What are best practices for handling phishing reports?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
The process that works is the one employees will actually use. Before anything else, make reporting frictionless. If someone has to forward the email to security@company.com, find the address, remember it, and type it correctly while also being stressed about whether they've clicked something dangerous, you'll get a small fraction of the reports you should. A "Report Phishing" button in the email client is dramatically more effective.
Once reports come in, triage quickly. Not every reported message is actually phishing: people report newsletters they forgot they signed up for, cold sales emails they find annoying, and anything with an unfamiliar sender. Your first task is categorizing: is this a real threat, a false positive, or something in between? Criteria that matter: is this targeting other employees (if yes, escalate immediately), does it use your domain or brand identity (credential phishing targeting your own users), or is it a one-off that affects only the reporter?
For confirmed threats, the response has two tracks. The immediate track: pull the message from other inboxes if your email platform allows it (Microsoft 365 and Google Workspace both support this), block the sending infrastructure, and alert other employees if it's a coordinated campaign. The investigative track: analyze the headers, identify the infrastructure, document indicators of compromise, and determine scope.
Feed confirmed indicators back into your security tooling: add malicious domains and IPs to your email security gateway's blocklist, share relevant threat data through your ISAC or M3AAWG if you participate.
Close the loop with the reporter. Tell them what you found and what action was taken. People report more when they feel like it made a difference. They stop reporting when they feel like it goes into a black hole.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.