How to Report a Phishing Email: What to Tell Your Staff and How to Make Reporting Easy

March 19, 2026

Most organisations have a process for responding to phishing attacks. Fewer have a process for receiving reports of suspected phishing from their own staff. That gap matters because the window between the first person who notices something suspicious and the first person who clicks is often the only chance a security team gets to intervene before an incident becomes an incident.

Reporting rates are one of the more meaningful metrics in a security awareness programme, and they are chronically undervalued. Completion rates and click rates get most of the attention, but a staff member who reports a phishing attempt they did not click is doing something genuinely useful for the organisation. If the process for doing that is unclear, inconsistent, or feels like it will lead to criticism rather than appreciation, they will not do it again.

What Gets in the Way of Reporting

When we ask organisations why their reporting rates are low, the answers fall into a few consistent categories. Staff do not know where to report. They are not confident enough in their assessment to escalate -- they worry about "wasting time" if it turns out to be legitimate. They have reported before and received no acknowledgement. Or the process itself is difficult: finding the right email address, composing a message, attaching the original, avoiding clicking the links in the process of doing so.

Each of those friction points is solvable, but they require deliberate effort. Solving them is more valuable than another training module on how to spot phishing, because it converts awareness into action. A staff member who knows what phishing looks like but does not report it has still left the organisation exposed. A staff member who reports something they were not even sure about has contributed to collective defence.

What a Good Reporting Process Looks Like

Effective phishing reporting has three components: a simple mechanism, a clear instruction, and a feedback loop. The mechanism should require as few steps as possible. A dedicated "Report Phishing" button in the email client is the standard, and most major platforms support this through add-ins. If that is not available, a dedicated reporting email address -- short, memorable, and widely communicated -- is the fallback. Whatever the mechanism, it should not require the staff member to interact with the suspicious email beyond what is necessary.

The instruction needs to be clear about what to report. The most common mistake is telling staff to "report anything suspicious" without helping them understand what that means in practice. A better instruction is to report any message that asks for credentials, requests urgent action, contains an unexpected link or attachment, or creates pressure to bypass normal processes. The threshold should be low -- better to receive five false positives than to miss one genuine attack.

Closing the Feedback Loop

The fastest way to kill a reporting culture is to receive a report and say nothing. If a staff member flags a phishing attempt and hears nothing back, their implicit conclusion is that the report went nowhere. They are less likely to report next time. A simple acknowledgement -- automated if necessary -- that confirms the report was received and is being reviewed is the minimum baseline.

Where the security team can go further is to close the loop with the outcome. If a staff member reported something that turned out to be a genuine phishing campaign, letting them know (without unnecessary alarm) builds confidence that their action mattered. Organisations that do this well see reporting rates increase over time because staff understand that reporting is part of how the organisation defends itself, not an administrative chore.

What to Include in Training

Training on phishing reporting should cover:

  • Where to report: the specific button, address, or system to use
  • What to report: the types of messages that should be flagged, with examples
  • What not to do: forwarding the email to colleagues, clicking links to investigate, or dismissing the message without reporting because it "probably isn't phishing"
  • What happens after a report is submitted: who receives it, how quickly they review it, and whether the reporter will hear back
  • That reporting is encouraged, not criticised: frame it explicitly as a contribution, not an escalation

In phishing simulations, measuring the report rate alongside the click rate gives a more complete picture of where your programme stands. An organisation where 60% of staff click simulated phishing but 40% report it is in a very different position from one where 60% click and 2% report. Both need work, but the intervention is different.

We help organisations build phishing reporting processes as part of our awareness programmes, including simulation campaigns that track report rates over time. If your current programme is not measuring reporting, or if the process for reporting is unclear to your staff, get in touch at info@cyberlinx.com.au and we can help you fix that.

Table of Contents
Resource Type
Guides
Category
Cyber Awareness Training
Written by
Saaim Khan
Chief Innovation Officer
Free Risk Assessment
Cyberlinx brand name with linked chain links icon above it in white on a black background.

Ready to secure your
business?