PAB User Comments and Email Disposition Guide
The User Comments and Email Disposition feature for the Phish Alert Button (PAB) allows your users to add comments and decide the disposition of an email when they use the PAB. This new feature can provide your IT security team with the reported email’s disposition as an early warning of possible phishing attacks or malicious emails. Your IT security team can then take effective action to prevent security or network compromise.
Note: The User Comments and Email Disposition feature is only available for the Hybrid Phish Alert Button and Microsoft 365 (Outlook 2016 or above, Outlook Web Access). Currently, this feature only supports English text entries.
Click the links below to learn how to enable this feature, how this feature works, and how your users can use this feature in their inboxes.
Enabling User Comments and Email Disposition
To allow your users to send comments and decide the email’s disposition, follow the steps below:
- Log in to your KnowBe4 console and navigate to your Account Settings screen. This screen will look different depending on your account version. For more information, see the Enable and Configure section of our Phish Alert Button (PAB) Product Manual.
- Navigate to Account Integrations > Phish Alert.
- Select the Enable Phish Alert check box.
- If a Phish Alert instance does not exist, click the green Add Phish Alert Instance button.
- Select the Allow users to leave comments and disposition check box.
When your users click the PAB to report an email, the sidebar will include options to suggest the disposition of the email. The possible dispositions are Phish/Suspicious, Spam, and Unknown. For more information about each of these dispositions, see the list below:
- Phish/Suspicious: These emails are sent by cybercriminals to entice you to click on a link or to give up personal or sensitive information.
- Spam: These emails are typically sent from companies trying to sell your users a product or service.
- Unknown: Your users can select this option if they are unsure whether an email is a phish or spam. This is the default setting.
Users are not required to suggest a disposition when using the Phish Alert Button. For more information on the difference between phishing and spam emails, see our How to Use the Phish Alert Button (PAB) Downloadable PDF.
Your users can use the Add a comment section to tell your security team why they chose to classify the email as Phish/Suspicious, Spam, or Unknown. This text box can be used to explain any potential red flags that your users noticed in the email. These comments can help your security team get a better understanding of what indicators they should look out for when reviewing the reported emails. Users are not required to add a comment when using the Phish Alert Button.
When your users submit user comments, you can view the comments either in PhishER or in the PAB notification emails. In the PAB notification emails, the user comments will be attached as a .json file and displayed in the User Comments section.
For information about viewing user comments in PhishER, see the PhishER Integration section below.
You can also view your users' suggested dispositions and comments in your PhishER platform. Using PhishER, you can further categorize suspicious emails and determine if these emails are legitimate.
In PhishER, the Phish/Suspicious and Spam dispositions will appear as tags on individual emails. You can use these tags to separate your users' suggested dispositions from other tags in PhishER. The word User: will appear in front of the Phish/Suspicious and Spam tags. No tag will appear for an email that is reported as Unknown.
You can view all user comments in the Discussions tab on the right side of the Message Details page. Each user comment will appear in the corresponding email, along with the user's name.
The User Comments and Email Disposition feature is compatible with the Hybrid PAB and Microsoft 365 (Outlook 2016 or above, Outlook Web Access). When a user clicks on the Phish Alert Button to report an email, the Phish Alert sidebar will appear. Once your users select the email's disposition and add comments, they will click on the Phish Alert button to report the email.