Major companies do little to support phishing reporting, and many fail to act when phishing sites impersonating their brand are reported, according to new research from Drexel University and Arizona State University.
The study found that fewer than half of Fortune 100 companies offer ways to report phishing, and only 3% of reported sites are blocked.
Phishing scams often trick users into divulging personal data on fake websites. Despite cybersecurity efforts, phishing remains a major issue; in 2022, it topped the FBI’s cybercrime reports. Most companies instruct employees to report phishing as a last line of defense, but low reporting rates persist due to limited support and feedback.
The study identified five reporting methods: email, in-app buttons, SMS, online forms, and phone. However, reporting advice across agencies and companies is inconsistent, with only 65 of Fortune 100 companies providing guidance.
Users doubt effectiveness of reporting phishing
Through participant surveys, the researchers found that people often skip reporting because of time and doubts about the impact, and that those doubts are often justified.
“Although users are constantly trained and instructed on how to identify and report phishing emails, the reaction they receive in the actions taken — or, more often, not taken — by the companies to which they report creates a negative feedback that discourages them from reporting future emails,” said Eric Sun, PhD, an assistant professor in Drexel’s College of Computing & Informatics who helped to lead the research.
“Our research sheds a light on what it’s like to be a reporter and a company that receives a phishing report in hopes of improving this cybersecurity environment.”
An experiment in which researchers created test phishing sites showed that only 3% of these sites were blocked after being reported. Many companies either never accessed the sites or provided only auto-replies.
To improve phishing reporting, the study suggests companies enhance communication, offer feedback on reports, and provide clearer, more consistent guidance. Phishing reports remain crucial to fighting these scams, as technology alone cannot completely prevent them.