2025
CULTURE SOCIETY cybersecurity

Phishing Gets Free Rein

Despite widespread cybersecurity training, most companies make phishing difficult to report — giving scammers free rein.

ERIC SUN

Sun is an assistant professor in the College of Computing & Informatics.

Phishing scams flood inboxes every day, tricking victims into clicking malicious links — but what happens next? Usually, not much. Despite the threat, companies rarely make it easy to report phishing attempts, and even fewer take action to shut them down.

To assess how bad the problem is, researchers from Drexel’s College of Computing & Informatics and Arizona State University launched their own simulated phishing attacks. They found that most organizations offer little support for reporting scams, leaving phishing sites to operate unchecked.

To conduct their work, they created a set of test phishing websites — in accordance with ethical research requirements and with prior notification to the domain registrar and hosting service provider — spoofing the sites of Fortune 100 companies.

Over the course of two months, the team reported phishing attacks over a dozen times — a challenging process, they often found, because of the logistics of forwarding emails to a dedicated reporting address. They then tracked how many of their bogus sites were accessed — an indicator that the companies were investigating the report — and how many were ultimately blocked.

Their findings, presented at the International Symposium on Research in Attacks, Intrusions and Defense, revealed that less than half of Fortune 100 companies offer any channel for reporting these scams. They also discovered that nearly 30% of reported websites were never accessed as part of an investigation and only 3% were ever blocked from access. Their report is one of the first comprehensive studies to look at the attitudes and actions around phishing reporting.

“Although users are constantly trained and instructed on how to identify and report phishing emails, the reaction they receive in the actions taken — or, more often, not taken — by the companies to which they report creates a negative feedback that discourages them from reporting future emails,” says Eric Sun, an assistant professor in the College of Computing & Informatics who helped to lead the research.