Do you have visibility into who clicked a phishing link or entered credentials on a phishing site?
Description
What this control does
This control establishes the organization's capability to identify employees who have interacted with phishing attacks by clicking malicious links or submitting credentials on fraudulent sites. Detection mechanisms typically include security email gateway logging, endpoint detection and response (EDR) telemetry, web proxy logs, security information and event management (SIEM) correlation rules, and specialized anti-phishing platforms that track click-through and credential submission events. Effective visibility enables rapid incident response, targeted user remediation, credential resets, and data-driven security awareness program improvements.
Control objective
What auditing this proves
Demonstrate that the organization maintains technical and procedural capabilities to identify and track employees who clicked phishing links or submitted credentials on phishing sites within a timeframe sufficient for timely response.
Associated risks
Risks this control addresses
- Compromised credentials remain undetected and are used for unauthorized access to corporate systems and data
- Initial phishing compromise escalates to ransomware deployment or data exfiltration without detection
- Lack of victim identification prevents timely password resets and account lockdowns following credential harvesting attacks
- Security awareness training cannot be targeted to high-risk users without visibility into actual phishing victimization
- Incident response teams cannot assess blast radius or identify lateral movement originating from compromised accounts
- Compliance violations occur when breached credentials lead to unauthorized access to regulated data without detection
- Repeat phishing victims remain unidentified, creating a persistent attack surface for threat actors
Testing procedure
How an auditor verifies this control
- Inventory all technical systems deployed to detect phishing link clicks and credential submissions, including email security gateways, web proxies, EDR platforms, SIEM solutions, and dedicated anti-phishing tools
- Review configuration settings in identified systems to verify logging is enabled for URL click events, authentication submissions to known-bad domains, and phishing-related security alerts
- Request documentation of phishing detection use cases, correlation rules, and alert definitions currently deployed in monitoring systems
- Select a sample of 10-15 recent phishing simulation exercises or actual phishing incidents from the past 12 months
- For each sampled incident, request evidence showing identified victims including usernames, timestamps of clicks or credential submissions, and URLs accessed
- Verify that detection occurred within a reasonable timeframe by comparing phishing event timestamps to detection/alert timestamps in security logs
- Interview security operations personnel to confirm the workflow for receiving phishing victim notifications, validating findings, and initiating response actions
- Test detection capability by simulating a phishing click or requesting evidence from the most recent sanctioned phishing simulation showing individual-level tracking data
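The correlation described under "What this control does" and the timeframe check in the testing procedure above can be reduced to a small script: match web-proxy requests against the phishing hosts used in a sanctioned simulation (or confirmed in an incident), distinguish a click from a form submission, and compare each victim's first contact against the time the SIEM raised an alert. The following is an added illustration, not code from the page or from any named product; the proxy log format, user names, hosts (all under the reserved .test TLD) and alert times are constructed sample data.

```python
"""Identify phishing victims from proxy logs and measure SIEM detection lag.

Assumptions (not from the page): a hypothetical space-separated proxy log
format "<ISO timestamp> <user> <method> <url> <status>", and SIEM alert
times supplied as a dict keyed by user. All data below is constructed.
"""
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample proxy log lines.
PROXY_LOG = """\
2024-03-04T09:12:41Z alice GET https://intranet.example/home 200
2024-03-04T09:13:02Z bob GET https://login-portal-verify.test/index.html 200
2024-03-04T09:13:37Z bob POST https://login-portal-verify.test/auth 302
2024-03-04T09:20:15Z carol GET https://login-portal-verify.test/index.html 200
2024-03-04T09:21:00Z carol GET https://docs.example/policy.pdf 200
2024-03-04T10:05:09Z bob GET https://secure-mailbox-check.test/ 200
"""

# Constructed phishing hosts, e.g. the landing pages of a sanctioned simulation.
PHISHING_HOSTS = {"login-portal-verify.test", "secure-mailbox-check.test"}

# Constructed SIEM alert times: when an analyst was notified about each user.
SIEM_ALERTS = {
    "bob": datetime(2024, 3, 4, 9, 25, 0, tzinfo=timezone.utc),
}


def parse_line(line):
    """Parse one proxy log line into a dict with a timezone-aware timestamp."""
    ts, user, method, url, status = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "user": user,
        "method": method,
        "url": url,
        "status": int(status),
    }


def find_interactions(log_text, phishing_hosts):
    """Return one record per request to a phishing host.

    A GET is recorded as a 'click' and a POST as a 'credential_submission':
    the proxy sees that a form was posted but not its contents, so this is
    the strongest signal available at this layer.
    """
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        host = urlsplit(rec["url"]).hostname
        if host in phishing_hosts:
            kind = "credential_submission" if rec["method"] == "POST" else "click"
            hits.append({"user": rec["user"], "ts": rec["ts"], "url": rec["url"], "kind": kind})
    return hits


def victims_by_user(hits):
    """Per-user summary: first contact time, whether a form was posted, and the
    set of phishing hosts contacted (more than one host flags a repeat victim)."""
    summary = {}
    for h in hits:
        s = summary.setdefault(
            h["user"], {"first_seen": h["ts"], "submitted_credentials": False, "hosts": set()}
        )
        s["first_seen"] = min(s["first_seen"], h["ts"])
        s["submitted_credentials"] = s["submitted_credentials"] or h["kind"] == "credential_submission"
        s["hosts"].add(urlsplit(h["url"]).hostname)
    return summary


def detection_lag_seconds(summary, alerts):
    """Seconds from each victim's first phishing contact to the SIEM alert.
    None means the SIEM never alerted on that user, which is itself a finding."""
    lag = {}
    for user, s in summary.items():
        alerted = alerts.get(user)
        lag[user] = None if alerted is None else (alerted - s["first_seen"]).total_seconds()
    return lag


if __name__ == "__main__":
    summary = victims_by_user(find_interactions(PROXY_LOG, PHISHING_HOSTS))
    for user, lag in detection_lag_seconds(summary, SIEM_ALERTS).items():
        s = summary[user]
        print(f"{user}: first_seen={s['first_seen'].isoformat()} "
              f"credentials_posted={s['submitted_credentials']} "
              f"hosts={sorted(s['hosts'])} alert_lag_s={lag}")
```

Run against the sample data, the script reports bob (clicked, posted a form, contacted two phishing hosts, alerted after 718 seconds) and carol (clicked only, never alerted). For the audit step that compares event timestamps to alert timestamps, the `alert_lag_s` value per user is the evidence to measure against the organization's response-time target, and a `None` entry shows a victim the monitoring stack missed entirely.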