Phishing Reporting Policy
A phishing reporting policy template that tells employees how to spot suspicious messages, report them fast, and avoid spreading the threat. It also gives HR, IT, and managers a clear response path.
Trusted by frontline teams 15 years of frontline software AI customization in seconds
Built for: Healthcare · Financial Services · Professional Services · Education · Retail
Overview
This Phishing Reporting Policy template sets out how employees identify, report, isolate, and escalate suspected phishing attempts. It is designed for workplaces that want a clear, repeatable process for suspicious emails, texts, calls, QR codes, and fake login pages that may target credentials, payroll data, or internal systems.
Use it when you need a policy that tells workers exactly what to do after receiving a suspicious message, clicking a link, or entering information into a fake site. The template is also useful when HR and IT need a shared policy holder, a defined reporting channel, and a documented anti-retaliation statement for employees who report mistakes quickly and in good faith.
Do not use this template as a generic cybersecurity statement with no operational steps. If your organization does not have a reporting inbox, ticketing queue, or incident response owner, set those up before rollout. It is also not a substitute for a broader information security policy, acceptable use policy, or incident response plan. If you handle regulated personal data, pair it with privacy and breach-notification procedures so the reporting path, evidence preservation, and escalation timing are aligned.
Standards & compliance context
- This template supports incident reporting and access-control practices commonly used alongside GDPR and CCPA when phishing may expose personal data.
- If a phishing event leads to a data breach, the policy should connect to your breach-response process and any applicable state notification rules.
- The policy should preserve employee rights and avoid retaliation concerns when workers report mistakes in good faith, especially where discipline is handled through documented warning or PIP processes for repeated policy violations.
- If phishing reports involve employee communications or device use, align the policy with your broader privacy, acceptable use, and monitoring notices so collection and review are disclosed appropriately.
General regulatory context for orientation only — verify current requirements with counsel or the relevant agency before relying on this template for compliance.
What's inside this template
Purpose
Explains why the policy exists and what risk it is meant to reduce.
-
This policy establishes a clear, repeatable process for employees to **identify, report, isolate, and share information** about suspected phishing threats. The goal is to reduce the risk of credential theft, malware, fraud, and unauthorized access while protecting company systems, employee data, and customer information.
Scope
Defines which workers, devices, message types, and locations the policy covers.
-
This policy applies to all employees, contractors, temporary workers, interns, and managers who use company systems, accounts, devices, or data. It applies to email, text messages, chat platforms, social media messages, QR codes, voice calls, and any other communication channel used for business purposes. **Jurisdiction-specific notes:** - **California employees:** Personal data handling must be consistent with the **CCPA/CPRA** and the company’s privacy notices. - **Employees in the EU/EEA or UK:** Processing of personal data must follow **GDPR** requirements and local data-transfer rules. - **All U.S. employees:** This policy is not intended to interfere with protected concerted activity under **NLRA Section 7** or with rights under other applicable employment laws.
Definitions
Clarifies terms like phishing, smishing, vishing, suspicious message, and compromised account.
-
For purposes of this policy: - **Phishing** means a deceptive attempt to obtain credentials, financial information, personal data, or access to systems by impersonating a trusted person or organization. - **Suspicious message** means any communication that is unexpected, urgent, poorly written, spoofed, requests sensitive information, or directs the user to an unfamiliar link or attachment. - **Isolation** means stopping interaction with the message and preventing further exposure by not clicking, downloading, forwarding externally, or replying. - **Good-faith report** means a report made honestly based on a reasonable belief that a threat may exist. - **Sensitive information** includes passwords, MFA codes, payroll data, bank details, government identifiers, health data, and other confidential business or employee information.
Policy Statement
States the organization’s rule that suspected phishing must be reported immediately and not handled informally.
-
Employees must treat suspected phishing as a security incident and report it immediately. Employees are expected to act in good faith, preserve evidence, and follow instructions from IT/security or management. No employee may use company systems to intentionally bypass security controls, conceal a phishing event, or retaliate against a person who makes a good-faith report. The company will investigate reports promptly, limit access to related information on a need-to-know basis, and take reasonable steps to protect employee privacy and company data. This policy does not replace the company’s incident response, acceptable use, or data privacy policies.
Procedure
Gives employees and responders the exact steps to report, isolate, preserve evidence, and escalate.
-
### 1) Identify suspicious content Employees should look for common phishing indicators, including: - Unexpected requests for passwords, MFA codes, payroll details, gift cards, or wire transfers - Urgent or threatening language - Mismatched sender addresses, spoofed domains, or unusual reply-to addresses - Links that do not match the displayed text - Attachments that are unexpected or require macros/enabling content - Requests to bypass normal approval or verification steps ### 2) Isolate the threat If a message appears suspicious, the employee must: - **Do not click** links or open attachments - **Do not reply** to the sender - **Do not forward** the message to external parties - If possible, **mark the message as phishing** using the company reporting tool - Preserve the original message and headers if instructed by IT/security ### 3) Report immediately Employees must report suspected phishing **as soon as possible** using one of the approved channels: - The email/report-phishing button in the mail client - The security hotline or ticketing system - Direct notification to IT/security if the reporting tool is unavailable The report should include, when available: - Date and time received - Sender name and email address - Subject line or message preview - Screenshots or message headers, if requested - Any actions already taken (for example, whether a link was clicked) ### 4) Escalate if credentials or data were exposed If an employee clicked a link, opened an attachment, entered credentials, or shared sensitive information, the employee must notify IT/security immediately and follow instructions to reset passwords, revoke sessions, or isolate the device. ### 5) Share information safely Employees may share phishing warnings internally when authorized by IT/security or HR, but must not publicly post screenshots, customer data, or employee personal data. Any internal alert should be limited to the minimum information needed to help others avoid the threat. ### 6) Cooperate with investigation Employees must cooperate in good faith with follow-up questions, containment steps, and remediation actions. Managers should ensure employees have time to report security incidents without retaliation or unreasonable delay.
Roles & Responsibilities
Assigns ownership to employees, managers, HR, IT, security, and the policy holder.
-
- **Employees:** Identify suspicious messages, isolate them, report promptly, and follow remediation instructions. - **Managers:** Reinforce reporting expectations, support prompt escalation, and ensure employees are not discouraged from making good-faith reports. - **IT/Security:** Triage reports, contain threats, preserve evidence, investigate impact, and coordinate remediation. - **HR:** Support policy communication, training, and any employee-relations issues arising from incident handling. - **Policy holder / Compliance:** Review the policy for legal and regulatory alignment, including privacy and recordkeeping obligations.
Compliance, Discipline, and Anti-Retaliation
Explains how the policy is enforced, how repeated violations are handled, and why good-faith reporting is protected.
-
Failure to report suspected phishing, intentional bypassing of security controls, or mishandling sensitive information may result in corrective action up to and including termination, consistent with applicable law and company policy. Discipline will be based on the facts, severity, intent, prior warnings, and whether the employee acted in good faith. The company prohibits retaliation against any employee who makes a good-faith report or participates in an investigation. Nothing in this policy is intended to interfere with rights protected by the **NLRA**, including concerted activity, or with rights under the **FLSA**, **FMLA**, **ADA**, **Title VII of the Civil Rights Act**, or applicable state whistleblower laws such as **NY Labor Law § 740**. Where a phishing incident involves employee data, the company will handle information in a manner consistent with applicable privacy laws and internal retention rules. The company will not collect or disclose more personal information than is reasonably necessary for investigation and remediation.
Review and Revision
Sets the effective_date, version control, and annual review cadence so the policy stays current.
-
This policy will be reviewed at least annually and updated as needed to reflect changes in threats, technology, legal requirements, and business operations. The policy holder is responsible for maintaining the current version, documenting revisions, and communicating material changes to affected employees. California, New York, and other jurisdiction-specific requirements must be reviewed before adoption or amendment.
How to use this template
- 1. Fill in the policy holder, effective_date, version, applicable_jurisdictions, applicable_roles, and review_frequency so the document clearly states who owns it and where it applies.
- 2. Define the reporting channels employees must use, including the security inbox, ticketing system, hotline, or chat channel, and specify what information to include in a report.
- 3. Assign HR, IT, security, and manager responsibilities for triage, isolation, credential resets, message preservation, and employee follow-up after a suspected phishing event.
- 4. Train employees to stop interacting with the message, avoid forwarding it to coworkers, and use the approved reporting method immediately after receipt or discovery.
- 5. Review each incident for root cause, update controls or training as needed, and revise the policy after major threats, tool changes, or annual review.
Best practices
- Tell employees to report the message before deleting it, because headers, sender details, and links may be needed for triage.
- Require a single primary reporting path and a backup path so employees do not waste time guessing where to send a suspicious message.
- State clearly that employees should not click links, open attachments, reply, or forward the message to coworkers unless IT asks for a preserved copy.
- Include a simple isolation step for compromised accounts, such as immediate password reset and session revocation through the approved support channel.
- Use plain examples of phishing, smishing, vishing, and QR-code scams so nontechnical staff can recognize the policy applies to more than email.
- Document how quickly reports should be acknowledged and who handles after-hours escalation so urgent cases do not stall.
- Tie the policy to security awareness training and phishing simulations so employees see the same steps in both training and real incidents.
What this template typically catches
Issues teams running this template most often surface in practice:
Common use cases
Frequently asked questions
Who should use a phishing reporting policy template?
Use it if your organization wants a written process for employees to report suspicious emails, texts, calls, or chat messages. It is especially useful where HR, IT, security, and managers need a shared response path. The template is meant to be adapted to your reporting tools and escalation chain.
Does this template cover only email phishing?
No. A good phishing reporting policy should cover email, SMS smishing, voice vishing, QR-code scams, and fake login pages when those are used to steal credentials or data. You can narrow or expand the scope depending on your risk profile and the systems employees use. The policy should define what counts as a suspected phishing attempt.
How often should this policy be reviewed?
Review it at least annually, and sooner after a phishing incident, a major tool change, or a security incident involving employee credentials. Annual review helps keep reporting instructions, contact points, and isolation steps current. If your incident response process changes, update this policy at the same time.
Who should own the policy and the response process?
HR usually owns the policy text, while IT or security owns the technical response workflow. Managers should reinforce reporting expectations, but employees should not be asked to investigate on their own. The policy should name a policy holder and identify who receives reports after hours or during outages.
What laws or standards does this policy relate to?
This policy is usually tied to general workplace security and privacy practices rather than one single employment statute. It should support confidentiality obligations, data protection expectations, and incident response controls under applicable privacy laws such as GDPR or CCPA where relevant. If phishing reports may include employee data, the policy should also address access limits and retention.
What is a common mistake in phishing policies?
A common mistake is telling employees to 'be careful' without giving a concrete reporting method or isolation step. Another is failing to say what to do if someone clicked, replied, or entered credentials. The policy should make the next action obvious: report, do not forward, and isolate the message using the approved method.
Can this template be customized for different departments or countries?
Yes. You can customize reporting channels, response timing, language, and local privacy references by department or jurisdiction. If you operate across regions, add local carve-outs for data handling and incident escalation. Keep the core employee action steps consistent so reporting stays simple.
How does this compare with ad hoc email reminders?
Ad hoc reminders are easy to miss and often leave gaps in who to contact, what to preserve, and when to escalate. A written policy creates a repeatable process that employees can follow under pressure. It also gives HR and IT a defensible record of expectations, training, and enforcement.
Related templates
Ready to use this template?
Get started with MangoApps and use Phishing Reporting Policy with your team — pricing built for small business.
