Search Background

Get instant support with our search!

How do Disabled and Deleted Users Reflect in Phish Reports?

User Avatar
Roisin Boyle

Updated

New phish reporting settings from May 2026

From May 2026, Phish reporting will handle users who are later deleted or disabled differently, ensuring historical campaign data remains accurate, stable, audit‑ready, and GDPR‑compliant as your user base changes over time.

Two new company‑level settings control this behaviour:

  • Include Deleted users in Reports - controls whether Deleted users appear in phishing reports
  • Include Disabled users in Reports - controls whether Disabled users appear in phishing reports
A screenshot of Company Edit showing the new Disabled and Deleted Users in Reports toggles

Both settings default to ON and can be changed within Settings > Company Edit.

What changes?

Phish reporting is now anchored to user status at the time the phish was sent, not their current status in the platform — delivering stable, complete, and compliant reporting across all future campaigns:

  • Users who received a phish remain visible for that campaign, regardless of later user changes
  • Deleted users are anonymised in line with GDPR while preserving reporting structure
  • Disabled users retain their full record and are clearly labelled as Disabled
  • Campaign totals stop shifting over time
  • Exports remain stable across reporting cycles
  • Audit and compliance defensibility improves

In practice:

  • If a phishing email has been sent to a user → they remain in reporting permanently, regardless of any later user lifecycle change
  • If the phishing email has not yet been sent → the user is excluded entirely if they are deleted or disabled before delivery

This principle applies to deletion, disablement, and staggered‑send campaigns.

 

What happens when a user is Deleted or Disabled?

Both lifecycle events keep the user visible in reports if they have already received the phish — but they're handled differently to reflect the different intent of each action. The table below summarises the key differences.

  Disabled Users Deleted Users
User Status

Name

No change

Deleted User
Email Address

No change

deleteduser1@companyname.com
deleteduser2@companyname.com, etc.
Other Personal Data

No change

Removed
Department

No change

No change
Engagement Data (opens, clicks, submissions)

Fully retained

Fully retained

In summary:

  • Deleted Users - All personal information is anonymised or removed. This approach ensures GDPR expectations for data minimisation are met while preserving the structural data needed for accurate reporting.
  • Disabled Users - The user record stays intact and simply reflects their current status.
An example of how deleted users are shown in the Phish Overview report

An example of how Deleted users are shown in the Phish Overview report

Reports where Disabled or Deleted users appear

If a user received a phish before being deleted or disabled, they remain visible in every reporting view and export, including:

  • Phish Overview
  • Phish Adoption
  • Phish Comparison
  • Phish Summary
  • Phish Campaign Summary
  • Reported Emails
  • Recurring Phish Victims
  • Phish Map
  • Phish Device Report
  • Plugins
  • Phish Audits

All drill‑downs continue to function, and campaign totals remain consistent over time.

Targeting scenarios

Here are some example targeting scenarios and how the reporting is handled if a user is Deleted or Disabled.

Scenario 1 — User active when the phish is sent

  • Phish email is delivered
  • User is later deleted or disabled
  • User remains in all reports
  • Status shows as Deleted or Disabled
  • For Deleted users, personal data is anonymised

Scenario 2 — User deleted or disabled before the phish is sent

  • User is planned for the campaign but is removed or disabled before delivery
  • User is excluded from targeting and reporting entirely
  • No placeholder or historical record is created

Scenario 3 — Staggered sending, user removed before their scheduled send

  • Campaign uses staggered delivery
  • User is deleted or disabled before their specific email goes out
  • User is excluded from reporting and totals, even though other recipients in the same campaign may have already received their email

How are past campaigns handled?

⚠ This update is not retroactive.

  • Only phishing emails sent after the May 2026 release follow this behaviour
  • Campaigns sent before that date continue to use the previous logic and are not reprocessed

If either setting is enabled and a campaign has already run, users who were deleted or disabled during that campaign will continue to appear for that campaign — even if the setting is later turned off.

Which users does this apply to?

This behaviour applies consistently across:

  • Email‑based and federated users
  • SCIM‑managed users
  • Google Workspace (Gmail) integrations
  • Okta integrations

It applies whether users are deleted or disabled by:

  • Administrators
  • Business users
  • Bulk user removal or user list replacement within User Management
Back to all articles