The Phish Alert Button (PAB) is an add-in that empowers your users to report suspicious emails, strengthening your organization's security posture against phishing and other malicious email threats. By providing a simple, centralized reporting mechanism, the PAB offers several technical and strategic advantages for organizations in managing email security.

This article outlines the key technical benefits of implementing the PAB in your organization.

Tracks Phishing Security Test (PST) Reporting

If you utilize KnowBe4's simulated Phishing Security Tests (PSTs), the PAB provides essential tracking capabilities.

• Tracking User Proficiency: When a user reports a simulated phishing email using the PAB, the action is recorded in your KnowBe4 Security Awareness Training (KSAT) console. This feature allows you to track which users are successfully identifying and reporting potential threats.
• CRID Validation: The PAB uses Campaign Recipient ID (CRID) validation to distinguish between simulated phishing tests and genuine threats. An email with a valid CRID that is reported for the first time within an hour of the installed account will be correctly identified as a simulated phish. This feature ensures it is only recorded as "reported" in the KSAT console and not forwarded to your security team or PhishER as a real threat.
• Reporting Data: You can view which phishing emails a user reported in their user profile and on the Users tab of any phishing campaign. This data provides insight into the effectiveness of your security awareness training program.

Centralized Reporting and Threat Analysis

The PAB offers a streamlined, centralized option for users to report suspicious emails without forwarding them directly to IT teams or help desks.

• Forwarding to Designated Inboxes: When a user reports a non-simulated email, the PAB can forward it to one or more designated email addresses, such as a security operations mailbox like phishalert@example.com. The email is typically attached in EML or MSG format for analysis. This feature consolidates all user-reported emails into a single location for your security team to review.
• Early Warning System: This centralized reporting provides your security team with an early warning of potential phishing attacks that have bypassed your existing security defenses, allowing for timely and effective action.
• KnowBe4 Analysis: You can opt to send copies of non-simulated reported emails to KnowBe4 for analysis. Our team analyzes these submissions to identify new phishing attacks and create new templates, including "Reported Phishes of the Week".

Ignores Training Notifications

To prevent training-related emails from flooding your security team's inbox, the PAB can be configured to ignore training notifications.

• TNID Recognition: When the Ignore Training Notifications setting is enabled, the PAB identifies emails with a valid training notification ID (TNID).
• User Feedback: If a user reports a training notification, the email remains in their inbox, and they receive a customizable pop-up message explaining the action. The message does not get forwarded as a threat.

Enhances Reporting with User Comments and Disposition

This feature enables users to provide valuable context when reporting an email, providing your security team with more information for their analysis.

• Email Disposition: Users can classify the reported email as Phishing or Suspicious, Spam or Junk, or Unknown. This feature provides an initial level of triage.
• User Comments: A comment box allows users to explain why they deemed an email suspicious, highlighting the red flags they noticed.
• Integration with PhishER: If you use PhishER, user dispositions are displayed as tags on the email, and comments are visible in the Discussions tab, facilitating the automated categorization and analysis of threats.
• Customization: Admins can customize the disposition labels and descriptions, and can route emails to different inboxes based on the selected disposition.

Provides Targeted User Training

To ensure users understand how and when to use the PAB, KnowBe4 offers several training modules in the ModStore that can be assigned through training campaigns.

• Available Modules: Training content includes modules like "Using the Phish Alert Button: Basic Use" and "Using the Phish Alert Button: Report Suspicious Emails," which cover various mail environments.
• Automated Enrollment: Training campaigns can be configured to automatically enroll new users, ensuring all employees receive the necessary PAB training.

Cross-Platform Compatibility with Microsoft and Google

The PAB is designed to work across the most common enterprise email environments, offering options for both Microsoft and Google Workspace users.

• Microsoft Environments: Versions include the Microsoft Outlook (EXE Version), the Hybrid PAB for Microsoft 365 and Exchange, and the Microsoft Ribbon PAB. The Hybrid PAB automatically detects the user's mail client and configures the best version for them. The PAB is also compatible with the Outlook Mobile App for iOS and Android.
• Google Workspace Environments: Options include the Gmail Add-on PAB and the PAB Chrome Extension. The Gmail Add-on works in both browser and mobile inboxes.

Integration with Microsoft Defender for Office 365

You can integrate the PAB with Microsoft Defender for Office 365 to streamline threat reporting and analysis.

• Centralized Submissions: This feature integration allows emails reported via the PAB to be sent directly to Microsoft’s Submissions page for analysis, in addition to your own designated mailboxes.

For additional information on any of the topics above, see our Phish Alert Button (PAB) Product Manual.