Not all clicks are created equal. Clicking a link is bad. Entering your username and password into the resulting page is catastrophic.
The Silent Theft
In a credential harvesting attack, the user is directed to a fake login page (e.g., "Microsoft 365 Login"). If they enter their credentials, the attacker captures them instantly. No malware required.
Why Click-Only Metrics Fail
Compromise Rate: This metric matters more than click rate. Did they actually give up the keys?
Teachable Moment: The realization 'I almost gave away my password' is a powerful learning event.
Risk Profiling: Users who enter data are higher risk than those who just click.
Safety First
Key Takeaway
"Never store the passwords. A responsible simulation platform records that data was entered, but strictly discards the actual password to protect user privacy."
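The rule above, together with the compromise-rate metric, sketched as an added example (not code from this page or from any particular simulation platform): each submission is reduced to a boolean and the secret is dropped before anything is stored. The field names, event kinds, sample data and the use of recipients as the denominator for both rates are assumptions.

```python
from dataclasses import dataclass

# Assumed names of secret-bearing form fields on the simulated login page.
SENSITIVE_FIELDS = {"password", "passwd", "pwd", "otp"}

@dataclass(frozen=True)
class Event:
    user_id: str
    kind: str                      # "sent", "clicked" or "submitted"
    entered_password: bool = False # the only trace of the secret that is kept

def record_submission(user_id, form):
    """Turn a submitted form into an event; the password value is never kept."""
    entered = any(bool(form.get(name)) for name in SENSITIVE_FIELDS)
    for name in SENSITIVE_FIELDS:
        form.pop(name, None)  # remove it so later logging of `form` cannot leak it
    return Event(user_id, "submitted", entered_password=entered)

def campaign_metrics(events):
    """Click rate and compromise rate, both over recipients (assumed denominator)."""
    sent, clicked, compromised = set(), set(), set()
    for e in events:
        if e.kind == "sent":
            sent.add(e.user_id)
        elif e.kind == "clicked":
            clicked.add(e.user_id)
        elif e.kind == "submitted" and e.entered_password:
            compromised.add(e.user_id)
    total = len(sent) or 1  # avoid division by zero on an empty campaign
    return {
        "click_rate": len(clicked) / total,
        "compromise_rate": len(compromised) / total,
        "higher_risk_users": sorted(compromised),  # entered data, not just clicked
    }

# Constructed sample campaign: four recipients, three clicks, one real submission.
SAMPLE_EVENTS = (
    [Event(u, "sent") for u in ("alice", "bob", "carol", "dave")]
    + [Event(u, "clicked") for u in ("alice", "bob", "carol")]
    + [
        record_submission("alice", {"username": "alice", "password": "constructed-value"}),
        record_submission("bob", {"username": "bob", "password": ""}),  # left blank
    ]
)

if __name__ == "__main__":
    print(campaign_metrics(SAMPLE_EVENTS))
```

In the sample, three of four recipients clicked but only one entered a password, which is the gap a click-only metric hides.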
