
Phishing Recognition and Reporting: Complete Guide

By Editorial Team


Phishing remains the most common initial attack vector for data breaches, account takeovers, and financial fraud. The FBI’s Internet Crime Complaint Center (IC3) received 859,532 cybercrime complaints in 2024 with reported losses exceeding $16 billion, and phishing topped the list by volume. The Anti-Phishing Working Group (APWG) documented 3.8 million phishing attacks across 2025, a slight increase from 3.76 million in 2024.

This pillar guide covers how to recognize phishing across every channel, how to report it to the right authorities, and how to build defenses that reduce your exposure by orders of magnitude.

What Phishing Actually Is

Phishing is a social engineering attack that uses fraudulent communications — email, SMS, voice calls, QR codes, or fake websites — to trick targets into revealing credentials, installing malware, or authorizing fraudulent transactions. The common thread is impersonation: attackers pose as trusted entities such as banks, employers, government agencies, or colleagues.

Phishing has branched into specialized variants. Spear phishing targets specific individuals with researched pretexts. Whaling goes after executives. Business email compromise (BEC) manipulates invoice and payment workflows. Smishing uses SMS, and vishing uses voice calls. Each variant exploits a different trust channel, but the recognition principles overlap.

Recognizing Phishing: The Five-Point Check

Effective recognition comes down to five inspections you can perform on any message in under 30 seconds.

1. Sender Verification

Examine the full sender address, not just the display name. Attackers register domains like paypa1-secure.com or microsoft-support.net that look legitimate at a glance. In email clients, expand the “From” header to see the actual domain. For a deeper look, inspect email headers for SPF, DKIM, and DMARC authentication results. Our email header analysis guide walks through this process step by step.

2. URL Inspection

Hover over links before clicking. Check for:

  • Misspelled domains (e.g., arnazon.com instead of amazon.com)
  • Suspicious subdomains (e.g., login.bank.attacker-domain.com)
  • URL shorteners that hide the true destination
  • HTTP instead of HTTPS on login pages

Our URL inspection guide covers advanced techniques including using WHOIS lookups and sandbox tools.
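The four URL checks above, written out as a small inspection routine. This is an added example, not code from the guide: the brand allowlist, the shortener list and the sample hostnames are constructed, and the "registered domain equals the last two labels" rule is a simplification that does not handle country-code suffixes such as .co.uk.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist of brand labels and the shorteners we treat as opaque.
KNOWN_BRANDS = ("amazon", "paypal", "microsoft")
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
LOGIN_RE = re.compile(r"login|signin|account|verify|password", re.I)
# Digits commonly swapped for letters in lookalike names (paypa1 -> paypal).
HOMOGLYPHS = str.maketrans("1035", "loes")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; arnazon vs amazon is 2 edits."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def inspect_url(url: str) -> list[str]:
    """Return the checklist red flags that apply to this URL (empty list = none)."""
    p = urlparse(url)
    labels = (p.hostname or "").lower().rstrip(".").split(".")
    # Registrable domain = last two labels (assumes .com-style TLDs, not .co.uk).
    reg_domain = ".".join(labels[-2:])
    reg_label = labels[-2] if len(labels) >= 2 else labels[0]
    flags = []
    if reg_domain in SHORTENERS:
        flags.append("URL shortener hides the true destination")
    for brand in KNOWN_BRANDS:
        if reg_label != brand:
            norm = reg_label.translate(HOMOGLYPHS)
            # Misspelled or padded registered domain: arnazon.com, paypa1-secure.com
            if brand in norm or edit_distance(norm, brand) <= 2:
                flags.append(f"registered domain {reg_domain} looks like {brand}")
            # Brand name appears only as a subdomain of someone else's domain
            if any(brand in lab for lab in labels[:-2]):
                flags.append(f"'{brand}' is only a subdomain of {reg_domain}")
    if p.scheme == "http" and LOGIN_RE.search(url):
        flags.append("login page served over plain HTTP")
    return flags
```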

3. Urgency and Pressure Tactics

Phishing messages create artificial urgency: “Your account will be suspended in 24 hours,” “Unauthorized login detected,” or “Payment overdue — act now.” Legitimate organizations rarely demand immediate action via email. Our social engineering red flags guide catalogs the psychological triggers attackers exploit.

4. Attachment and File Analysis

Unexpected attachments — especially .exe, .zip, .js, .docm, or .html files — are high-risk. Even PDF and Office documents can contain malicious macros or embedded links. Never enable macros in documents you were not expecting.

5. Request Validation

Any message requesting credentials, financial information, wire transfers, or gift card purchases should be verified through a separate channel. Call the purported sender using a known phone number, not one provided in the suspicious message.

Phishing by Channel

Email Phishing

Email remains the dominant vector, accounting for over 90% of initial compromises according to CISA’s phishing guidance. APWG’s Q4 2025 report found that SaaS/webmail and social media platforms were the most impersonated sectors, each targeted in 20.3% of attacks.

Key email indicators:

  • Authentication failures in headers (SPF/DKIM/DMARC)
  • Reply-to address differs from the sender
  • Generic greetings (“Dear Customer”) in messages claiming to be from your bank
  • Grammatical errors, though AI-generated phishing has largely eliminated this tell

For implementation details on email defenses, see our DMARC/SPF/DKIM explained guide and email filtering best practices.
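The sender-verification step and the key email indicators above (authentication results, Reply-To mismatch, generic greeting) applied to one raw message. This is an added example rather than code from the guide; the message is constructed, every domain in it is an example domain, and the Authentication-Results header is only meaningful when your own receiving server wrote it.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the display name claims a bank, but the address domain, Reply-To,
# Return-Path and the receiving server's authentication results all disagree.
SAMPLE = """\
From: "Example Bank Security" <alerts@examplebank-alerts.net>
Reply-To: support@mail.example.org
Return-Path: <bounce@bulk.example.org>
To: customer@example.com
Subject: Unauthorized login detected - act within 24 hours
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=bulk.example.org;
 dkim=none; dmarc=fail header.from=examplebank-alerts.net

Dear Customer, your account will be suspended unless you verify it now.
"""

def domain_of(header_value: str) -> str:
    """Domain part of the address inside a From/Reply-To/Return-Path header."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def auth_results(msg) -> dict:
    """Collapse Authentication-Results headers into {'spf': 'fail', 'dkim': 'none', ...}.
    Trust this header only when your own mail server added it; a sender can forge one."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I):
            results[m.group(1).lower()] = m.group(2).lower()
    return results

def inspect_headers(raw: str) -> list[str]:
    """Apply the checklist's header indicators to one raw RFC 5322 message."""
    msg = message_from_string(raw)
    from_domain = domain_of(msg["From"])
    # Any SPF/DKIM/DMARC verdict other than pass is a red flag
    flags = [f"{mech} {verdict}" for mech, verdict in auth_results(msg).items()
             if verdict != "pass"]
    # Replies or bounces routed to a domain other than the visible sender's
    for hdr in ("Reply-To", "Return-Path"):
        if msg[hdr] and domain_of(msg[hdr]) != from_domain:
            flags.append(f"{hdr} domain differs from From domain")
    if re.search(r"\bdear (customer|user|client|member)\b", msg.get_payload(), re.I):
        flags.append("generic greeting")
    return flags
```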

SMS Phishing (Smishing)

Smishing attacks surged 40% in 2025. Click-through rates on SMS phishing range from 19-36%, far exceeding the 2-4% rate for email phishing, because mobile interfaces hide full URLs and people read texts quickly. Fake toll notices, delivery alerts, and bank fraud warnings dominate this channel. See our smishing guide for detailed defense strategies.

Voice Phishing (Vishing)

Voice phishing incidents rose 442% in 2025 as AI voice cloning reached consumer-grade quality. Attackers clone voices with minimal audio samples, enabling convincing impersonation of executives, family members, or bank representatives. Our vishing guide covers caller verification techniques.

QR Code Phishing (Quishing)

Over 4.2 million QR code phishing threats were identified in early 2025. QR codes bypass email link scanners because the URL is encoded in the image. Attackers place malicious QR codes in emails, physical flyers, parking meters, and restaurant menus. See our quishing guide for detection and prevention.

Sector-Specific Threats

Different industries face different phishing tactics. Healthcare organizations are targeted with HIPAA-themed lures and patient data theft, with phishing-related breaches costing an average of $9.77 million per incident. Financial institutions face credential harvesting attacks impersonating fraud alerts. Educational institutions deal with .edu credential theft and tuition payment fraud.

Detailed guidance for each sector:

Attack Sophistication: From Bulk to Targeted

Attack type       Targeting                 Effort   Success rate
Bulk phishing     Random recipients         Low      2-5%
Spear phishing    Specific individuals      Medium   15-25%
Whaling           C-suite executives        High     25-40%
BEC               Finance/accounting staff  High     30-50%

The spear vs bulk phishing comparison breaks down how to identify each type. For executive-targeted attacks, see our whaling attacks guide. BEC alone caused $2.77 billion in losses in 2024 according to the FBI IC3, and our BEC guide covers prevention in depth.

How to Report Phishing

Reporting phishing disrupts attack infrastructure, warns other potential victims, and provides law enforcement with intelligence for investigations. Every report matters.

Reporting to Federal Authorities

Authority                     What to report                          How
FBI IC3                       All internet crime, including phishing  ic3.gov online form
FTC                           Phishing, scams, identity theft         reportfraud.ftc.gov
CISA                          Phishing targeting infrastructure       [email protected]
Anti-Phishing Working Group   Phishing emails                         [email protected]

Our reporting to IC3/FTC guide provides step-by-step instructions with screenshots.

Reporting to Your Organization

Forward suspicious messages to your IT security team or designated phishing inbox (commonly [email protected]). Do not forward phishing emails to colleagues as warnings — this spreads the threat. Use your organization’s phishing report button if available.

Reporting to ISPs and Email Providers

Report phishing emails that impersonate brands to the impersonated company’s abuse team. Gmail, Outlook, and Yahoo all have built-in “Report phishing” options. Reporting to ISPs hosting phishing infrastructure helps get malicious sites taken down. Our reporting to ISPs guide covers this process.

Building Organizational Defenses

Technical Controls

  1. Email authentication: Deploy DMARC at p=reject, backed by SPF and DKIM. DMARC adoption reached 53.8% in 2024, up from 42.6% in 2023. See our DMARC/SPF/DKIM guide.

  2. Multi-factor authentication: Phishing-resistant MFA (FIDO2 security keys, passkeys) eliminates the risk of credential theft via phishing. Our MFA guide compares options.

  3. Email filtering: Advanced email security gateways with AI-based detection, URL sandboxing, and attachment detonation. See our email filtering guide.

  4. Zero trust architecture: NIST SP 800-207 principles ensure that stolen credentials alone are insufficient for access. Our zero trust guide explains implementation.

  5. Browser security: Configure browsers to block known phishing sites and warn on certificate errors. See our browser security guide.

Human Controls

  1. Security awareness training: Organizations that implement continuous phishing simulation training reduce click rates by 86% within 12 months. See our phishing simulation training guide and security training ROI analysis.

  2. Incident response planning: A documented phishing incident response plan reduces breach costs by an average of $2.66 million. See our corporate incident response guide.

  3. Credential compromise procedures: When credentials are stolen, speed matters. Our credential compromise response guide provides a step-by-step checklist.

Phishing Response: What to Do If You Clicked

Even with the best defenses, mistakes happen. If you clicked a phishing link or entered credentials, speed determines the outcome.

Immediate Actions (First 15 Minutes)

  1. Disconnect from the network if you suspect malware was downloaded
  2. Change the password on the affected account from a different, clean device
  3. Enable MFA if not already active — see our MFA guide
  4. Check for unauthorized changes — email forwarding rules, recovery phone numbers, connected apps
  5. Notify your IT security team or designated phishing contact immediately

Short-Term Follow-Up (First 24 Hours)

  1. Change passwords on any other accounts where you reused the compromised password
  2. Monitor financial accounts for unauthorized transactions
  3. Run a full malware scan on the device used to access the phishing site
  4. Review account activity logs for signs of unauthorized access
  5. File reports with IC3, the FTC, and the impersonated organization

For organizations, the response escalates into a formal incident response process. See our credential compromise response checklist for the complete workflow and our corporate incident response guide for the organizational framework.

Financial Fraud Recovery

If you authorized a wire transfer, sent money, or shared financial information:

  • Contact your bank immediately and request a recall or freeze
  • File with FBI IC3 within 72 hours for the best recovery odds — the IC3 Recovery Asset Team froze $561 million in fraudulent transfers in 2024
  • File a fraud alert with the three credit bureaus (Equifax, Experian, TransUnion)
  • Monitor credit reports for 12 months

Phishing Awareness for Specific Audiences

For Non-Technical Users

You do not need to be a cybersecurity expert to defend against phishing. Three habits cover the vast majority of scenarios:

  1. Never click links in unexpected messages — navigate to websites directly
  2. When in doubt, verify by phone — call the sender using a known number
  3. Report everything suspicious — let your security team make the judgment call

For IT and Security Professionals

Focus on the structural defenses that reduce phishing exposure at scale:

For Business Leaders

The business case for phishing defense is clear. The average data breach costs $4.88 million, and phishing is the most common entry point. Training alone delivers 3-7x ROI. See our security training ROI analysis for the calculation framework.

Emerging Threats

AI-Generated Phishing

AI-generated phishing emails achieved click-through rates four times higher than human-crafted versions in 2025. An estimated 82.6% of phishing emails analyzed between September 2024 and February 2025 contained AI-generated content. Our AI-generated phishing detection guide covers the latest identification techniques.

Brand Impersonation at Scale

Attackers clone legitimate brand emails pixel-for-pixel, using compromised or lookalike domains. Microsoft, Google, and Amazon are the most impersonated brands. See our brand impersonation detection guide.

Supply Chain Phishing

Attackers compromise trusted vendor accounts to send phishing from legitimate email addresses, bypassing authentication checks. Third-party involvement in breaches rose from 15% to 30% in 2025. Our supply chain phishing guide explains vendor verification.

Key Takeaways

  • Phishing attacks exceeded 3.8 million in 2025 and caused billions in losses
  • The five-point check (sender, URL, urgency, attachments, request validation) catches the vast majority of attacks
  • Reporting to IC3, FTC, CISA, and your organization disrupts attacker infrastructure
  • Technical controls (DMARC, MFA, email filtering, zero trust) reduce exposure dramatically
  • Continuous training reduces phishing click rates by up to 86%
  • AI-generated phishing and multi-channel attacks (smishing, vishing, quishing) require updated defenses

Sources

This content is for educational purposes only. Report suspected phishing to ic3.gov, your IT security team, and the impersonated organization. Do not attempt to engage with or investigate phishing actors on your own.