Try this first
- 1Track three numbers, not one: click rate (who clicks), report rate (who reports), and repeat offenders (who keeps clicking after training). Click rate alone drives panic or complacency.
- 2Compare over six months, not month-to-month. A hard simulation lifts click rate briefly, an easy one drops it, neither reflects real risk.
- 3Split by department. Finance, HR and execs see targeted phishing more often and deserve their own line in the report.
- 4Compute report rate as a percentage of people who saw the mail (not received). Most tools show this under Reach. A 30 percent report rate on a targeted phish is strong.
- 5Look at time-to-first-report. Under two minutes means your team is alert. Above the hour means nobody is watching or the report button is not visible.
When to bring us in
If numbers stagnate despite training, do not pile on more simulations, look at the actual mail stack. Weak spam filtering, no report button, no feedback after a report, these are structural blockers awareness cannot punch through.
See also
- I think I clicked a phishing linkNo shame, happens to everyone. The next fifteen minutes matter.
- A colleague's account is acting strangelySending mail in their name, rules hiding folders, unusual sign-ins. Suspicious.
- Lost the MFA app: new phone, no backup codesClassic problem after a phone upgrade. You are not the first to be locked out.
None of the above fits?
Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.