What Are Click Rate and Report Rate
Click rate is the percentage of employees who clicked the malicious link or entered credentials in a phishing simulation. If you send a phishing simulation to 1,000 employees and 100 click it, your click rate is 10%. Report rate is the percentage of employees who flagged the message as suspicious or reported it to security. Using the same simulation, if 150 employees reported it, your report rate is 15%. Both metrics come from the same phishing simulation campaign, but they measure fundamentally different behaviors. Click rate tells you who was fooled. Report rate tells you who is actively protecting the organization.
Why Report Rate Matters More Than Click Rate
Organizations obsess over click rate because it's easy to understand: lower is better. But click rate alone misses the point. A 5% click rate looks great until you realize 95% of employees never reported the message either. They just deleted it or ignored it. An employee who doesn't click but also doesn't report isn't adding security value. Report rate reveals active security behavior. A security culture with a 50% report rate is far more valuable than one with an 85% non-report rate, because those reporters are actively hunting threats. In mature organizations, report rate becomes the primary metric. High report rates mean employees have the confidence, speed, and psychological safety to escalate threats instantly. That's how threats get caught before they become breaches.
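As an added example (not taken from any vendor's tooling), the sketch below computes click rate, report rate, and the silent share that neither clicked nor reported from raw simulation events, counting each recipient once per behavior. The event tuple layout and action names are assumptions made for illustration, and the sample data is constructed.

```python
from collections import defaultdict

# Constructed sample data: two campaigns sent to the same ten recipients.
USERS = [f"u{i:02d}" for i in range(1, 11)]
EVENTS = [(c, u, "sent") for c in ("2024-01", "2024-02") for u in USERS] + [
    ("2024-01", "u01", "clicked"),
    ("2024-01", "u01", "clicked"),                # repeat click, counted once
    ("2024-01", "u01", "submitted_credentials"),  # same person, still one clicker
    ("2024-01", "u02", "clicked"),
    ("2024-01", "u03", "clicked"),
    ("2024-01", "u03", "reported"),               # clicked, then reported
    ("2024-01", "u04", "reported"),
    ("2024-01", "ext", "reported"),               # not a recipient, ignored
    ("2024-02", "u02", "clicked"),
] + [("2024-02", u, "reported") for u in USERS[2:7]]

FOOLED = {"clicked", "submitted_credentials"}     # hypothetical action names


def campaign_metrics(events):
    """Per-campaign rates in percent, counting each recipient once per behavior."""
    sent, fooled, reported = defaultdict(set), defaultdict(set), defaultdict(set)
    for campaign, user, action in events:
        if action == "sent":
            sent[campaign].add(user)
        elif action in FOOLED:
            fooled[campaign].add(user)
        elif action == "reported":
            reported[campaign].add(user)
    metrics = {}
    for campaign in sorted(sent):
        recipients = sent[campaign]
        c = fooled[campaign] & recipients      # drop events from non-recipients
        r = reported[campaign] & recipients
        pct = lambda group: round(100 * len(group) / len(recipients), 1)
        metrics[campaign] = {
            "click_rate": pct(c),
            "report_rate": pct(r),
            "silent_rate": pct(recipients - c - r),  # neither clicked nor reported
            "clicked_and_reported": len(c & r),
        }
    return metrics


def trend(metrics, key):
    """Change in percentage points between the first and last campaign."""
    ordered = [metrics[c][key] for c in sorted(metrics)]
    return round(ordered[-1] - ordered[0], 1)
```

Click rate and report rate do not sum to 100%: someone who clicks and then reports counts in both, which is why the silent share is tracked separately.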
Industry Benchmarks
Untrained employees typically show click rates around 30% based on KnowBe4 data. After security awareness training, that drops to roughly 5-10%. Click rates plateau there without ongoing reinforcement. Report rates vary much more widely, from 10% in organizations without structured phishing programs to 70% in mature security cultures. Organizations that run monthly simulations, provide instant feedback, and celebrate reporters reach 50-70% report rates within 12-18 months. Phishing simulations with immediate educational feedback drop click rates faster than training alone. The correlation is strong: organizations investing in frequent, feedback-rich simulations see click rates below 5% and report rates above 40%. Benchmarking yourself matters, but your own trend matters more. A 40% report rate with steady growth beats 50% with stagnation.
How to Improve Report Rates
Make reporting frictionless. Employees need a one-click report button in their email client, not a process that requires finding an email address or filling out a form. Provide instant positive feedback in the reporting flow: "Thank you! You've helped stop a threat." Publish results so teams see impact. Monthly newsletters showing reported phishing attempts, prevented breaches, or threat trends keep security front-of-mind. Gamification accelerates reporting culture. Recognize top reporters in team standups or internal communications. Make it status-positive to report, not a sign of gullibility. Run simulations frequently enough that reporting becomes muscle memory, but not so frequently that it becomes noise. Every two weeks works well. Train managers to praise reports, not punish them. A single public criticism of someone who fell for a simulation tanks report rates across the org.
Frequently Asked Questions
What's a good report rate to target?
Target 40% as a minimum within 12 months of consistent effort, and 60%+ as a mature state. Organizations at 70%+ report rates have extremely strong security cultures where threat reporting feels normal and safe.
Why do some employees never report anything even when click rate is low?
They're not engaged with security. Low click rate means they avoided clicking, but high non-reporting means they either didn't notice or didn't feel confident reporting. These employees need different training or messaging to activate them.
Should we focus on reducing click rate or increasing report rate?
Both, but report rate first. A high click rate with high reporting means employees are catching threats. A low click rate with low reporting means you don't have visibility into what employees are thinking.
How often should we run phishing simulations to build report rates?
Every 2-4 weeks works best for building muscle memory. Monthly simulations are the minimum for culture change. Run them less often than quarterly and the behavior won't stick.