Monitoring and Reviewing Phishing Campaigns
After you create a phishing campaign, you can monitor and review your campaign results from the Campaigns subtab of your KnowBe4 console. From this subtab, you can monitor your one-time phishing campaigns and ongoing phishing campaigns, view detailed user failure reports for each campaign, and more.
Click the jump links below to learn how to monitor and review your phishing campaigns. If you prefer video tutorials, see our Monitoring Phishing Campaigns video. For information about creating and managing a phishing campaign, see our Creating and Managing Phishing Campaigns article.
Monitoring Your Phishing Campaigns
To monitor an individual phishing campaign, log in to your KnowBe4 console and navigate to Phishing > Campaigns.
On the Campaigns subtab, you will be able to view a list of all your phishing campaigns and details about each campaign. These details include the groups enrolled in each campaign, when the last test email was sent in the campaign, the campaign’s status, and more.
If you’d like to view more information about one specific campaign, you can click on the campaign’s name. When you click on the campaign name, you’ll be taken to the campaign’s Overview page. On this page, you can view reports and information about the specific campaign.
The information available on the campaign’s overview page will vary depending on whether the campaign was a one-time phishing test or an ongoing or recurring phishing campaign. For details about monitoring a one-time phishing test or an ongoing or recurring phishing campaign, see the subsections below.
Monitoring a One-Time Phishing Test
If your campaign was a one-time test, the campaign’s Overview page will include the average Phish-prone Percentage for the campaign, the number of clicks in the first eight hours of the campaign, the number of clicks by day, where the clicks occurred, and more.
To learn more about the information available on the Overview page for a one-time phishing campaign, see the list below:
- Failures in the First 8 Hours: This graph shows how many failures occurred in the first eight hours and at what time they occurred.
- This Phishing Security Test: This chart shows information about your phishing security test including the campaign’s status, Phish-prone Percentage, number of users who received the phishing test, number of users who failed the phishing test, and the campaign’s end date.
- Failures by Day: This graph shows how many failures occurred on specific days during the campaign.
- Phishing Email: This chart shows information about the email used in the phishing test including the From address, To address, Reply-To address, Subject, included attachments, phish domain, and a preview of the landing page.
- Failures by IP Address Location: This map shows the locations of the IP addresses where the failures occurred. For more information about this map, see the Using the Failures by IP Address Location Map section of this article.
- Download Failures: Click this button to download a CSV file with information about these failures.
To monitor a specific user’s progress for this phishing test, click the Users subtab at the top of the page. For more information about the details available on the Users subtab, see the User Failure Reports section of this article.
Monitoring an Ongoing or Recurring Phishing Campaign
If your campaign is either recurring or ongoing, the campaign’s Overview page will include the average Phish-prone Percentage throughout the campaign, a list of the top 50 users that clicked on phishing links in test email, and more.
To learn more about the information available on the Overview page for an ongoing or recurring phishing campaign, see the list below:
- Phish-prone % Over Time (1 year): This graph shows how your users’ average Phish-prone Percentage for this campaign has changed over one year.
- Phishing Security Tests: On recurrent campaigns, you can click this tab to view an overview of each individual phishing test in your campaign. You can then click on the name of each individual phishing test for more information about that campaign. For more information, see the User Failure Reports section of this article.
- Download All Failures: Click this button to download a CSV file with information about all failures in the campaign.
- This Campaign: This chart shows the status of the campaign, the most recent Phish-prone Percentage, and the number of phishing security tests that had been run.
- Top 50 Clickers: This table shows the users who have clicked the most phishing links in the campaign. You can view the user’s name, email address, and the number of times they’ve clicked on a phishing link in the campaign.
- Download Top Clickers: Click this button to download a CSV file with information about the users who have clicked the most phishing links in the campaign.
Using the Failures by IP Address Location Map
On the Overview page for any individual phishing test, you can view a map of exactly where your phishing test failures occurred. This map is generated by determining where the IP address is located.
You can hover over any area on your map to view both the IP address and the number of failures in that area.
If your phishing test failures only occur in one country, you will only see a map of that country. For example, if your users are all located in the United States, they would see a map like the one shown below.
User Failure Reports
On the Users subtab of any individual phishing test in a campaign, you can see which users failed your phishing test. We track several types of failures, including clicking on links, opening attachments, enabling macros on attachments, and entering data on a landing page. If you've installed our Phish Alert Button, you can also see if your users reported the email as a phishing email.
To navigate to the Users subtab of a phishing test, follow the steps below:
- Log in to your KnowBe4 console and navigate to Phishing > Campaigns.
- Click the name of the campaign in which the simulated phishing test was sent.
- Click the Phishing Security Tests subtab.
- Click the simulated phishing test category that you’d like to view.
- Click the Users subtab.
For more information about the Users subtab, see the list below:
- Recipients: This column shows all users who will receive a simulated phishing email.
- Delivered: This column shows the number of simulated phishing emails delivered to your users.
- Opened: This column shows the number of users who have opened a simulated phishing email. When a user opens a simulated phishing email, this open is recorded using a small tracking image automatically placed in each email. When the image loads, we are able to track the open in our system. If you’d like, you can remove this tracking image from all phishing tests in your Account Settings.
Note: Opening the email is not considered a phishing test failure and does not contribute to a user's Phish-prone Percentage calculation.
- Clicked: This column shows the number of users who clicked a phishing link. You can click the column filter to view additional results, including the clickers in the campaign, the date and time they clicked, their browser, their operating system, their IP address, and more.
- Replied: This column shows the number of users who replied to a phishing email. You can click the column filter to view additional results, including all users who replied to a phishing email and the reply the user sent.
Note: To view users who replied to a phishing email and to view their replies, you must have enabled Track Replies to Phishing Emails and Keep reply content for later review when you created the campaign. For more information, see our Reply-to Phishing article.
- Attachment Open: This column shows the number of users who opened an attachment in the simulated phishing email. You can click the column filter to view additional results, including a list of any users who opened the attachment if you added attachments to the email.
- Macro Enabled: This column shows the number of users who enabled macros from the simulated phishing email. If you sent a simulated phishing email with an attachment that contains a macro, you can click the column filter to view more information about users who enabled the macro.
- Data Entered: This column shows the number of users who entered data into a landing page. You can click the column filter to view additional information about the users who entered data into a landing page.
- Vulnerable Plugins: This column shows the number of users who were determined to have a browser extension or plugin that contained a known exploit.
Note: The Vulnerable Plugins scan feature is now retired. If you used this feature for a past campaign, the results will still display in this column.
- Reported: This column shows the number of users who successfully reported this phishing test using the Phish Alert Button. You can click the column filter to view more information about these users.
- Bounced: This column shows the number of emails that bounced. If our simulated phishing test was not able to deliver to your mail server, it will bounce. You can click the column filter to view more information about the emails that bounced, including the email addresses affected by the bounce and the reason for the bounce.
- Email Preview: To preview the original phishing template the user received, click the envelope icon. From the preview window, you can also click the Send Me a Test Email button to view this phishing template in your inbox.
Note: If you click the phishing link while previewing the phishing template, your default landing page will open regardless of the landing page you selected for this phishing campaign.