Example Data Table
| Campaign | Sent | Delivered | Opened | Clicked | Credentials | Reported | Success Rate |
|---|---|---|---|---|---|---|---|
| Finance Impersonation | 1,000 | 955 | 410 | 82 | 13 | 68 | 1.36% |
| Password Reset Lure | 1,500 | 1,440 | 760 | 205 | 34 | 102 | 2.36% |
| Shared Document Trap | 900 | 870 | 392 | 97 | 18 | 75 | 2.07% |
| Invoice Attachment Test | 800 | 776 | 366 | 64 | 10 | 88 | 1.29% |
Formula Used
Delivered = Emails Sent − Delivery Failures
Open Rate (%) = Opened ÷ Delivered × 100
Click Through Rate (%) = Clicked Links ÷ Delivered × 100
Click To Open Rate (%) = Clicked Links ÷ Opened × 100
Credential Submission Rate (%) = Credential Submissions ÷ (Clicked Links + QR Scans) × 100
Overall Success Rate (%) = Estimated Successful Users ÷ Delivered × 100
Estimated Successful Users = Credentials + (QR Scans × QR Weight) + (Attachment Opens × Attachment Weight) + (Macro Enables × Macro Weight)
Estimated Exposure Loss = Estimated Successful Users × Average Loss per Successful User
The resilience score blends success, click, open, and reporting behavior into one bounded 0–100 indicator. Higher scores suggest stronger phishing resistance.
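The formulas above applied in Python, as an added example that is not the calculator's own code. The class, function and field names are assumptions, the first campaign is row 1 of the example table, and the QR and macro counts, weights and loss figure in the second are constructed.

```python
from dataclasses import dataclass

@dataclass
class Campaign:
    """Counts from one simulated phishing campaign (field names are assumptions)."""
    sent: int
    failures: int
    opened: int
    clicked: int
    credentials: int
    qr_scans: int = 0
    attachment_opens: int = 0
    macro_enables: int = 0

def pct(numerator, denominator):
    """Percentage rounded to 2 places; 0.0 when the denominator is zero."""
    return round(100.0 * numerator / denominator, 2) if denominator else 0.0

def campaign_metrics(c, qr_w=0.0, att_w=0.0, macro_w=0.0,
                     loss_per_user=0.0, target_max_pct=None):
    """Apply the page's formulas; with zero weights only credentials count."""
    if c.failures > c.sent:
        raise ValueError("delivery failures exceed emails sent")
    delivered = c.sent - c.failures
    if max(c.opened, c.clicked, c.credentials) > delivered:
        raise ValueError("a behavior count exceeds delivered messages")
    successful = (c.credentials + c.qr_scans * qr_w
                  + c.attachment_opens * att_w + c.macro_enables * macro_w)
    result = {
        "delivered": delivered,
        "open_rate": pct(c.opened, delivered),
        "click_through_rate": pct(c.clicked, delivered),
        "click_to_open_rate": pct(c.clicked, c.opened),
        "credential_submission_rate": pct(c.credentials, c.clicked + c.qr_scans),
        "estimated_successful_users": successful,
        "overall_success_rate": pct(successful, delivered),
        "estimated_exposure_loss": successful * loss_per_user,
    }
    if target_max_pct is not None:
        result["within_target"] = result["overall_success_rate"] <= target_max_pct
    return result

# Row 1 of the example table (Finance Impersonation): 1,000 sent, 955 delivered.
finance = Campaign(sent=1000, failures=45, opened=410, clicked=82, credentials=13)
# Constructed weighted case: row 2 plus invented QR/macro counts and weights.
reset = Campaign(sent=1500, failures=60, opened=760, clicked=205, credentials=34,
                 qr_scans=20, macro_enables=4)

if __name__ == "__main__":
    print(campaign_metrics(finance, target_max_pct=2.0))
    print(campaign_metrics(reset, qr_w=0.25, macro_w=0.5, loss_per_user=250.0))
```

With all weights at zero the first call reproduces the 1.36% success rate in the table; the weighted call shows how QR scans and macro enables raise the estimate above the credentials-only figure.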
How to Use This Calculator
- Enter the campaign name and the total number of emails sent.
- Add delivery failures so the calculator can determine actual delivered messages.
- Enter observed behaviors such as opens, clicks, QR scans, credential submissions, attachment opens, macro enables, and reported messages.
- Provide an average loss estimate per successful compromise and your campaign cost.
- Choose the success model that best matches your internal risk methodology.
- Adjust the QR, attachment, and macro weights if you use weighted compromise scoring.
- Set a target maximum success rate to compare current results with your benchmark.
- Press Calculate to view the result block above the form, inspect the chart, and export the summary as CSV or PDF.
FAQs
1) What does phishing success rate mean?
It measures the share of delivered messages that led to a risky outcome. Depending on your model, that outcome can be credential theft, macro activation, or a weighted compromise estimate.
2) Why does the calculator use delivered emails instead of sent emails?
Delivered emails reflect what employees actually received. Using sent totals can understate risk because bounced or blocked messages never reached the target population.
3) When should I use the weighted compromise model?
Use it when risky actions have different severities. A credential submission is usually worse than a QR scan, while macro enablement can indicate a deeper compromise path.
4) What does report rate tell me?
Report rate shows how many employees identified and escalated the suspicious message. Higher reporting often indicates stronger awareness, better playbooks, and faster incident response opportunities.
5) Is click rate enough to measure phishing risk?
No. Clicks show curiosity or initial failure, but they do not always reflect compromise. Credential submission, attachment behavior, and reporting create a more complete risk picture.
6) How should I choose the loss per successful user?
Use historical incident costs, internal downtime estimates, help desk effort, credential reset expense, or conservative breach assumptions. Consistent assumptions make comparisons across campaigns more meaningful.
7) What is a good phishing success benchmark?
Benchmarks vary by industry, job function, and campaign difficulty. Many teams target a low single-digit success rate and steadily rising report rates over time.
8) How often should results be reviewed?
Review every campaign, then compare monthly or quarterly trends. Repeated analysis helps identify departments needing training, validate awareness programs, and refine your detection strategy.