While thinking about UIDs I thought of this that would help. You create an API that takes the UID and logs that it has been accessed, an additional field that says where would also be useful. The use case is:

user clicks link and lands on phishing home page - log ($uid, "homepage")
user enters username and password - log ($uid, "logged in")

You can then track how far certain users have gone through the phishing process. A report to say:

• 100 mails sent
• 50 clicked the link and visited the homepage
• 10 entered credentials

The API could take hits in a number of ways, server to server through a curl command or from a browser in an image or JavaScript XML_HTTP_Request.