Phishing Landing Pages, Credential Capture, and Tracking

Understanding exactly how an employee responds to a simulated phishing email requires more than knowing whether they clicked a link. Did they open the email? Did they proceed to the landing page? Did they actually enter their credentials? Did they report the message as suspicious? Each of these behaviors represents a meaningfully different risk level and a different learning need. empowsec's tracking infrastructure is built to capture the full arc of a simulated phishing interaction - not just the click - so that the resulting data is precise enough to drive targeted remediation and accurate risk scoring.
This article explains how per-recipient tracked links, tracking pixels, simulated landing pages, and the teachable moment that follows all work together in the empowsec phishing simulation engine.
Tracking Pixels and Unique Links: Recording Every Step
Every simulated phishing email generated by empowsec contains two tracking mechanisms embedded specifically for the individual recipient. The first is a tracking pixel - a tiny invisible image element whose load registers an 'opened' event. When the email client renders the message and requests the pixel, empowsec records that this specific recipient opened this specific email at that specific time. Opens are the lightest behavioral signal, but they matter: an employee who opens a simulated phishing email is engaging with the content and may be at risk of clicking.
The second mechanism is a unique tracked link. Every recipient in a campaign receives a version of the link that is specific to them, so when they click through, the platform records not just that someone clicked, but exactly who clicked, when they clicked, and from which context. This per-recipient attribution is what makes the data useful for individual follow-up rather than only for aggregate reporting.
These two mechanisms work in combination. Open tracking tells you whether the email was noticed. Click tracking tells you whether the employee was convinced enough to act. The combination of both tells you something richer: an employee who opened but did not click may have paused, looked more carefully, and stopped themselves - a positive behavior worth recognizing. An employee who opened and clicked very quickly may have been caught by urgency, which points to a specific training need around time-pressure manipulation.
Simulated Landing Pages and Fake Login Forms
When a recipient clicks the tracked link in a simulated phishing email, they arrive at a simulated landing page. This page is a core part of the campaign setup and is paired with the email template. The landing page can include a fake login form that prompts the employee to enter credentials, which is the behavior that most closely mirrors what a real phishing attack is attempting to accomplish.
It is important to be clear about what 'credential capture' means in this context. empowsec is a safe simulation platform. When an employee fills in the fake login form, the platform records the event - specifically that this person submitted the form at this time - but it does not harvest, store, or transmit any real credentials. The purpose is educational: to record a 'submitted' event in the behavioral data so that the risk score reflects the full extent of the employee's engagement with the simulated attack. Real secrets are never at risk.
The 'submitted' event is weighted differently from a 'clicked' event in risk scoring because it represents a higher degree of engagement with the lure. An employee who submitted is not just curious about the link - they went all the way through to entering sensitive information on what they believed was a legitimate form. This distinction is precisely why per-step tracking matters: it gives you a behavioral hierarchy, not just a binary pass/fail per campaign.
The Teachable Moment: What Happens Immediately After
The moment an employee clicks or submits on a simulated landing page is the best possible moment to deliver a security lesson. They have just made a mistake in a safe environment, and their attention is fully engaged. empowsec uses this moment in two ways. First, the landing page itself can display a 'this was a simulation' disclosure that explains the exercise and surfaces the specific red flags the employee should have spotted. This immediate in-context explanation is the most effective single touchpoint in a phishing simulation program.
Second, the click or submit event can automatically trigger an assignment of remedial training. The employee does not just see a banner and move on - they receive a short, targeted training module that goes deeper into the type of attack they just encountered. This assignment is configured at the campaign level, so when you set up the campaign you decide which training module to pair with a failure, and the platform handles the assignment automatically whenever the failure event occurs.
The reply event, which occurs when an employee responds to the simulated phishing email rather than clicking a link, can also trigger a training assignment. This matters because replying to a suspicious email is another high-risk behavior - it can expose organizational information and establishes contact with a would-be attacker. Tracking and responding to this event puts empowsec's simulation capability closer to the full range of ways a phishing attack can succeed.
How Tracking Events Feed Risk Scoring
Every event captured during a simulation - opened, clicked, submitted, replied, reported - feeds into empowsec's risk scoring engine with a weighted contribution. The weights reflect the behavioral risk hierarchy: submitting credentials carries a higher risk weight than simply opening the email. Reporting a simulation is a positive event that reduces risk score. This means the risk score for each employee is not just a count of simulations they have failed; it reflects the severity of each failure and the recency of each event, since the scoring engine applies time decay so that older behavior has less influence than recent behavior.
At scale, these individual scores roll up into department-level and company-level views. A department whose members predominantly clicked but did not submit is in a meaningfully different position from a department whose members frequently submitted credentials. The granularity of per-event tracking is what makes that distinction visible, and it is what makes the risk score a genuinely useful tool for prioritizing where training resources should go next.
What This Means for Your Team
- Per-recipient tracking pixels and unique links give you individual-level behavioral data, not just campaign aggregates.
- Simulated landing pages with fake login forms capture the full depth of engagement, including form submissions - safely, with no real credentials at risk.
- Immediate simulation disclosure on the landing page turns the moment of failure into the most effective teachable moment in the program.
- Automatic remedial training assignment on click, submit, or reply triggers follow-up without any manual steps from an administrator.
- Per-event risk score weighting means the risk data reflects not just who failed but how seriously they engaged with the lure.


