Phishing Landing Pages, Credential Capture, and Tracking

Marcus Chen··7 min read
A simulated phishing landing page used for training

Understanding exactly how an employee responds to a simulated phishing email requires more than knowing whether they clicked a link. Did they open the email? Did they proceed to the landing page? Did they actually enter their credentials? Did they report the message as suspicious? Each of these behaviors represents a meaningfully different risk level and a different learning need. empowsec's tracking infrastructure is built to capture the full arc of a simulated phishing interaction - not just the click - so that the resulting data is precise enough to drive targeted remediation and accurate risk scoring.

This article explains how per-recipient tracked links, tracking pixels, simulated landing pages, and the teachable moment that follows all work together in the empowsec phishing simulation engine.

Tracking Pixels and Unique Links: Recording Every Step

Every simulated phishing email generated by empowsec contains two tracking mechanisms embedded specifically for the individual recipient. The first is a tracking pixel - a tiny invisible image element whose load registers an 'opened' event. When the email client renders the message and requests the pixel, empowsec records that this specific recipient opened this specific email at that specific time. Opens are the lightest behavioral signal, but they matter: an employee who opens a simulated phishing email is engaging with the content and may be at risk of clicking.

The second mechanism is a unique tracked link. Every recipient in a campaign receives a version of the link that is specific to them, so when they click through, the platform records not just that someone clicked, but exactly who clicked, when they clicked, and from which context. This per-recipient attribution is what makes the data useful for individual follow-up rather than only for aggregate reporting.

These two mechanisms work in combination. Open tracking tells you whether the email was noticed. Click tracking tells you whether the employee was convinced enough to act. The combination of both tells you something richer: an employee who opened but did not click may have paused, looked more carefully, and stopped themselves - a positive behavior worth recognizing. An employee who opened and clicked very quickly may have been caught by urgency, which points to a specific training need around time-pressure manipulation.

Simulated Landing Pages and Fake Login Forms

When a recipient clicks the tracked link in a simulated phishing email, they arrive at a simulated landing page. This page is a core part of the campaign setup and is paired with the email template. The landing page can include a fake login form that prompts the employee to enter credentials, which is the behavior that most closely mirrors what a real phishing attack is attempting to accomplish.

It is important to be clear about what 'credential capture' means in this context. empowsec is a safe simulation platform. When an employee fills in the fake login form, the platform records the event - specifically that this person submitted the form at this time - but it does not harvest, store, or transmit any real credentials. The purpose is educational: to record a 'submitted' event in the behavioral data so that the risk score reflects the full extent of the employee's engagement with the simulated attack. Real secrets are never at risk.

The 'submitted' event is weighted differently from a 'clicked' event in risk scoring because it represents a higher degree of engagement with the lure. An employee who submitted is not just curious about the link - they went all the way through to entering sensitive information on what they believed was a legitimate form. This distinction is precisely why per-step tracking matters: it gives you a behavioral hierarchy, not just a binary pass/fail per campaign.

secure-portal-update.example.com - Sign in to continue
This was a phishing simulation
This page was part of a security awareness exercise run by your organization via empowsec. No real credentials were captured. See below to learn what you should have spotted.
1
Delivered
09:14 - email arrived in inbox
Done
2
Opened
09:16 - pixel loaded
Done
3
Clicked
09:17 - tracked link followed
Recorded
4
Submitted
09:18 - form completed on landing page
Recorded
After clicking through to the landing page, the employee sees a simulation disclosure banner and a delivery timeline showing each tracked event.

The Teachable Moment: What Happens Immediately After

The moment an employee clicks or submits on a simulated landing page is the best possible moment to deliver a security lesson. They have just made a mistake in a safe environment, and their attention is fully engaged. empowsec uses this moment in two ways. First, the landing page itself can display a 'this was a simulation' disclosure that explains the exercise and surfaces the specific red flags the employee should have spotted. This immediate in-context explanation is the most effective single touchpoint in a phishing simulation program.

Second, the click or submit event can automatically trigger an assignment of remedial training. The employee does not just see a banner and move on - they receive a short, targeted training module that goes deeper into the type of attack they just encountered. This assignment is configured at the campaign level, so when you set up the campaign you decide which training module to pair with a failure, and the platform handles the assignment automatically whenever the failure event occurs.

The reply event, which occurs when an employee responds to the simulated phishing email rather than clicking a link, can also trigger a training assignment. This matters because replying to a suspicious email is another high-risk behavior - it can expose organizational information and establishes contact with a would-be attacker. Tracking and responding to this event puts empowsec's simulation capability closer to the full range of ways a phishing attack can succeed.

Inbox
IT
FromIT Helpdesk <[email protected]> lookalike domain
SubjectAction required: your password expires today urgency cue
Your corporate password expires in 2 hours. Click to reset immediately or you will be locked out.
Report phishingReset password
A simulated phishing email with flagged red flags: the lookalike sender domain and the urgency-driven subject line.

How Tracking Events Feed Risk Scoring

Every event captured during a simulation - opened, clicked, submitted, replied, reported - feeds into empowsec's risk scoring engine with a weighted contribution. The weights reflect the behavioral risk hierarchy: submitting credentials carries a higher risk weight than simply opening the email. Reporting a simulation is a positive event that reduces risk score. This means the risk score for each employee is not just a count of simulations they have failed; it reflects the severity of each failure and the recency of each event, since the scoring engine applies time decay so that older behavior has less influence than recent behavior.

At scale, these individual scores roll up into department-level and company-level views. A department whose members predominantly clicked but did not submit is in a meaningfully different position from a department whose members frequently submitted credentials. The granularity of per-event tracking is what makes that distinction visible, and it is what makes the risk score a genuinely useful tool for prioritizing where training resources should go next.

Tip
Pair each landing page with a specific remedial training module matched to the lure type. A credential-harvest simulation should pair with training on recognizing fake login pages - not a generic phishing overview.

What This Means for Your Team

  • Per-recipient tracking pixels and unique links give you individual-level behavioral data, not just campaign aggregates.
  • Simulated landing pages with fake login forms capture the full depth of engagement, including form submissions - safely, with no real credentials at risk.
  • Immediate simulation disclosure on the landing page turns the moment of failure into the most effective teachable moment in the program.
  • Automatic remedial training assignment on click, submit, or reply triggers follow-up without any manual steps from an administrator.
  • Per-event risk score weighting means the risk data reflects not just who failed but how seriously they engaged with the lure.
Share: