Reporting Issues and Security Concerns

Report anything that looks or feels wrong, including: unexpected login attempts or account activity, emails requesting credentials or urgent payments, links or attachments you weren't expecting, platform behaviours that seem different from usual, colleagues asking you to bypass normal processes, and any suspicion that credentials may have been seen by someone who shouldn't have them. When in doubt, report it — the cost of an unnecessary report is low; the cost of a missed incident is high.

Use your organisation's designated reporting path — typically a specific email address, Slack channel, or ticketing system for security concerns. If the incident is urgent (active account compromise, live phishing attempt in progress), contact your team lead or IT contact directly by phone rather than waiting for a ticket response. Include as much detail as you can: what you saw, when, where, and who else might be affected.

Reporting a security concern — including one you may have contributed to — is always the right action. Organisations that punish the person who reports an incident create environments where incidents go unreported and grow. If you clicked a phishing link, if you accidentally sent data to the wrong person, if you shared a credential before you knew you shouldn't — report it immediately. The response to an incident reported within minutes is always better than the response to one discovered days later.

Once you've reported an incident, follow any instructions from your security or IT contact. Don't discuss the incident broadly until you've been told it's safe to do so. Don't attempt to investigate or remediate the issue yourself unless specifically asked. Keep a note of what you reported and when, in case you need to reference it later. If you don't receive acknowledgement of your report within a reasonable time, follow up — don't assume it was received.