
Behavioural science
Low phishing reports can still hide cyber risk
Security awareness training often gets measured through the behaviours people leave behind. The first numbers most teams check are click rate, report rate and training completion. They are useful numbers, but they only capture what employees actively did.
Employees who do not report suspicious emails are harder to assess. Some may have recognised the email as suspicious and decided no action was needed. Others may have been unsure whether to report it, or may not have seen the message as relevant to their work.
Reporting depends on more than spotting a suspicious email. A 2024 study on phishing intervention behaviour found that low perceived value, lack of feedback or communication, privacy concerns and other worries can discourage employees from reporting phishing emails.
SoSafe’s Adaptive Defence Playbook points to a similar issue in security culture. In its survey, 42% of security professionals say reporting mistakes or near misses is limited or avoided in their organisation. Within that group, 23% say employees limit reporting because they worry about the consequences, while 19% say employees rarely report or avoid it completely.
In the SoSafe Live | In Action: Adapting to Threats webinar, an audience question focused on the “silent population”, meaning employees who do not click, report or respond during simulations. While we’re exploring this in future product capabilities at SoSafe, the question raises a more immediate issue for security teams. When employees do not report suspicious emails in day-to-day work, what does that silence actually mean?
In this article, you’ll learn how to read low reporting more carefully, identify where employees may be hesitating, and make phishing reporting easier to act on without adding unnecessary noise for the security team.
Why low reporting is hard to read
Low reporting creates a gap in what security teams can see. Reports help reveal which suspicious emails reached employees, which patterns were noticed and where the organisation may need a faster response. When few people report, there is less evidence to work with.
There is also a motivation layer. Research on phishing reporting in organisations found that employees often report suspicious emails because they want to protect their organisation and colleagues. Responsibility, awareness of possible consequences and uncertainty also influence whether someone acts.
For security teams, these motivations are hard to read from a dashboard. Low reporting may reflect confidence, hesitation or a lack of perceived value in reporting. The reporting process therefore needs to capture more than volume.
The better target is reporting quality: enough context to support triage, fewer avoidable false positives and a calmer route for employees who interacted with something suspicious.
How can you make reporting easier to act on?
A good reporting flow helps employees explain what made an email feel suspicious without making the process feel heavy. Asking whether the concern is the sender, content, links or attachments gives employees a simple way to classify what they noticed. It also gives the security team more context than a forwarded email alone.
One way we support this is through the SoSafe Phishing Report Button. Employees can report suspicious emails directly from Outlook or Google, so the action stays inside the inbox.
Small moments of friction can change whether someone completes a report.
Small UX details can change reporting behaviour. During product work on the Phishing Report Button, someone at SoSafe noticed that the button could take a few seconds to load. It would have been easy to treat that as a minor delay. In practice, a few seconds can be enough for someone to move to another task, lose the thread, or leave the email for later. The team treated it as a user experience problem worth fixing because reporting needs to feel smooth when people are busy or unsure.
Optional Hints can help employees inspect specific details before they report, such as sender information, links or attachments. Where AI Hints are enabled, the system can also review message content and highlight suspicious patterns, while leaving the decision with the employee.
The flow also gives employees a clear way to explain what happened if they interacted with the email. If someone clicked a link, opened an attachment, replied or entered details, they can describe it in plain language. Security teams can then route or prioritise the case based on what actually happened.
Employees do not need reporting to feel dramatic. They need it to feel clear, quick and safe enough to complete.
Use reporting patterns to spot where guidance is missing
Reporting patterns can show where employees need more support, especially when the same behaviours appear across teams, regions or recurring threat types.
Look at timing first. Reports that come in before interaction suggest employees are pausing early enough to act. Reports that come in after someone clicked, opened an attachment or entered details may point to a need for earlier guidance.
Then look at uneven patterns across teams. Some may report almost everything, while others rarely do. That difference can help security teams decide whether the next step should be clearer reporting guidance, better prompts that help employees check before they report, or examples that feel closer to their day-to-day work.
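The timing and per-team comparison described above, as an added example that is not SoSafe's code or export format: it sorts each recipient into one behaviour bucket and summarises each team. The record layout, sample data and thresholds are assumptions made for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample: (team, employee, interacted_at, reported_at), minutes after
# delivery, None = did not happen. Field names are hypothetical.
EVENTS = [
    ("finance", "f1", None, 4), ("finance", "f2", None, 9),
    ("finance", "f3", 6, 8),    ("finance", "f4", None, None),
    ("sales",   "s1", 3, 15),   ("sales",   "s2", 2, 30),
    ("sales",   "s3", 5, None), ("sales",   "s4", None, 12),
    ("ops",     "o1", None, None), ("ops",  "o2", None, None),
    ("ops",     "o3", None, None), ("ops",  "o4", None, 7),
]

def classify(interacted_at, reported_at):
    """Place one recipient into exactly one behaviour bucket."""
    if reported_at is None:
        return "silent" if interacted_at is None else "interacted_unreported"
    if interacted_at is not None and interacted_at <= reported_at:
        return "reported_after_interaction"
    return "reported_early"

def team_summary(events, silent_threshold=0.5, late_threshold=0.5):
    """Per-team rates plus a follow-up hint; thresholds are illustrative assumptions."""
    buckets = defaultdict(Counter)
    for team, _emp, interacted_at, reported_at in events:
        buckets[team][classify(interacted_at, reported_at)] += 1
    summary = {}
    for team, c in buckets.items():
        total = sum(c.values())
        reports = c["reported_early"] + c["reported_after_interaction"]
        late_share = c["reported_after_interaction"] / reports if reports else 0.0
        silent_rate = c["silent"] / total
        if silent_rate >= silent_threshold:
            hint = "silence dominates: ask why, clarify reporting guidance"
        elif late_share >= late_threshold:
            hint = "reports follow interaction: add earlier guidance"
        else:
            hint = "most reports arrive before interaction"
        summary[team] = {"report_rate": reports / total, "silent_rate": silent_rate,
                         "late_share": late_share, "hint": hint}
    return summary

if __name__ == "__main__":
    for team, row in team_summary(EVENTS).items():
        print(team, row)
```

In the sample, finance and sales have the same report rate, and only the timing split shows that most sales reports arrive after an interaction.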
The SoSafe Phishing Report Button also supports learning in simulations. When employees correctly report a SoSafe phishing simulation, they can receive immediate confirmation that they spotted it. If they interact with a simulated phishing email, a short learning page can explain what happened and what to look for next time.
For real suspicious emails, the value is operational. Clearer reporting helps security teams see what employees are noticing, understand what happened before the report and decide what needs follow-up.
Watch the SoSafe Live | In Action: Adapting to Threats webinar to see how security teams can turn phishing reports into clearer signals, faster feedback and more adaptive follow-up.












