The Report Button: Your Highest-ROI Security Habit

Thomas Eriksson··7 min read
Employee reporting a suspicious email with one click at their office desk

The Cheapest Detection Tool You Already Own

Security teams spend heavily on tools that detect threats. Yet one of the fastest detection sensors in any organization is also one of the cheapest: an employee who notices something is off and clicks a report button. A single report can surface a campaign that slipped past your filters, and it can do so within minutes of the first email landing, long before automated tooling catches up.

The instinct in many programs is to obsess over preventing clicks. That matters, but it frames the human role negatively, as a mistake to be avoided. The more powerful framing is positive: every employee is a potential sensor, and reporting is the action that activates the sensor. When thousands of people can each raise a hand the moment something looks wrong, you have built a detection network no product can fully replicate.

An over-focus on "don't click" breeds fear and silence. A focus on "report it" builds a workforce that actively hunts for the threats your tools miss. The goal is not just to avoid the trap; it is to help the security team disarm it.

Why Reporting Beats Not-Clicking on Pure ROI

Not clicking a phishing email protects exactly one person: the recipient. Reporting that same email protects the entire organization. The security team can pull the message from every inbox, block the sending domain, and warn anyone who already interacted with it. One person's two-second action becomes protection for thousands, and unlike a filter rule, it scales automatically with every employee you hire.

The economics get even better when you consider dwell time, the window between an attack arriving and the security team acting on it. Every minute an attacker operates undetected is a minute to harvest credentials, move laterally, or trigger a fraudulent payment. Fast reporting collapses that window. The first report is often the trigger that starts containment, and the difference between a report in two minutes and a discovery in two hours can be the difference between a non-event and a breach.

That is what makes the report button the highest-ROI behavior in security awareness. It costs the user almost nothing, it scales to your entire headcount, and a single click can short-circuit an entire attack chain. It is also exactly what national authorities advise: CISA's guidance calls reporting suspicious messages one of the most efficient ways to protect an organization, because each report helps spot new and trending attacks early.

Make Reporting Effortless: The One-Click Button

Behavior follows friction. If reporting means forwarding an email to a security distribution list, remembering the right address, and wondering whether you are overreacting, most people will simply delete the message and move on. Each step you remove lifts the report rate.

A one-click report button built directly into the mail client removes that friction almost entirely. The user sees something suspicious, clicks one button, and the message is routed to the security team and removed from view, no decisions, no addresses, no second-guessing. empowsec provides report-phishing add-ons for both Gmail and Google Workspace and for Outlook, so the button sits exactly where people already read their mail. When a simulation is reported through the same button, the user gets immediate positive feedback, reinforcing the habit on real and test messages alike.

Practical principles for the button:

  • Put it where the work happens. Inside the inbox, visible without hunting through menus.
  • Make one click enough. No forms, no choosing a category, no typing.
  • Confirm the action. A brief "thanks, our team will review this" tells the user their click mattered.
  • Route it automatically. The report should reach the security team and feed your triage process without manual forwarding.

Build a Blameless Reporting Culture

A button removes the mechanical friction. Culture removes the emotional friction, which is often the bigger barrier. People hesitate to report because they fear looking foolish for flagging a legitimate email, or worse, fear punishment for having clicked before they realized their mistake.

Both fears suppress exactly the behavior you need, so design them out:

  • Make it explicitly blameless. Tell people, repeatedly, that there is no penalty for a false alarm and no penalty for reporting something they already clicked. A late report is still a valuable report.
  • Reward the behavior, not just the outcome. Recognize people who report, including those who report a genuine threat the filters missed. A simple thank-you from the security team is a powerful reinforcer.
  • Close the loop. Nothing kills reporting faster than silence. When a report leads to a takedown or a blocked sender, let people know their action protected colleagues. Visible impact sustains the habit.
  • Celebrate the catch. When an employee's report stops a real campaign, share the win (without shaming anyone who clicked). It turns reporting into something people are proud to do.

Separate the click conversation from the report conversation entirely. Someone who clicks and then reports has done the second-best thing possible, and treating that report as a success rather than a confession is what keeps the channel open.

Connect the Button to Your Incident Response

A flood of reports is only an asset if it feeds a process. Plan the back end before you promote the button:

  1. Triage quickly. Decide how reports are reviewed and prioritized so genuine threats do not sit in a queue behind false alarms.
  2. Act at scale. When one report confirms a campaign, have the means to remove the message from every affected inbox and block the source.
  3. Feed it back into training. Patterns in what people report (and miss) tell you where to aim the next phishing simulation and which teams need a focused teachable-moment debrief.
  4. Measure report rate and time-to-report. These behavior-based metrics show whether reporting is becoming reflexive and let you demonstrate shrinking dwell time to leadership.

Reinforced through regular phishing simulation and behavior-based reporting, the report button stops being a feature and becomes a habit, the single behavior that turns your whole workforce into the front line of detection.

Common Mistakes That Quietly Kill Report Rates

Even well-intentioned programs undermine reporting in avoidable ways. Watch for these:

  • Punishing false alarms. The moment someone is made to feel foolish for reporting a legitimate email, everyone around them learns to stay quiet. Treat every false alarm as a sign the system is working.
  • Letting reports vanish into silence. If reporting feels like shouting into a void, people stop. A simple acknowledgement and the occasional "your report stopped a real attack" keeps the channel alive.
  • Conflating clicking with reporting. Tracking and shaming clicks while ignoring reports sends the message that the goal is to avoid blame, not to help. Measure and celebrate reporting as its own success.
  • Making the button hard to find. A reporting process buried in a wiki page or a hard-to-remember email address guarantees low adoption. If it is not one click in the inbox, it is too many steps.

Key Takeaways

  • Reporting protects everyone; not-clicking protects one. A single report lets the team defend every inbox.
  • Speed is the payoff. Fast reporting collapses attacker dwell time and is often what starts containment.
  • Remove all friction. A one-click button in the inbox, like empowsec's Gmail/Workspace and Outlook add-ons, lifts report rates more than any poster.
  • Make it blameless and visible. No penalty for false alarms or late reports, and always close the loop so people see their impact.
  • Wire it to incident response. Triage, act at scale, feed results into training, and track report rate and time-to-report.
Share: