
How to use the Phishing reports

Written by Sam Hopwell
Updated over a week ago

The new Phishing reports are designed to provide faster, more insightful, and consistent data, enabling you to better understand user behaviour, identify risks, and improve your phishing simulations. This guide will walk you through how to use the new Phishing reports effectively.

Accessing the Phishing reports

  1. Log in to your account.

  2. Navigate to the Admin menu.

  3. Select "Phishing Reports" under the Reports section.

  4. If you don't see this option, ensure the feature flag for your account is enabled. Contact your administrator if required.

Key features

The new Phishing reports are people-based rather than email-based, reflecting a shift towards understanding human behaviour. Key features include:

Overview page: View core metrics, such as the number of people who received, opened, clicked, or were phished. Identify trends over time with visual charts for phishing and reporting behaviours, and spot individuals with repeated high-risk behaviours.

Campaigns page: Explore metrics for specific phishing campaigns. View details such as the number of emails sent, actions taken by recipients (e.g., clicked, phished, reported), and overall campaign performance.

Groups page: Analyse phishing behaviours by user groups. View the number of phishing emails sent, group actions, and detailed group metrics.

People page: Access detailed metrics for individual users. See user-specific actions, group associations, and responses to phishing emails.

Activity log: A comprehensive log showing both user actions (e.g., clicks, reports) and delivery statuses (e.g., sent, bounced). Apply filters to focus on specific events, campaigns, groups, or date ranges.

How to use

Step 1: Analyse high-level metrics

Start on the Overview page to get a summary of key metrics. Look at:

  • How many people received phishing emails

  • How many people clicked, were phished, or reported phishing emails

  • Trends over time to identify patterns or spikes in risky behaviour

Step 2: Deep dive into campaigns

Go to the Campaigns page to assess the performance of specific phishing simulations. Examine:

  • Which campaigns had the highest phishing or reporting rates

  • The effectiveness of different phishing scenarios

Step 3: Assess group behaviour

On the Groups page, review how different groups within your organisation responded to phishing emails. Use this data to:

  • Identify high-risk groups that may need additional training

  • Compare group-level performance across different campaigns

Step 4: Review individual metrics

Navigate to the People page to drill down into individual user behaviour. This is useful for:

  • Identifying individuals with repeated risky behaviour

  • Providing targeted feedback or training to specific users

Step 5: Use the activity log

The Activity Log offers a detailed view of all actions and events. Use filters to:

  • Focus on specific time periods, campaigns, or user actions

  • Quickly identify and address delivery issues or anomalies

Understanding industry benchmarks

The phishing reports now include industry benchmarks so you can compare your organisation's phishing performance against the CybSafe average. You'll find these on the Overview page, displayed beneath the rate percentages for opened, clicked, phished, and reported metrics.

Where to find benchmarks

Benchmarks appear as a labelled row beneath each stat tile on the Overview page. Each benchmark sits directly below the corresponding metric, making it easy to spot how your rates compare at a glance.

How benchmarks are calculated

Benchmarks are people-based, consistent with how the rest of the phishing reports work. Each benchmark represents the percentage of people who performed a given action (opened, clicked, phished, or reported) across all CybSafe customers over a rolling six-month window.

Specifically, for any given day, the calculation is:

Benchmark rate = unique people who performed the action in the past 6 months ÷ unique people who received a phishing email in the past 6 months

For example, if the click benchmark is 12%, that means 12% of all people across CybSafe who received a phishing simulation in the last six months clicked on at least one.

A few things worth noting:

  • Rolling window: Benchmarks use a six-month look-back, so they reflect recent behaviour rather than all-time averages. This keeps the comparison relevant as the broader landscape shifts.

  • People, not emails: A person only needs to perform an action once in the six-month window to count. This matches how your own metrics work in the report.

  • Cross-customer average: The benchmark reflects the average across all CybSafe customers. It isn't filtered by industry or organisation size at this stage.

  • Daily refresh: Benchmark values update daily. The look-back window excludes the current day, so the number won't shift mid-session.

How to interpret benchmarks

Your rate compared to the benchmark tells you where you stand relative to peers:

  • Click or phished rate below benchmark: Your people are performing better than the CybSafe average. That's a strong signal your simulations and interventions are working.

  • Click or phished rate above benchmark: There's room to improve. Consider reviewing which campaigns or groups are driving the higher rate and targeting interventions there.

  • Reported rate above benchmark: Your people are more likely to flag suspicious emails than average. This is a positive indicator of a healthy reporting culture.

  • Reported rate below benchmark: You may want to reinforce the importance of reporting through communications or automated feedback using RESPOND workflows.

Each benchmark includes a coloured dot to give you a quick visual signal of how your rate compares:

  • Teal dot — your rate is better than the CybSafe benchmark, regardless of whether the number itself is higher or lower. For example, a click rate below benchmark or a reported rate above benchmark would both show teal.

  • Orange dot — your rate is worse than the benchmark. This highlights areas where there may be room to improve.

  • Grey dot — your rate is close to the benchmark, meaning you're broadly in line with the CybSafe average.

Best practices

⭐️ Monitor trends regularly: Use the Overview page to track trends over time and identify when behaviours improve or worsen.

⭐️ Target training efforts: Use data from the Groups and People pages to focus training resources where they're needed most.

⭐️ Leverage reporting metrics: Encourage users to report phishing emails and use the data to highlight positive behaviours.

⭐️ Compare campaign effectiveness: Use the Campaigns page to refine phishing scenarios and improve future simulations.

⭐️ Benchmark against industry averages: Use the industry benchmarks on the Overview page to set realistic targets and track progress. If your click rate sits above the benchmark, dig into the Groups and Campaigns pages to find where the gap is. If you're already outperforming, use it as evidence of programme effectiveness in your upward reporting.

Frequently asked questions

What's the difference between email-based and people-based metrics?

Email-based metrics (the older approach) count individual emails—how many were sent, opened, or clicked. People-based metrics (the new approach) count unique individuals who performed actions—how many people received, opened, or clicked on phishing emails.

This shift aligns with human risk management by focusing on behaviour patterns of individuals rather than raw email statistics. For example, if one person clicks on 10 different phishing emails, people-based metrics would count this as 1 person exhibiting risky behaviour, whilst email-based metrics would count it as 10 separate clicks.
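The people-based counting described here, and the rolling six-month rate from "How benchmarks are calculated", can be reproduced over an activity log. This is an added example, not CybSafe's code or export format: the log layout, the names, and the 182-day approximation of "six months" are assumptions, and the sample events are constructed.

```python
from datetime import date, timedelta

WINDOW_DAYS = 182  # assumption: "six months" approximated as 182 days

def build_sample_log():
    """Constructed activity log of (person, action, day); not CybSafe's export format."""
    log = []
    for i in range(10):  # ana receives and clicks 10 different simulations
        day = date(2024, 3, 1) + timedelta(days=7 * i)
        log += [("ana", "received", day), ("ana", "clicked", day)]
    log += [
        ("ben", "received", date(2024, 5, 10)), ("ben", "reported", date(2024, 5, 10)),
        ("cy", "received", date(2024, 6, 20)),
        # dee's events fall on the evaluation day, eve's fall before the window
        ("dee", "received", date(2024, 7, 1)), ("dee", "clicked", date(2024, 7, 1)),
        ("eve", "received", date(2023, 11, 15)), ("eve", "clicked", date(2023, 11, 15)),
    ]
    return log

def in_window(day, today):
    """Rolling look-back that ends yesterday: the current day is excluded."""
    return today - timedelta(days=WINDOW_DAYS) <= day < today

def people(log, action, today):
    """Unique people with at least one `action` event inside the window."""
    return {p for p, a, d in log if a == action and in_window(d, today)}

def email_count(log, action, today):
    """Email-based view: every event counts, repeats included."""
    return sum(1 for _, a, d in log if a == action and in_window(d, today))

def people_rate(log, action, today):
    """Rate = unique people who acted / unique people who received."""
    received = people(log, "received", today)
    return len(people(log, action, today)) / len(received) if received else 0.0

if __name__ == "__main__":
    log, today = build_sample_log(), date(2024, 7, 1)
    print("email-based clicks :", email_count(log, "clicked", today))
    print("people who clicked :", len(people(log, "clicked", today)))
    print("click rate         :", round(people_rate(log, "clicked", today), 3))
    print("reported rate      :", round(people_rate(log, "reported", today), 3))
```

Evaluating the same log one day later brings dee's events into the window, which is why the rate can change between days but not within a day.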

How can I see who fell for phishing AND reported it?

To identify users who both fell for phishing AND reported it:

  1. Navigate to the People page in the Phishing reports

  2. Use the filters to show people who were "Phished"

  3. Then apply a second filter for people who "Reported"

  4. The resulting list will show individuals who both fell for phishing and later reported it

This data is valuable for identifying users who recognise their mistakes and take appropriate action afterwards.

How can I see all non-reporters?

To identify users who didn't report phishing emails:

  1. Go to the People page in the Phishing reports

  2. Apply a filter for the relevant time period and campaigns

  3. Click on the filter button and select "Reported" = "No"

  4. The resulting list will show all users who received phishing emails but did not report them

This information helps identify users who may need additional training on the importance of reporting suspicious emails.

How do I identify people who clicked but didn't report?

To find users who clicked on phishing links but didn't report the emails:

  1. Navigate to the People page

  2. Apply a filter for "Clicked" = "Yes"

  3. Add another filter for "Reported" = "No"

  4. The resulting list will show all users who clicked on phishing links but failed to report the suspicious email

This group represents a high-risk segment that requires focused training on recognising and reporting phishing attempts.

How do I connect phishing reporting to our existing systems?

CybSafe can integrate with your existing security systems to streamline phishing reporting. For detailed instructions on setting up integrations with your email client or security tools, please refer to our Report Phish Button Integration Guide. This guide covers API connections, email forwarding options, and how to set up seamless reporting workflows that connect to your existing security infrastructure.

How do I provide instant feedback when users report simulations?

To provide automatic feedback when users report phishing simulations:

  1. Set up a workflow using our RESPOND feature that triggers when a user reports a phishing simulation

  2. Configure the feedback message or learning content to be delivered immediately

  3. Customise the response based on the user's actions (e.g., different feedback for users who reported without clicking versus those who clicked first)

For detailed instructions on setting up these automated feedback workflows, please refer to our Workflows and RESPOND Integration Guide.
