Phishing report rate as paired program-quality signal alongside click rate

Phishing Report Rate: Why It Matters More Than Click Rate

Click rate is the metric every phishing-simulation program reports. Report rate is the metric mature programs report alongside it. The difference: click rate measures passive susceptibility (how many users fell for the lure); report rate measures active detection (how many users recognized and reported it). The 2026 program-quality conversation has shifted from "what is your click rate?" to "show us a 12-month click-rate trend AND a 12-month report-rate trend" - and the same shift is reflected in cyber-insurance underwriting questionnaires, SOC 2 audit-evidence packages and board reporting expectations.

This post explains what report rate is, why it matters more than click rate alone, the channel mechanics that drive it, the industry benchmarks at 12 and 24 months, the program-design choices that move the number and where it sits in the broader program-quality story.

The two-metric view of program quality

A program with a 5% click rate sounds successful. A program with a 5% click rate and a 10% report rate is incomplete: roughly 85% of recipients neither clicked nor reported, and that silent majority is invisible during a real attack. A program with an 8% click rate and a 40% report rate is materially better than either, because its workforce is actively recognizing and reporting threats rather than staying quiet. Detection requires reporting; reporting is what turns the user population into a distributed sensor.

The metric pair tells the story click rate alone cannot:

  • High click + low report: novice program, no recognition culture, real attacks proceed undetected.
  • Low click + low report: passive program. Users are not falling for lures but also not signaling threat. A real lure that lands outside trained patterns will succeed unobserved.
  • Low click + high report: mature program. Users recognize threats and surface them to security operations. Real attacks get detected at the user layer before they spread.
  • High click + high report: looks contradictory but happens during transitions - typically when the difficulty-tier mix shifts upward and users report the new lure pattern even while some are still clicking it. A 12-month view smooths it out.

The narrative target is the third quadrant: click rate going down AND report rate going up. Both metrics on the board report; both metrics on the renewal application; both metrics on the SOC 2 evidence packet.

Calculation

Report rate = (unique users who reported / total recipients) x 100, calculated per campaign and on rolling 90-day and 12-month trend lines. The companion calculation is unique-users-who-clicked / total recipients (click-through rate), and the two read together. Same denominator, different numerators, both per-cohort and rolling-trend.

"Unique users" matters because reports and clicks both have repeat behavior. A single user who reports five different phishing simulations counts once in unique-reporter for the rolling trend; the campaign-by-campaign count picks up the per-campaign behavior. Most reporting platforms (including Bait & Phish) handle this distinction automatically; if you're computing it manually, the deduplication is the most common error source.
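The calculation above, and the quadrant reading from the two-metric section, as an added worked example (not Bait & Phish code or any platform's reporting logic). It uses constructed data: 20 invented recipients and three invented campaigns. The rolling windows count a user once however many campaigns they clicked or reported in, and a second, deliberately naive function sums per-campaign counts instead, which is the deduplication mistake the text warns about. The quadrant thresholds (click rate above 10%, report rate above 30%) are assumptions chosen for illustration, not benchmarks from the page.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample data for the example: 20 recipients and three campaigns.
# Names, dates and click/report sets are invented, not real program data.
USERS = frozenset(f"u{i:02d}" for i in range(1, 21))


@dataclass(frozen=True)
class Campaign:
    cid: str
    sent: date
    recipients: frozenset
    clicked: frozenset   # users who followed the lure
    reported: frozenset  # users who used the report channel (may overlap clicked)


CAMPAIGNS = [
    Campaign("c1", date(2025, 1, 10), USERS,
             frozenset({"u02", "u05", "u11", "u17"}),
             frozenset({"u01", "u03", "u08"})),
    Campaign("c2", date(2025, 4, 15), USERS,
             frozenset({"u05", "u17"}),
             frozenset({"u01", "u03", "u05", "u08", "u09", "u12", "u14", "u19"})),
    Campaign("c3", date(2025, 7, 20), USERS,
             frozenset({"u17"}),
             frozenset({"u01", "u03", "u04", "u06", "u08", "u09", "u12",
                        "u14", "u15", "u18", "u19"})),
]


def pct(numer, denom):
    """Percentage rounded to two decimals; 0.0 when there are no recipients."""
    return round(100.0 * numer / denom, 2) if denom else 0.0


def campaign_rates(c):
    """Per-campaign (click_rate, report_rate): unique users / recipients."""
    n = len(c.recipients)
    return pct(len(c.clicked & c.recipients), n), pct(len(c.reported & c.recipients), n)


def in_window(campaigns, as_of, days):
    """Campaigns sent within the last `days` days up to and including as_of."""
    start = as_of - timedelta(days=days)
    return [c for c in campaigns if start < c.sent <= as_of]


def rolling_rates(campaigns, as_of, days):
    """Rolling unique-user rates: a user who clicked or reported in several
    campaigns in the window counts once in the numerator. The denominator is
    the set of distinct recipients in the window (an assumption of this example)."""
    window = in_window(campaigns, as_of, days)
    recipients = frozenset().union(*(c.recipients for c in window))
    clickers = frozenset().union(*(c.clicked for c in window)) & recipients
    reporters = frozenset().union(*(c.reported for c in window)) & recipients
    return pct(len(clickers), len(recipients)), pct(len(reporters), len(recipients))


def naive_rolling_rates(campaigns, as_of, days):
    """The common mistake: summing per-campaign counts. A user who reports in
    three campaigns is counted three times, so this is a per-message rate,
    not the unique-user rate the metric definition asks for."""
    window = in_window(campaigns, as_of, days)
    sent = sum(len(c.recipients) for c in window)
    return (pct(sum(len(c.clicked) for c in window), sent),
            pct(sum(len(c.reported) for c in window), sent))


def quadrant(click_rate, report_rate, click_high_above=10.0, report_high_above=30.0):
    """Map a (click, report) pair to the four-quadrant reading. Thresholds are
    illustrative assumptions, not industry benchmarks."""
    click = "high click" if click_rate > click_high_above else "low click"
    report = "high report" if report_rate > report_high_above else "low report"
    return f"{click} + {report}"


if __name__ == "__main__":
    for c in CAMPAIGNS:
        click, report = campaign_rates(c)
        print(f"{c.cid} {c.sent}: click {click}%  report {report}%  -> {quadrant(click, report)}")
    as_of = date(2025, 12, 31)
    print("12-month unique-user :", rolling_rates(CAMPAIGNS, as_of, 365))
    print("12-month naive (sum) :", naive_rolling_rates(CAMPAIGNS, as_of, 365))
    print("90-day as of 2025-08-01:", rolling_rates(CAMPAIGNS, date(2025, 8, 1), 90))
```

Note how the two rolling functions disagree on the same data: the unique-user report rate is 60% while the summed version reads 36.67%, because the naive sum dilutes repeat reporters across every message sent. A board slide that quietly mixes the two across quarters will show a trend that does not exist.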

Industry benchmarks

Mature programs target the following benchmarks:

  • 30-50% report rate at 12 months - the maturity threshold where the program's reporting culture is observably working. Below 20% at 12 months suggests the reporting channel is too high-friction or the program is not acknowledging reports.
  • 50%+ at 24 months - the point at which more recipients report a lure than ignore it. Programs that hit this have shifted the workforce from passive susceptibility to active detection.
  • Industry vertical variation: financial services and government typically hit higher report rates faster (35-50% at 12 months) due to security-mindfulness culture; healthcare and manufacturing tend to lag (20-35% at 12 months) because clinical and operational time pressure compresses the moment a user has to evaluate and report.

The KnowBe4 Phishing By Industry report and several other published benchmarks roughly align with these ranges, though specific cohort definitions vary. The pattern across published data is consistent: report rate is the younger metric (most programs only started tracking it consistently around 2022-2023), and its curve has the same shape as click-rate progression (steep early gains, slower late-stage refinement).

Channel mechanics

Three program-design choices drive report rate:

One. Low-friction reporting. The friction difference between a one-click add-in and copy-paste-to-phishing-mailbox is the single largest input to whether reporting becomes habitual. Microsoft 365 exposes a built-in Report button in Outlook that feeds Defender for Office 365's user-reported messages. Gmail and Workspace have a native "Report phishing" option in the message menu. Bait & Phish ships an Outlook add-in that integrates with the simulation platform so reports surface to security and trigger remediation training in one workflow.

Two. Positive acknowledgment. When a user reports a simulated phish correctly, the auto-response is "thanks - you reported a phishing simulation correctly. The lesson here is X." When they report a real phish, the response is "thanks - this was a real phishing email and we've removed it from other inboxes; you helped protect 247 colleagues." The acknowledgment turns reporting from invisible work into visible contribution and produces measurable report-rate compounding over the next 6-12 months.

Three. Avoid punishment for non-reporting. The strongest research on awareness-program design - from ENISA, CISA Cyber Hygiene resources and academic studies - is unambiguous: punishing non-reporting depresses both report rate and self-disclosure of real incidents. Users who fear consequences for missing a phish under-report future real incidents, lengthening dwell time and increasing breach severity. Reserve escalation for repeat clickers on hard-difficulty templates, and even there escalation means additional training, not discipline.

Multi-channel reporting

Email reporting is the foundation; SMS and voice need their own report channels. Most 2026 cyber-insurance underwriting questionnaires and SOC 2 audit-evidence requests now ask about all three channels.

  • SMS smishing: forward-to-shortcode pattern where users forward suspicious texts to a configured short code that auto-acknowledges. Some carriers cooperate via the 7726 (SPAM) reporting code; enterprise programs typically run a parallel internal short code that feeds the simulation platform.
  • Voice vishing: dedicated voicemail or chat-based report channel. The chat-based variant ("text the security team if you got a suspicious call") consistently produces higher report rates than voicemail because the friction is lower.

Without multi-channel reporting, smishing and vishing campaigns can't measure report rate at all. The result on a renewal application is "no data" - which underwriters increasingly read as program-coverage gap.

Where this sits in the cyber-insurance conversation

Three years ago the underwriting question was "do you run phishing simulations?" (yes or no). Two years ago it became "what is your click rate?" (point-in-time number). The 2026 standard is "show us a 12-month click-rate trend AND a 12-month report-rate trend." Underwriters caught up around 2024 and now treat the paired metrics as the standard program-quality signal.

The renewal narrative that holds premiums down: "click rate has gone from 22% baseline to 6% sustained over 18 months; report rate has gone from 4% to 38% over the same window." Both numbers, both trends, both broker-quotable. The narrative that produces flat or rising premiums: a single click-rate number with no trend line and no companion report-rate metric. The 9 questions cyber insurers ask include this metric pair explicitly on 2026 applications.

Pulling it together

Click rate without report rate is half the program-quality story. The metric pair turns a one-dimensional susceptibility number into a two-dimensional program-maturity narrative: passive susceptibility going down AND active detection going up. Mature programs report both, target both, design around both. The next phishing-program review you produce - to the board, to the broker, to the auditor - should lead with the pair, not the click number.

If you're running a phishing program that tracks click rate but not report rate, that's the quickest improvement available. Deploy a one-click reporting channel, acknowledge every report, track the metric monthly and review the 12-month trend at quarterly board reporting. Start a free trial covering up to 25 users if you want to see the report-rate workflow integrated end-to-end with the simulation platform. For full deployment, see pricing or contact us.
