What are all these phishing terms, and what do they mean?

This is a term appendix for anyone that needs help or a refresher.


This article is a glossary of phishing terms we use at Hook Security, Inc.

This list includes action types associated with how a user handles phishing attacks. When you generate a report, these action types will appear in the Action Type column. Different phishing email templates will generate different types of action types, i.e. action types are specific to specific templates. See Manage Templates for more information.


When generating a report, you can choose to append a phishing term appendix to the report by enabling the Phishing Term Appendix option.


Phishing Terms

The phishing terms we use at Portal are as follows.

NOTE: This is not a comprehensive list and new terms are being added over time.
  • Auto-Reply is an action tracked when a phishing email has been replied to from an auto-responder set up for the target. The system looks for key phrases to help discern if user legitimately replied to a phishing email or not. Auto-Replies are not counted against targets on tests.
  • Bot: Page Crawl is software that systematically visits and analyzes web page pages on the internet. Typically, software performing these crawls are from network security providers looking to find malicious content, or from a search engine to gather information for indexing purposes. When you see this action type, refer to the IP address to see who/what is crawling the page.
  • Bot: Email Crawl is software that systematically opens and analyzes emails. Typically, software performing these crawls are email security tools, like spam filters and anti-malware, that are analyzing emails to find malicious content. When you see this action type, refer to the IP address to see who/what is crawling the email. 
  • Clicked Completion depending on the template, clicked completion means that the target has entered information or clicked a link.
  • Clicked Link in Email means that the primary Hook Link was clicked in the phishing email and the user was taken to the landing page. This action, along with Viewed Landing Page, makes up reported Clicks.
  • Completed Training Page Material means the target navigated to the training page and completed the training materials.
  • Data Extended is any action beyond Clicking Link in Email in severity (e.g., Performed Action, Download Started, Replied, etc.)
  • Delivered is how many emails have left our server. This does not confirm that the emails have reached the inbox of the target.
  • Email Opened means that the email was opened by either the target, security software, or email client.
  • False Positive is an action that may have not been committed by the target. Security software can open and navigate links in an email and would trigger the same actions in the system as a user. Once these possible false positives are identified the IP addresses being used by the software can be filtered out and no longer count against the target.
  • Hook Link is the URL link in the phishing email that leads to the Landing Page or Training Page.
  • Login Information Submitted means the email template asked the target for login information which the target then submitted.
  • Login Submitted means the email template asked the target for a login which the target then submitted.
  • No Action means that the target did not perform any actions on the phishing email (e.g., Opening the email, Clicking Hook Link).
  • Performed Action is the generic term for completing the Phishing Hook action on a template.
  • Performed Update means the template prompted the target to start an update which the user performed. 
  • Phish Time is how long it took for the phishing action to occur after it was sent.
  • Received Training is how many targets have viewed the training page attached to a phishing campaign.
    NOTE: URL redirects will also be recorded as "Received Training".
  • Replied is an action tracked when a phishing email has been replied to from a target. The system determines this reply was authentic from a user and didn't match as an automated response.
  • Started Download some email templates have downloads or attachments. If the target begins a download they will be flagged as having started the download.
  • Targets are the users/email addresses that you are testing.
  • Target Email is one email sent to one Target during a Test (phishing campaign).
  • Test is a single phishing campaign sent to single Group of Targets.
  • Unique is a flattening filter placed on the data so that each target is only counted once per category. For example, a user may have opened the email three times but will only be counted once for opening the email. That same user may have clicked on the link in the email twice but will only be counted once for clicking.
  • Viewed Landing Page means that the Landing Page was refreshed or navigated to by means other than a click from the phishing email. This action, along with Clicked Link in Email, makes up reported Clicks.
  • Viewed Training Page means the target viewed the training page but did not complete the training materials.
  • Worst Action is the most severe action that the target committed during the test. If a target opened the email, clicked on a link, attempted a download, and then opened the email again, their worst action would be attempted a download since it was the most severe action they performed.