The problem with click rates
Two companies run phishing simulations. Here are their click rates.
Company A: 9% click rate
Company B: 18% click rate
Traditional metrics say Company A is safe and Company B is at risk.
Company A: 9% click rate. Looks safe.
Company B: 18% click rate. Looks risky.
But what emails did they actually send?
Company A: 9% click rate, NIST difficulty 1 / 7
From: Amazon Rewards
"Congradulations!! You Won a $500 Gift Card!!!"
Company B: 18% click rate, NIST difficulty 6 / 7
From: David Park, Finance
"Re: Q2 budget reforecast — updated spreadsheet"
Company A sent an obvious scam. 9% still clicked.

Company B sent a near-real email. Only 18% fell for it.
Company A: 9% click rate on a 1 / 7 email. Actually at risk.
Company B: 18% click rate on a 6 / 7 email. Actually resilient.
Same metric. Completely different story. That's why difficulty matters.
The NIST Phish Scale Framework

The benchmark for measuring human phishing detection difficulty.

Read the NIST publication

Every phishing email is scored from 1 to 7 based on how many red flags are visible and how well the scenario fits the recipient. Higher scores mean harder to detect.

Level 1, Obvious: typos, fake domains, too-good-to-be-true
Levels 2–3, Easy: generic brand impersonation
Level 4, Moderate: plausible but detectable
Levels 5–6, Difficult: role-targeted, few red flags
Level 7, Realistic: indistinguishable from a real email
Real-world example

In February 2024, a single email cost Pepco Group €15.5 million.

The European retailer lost the funds to a business email compromise attack. Here's what a BEC email at that difficulty level looks like — and how the NIST Phish Scale scores it.

Re: Vendor payment — urgent processing needed
From: Tomasz Nowak, CFO
To: me

Hi Anna,

Following up on the vendor payment we discussed in yesterday's call. The supplier has updated their banking details — I've attached the new wire instructions.

Can you process the transfer today? They've flagged it as overdue and it's holding up delivery for the Budapest distribution center.

Please don't loop in procurement on this one — I've already cleared it with their team directly and we need to move fast to avoid the late penalty.

Wire details attached. Let me know once it's sent.

Tomasz Nowak
Chief Financial Officer · Pepco Group
t.nowak@pepcogroup.com · +36 1 555 0147

Live NIST score

Cues found: 0 / 6
Cue density
Premise alignment
Audience
NIST score: 6 / 7
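How a score like the one in this widget can be computed from the inputs listed above (cues found, premise alignment) and the 1-to-7 scale described in the framework section, as an added example: this is not the vendor's scoring engine and not NIST's reference code. It crosses a count of observable cues with a premise-alignment rating, which is the idea behind the NIST Phish Scale, and then maps the result onto the page's 1-7 levels. The six cue checks, the few/some/many thresholds, the band matrix and the 1-7 mapping are this example's own assumptions. The two sample emails are constructed to mirror the gift-card lure and the vendor-payment BEC email shown on this page; the lookalike sender domain in the gift-card sample is invented.

```python
"""Phish Scale style difficulty scorer (added example).

Crosses a count of observable cues with premise alignment, in the spirit of the
NIST Phish Scale, then maps the result onto the 1-7 levels used on this page.
The six cue checks, the few/some/many thresholds, the band matrix and the 1-7
mapping are this example's own assumptions, not NIST's or the vendor's code.
"""
import re
from dataclasses import dataclass


@dataclass
class Email:
    display_name: str  # sender name as the mail client shows it
    sender_addr: str
    subject: str
    body: str


# Constructed lookup of official domains for commonly impersonated brands.
BRAND_DOMAINS = {"amazon": "amazon.com", "microsoft": "microsoft.com", "paypal": "paypal.com"}
# Constructed lists of low-effort-lure misspellings and generic addressees.
MISSPELLINGS = {"congradulations", "recieve", "acount", "verfiy"}
GENERIC_ADDRESSEES = {"customer", "user", "member", "sir", "madam", "valued", "team", "all"}

LURE = re.compile(r"\b(won|winner|prize|gift card|claim your|free)\b", re.I)
PRESSURE = re.compile(r"\b(urgent|immediately|asap|today|within 24 hours|move fast)\b", re.I)
ACTION = re.compile(r"\b(click here|log ?in|verify your account|reset your password)\b", re.I)


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def find_cues(mail: Email, org_domain: str) -> dict:
    """Six observable-cue checks, mirroring the page's 'Cues found n / 6' widget.
    True means the cue is present, i.e. the email is easier to recognise."""
    text = f"{mail.subject}\n{mail.body}"
    words = {w.lower() for w in re.findall(r"[A-Za-z]+", text)}
    first_line = mail.body.strip().splitlines()[0] if mail.body.strip() else ""
    greeting = re.match(r"^(hi|hello|dear)[ ,]+([A-Za-z]+)", first_line, re.I)
    named_greeting = greeting is not None and greeting.group(2).lower() not in GENERIC_ADDRESSEES
    # Sender cue: the display name invokes a brand whose real domain is not the address
    # domain, and the address is not from the recipient's own organisation either.
    brands = [b for b in BRAND_DOMAINS if b in mail.display_name.lower()]
    mismatch = any(_domain(mail.sender_addr) not in (BRAND_DOMAINS[b], org_domain) for b in brands)
    return {
        "spelling_or_punctuation": bool(words & MISSPELLINGS) or "!!" in text,
        "generic_greeting": not named_greeting,
        "sender_domain_mismatch": mismatch,
        "reward_lure": LURE.search(text) is not None,
        "time_pressure": PRESSURE.search(text) is not None,
        "link_or_credential_request": ACTION.search(text) is not None,
    }


def cue_bucket(n: int) -> str:
    """NIST buckets cue counts as few / some / many over a much longer checklist;
    with six checks these thresholds are an assumption."""
    return "few" if n <= 1 else "some" if n <= 3 else "many"


# Difficulty band from cue bucket x premise alignment: few cues plus a
# high-alignment pretext is hardest to detect, many cues plus a poor fit easiest.
DIFFICULTY = {
    ("few", "high"): "very", ("few", "medium"): "very", ("few", "low"): "moderate",
    ("some", "high"): "very", ("some", "medium"): "moderate", ("some", "low"): "moderate",
    ("many", "high"): "moderate", ("many", "medium"): "moderate", ("many", "low"): "least",
}


def page_level(cues_found: int, alignment: str) -> int:
    """Assumed mapping onto the page's 1-7 scale: the band picks the range,
    fewer visible cues push the level toward the top of that range."""
    band = DIFFICULTY[(cue_bucket(cues_found), alignment)]
    if band == "very":      # levels 5-7
        return 7 - min(cues_found, 2)
    if band == "moderate":  # levels 3-4
        return 4 if cues_found <= 1 else 3
    return 1 if cues_found >= 5 else 2  # least: levels 1-2


def score(mail: Email, org_domain: str, premise_alignment: str) -> dict:
    """premise_alignment ('low' | 'medium' | 'high') is rated by the campaign designer:
    it captures how well the pretext fits the recipient's real role and workflow,
    which no text check on the email itself can infer."""
    cues = find_cues(mail, org_domain)
    found = sum(cues.values())
    return {"cues": cues, "cues_found": found, "level": page_level(found, premise_alignment)}


# Constructed samples mirroring the two emails discussed on this page.
GIFT_CARD = Email(
    display_name="Amazon Rewards",
    sender_addr="rewards@amazon-giftcard-center.com",  # constructed lookalike domain
    subject="Congradulations!! You Won a $500 Gift Card!!!",
    body="Dear Customer,\n\nClick here to claim your reward within 24 hours.",
)
BEC = Email(
    display_name="Tomasz Nowak, CFO",
    sender_addr="t.nowak@pepcogroup.com",  # address as shown in the page's sample
    subject="Re: Vendor payment - urgent processing needed",
    body="Hi Anna,\n\nFollowing up on the vendor payment we discussed in yesterday's call. "
    "The supplier has updated their banking details; the new wire instructions are attached.\n\n"
    "Can you process the transfer today? Please don't loop in procurement on this one, "
    "we need to move fast to avoid the late penalty.",
)

if __name__ == "__main__":
    for name, mail, org, fit in (("gift card", GIFT_CARD, "example-corp.com", "low"),
                                 ("vendor payment BEC", BEC, "pepcogroup.com", "high")):
        r = score(mail, org, fit)
        print(f"{name}: {r['cues_found']} / 6 cues, level {r['level']} / 7")
```

Run as-is, the gift-card sample trips all six cues and, with low premise alignment, lands at level 1; the BEC sample trips only the time-pressure cue and, with high premise alignment, lands at level 6. The important design point is that premise alignment is an input the campaign designer supplies, not something derived from the email text: the same vendor-payment email is a 6 / 7 for an accounts-payable clerk who really did sit in yesterday's call and a much easier catch for an engineer who has never heard of the supplier.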
What they receive

Adaptive simulations that meet employees where they are.

Customized by role, behavior, and geography — so every phish is a real challenge, not a checkbox.

Marcus Johnson, VP Finance: NIST difficulty 2 / 7
Priya Patel, Customer Support: NIST difficulty 4 / 7
Sarah Kim, Software Engineer: NIST difficulty 6 / 7
Train intelligently

Automate at scale.

Step 1: How often should we send phishing emails? Monthly / Bi-monthly / Quarterly / Twice a year
Step 2: Select departments to receive phishing. Select all / Engineering / Sales / Finance / HR / Executive
Step 3: We take it from here. Fully automated phishing campaigns — forever.

Calendar view: July 2026, with completed campaigns and the next campaign marked.
Organization view

Clear, immediate reporting.

See how individuals and departments are improving — not just whether they clicked.

Avg. report rate: 68%
Avg. NIST difficulty: 4.2 / 7
90-day improvement: +18%

Department | Report rate | Level | Trend
Engineering | | 5.2 / 7 | +22%
Finance | | 4.1 / 7 | +15%
Sales | | 3.4 / 7 | +19%
HR | | 2.8 / 7 | +12%
Executive | | 2.1 / 7 | -3%

Easy for admins. Just right for employees.

Launch fully-automated phishing simulations that target each employee's role and evolve as they improve.

Book a demo