What sort of rewards do employees get for successfully reporting suspicious emails or other kinds of phishing?
Head of Information Security in Services (non-Government), 2 years ago
We don't currently offer rewards for reporting phishing, but it's something we're interested in pursuing. We want to reward good behavior and, when people do report phishing attempts, we also want to tell them whether it actually was or was not a phishing email. Through certain platforms, you can provide that affirmation for positive identifications, and if an email is mistakenly reported, you can tell the user that it wasn’t phishing but thank them for reporting it anyway.
Whilst we do not (generally) reward users for successfully reporting simulated, or even legitimate phishing mails, we do recognise their efforts. However, during the Security Awareness Week in Oct, we have used prizes for users who complete all training and successfully identify the phishing emails sent during that week.
I think that recognition, resulting in closing the loop, awareness and learning are the best outcomes to drive behaviour.