How to Report Phishing Emails and Help Stop Cybercrime

Why Reporting Phishing Matters

When you receive a phishing email and delete it without reporting it, the attacker continues to send the same campaign to thousands or millions of other people. When you report it, you contribute to detection systems, blocklists, and investigations that can disrupt the campaign and protect others.

Reporting phishing takes less than a minute. Here is how to do it effectively.

How to Report Phishing in Gmail

Method 1 (Easiest): Open the phishing email. Click the three-dot menu (⋮) beside the reply button. Select "Report phishing." Gmail uses this feedback to improve its spam filters and may report confirmed phishing to Google's Safe Browsing system.

Method 2: If the email is already in your spam folder, open it and click "Report phishing" at the top.

What not to do: Do not just delete or mark as spam — "Report phishing" sends the email for analysis beyond just your spam filter.

How to Report Phishing in Outlook

Open the phishing email. Click the "Junk" dropdown in the ribbon. Select "Phishing." Alternatively, right-click the email in your inbox and select "Security Options" then "Mark as Phishing."

Microsoft reviews these reports and uses them to improve its SmartScreen filtering and the Microsoft Defender threat intelligence database.

Forwarding to National and International Reporting Bodies

United States:
Forward the phishing email to the Anti-Phishing Working Group at reportphishing@apwg.org. Also report to the FTC at reportfraud.ftc.gov.

United Kingdom:
Forward suspicious emails to report@phishing.gov.uk — the National Cyber Security Centre's phishing reporting service.

European Union:
Report to your national CERT (Computer Emergency Response Team). A directory is available at enisa.europa.eu.

Australia:
Report to the Australian Cyber Security Centre at cyber.gov.au/report.

Globally: The Internet Crime Complaint Center (ic3.gov) accepts reports from international victims of internet crime, including phishing.

Reporting to the Impersonated Organization

If a phishing email impersonates a specific company — a bank, PayPal, Amazon, a government agency — report it directly to that organization. Most major organizations have dedicated phishing report email addresses:
- PayPal: phishing@paypal.com
- Amazon: stop-spoofing@amazon.com
- Apple: reportphishing@apple.com
- IRS (US): phishing@irs.gov

These organizations maintain threat intelligence teams that investigate impersonation campaigns and work with law enforcement.

Reporting SMS Phishing (Smishing)

For phishing text messages in the US: Forward the text message to 7726 (SPAM). This reports it to your carrier.

Also report smishing to the FTC at reportfraud.ftc.gov.

What to Include in a Phishing Report

When reporting through dedicated reporting channels or to organizations, include:
- The full original email (as an attachment if possible, so headers are preserved)
- The sending address
- The subject line
- Any URLs contained in the email (do not click them — copy the URL text)
- The date and time received

The email headers are particularly valuable for investigators tracking the origin of phishing campaigns.

What Happens After You Report

Your report contributes to:
- Email provider spam filter training (millions of user reports shape machine learning models)
- Blocklist additions that prevent the phishing domain or sender from reaching other users
- Threat intelligence databases used by security researchers
- In significant cases, law enforcement investigations into organized phishing operations

Individual reports may seem inconsequential, but collective reporting is one of the primary mechanisms through which phishing campaigns are identified and disrupted.

Protecting Yourself Going Forward

After receiving a phishing email, particularly a targeted one:

- Review which services the phisher may have been impersonating and ensure those accounts are secured
- Change passwords if you believe you may have clicked a link before recognizing the phishing
- Enable 2FA on targeted accounts if not already active
- Use Temp90 for future registrations to reduce the email-linked data available to phishing campaign researchers

FAQ:

Q: Is it worth reporting phishing if the email was obviously fake?
A: Yes. Even obviously fake phishing emails provide useful training data for spam filters and contribute to blocklist databases.

Q: Should I try to investigate the phishing email myself?
A: For most users, no. Follow the links carefully enough to identify them as malicious, then report. Active investigation (visiting the phishing site, responding to the email) carries risk and is best left to security professionals.

Q: Can reporting phishing lead to prosecution of the sender?
A: In some cases, yes. Organized phishing operations have been disrupted and prosecuted based on collective reporting that enabled investigation. Individual report contribution to law enforcement outcomes is indirect but real.

Conclusion:

Reporting phishing is a simple, fast action with collective impact. Using the built-in reporting tools in your email client and forwarding to national reporting bodies contributes to the threat intelligence ecosystem that protects other users. Combined with personal protective practices — strong authentication, phishing awareness, and using Temp90 for registrations — reporting phishing is the civic dimension of personal email security.