The Phish Alert Button (PAB) add-in for Microsoft Outlook, Microsoft Exchange, Microsoft 365, and Google Workspace gives your users the ability to report suspicious emails.
In this article, you will learn how to enable and configure the PAB, choose the PAB installation guide best suited for your organization, and how to set up multiple PAB instances.
To learn how installing the PAB can benefit your organization and for best practices, see our Best Practices for Phish Alert Button (PAB) Implementation article.
What Data Is Sent to Our Servers?
The PAB communicates with our API over TLS 1.2, which is securely encrypted. The external IP address, user agent, and other standard browser information are sent to us as part of the standard HTTPS communication.
The information that is sent from the user's machine to our servers is listed below:
- License Key
- PAB version
- Operating system (OS)
- Operating system architecture
- This includes 32-bit or 64 bit.
- Microsoft Outlook version
- Windows configured language
- This is the language code. For example, EN for English, DE for German, and so on.
- Operating System ID
- This is a random GUID generated for each individual workstation.
- User's email address
- We do not store your users' email addresses unless it is already in our system.
When the user reports an email that is not a simulated phishing email, the reported email will not be sent to us unless you have the Send Us a Copy setting enabled in your Account Settings. When this setting is enabled, reported emails are forwarded to us, and to the email addresses specified in your Account Settings. For more information about this setting, see the Enable and Configure PAB section below.
Enable and Configure PAB
Before you install the PAB, you will need to enable and configure the PAB in your Account Settings. To enable and configure the PAB, follow the steps below.
- Log in to your KnowBe4 console and navigate to your Account Settings screen. This screen will look different depending on your account version.
Free Version: If you have a free account, log in to your console and click the Get Started button. When you click, you will be taken to the Phish Alert Enabled screen. Skip to Step 3 for further instructions.
Paid Version: If you have a paid account, log in to your console and click on your email address in the top-right corner of the screen. Then, select Account Settings.
- Navigate to Account Integrations > Phish Alert.
- Select the Enable Phish Alert checkbox.
- Click the green Add Phish Alert Instance button.
Configure your PAB by filling out the fields in your Account Settings. For information about these fields, see below:
a. Enable Phish Alert: Select this check box if you want to enable Phish Alert Button for your account. If you deploy the PAB in your organization but you don't select this check box, your organization's PAB reports will not be recorded.
b. Icon: Upload your own custom icon for the Phish Alert Button. If you do not upload a custom icon, the default PAB icon will be used. To learn more about the image requirements for the icon, see our article on How to Change the PAB Icon article.
If you have previously installed the Phish Alert Button and this is your first time adding a custom icon, you will need to reinstall the PAB for the change to occur.
c. License Key: Use the license key to install the Phish Alert Button on your workstations. If you are using Google Apps with the Google Workspace Chrome extension, your license key is automatically built into your config .json file.
Note: A 2-digit environment indicator is included at the beginning of the PAB license key, to specify which environment the license key is from (US, EU, CA, etc.). The environment indicator is not available for the PAB for Outlook or HCL Domino (Lotus).
d. Limit CRID Validation: Enable this setting to allow a reported email with any Campaign Recipient ID (CRID) header to be classified as a simulated phishing email. When this option is not selected, the PAB uses CRID validation to detect whether or not an email that is marked with a training header is a simulated phishing email. If an email has a valid CRID and is reported for the first time within the past hour from the same account where the PAB was installed, it will be treated as a simulated phishing email. A simulated phishing email will be deleted and only shown as reported in the KMSAT console instead of being forwarded to PhishER. The PAB for HCL Domino (Lotus) does not use CRID validation.
Note: Enabling this setting is not recommended. However, you can enable this setting if CRID validation is causing simulated phishing emails to be reported as non-simulated phishing emails.
e. Send Non-Simulated Emails to: If a user reports a non-simulated email, you can send a copy of this email to specific users in your organization. To send these users a copy of these emails, enter the users' email addresses in this field. Email addresses must be separated by commas. Any simulated emails will not be forwarded.
f. Send Us a Copy: Enable this setting to send a copy of reported non-simulated phishing emails to KnowBe4 analysis. This email will include the original email header. We can use these emails to create phishing templates to use in future simulated phishing attacks. To learn more about sharing emails with us, see our Sharing Reported Phishing Emails with KnowBe4 with the Phish Alert Button (PAB) article.
g. Email Format (Hybrid PAB Only): Select how forwarded emails from the PAB should be formatted.
h. Autofill Phishing Languages with PAB Locale (Hybrid PAB Only): If you enable this setting, the PAB will autofill your users' profiles with their preferred phishing languages if that field is blank. For more information on how to set individual user languages, see our Localization Guide.
i. Enable Email Forwarding (Hybrid PAB Only): If you enable this setting, you will be able to forward emails to services that require email forwarding, such as Proofpoint. Enter the additional forwarding email address(es) in the Send Non-Simulated Emails to: field, and change the Email Format setting to .MSG.
j. Allow users to leave comments and disposition: Enable this setting to allow your users to add comments and decide the disposition of an email when they use the PAB. For more information, see our Adding User Comments and Email Disposition to the Phish Alert Button article.
k. Forwarded Email Prefix: This prefix will be added before the original subject line when a non-simulated phishing email is forwarded to the recipients you set in the Send Non-Simulated Emails to: field.
l. Confirmation Message: This message will be displayed to users after they click the Phish Alert Button. By default, this message asks the user to confirm whether or not they want to report the email. This field has a maximum of 255 characters.
m. Show a response when the user reports a non-simulated phishing email: If you enable this setting, the user will see this message when they report a non-simulated phishing email. This field has a maximum of 469 characters for the Client PAB and 500 characters for the Server PAB.
n. Show a response when the user reports a phishing security test email (Paid Only): If you enable this setting, the user will see this message when they report a simulated phishing email. This field has a maximum of 469 characters for the Client PAB and 500 characters for the Server PAB.
o. Response Duration __ seconds: Set the length of time the email response messages appear on the screen. The maximum duration is 60 seconds.
p. Button Text: This is the text that will appear on the Phish Alert Button in the user's email client.
q. Button Group Text: This is the text will appear under the Phish Alert Button in the user's email client.
r. Add Language: Click this button to add additional languages to your Phish Alert Button instances. This feature is only compatible with specific versions of the PAB. To see if your version of the PAB is compatible with the additional languages feature, see our Adding Languages to the Phish Alert Button article.
s. Save Phish Alert Settings: Click this button to save any changes made to your Phish Alert Button settings.
t. Outlook PAB installer for Windows: Download this PhishAlertButtonSetup.exe installation file to download the latest version of the PAB for Microsoft Outlook.
u. PAB manifest for Microsoft products: Download this manifest file to install the PAB for Microsoft 365 or Microsoft Exchange.
v. Chrome Extension PAB config file: Download this is the config file to install the PAB for Google Workspace.
Note: All settings, except Enable Phish Alert and Send Non-Simulated Emails to:, will be applied to the mail client once it has restarted. The updated settings for the Send Non-Simulated Emails to: option will be applied once a user clicks the PAB to report an email.
PAB Installation Guides
Installation of the PAB depends on the mail environment in your organization. Our PAB installation guides are listed below:
- Hybrid Phish Alert Button Product Manual
- This product manual is for the hybrid PAB for Microsoft 365 and Microsoft Exchange
- Gmail Add-On Product Manual
- Outlook (EXE Version) Product Manual
- Google Workspace (Chrome) Product Manual
In addition to our installation guides, you can watch review our Phish Alert Button Installations and User Experiences video tutorial and review our PAB Compatibility Matrix to determine which PAB is right for your organization.
Multiple PAB Instances
You can set up multiple instances of the PAB for your organization. Setting up multiple instances allows you to define unique settings for specific users, such as prompt messages or additional languages. When you add a PAB instance, you will receive an additional license key and you can customize the instance's settings.
To set up multiple PAB instances, see the articles below:
- How to Set Up Multiple Phish Alert Button Instances
If you have a paid account, your Dashboard will display a graph that tracks how many phishing emails your users have reported. You can download a CSV file that includes the following data: the date, the number of times the PAB was used, and whether the emails were simulated or non-simulated.
You can see which phishing emails a user reported in their user profile area, as well as on the Users tab of any phishing campaign in the console.
PAB User Activity
You can see which of your users are reporting messages with the PAB by navigating to Account Integrations > Phish Alert > See PAB User Activity.
From your Account Settings, you can view the PAB User Activity page. This page includes data such as when your users last used the PAB and how many times they've used the PAB. To see the PAB User Activity page, follow the steps below:
- In your KMSAT console, click your email address at the top-right corner of the page and select Account Settings.
- Navigate to Account Integrations > Phish Alert.
- Click See PAB User Activity. Once you click this link, the page will open.
The PAB User Activity page displays each user's email address along with their PAB instance, activity, and the globally unique identifier (GUID) for their workstation. The Latest Activity column displays the date and time when the user last used the PAB. The Activity Count column displays the total number of times the user has used the PAB.