An open question in the infosec community is how much user reporting of phishing messages benefits email security. Some customers tell us they’re all for it. Others are hesitant because they don’t have enough automation in place to manage the abuse mailbox successfully. That’s a valid concern, depending on the email security layers you have in place.
Figure 1. Research by Proofpoint of user-reported messages combined with our detection stack analysis found that, on average, 30% to 40% of what users were reporting was malicious or spam.
One recurring problem we've seen with phishing reporting relates to add-ins. Sometimes, collaboration suites make overnight updates that break these add-ins, forcing teams to scramble to update and re-roll them out. Many times, when users encounter a phishing email they are on a mobile device, with no access to a phishing reporting add-in. And sometimes, it simply takes too many clicks for users to report the phish easily.
Figure 2. This graph shows that most customers fall into a low range of reporting rates because reporting add-ins have low awareness and aren’t always easy to access. (Y axis: number of customers, X axis: phishing reporting rate.)
This is reflected in how users engage with these add-ins. In Figure 2, you can see the difficulty many organizations have getting their users to actively use a phishing add-in for phishing simulations.
This small hurdle can be a big obstacle in building a strong, educated user base that can easily report suspicious messages that may slip by your technical controls.
The average reporting rate of phishing simulations is only 13%, with many organizations falling below that.
[Chart: average reporting rate of phishing simulations by percentile; Y axis: percentage of users reporting simulations.]