
What a Phishing Simulation Actually Reveals

Most businesses are surprised by the results. Here is what click rates, report rates, and credential submissions tell you about your real security posture.

You can deploy firewalls, endpoint protection, and SIEM dashboards, but none of it matters if an employee clicks a link and hands over their credentials. Phishing remains the number-one initial attack vector for data breaches, and small to mid-sized businesses are disproportionately targeted because attackers know their defenses are thinner.

A phishing simulation tests your human layer by sending realistic but harmless phishing emails to your staff and measuring who clicks, who reports, and who enters credentials on a fake login page. The results are rarely what leadership expects. Here is what they typically reveal and what you should do about it.

Click Rate Is Not the Only Metric That Matters

Most organizations fixate on the click rate: the percentage of employees who clicked the simulated phishing link. Industry benchmarks for first-time simulations land between 20% and 35% for organizations under 250 employees. That number drops significantly after repeated testing, but only if the testing is paired with targeted training.

The more telling metric is the report rate — the percentage of recipients who flagged the email as suspicious using their email client's "Report Phish" button or by forwarding it to IT. In a mature security culture, the report rate should exceed the click rate. In most first-time simulations, it is below 5%. That gap is your real exposure: people who neither clicked nor reported the email simply ignored it, which means a real attack would have sailed past your human detection layer unnoticed.

What This Tells You

A low report rate means your employees do not have a clear, practiced mechanism for escalating suspicious emails. Before running another simulation, make sure a "Report Phish" button is deployed to every inbox and that employees know exactly what happens when they click it.

Credential Submission Is the Real Red Flag

Clicking a link is concerning. Entering credentials on a fake login page is a breach waiting to happen. In our assessments, between 8% and 15% of employees who click a phishing link will go on to enter their username and password on a convincing login page. For organizations without multi-factor authentication, those credentials give an attacker direct access to email, file shares, and cloud applications.

This is also where the conversation shifts from awareness training to technical controls. Even with perfect training, some employees will always fall for a well-crafted phish. MFA, conditional access policies, and enterprise password management provide the safety net that catches what training misses.

Why Organizations Under 50 Employees Are Most Vulnerable

Smaller organizations consistently show higher click rates in our simulations. The reasons are structural, not personal. In a 30-person company, most employees know each other and trust internal communications implicitly. A phishing email that impersonates a coworker or the CEO carries more weight because the recipient thinks they know the sender. There is no anonymous IT department to verify with — the "IT person" is often someone wearing three other hats.

Small organizations also tend to lack formal security awareness training programs. Without periodic reinforcement, employees default to trusting email at face value. A single simulation paired with a 15-minute training session can cut click rates in half within 90 days, but only if it becomes a recurring program rather than a one-time exercise.

Turning Simulation Data Into Actionable Security

A phishing simulation is diagnostic, not punitive. Naming and shaming employees who clicked is counterproductive and erodes the trust needed for people to report real threats. Instead, use the data to identify patterns: which departments clicked most, which phishing pretexts were most effective, and whether specific roles (finance, HR, executive assistants) are disproportionately targeted.

Then build a layered response. Deploy targeted micro-training for high-risk groups within 48 hours of the simulation. Implement or verify MFA across all externally accessible applications. Establish a reporting workflow so flagged emails reach your security team (or managed services provider) in real time. And schedule the next simulation for 90 days out to measure progress.
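As an added example (not the author's or Bullium's own tooling), the script below computes the metrics this article discusses (click rate, report rate, credential submissions among clickers, and the "ignored" gap between them) and the per-department and per-pretext breakdowns recommended above from a per-recipient result export. The record layout and the ten sample records are constructed assumptions, not real assessment data.

```python
from collections import defaultdict

def rec(dept, role, pretext, clicked, submitted, reported):
    # A recipient may click and then report (clicked=True, reported=True);
    # submitting credentials on the fake login page implies a click.
    assert not submitted or clicked
    return {"dept": dept, "role": role, "pretext": pretext,
            "clicked": clicked, "submitted": submitted, "reported": reported}

# Constructed sample campaign (10 recipients); not real assessment data.
RESULTS = [
    rec("Finance", "AP clerk", "invoice", True, True, False),
    rec("Finance", "controller", "invoice", True, False, True),
    rec("HR", "recruiter", "shared-doc", True, True, False),
    rec("HR", "HR manager", "shared-doc", False, False, True),
    rec("Engineering", "developer", "password-reset", False, False, False),
    rec("Engineering", "developer", "password-reset", False, False, True),
    rec("Sales", "account exec", "ceo-request", True, False, False),
    rec("Sales", "account exec", "ceo-request", False, False, False),
    rec("Ops", "office manager", "shared-doc", False, False, False),
    rec("Exec", "executive assistant", "ceo-request", True, True, False),
]

def campaign_metrics(results):
    """Headline metrics as fractions of recipients; credential rate is per clicker."""
    n = len(results)
    clicked = sum(r["clicked"] for r in results)
    submitted = sum(r["submitted"] for r in results)
    reported = sum(r["reported"] for r in results)
    # The silent group: neither clicked nor reported, so a real phish passes unnoticed.
    ignored = sum(1 for r in results if not (r["clicked"] or r["reported"]))
    return {
        "click_rate": clicked / n,
        "report_rate": reported / n,
        "credential_rate_among_clickers": submitted / clicked if clicked else 0.0,
        "ignored_rate": ignored / n,
        "report_rate_exceeds_click_rate": reported > clicked,
    }

def click_rate_by(results, key):
    """Click rate per group for key in {"dept", "role", "pretext"}, highest first."""
    clicks, totals = defaultdict(int), defaultdict(int)
    for r in results:
        totals[r[key]] += 1
        clicks[r[key]] += int(r["clicked"])
    return sorted(((g, clicks[g] / totals[g]) for g in totals), key=lambda kv: -kv[1])

if __name__ == "__main__":
    for name, value in campaign_metrics(RESULTS).items():
        print(f"{name}: {value}")
    print("click rate by pretext:", click_rate_by(RESULTS, "pretext"))
```

The `ignored_rate` is the exposure the article describes: recipients who gave the security team no signal at all. Feeding the `click_rate_by` output into the 48-hour micro-training plan tells you which group or pretext to start with.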

The Bullium Approach

Our security assessments include phishing simulations as part of a broader evaluation that covers network vulnerabilities, endpoint hygiene, and policy gaps. We deliver the results in a format leadership can act on — not a spreadsheet of email addresses, but a risk-prioritized roadmap with specific next steps for your organization's size and industry.

Ready to Test Your Human Firewall?

A phishing simulation takes days to set up and delivers months of actionable insight. Let us run one for your organization and show you exactly where your human layer stands.