What is “report phishing” button training?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

You've deployed a "report phishing" button in your company's email client. Great. But if nobody knows it's there, or they're not sure when to use it, it just sits in the toolbar collecting dust.

"Report phishing" button training is the process of teaching employees how to actually use that button. That means knowing where to find it, when to click it (not just for obvious spam, but for anything that feels off), and what happens once they do. Without that last part, most people assume their reports go nowhere and stop bothering.

The button itself exists in most major email clients. Google Workspace has it built in. Microsoft 365 and Outlook both support one-click reporting. Some companies add a third-party add-in on top for more control over where reports land and what happens next.

Good training covers three things. First, how to find and click the button (sounds obvious, but people skip things they weren't shown). Second, what kinds of emails are worth reporting. That's not just the obvious "you've won a prize" scams. It includes anything with an unusual sender, a link that doesn't match its display text, or a request that doesn't feel right. Third, what the feedback loop looks like. If your security team closes the loop by letting reporters know their submission was reviewed, people keep reporting. If reports feel like a black hole, they stop.

From a deliverability angle, this matters more than most people realize. When employees report phishing attempts, those signals feed back into your mail platform's threat intelligence. The more your users report accurately, the better your filters get at catching things before they land. It's also part of a broader security awareness program that protects your domain reputation from being impersonated or spoofed.

One thing to watch out for: false positives. Employees who are enthusiastic but undertrained will sometimes report legitimate newsletters or internal emails. It's worth showing real examples during training so people develop judgment, not just reflex.

If you're putting a full program together and want to know what else goes alongside button training, check out how simulated phishing training fits in. The two work really well together.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Build my phishing button training plan

We're rolling out a "report phishing" button for our employees. Based on our setup, suggest a prioritized training plan that covers where to find the button, what to report, and how to close the feedback loop with staff. Also flag the top mistakes companies make when deploying reporting buttons without proper training.

Edit the yellow boxes, then send to the AI of your choice.