The bystander effect around corporate emails: Why "delete" is the enemy of defence

In the second quarter of this year alone, organisations were hit with close to one million phishing attempts. As these attacks become more sophisticated, organisations are deploying advanced automated defences to hold the line. Yet, despite these investments, a critical gap remains in the human layer of security. It is not a lack of awareness, but a specific behavioural habit: the tendency to simply hit "delete", says Anna Collard, SVP of Content Strategy & CISO Advisor at KnowBe4 Africa.


The psychology of the "Delete" button

There is a reason the "Report Phishing Email" button is often the most-ignored tool in any email client.

“Deleting is a reflex; reporting is a decision,” explains Collard. “For the most part, people simply want to clear the clutter. Deleting a suspicious email feels like ‘dealing with the problem,’ but in reality, it is merely hiding it.”

This hesitation is often driven by the "bystander effect" – the assumption that someone else has likely already spotted the issue and flagged it. Additionally, there is a lingering fear of embarrassment. Employees can even worry about "crying wolf".

“People worry they’ll be wrong,” notes Collard. “Others simply forget the option exists. But silence is dangerous. Without reports, defenders cannot see the attack pattern, and the automated systems miss a crucial opportunity to learn.”

From manual tickets to machine learning

Historically, reporting a phishing email meant creating a ticket for an overworked IT analyst to investigate manually. Today, the role of the "Report" button has fundamentally changed. It has become a data signal that feeds directly into the organisation’s Human Risk Management (HRM) platform – not some outdated manual “help” button.

“When a user reports a suspected email, it triggers an automated triage process,” Collard comments. “The system gauges the criticality of the phishing email and its potential impact in real-time.”

This input allows AI-driven defence layers to instantly analyse the threat. If confirmed as malicious, the system can automatically update filters and remove similar emails from other inboxes across the organisation – a process known as threat orchestration.

“One report can prevent dozens of clicks,” says Collard. “By helping security teams triage and neutralise campaigns faster, attacker dwelling time is reduced, and the potential for financial and reputational damage is limited.” In this context, the employee is both a user and an active sensor in the defence network. A single click on the report button creates a ripple effect of immunity that protects colleagues who might be less vigilant.
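As an added illustration of the orchestration step described above (example code written for this article, not KnowBe4's or any HRM platform's own), the Python sketch below takes one reported email, extracts campaign indicators from it, sweeps a constructed mail store for colleagues' copies of the same lure and returns what would be quarantined and added to the filters. The matching rule (same sending domain plus either a shared lure URL host or the same subject line) and every address, domain and message are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

@dataclass(frozen=True)
class Email:
    mailbox: str
    sender: str
    subject: str
    body: str

def normalise_subject(subject):
    # drop Re:/Fwd: prefixes and case so forwarded copies of the lure still match
    s = re.sub(r"^(?:(?:re|fwd?)\s*:\s*)+", "", subject.strip(), flags=re.I)
    return re.sub(r"\s+", " ", s).lower()

def indicators(email):
    # campaign indicators taken from one message: sending domain, lure URL hosts, subject
    domain = email.sender.rsplit("@", 1)[-1].lower()
    hosts = frozenset(h.lower() for h in (urlparse(u).hostname for u in URL_RE.findall(email.body)) if h)
    return domain, hosts, normalise_subject(email.subject)

def same_campaign(reported_ind, email):
    # assumed heuristic: same sending domain plus a shared lure host or the same subject line
    domain, hosts, subject = indicators(email)
    return domain == reported_ind[0] and (bool(hosts & reported_ind[1]) or subject == reported_ind[2])

def orchestrate(reported, mailstore):
    """One confirmed report: derive blocklist entries, sweep every other mailbox, quarantine matches."""
    ind = indicators(reported)
    hits = [m for m in mailstore if m is not reported and same_campaign(ind, m)]
    return {
        "block_sender_domain": ind[0],
        "block_url_hosts": sorted(ind[1]),
        "quarantined": len(hits),
        "protected_mailboxes": sorted({m.mailbox for m in hits}),
    }
# constructed sample mail store: alice's report plus what sits in three colleagues' inboxes
MAILSTORE = [
    Email("alice", "payroll@hr-portal-update.example", "Action required: payroll update",
          "Confirm your details at https://hr-portal-update.example/login before Friday"),
    Email("bob", "payroll@hr-portal-update.example", "RE: Action required: payroll update",
          "Reminder, use https://secure-verify.example/b"),          # matched on subject
    Email("carol", "notice@hr-portal-update.example", "Your payslip is ready",
          "Download: https://hr-portal-update.example/payslip"),      # matched on lure host
    Email("dave", "hr@corp.example", "Action required: payroll update",
          "Genuine notice: https://intranet.corp.example/payroll"),   # legitimate, left alone
]
```

Calling `orchestrate(MAILSTORE[0], MAILSTORE)` quarantines bob's and carol's copies while leaving dave's genuine HR notice untouched, which is the "one report, many protected inboxes" effect the text describes.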

Building a culture of psychological safety

Shifting behaviour from "delete" to "report" requires more than a bigger button on the toolbar; it requires a culture of psychological safety. Employees must feel that their input is valued, even if they occasionally flag a safe email by mistake, or fail to flag a malicious one. “Organisations need to make it safe to be unsure, and even wrong sometimes,” says Collard. “If an employee reports a legitimate email, the response should not be negative, but a simple ‘thank you for staying vigilant’. People report more frequently when they feel their action truly matters and is appreciated.”

Collard recommends gamification and positive reinforcement as powerful tools to build this habit. Acknowledging employees who catch sophisticated phishing attempts – through monthly shoutouts or leaderboards – reinforces the idea that reporting is a valued security action, not an inconvenience. “Encouraging easy reporting and automating the analyst workflow delivers measurable operational business value,” she notes. “It transforms the workforce from passive targets into active defenders.”

The high stakes of silence

The cost of unreported threats is high. Unreported phishing attempts often linger in the network, giving attackers time to establish a foothold. IBM’s latest Cost of a Data Breach report highlights that breaches linked to phishing are among the most expensive to contain, largely due to delayed detection.

“When users report early, the attack chain is interrupted at the weakest point, dramatically reducing downstream damage,” stresses Collard. “By contrast, a strong internal reporting culture gives organisations real-time threat visibility, allowing security teams to act before attackers gain a foothold. An effective phishing-reporting process needs to be integrated into a culture where reporting is normal,” Collard concludes. “When that culture takes hold, one click can prevent another person’s potentially costly error.”