[bearcobra]

My company uses Knowbe4, and I'm constantly frustrated how it considers it a fail if I only click a link vs entering in credentials. Sometimes it's tough to tell if something is phishing when your checking email on your phone. Does Riot work the same way? Or do you test to see if users notice issues once they've actually opened something in the browser?

[jiveturkey]

That's not a knowbe4 thing, that's your company's choice.

opened/clicked/creds and so forth are various levels. Your company has decided that a mere click is a fail. also, in gmail, if you 'report phishing' (without clicking), gmail will "click" it for you as part of their back-end analysis. this will show up in the click report. this type of click is distinguishable from a user click, but it's not obvious and knowbe4 has zero docs on it.

Keep in mind, a mere click can in fact be a fail. There are still drive-by attacks that work simply by clicking.

[mike_d]

> I'm constantly frustrated how it considers it a fail if I only click a link vs entering in credentials

That is a failure. There is currently a Windows font parsing vulnerability that is being exploited in the wild just like this. If you click the link, you are subjecting your browser and OS to an attacker crafted payload.