chart that shows information about your phishing security test. The chart will display the campaign’s status, Phish-prone Percentage, number of users who received the phishing test, number of users who failed the phishing test, the campaign’s end date, and more. The campaign’s end date is a combination of three values: the date of the first email, the sending duration, and the tracking duration.
    • Date of the first email: This represents the date, in Pacific Standard Time (PST), of the first email sent during the phishing campaign. 
    • Sending duration: This represents the period of time when your phishing campaign emails were all sent out.
    • Tracking duration: This represents the period of time you track emails from your phishing campaign.
  5. Failures by Day: You can click this button to display a graph that shows how many failures occurred on specific days during the campaign.
  6. Phishing Email: You can click this button to display a chart that shows information about the email used in the phishing test including the From address, To address, Reply-To address, Subject, included attachments, phish domain, and a preview of the landing page.
  7. Failures by IP Address Location: You can click this button to display a map that shows the locations of the IP addresses where the failures occurred. For more information about this map, see the Using the Failures by IP Address Location Map section of this article.
  8. Callback Settings: This chart shows information about your callback settings, including the phone number used and a preview of the greeting template and response template used.
    Note:This chart will only appear for callback phishing campaigns. 

To monitor a specific user’s progress for this phishing test, click the Users subtab at the top of the page. For more information about the details available on the Users subtab, see the User Failure Reports section of this article.

Monitoring an Ongoing or Recurring Phishing Campaign

If your campaign is either recurring or ongoing, the campaign’s Overview page will include the average Phish-prone Percentage throughout the campaign, a list of the top 50 users that clicked on phishing links in test email, and more.

To learn more about the information available on the Overview page for an ongoing or recurring phishing campaign, see the list below:

  1. Phish-prone % Over Time (1 year): This graph shows how your users’ average Phish-prone Percentage for this campaign has changed over one year.
  2. Phishing Security Tests: On recurrent campaigns, you can click this tab to view an overview of each individual phishing test in your campaign. You can then click on the name of each individual phishing test for more information about that campaign. For more information, see the User Failure Reports section of this article.
  3. Download All Failures: Click this button to download a CSV file with information about all failures in the campaign.
  4. This Campaign: This chart shows the status of the campaign, the most recent Phish-prone Percentage, and the number of phishing security tests that had been run.
  5. Top 50 Clickers: This table shows the users who have clicked the most phishing links in the campaign. You can view the user’s name, email address, and the number of times they’ve clicked on a phishing link in the campaign.
  6. Download Top Clickers: Click this button to download a CSV file with information about the users who have clicked the most phishing links in the campaign.

Using the Failures by IP Address Location Map

On the Overview page for any individual phishing test, you can view a map of exactly where your phishing test failures occurred. This map is generated by determining where the IP address is located.

You can hover over any area on your map to view both the IP address and the number of failures in that area.

If your phishing test failures only occur in one country, you will only see a map of that country. For example, if your users are all located in the United States, they would see a map like the one shown below.

User Failure Reports

On the Users subtab of any individual phishing test in a campaign, you can see which users failed your phishing test. We track several types of failures, including clicking on links, opening attachments, enabling macros on attachments, and entering data on a landing page. If you've installed our Phish Alert Button, you can also see if your users reported the email as a phishing email.

To navigate to the Users subtab of a phishing test, follow the steps below:

  1. Log in to your KnowBe4 console and navigate to Phishing > Campaigns.
  2. Click the name of the campaign in which the simulated phishing test was sent.
  3. Click the Phishing Security Tests subtab.
  4. Click the simulated phishing test category that you’d like to view.
  5. Click the Users subtab.
Important:If you need to remove a phishing test failure from your reports, see our Remove Failures from Phishing Reports article.

For more information about the Users subtab, see the list below:

  1. Recipients: This column shows all users who will receive a simulated phishing email.
  2. Delivered: This column shows the number of simulated phishing emails delivered to your users.
  3. Opened: This column shows the number of users who have opened a simulated phishing email. When a user opens a simulated phishing email, this open is recorded using a small tracking image automatically placed in each email. When the image loads, we are able to track the open in our system. If you’d like, you can remove this tracking image from all phishing tests in your Account Settings.
    Important:Opening the email is not considered a phishing test failure and does not contribute to a user's Phish-prone Percentage calculation.
  4. Clicked: This column shows the number of users who clicked a phishing link. You can click the column filter to view additional results, including the clickers in the campaign, the date and time they clicked, their browser, their operating system, their IP address, and more.
  5. QR Code Scanned: This column shows the number of users who scanned a QR code. You can click the column filter to view additional results, including the date and time they scanned, their browsers, their operating system, their IP address, and more.
  6. Replied: This column shows the number of users who replied to a phishing email. You can click the column filter to view additional results, including all users who replied to a phishing email and the reply the user sent.
    Note:To view users who replied to a phishing email and to view their replies, you must have enabled Track Replies to Phishing Emails and Keep reply content for later review when you created the campaign. For more information, see our Reply-to Phishing Guide.
  7. Attachment Open: This column shows the number of users who opened an attachment in the simulated phishing email. You can click the column filter to view additional results, including a list of any users who opened the attachment if you added attachments to the email.
  8. Macro Enabled: This column shows the number of users who enabled macros from the simulated phishing email. If you sent a simulated phishing email with an attachment that contains a macro, you can click the column filter to view more information about users who enabled the macro.
  9. Data Entered: This column shows the number of users who entered data into a landing page. You can click the column filter to view additional information about the users who entered data into a landing page.
  10. Reported: This column shows the number of users who successfully reported this phishing test using the Phish Alert Button. You can click the column filter to view more information about these users.
  11. Bounced: This column shows the number of emails that bounced. If our simulated phishing test was not able to deliver to your mail server, it will bounce. You can click the column filter to view more information about the emails that bounced, including the email addresses affected by the bounce and the reason for the bounce.
  12. Bulk Update: Click this button to open the Bulk Update Users pop-up window. You can upload a CSV file that lists specific users in order to remove phishing test failures and add PAB report events for multiple users at once.
  13. Download CSV: Click this button to download a CSV file with information about all users in the campaign.
  14. Email Preview: To preview the original phishing template the user received, click the envelope icon. From the preview window, you can also click the Send Me a Test Email button to view this phishing template in your inbox.
    Note:If you click the phishing link while previewing the phishing template, your default landing page will open regardless of the landing page you selected for this phishing campaign.

Can't find what you're looking for?

Contact Support