How to Report a Phishing Email (and Why It Matters)
Reporting phishing emails helps protect millions of other users. Learn exactly how to report phishing in Gmail, Outlook, Apple Mail, and to government agencies.
Why Reporting Phishing Matters
Most people delete phishing emails without a second thought. That's understandable — but reporting takes only a few clicks and has an impact that scales far beyond your inbox.
When you report a phishing email, several things happen:
The email provider improves its filters. Gmail, Outlook, and other providers use reported phishing emails to train their machine learning models. Your report helps these systems recognize similar attacks and block them for millions of other users.
The phishing site gets taken down. Reported URLs are added to blocklists used by browsers (Google Safe Browsing, Microsoft SmartScreen), antivirus software, and corporate security tools. This prevents other people from reaching the phishing site.
Law enforcement tracks patterns. Aggregated reports help agencies like the FBI's IC3, the FTC, and the Anti-Phishing Working Group identify phishing campaigns, attribute them to threat actors, and prioritize investigations.
Organizations learn about impersonation. When you report a phishing email to the company being impersonated (e.g., PayPal, Apple, your bank), their security team can take action against the phishing infrastructure and warn other customers.
A single phishing campaign may target millions of people. Your report might be the one that triggers detection and takedown — protecting thousands of others from falling victim. It's a collective defense mechanism, and it works. Google alone blocks more than 100 million phishing emails daily, largely powered by user reports and the patterns they reveal.
Reporting in Gmail
Gmail (Web):
- Open the phishing email (don't click any links within it)
- Click the three-dot menu (⋮) next to the Reply button
- Select "Report phishing"
- Click "Report Phishing Message" in the confirmation dialog
- The email is moved to spam, and the data is sent to Google for analysis
Gmail (Mobile App):
- Open the email
- Tap the three-dot menu (⋮) in the top-right corner
- Select "Report phishing"
- Confirm the report
Gmail tips:
- If the email is already in your Spam folder but was marked only as general spam rather than phishing, you can still open it and click "Report phishing"
- If the email is a legitimate message that Gmail incorrectly flagged as phishing, click "Report not phishing" to improve accuracy
- Google uses your reports to refine its ML models, improving detection for all 1.8 billion Gmail users
Reporting in Outlook
Outlook on the Web (Outlook.com):
- Select the phishing email (or open it)
- Click "Report" in the toolbar
- Select "Report phishing"
- The message is sent to Microsoft for analysis and deleted from your inbox
Outlook Desktop App (Microsoft 365):
- Select the phishing email
- On the Home tab, click "Report Message" (may need to be enabled by your admin)
- Select "Phishing"
- The message is reported to Microsoft and optionally to your organization's security team
If the Report button isn't available:
- Forward the email as an attachment to phish@office365.microsoft.com
- To forward as attachment: select the email, go to Home → More → Forward as Attachment
- This ensures Microsoft receives the full email headers for analysis
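Why forwarding as an attachment matters, shown as an added example that is not part of the original article: the original message travels as a `message/rfc822` part, so the analyst still sees the `Received`, `Authentication-Results` and `Reply-To` headers, which a simplified inline forward drops. The sample message, its hosts and addresses, and the function names are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed sample message; every host and address below is made up.
RAW_SAMPLE = (
    b"Received: from mail.sender.example (mail.sender.example [203.0.113.7])\r\n"
    b"\tby mx.recipient.example; Mon, 01 Jan 2024 10:00:00 +0000\r\n"
    b"Authentication-Results: mx.recipient.example; spf=fail; dkim=none; dmarc=fail\r\n"
    b'From: "Account Support" <support@sender.example>\r\n'
    b"Reply-To: collector@other.example\r\n"
    b"To: user@recipient.example\r\n"
    b"Subject: Verify your account\r\n"
    b"Message-ID: <constructed-1@sender.example>\r\n"
    b"\r\n"
    b"Please verify your account at http://login.sender.example/verify\r\n"
)

def _new_report(original, reporter, report_to, prefix):
    msg = EmailMessage()
    msg["From"], msg["To"] = reporter, report_to
    msg["Subject"] = prefix + str(original["Subject"])
    return msg

def build_report(raw, reporter, report_to):
    """Forward as attachment: the original travels as a message/rfc822 part."""
    original = message_from_bytes(raw, policy=policy.default)
    report = _new_report(original, reporter, report_to, "Phishing report: ")
    report.set_content("Suspected phishing; original message attached unmodified.")
    report.add_attachment(original, filename="original.eml")
    return report

def inline_forward(raw, reporter, report_to):
    """Simplified inline forward: only the visible body text is carried over."""
    original = message_from_bytes(raw, policy=policy.default)
    fwd = _new_report(original, reporter, report_to, "Fwd: ")
    fwd.set_content(original.get_content())
    return fwd

def attached_headers(report):
    """Re-parse a report as the receiving analyst would; return the original's headers."""
    parsed = message_from_bytes(report.as_bytes(), policy=policy.default)
    for part in parsed.iter_attachments():
        if part.get_content_type() == "message/rfc822":
            return {k.lower(): str(v) for k, v in part.get_content().items()}
    return {}  # inline forwards carry no attached original
```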
Outlook Mobile App:
- Open the phishing email
- Tap the three-dot menu (...)
- Select "Report junk" → "Phishing"
Reporting in Apple Mail and iCloud
Apple Mail on Mac:
- Select the phishing email
- Click "Move to Junk" in the toolbar (or right-click → Move to Junk)
- For more impactful reporting, forward the email to reportphishing@apple.com if it impersonates Apple
Apple Mail on iPhone/iPad:
- Open the email
- Tap the flag icon at the bottom
- Select "Move to Junk"
iCloud Mail on the Web:
- Select the email
- Click the flag icon
- Select "Move to Junk"
Important note about Apple Mail: Apple Mail's "Move to Junk" function primarily trains your local junk mail filter. For phishing that impersonates Apple specifically, always forward to reportphishing@apple.com. For broader impact, also report through the other channels described below.
Apple-specific phishing:
- Forward suspected Apple phishing emails to reportphishing@apple.com
- Forward information about suspicious FaceTime calls to reportfacetimefraud@apple.com
- Report suspicious iMessage spam via the "Report Junk" link below the message
Reporting in Other Email Clients
Yahoo Mail:
- Open the phishing email
- Click the three-dot menu (...)
- Select "Report" → "Phishing scam"
Proton Mail:
- Select the phishing email
- Right-click (or use the dropdown menu)
- Select "Move to spam"
- Proton uses aggregated spam reports to improve its filters
Thunderbird:
- Right-click the suspicious email
- Select "Mark" → "As Scam"
- For more impactful reporting, forward the email as an attachment to the Anti-Phishing Working Group (see below)
Corporate email (Google Workspace, Microsoft 365): Your organization may have specific phishing reporting procedures:
- A dedicated phishing reporting email address (e.g., security@yourcompany.com)
- A "Report Phishing" button integrated by your IT team
- A security awareness platform (KnowBe4, Proofpoint) with a dedicated reporting plugin
- Check with your IT department for your organization's specific procedure
Reporting to Government Agencies
Beyond your email provider, report phishing to relevant authorities:
Anti-Phishing Working Group (APWG):
- Forward phishing emails to: reportphishing@apwg.org
- The APWG is an international coalition of industry, government, and law enforcement focused on eliminating phishing
- They maintain the largest repository of phishing data worldwide
- Your report feeds into threat intelligence shared with the entire security community
Federal Trade Commission (FTC) — United States:
- Report at ReportFraud.ftc.gov
- The FTC collects reports and shares them with over 2,800 law enforcement agencies
- Also forward phishing emails to spam@uce.gov
FBI Internet Crime Complaint Center (IC3) — United States:
- Report at ic3.gov
- Use this for significant phishing incidents, especially those involving financial loss or sensitive data
- IC3 reports feed into FBI investigations of major cyber criminal operations
National Cyber Security Centre (NCSC) — United Kingdom:
- Forward phishing emails to report@phishing.gov.uk
- Report suspicious websites at ncsc.gov.uk/section/about-ncsc/report-an-incident
- The NCSC actively takes down phishing sites based on reports
Canadian Anti-Fraud Centre (CAFC):
- Report at antifraudcentre-centreantifraude.ca
- Call 1-888-495-8501
Australian Cyber Security Centre (ACSC):
- Report at cyber.gov.au/report
- Forward phishing emails to report@phishing.gov.au
For any country: Search for "[your country] report phishing" to find the relevant national cyber security agency.
Reporting to Impersonated Companies
Most major companies have dedicated email addresses for reporting phishing that impersonates them:
- Apple: reportphishing@apple.com
- Amazon: stop-spoofing@amazon.com (or use "Report" in the Amazon app)
- Microsoft: report@phishing.microsoft.com
- PayPal: phishing@paypal.com
- Bank of America: abuse@bankofamerica.com
- Chase: phishing@chase.com
- Netflix: phishing@netflix.com
- IRS: phishing@irs.gov (for IRS impersonation scams)
- USPS: spam@uspis.gov (for USPS impersonation)
For other companies, search their website for "report phishing" or "security" — most have a dedicated reporting mechanism.
Why report to the impersonated company?
These reports directly help the company's security team:
- Take down phishing sites by contacting hosting providers and domain registrars
- Block malicious domains in their security infrastructure
- Warn other customers through notifications and blog posts
- Work with law enforcement to identify and prosecute attackers
- Improve their email authentication (SPF, DKIM, DMARC) to make impersonation harder
What Happens After You Report
When you report a phishing email, a cascade of automated and manual processes begins:
Email provider response (minutes to hours):
- The email is analyzed — content, sender, URLs, and headers are examined
- If confirmed as phishing, similar emails in other users' inboxes are flagged or removed
- The sending domain may be blocked
- Machine learning models are updated to detect similar future attacks
URL/domain blocking (hours to days):
- The phishing URL is added to browser blocklists (Google Safe Browsing, Microsoft SmartScreen)
- DNS-level blocking services (Cloudflare, OpenDNS) add the domain
- Antivirus and security tools update their databases
- Users attempting to visit the URL see a warning
Hosting takedown (hours to days):
- The phishing site's hosting provider is notified
- Most legitimate hosting providers take down phishing sites within 24-48 hours
- Some providers are slower — especially those in jurisdictions with weak enforcement
- The domain registrar may suspend the domain
Law enforcement (days to months):
- Individual reports are aggregated with other reports of the same campaign
- Significant campaigns are prioritized for investigation
- International cooperation may be needed for cross-border operations
- Occasionally, major phishing operations are shut down entirely through coordinated law enforcement action
Your role in this chain is critical. The more reports a phishing campaign receives, the faster it's detected and shut down. The speed difference between the first report and the hundredth can mean the difference between a phishing site operating for hours versus days — potentially protecting thousands of additional victims.
After reporting, delete the phishing email. If you've already clicked on anything in the email, review our guide on spotting and responding to phishing for immediate response steps. And if you're concerned about whether your email has been exposed in any data breaches, check your passwords with our password strength checker.
Reporting phishing is one of the highest-impact, lowest-effort actions you can take for collective cybersecurity. A few clicks from you can protect thousands of others from the same attack. Think of it as digital civic duty — when you see something, report something. The entire security ecosystem benefits.