Phishing Education

How to Report Phishing: A Step-by-Step Guide

By AntiPhishers Published

How to Report Phishing: A Step-by-Step Guide

Reporting phishing is one of the most impactful actions any individual can take in the fight against cybercrime. Every reported phishing message contributes to blocklists, filter improvements, and takedown efforts that protect others from the same attack. Despite this importance, the majority of phishing messages go unreported because people either do not know how to report them or assume someone else already has.

Why Reporting Matters

Each phishing report feeds into systems that protect millions of users. Email providers use reports to update their filtering algorithms and block similar messages from reaching other inboxes. Browser vendors add reported phishing URLs to their safe browsing databases, triggering warnings for anyone who visits those sites. Hosting providers and domain registrars use abuse reports to take down phishing infrastructure.

Phishing campaigns operate on a timeline. The sooner a campaign is reported, the sooner its infrastructure can be blocked or taken down, and the fewer victims it claims. A single early report can trigger an automated response that prevents thousands of people from reaching a phishing page.

Organizational reporting provides security teams with threat intelligence specific to their environment. Patterns in reported phishing messages reveal which employees are being targeted, what pretexts are being used, and which security controls need strengthening.

Reporting to Your Email Provider

Most major email services include a built-in option to report phishing. In Gmail, click the three-dot menu on the message and select “Report phishing.” In Outlook, use the “Report” button and select “Phishing.” These reports are processed by the provider’s security team and contribute to filter improvements across the platform.

When using a corporate email system, follow your organization’s established reporting procedures. Many enterprises deploy a phishing report button integrated into the email client that simultaneously alerts the security team and removes the message from the reporter’s inbox.

If your email client does not have a dedicated phishing report function, forward the suspicious message as an attachment to preserve the full email headers, which contain technical details essential for investigation.

Reporting to National Agencies

Forward phishing emails to the Anti-Phishing Working Group at [email protected]. This industry coalition aggregates reports from around the world and distributes threat intelligence to law enforcement, hosting providers, and security vendors.

In the United States, report phishing to the Federal Trade Commission through their online complaint portal. File a report with the FBI’s Internet Crime Complaint Center if you have suffered financial loss. These reports contribute to law enforcement investigations and help authorities track cybercrime trends.

Reporting to Impersonated Organizations

If a phishing message impersonates a specific company, report it directly to that organization. Most major brands maintain dedicated abuse reporting channels. Banks, technology companies, and government agencies typically provide email addresses or web forms specifically for receiving phishing reports from the public.

This notification serves multiple purposes. The impersonated organization can issue customer alerts, request takedowns of phishing infrastructure using their brand, and adjust their own security monitoring to detect related attacks.

Reporting Phishing Websites

Google’s Safe Browsing team accepts phishing URL reports that result in warnings being displayed to Chrome, Firefox, and Safari users who attempt to visit the reported site. Submit URLs through the Safe Browsing report page.

Domain registrars and hosting providers have abuse reporting procedures for sites hosted on their infrastructure. WHOIS lookups reveal the registrar and hosting provider for a given domain, and reporting to these entities can result in rapid takedown of phishing sites.

For more on identifying phishing messages before reporting, read our complete phishing guide. You can also learn about related defensive strategies in our article on How to Recognize Phishing Emails: 10 Red Flags.

Making Reporting a Habit

Treat reporting as a reflex rather than an exceptional action. Every suspicious message you receive should be reported through at least one channel. The few seconds it takes to click a report button or forward a message contribute to a collective defense system that becomes more effective with every report submitted. Organizations should track and celebrate phishing reporting rates, recognizing employees who consistently report suspicious messages as active contributors to organizational security.

More in Phishing Education

Phishing Recognition and Reporting: Complete Guide Guide Complete Phishing Protection Guide 2026 Guide What Is Phishing? A Complete Guide to Recognizing and Avoiding Attacks Guide AI-Generated Phishing Detection and Defense

View all Phishing Education articles →