When it comes to reporting on GoPhish metrics there’s a fair bit you can do to justify the exercise.
Once you’ve exported all the CSV data from your campaign. Load it up in a spreadsheet and use these as guides for metrics.
Total amount of emails sent:
Count all occurrences of text using
Total amount read:
Users at which point viewed the email but went no further
Total amount that clicked the link:
Users at which point clicked the link but did not submit credentials
Total amoun of users that submitted credentials:
Users who went on to fully complete the scam and submit their credentials
You should now have a pretty simple metric of success. What management like to see though is some interpretation of data. Rather than saying
“We managed to scam 15% of our end users!”
You could say
“We managed to benchmark that whilst 15% of our users submitted credentials, 25% actually got to the page and did not input them.”
You could also work a metric for the likely hood of follow through.
((‘clicked link’ users + ‘submitted data’ users)/100)*’Submitted data’ users
The above will show you out of how many people clicked the email link then went on to submit data. These metrics are important. As you will likely be able to identify fault points in education. Users may well be very successful at detecting a spammy email…. but what about a spammy website?
Once you have your statistics and opinions together, you will likely then need to get involved in end user awareness programs. You funnily enough have a list of ‘users of concern’. Approach them privately as they may feel like they’ve been tricked, maybe embarrassed. There is no justification in the naming and shaming of end users. But they do need to be identified for focused training.