When most teams run their first phishing simulation, they fixate on one number: the click rate. The CISO sees 27%, and either panics or feels vindicated, depending on what they expected. Both reactions miss the point.
Click rate is a starting reading, not a verdict. The real value of phishing simulations is in the pattern they reveal over time and across teams.
The four numbers that matter
- Click rate. Percentage of recipients who clicked the link in the simulation email.
- Credential submission rate. Of those who clicked, how many actually typed credentials into the fake page. This is the real breach rate.
- Reporting rate. Percentage who reported the email as phishing. A reporting culture is more valuable than a low click rate.
- Time to first report. How quickly someone raised the alarm. In a real attack, minutes matter.
What good progress looks like
A first-time simulation typically produces a click rate between 25 and 40%, a credential submission rate of around 15%, and a reporting rate close to zero. Six months into a structured program, expect click rates under 10%, credential submission near 2%, and reporting rates above 40%.
The reporting rate is the most under-watched metric. A team that reports phishing quickly catches real attacks early. A team that never reports is operating blind.
Where the patterns live
Aggregate numbers hide what you need to act on. Slice the data by department, by tenure, and by phishing scenario type. You will typically find:
- Sales and customer support teams have higher click rates because their job is to open unknown emails.
- New hires within their first 90 days click at twice the rate of long-tenured staff.
- Invoice and HR-themed lures have the highest credential submission rates.
Each of these tells you where to spend training time. A single high-risk team improving from 35% to 8% changes your overall risk profile far more than another company-wide email.
What to avoid
Do not use phishing simulations to punish people. The moment staff fear retaliation, they stop reporting suspicious emails, including the real ones. The point is education, not embarrassment. Brief people that simulations are part of the security program, give them training when they click, and celebrate teams that improve.
Click rate is just the headline. The story is in the trend.