SCAMMERDETECT
Phishing email scam inbox warning
Phishing emails are designed to look legitimate. Reporting them helps email providers block these attacks and protects other users.

Phishing emails are one of the most common forms of online fraud. They impersonate trusted companies, banks, and government agencies to trick you into revealing passwords, financial information, or personal data. Reporting phishing emails is one of the most effective things you can do -- it helps shut down scam operations and prevents others from becoming victims. If you want to check whether a suspicious link is safe before taking any action, use our phishing URL checker.

This guide covers exactly how to report phishing emails to your email provider, to the companies being impersonated, and to the authorities.

Step 1: Report to Your Email Provider

Your email provider can use your report to block the sender and improve filters for millions of users.

Gmail (Google)

  1. Open the suspicious email
  2. Click the three-dot menu (More) next to the Reply button
  3. Select "Report phishing"
  4. Click "Report Phishing Message" in the confirmation dialog

Google uses these reports to strengthen Gmail's spam and phishing filters across all users.

Outlook (Microsoft)

  1. Open or select the suspicious email
  2. Right-click the message (or use the three-dot menu)
  3. Select "Report" then "Report phishing"
  4. Alternatively, forward the email as an attachment to phish@office365.microsoft.com

Apple Mail (iCloud)

  1. If the email pretends to be from Apple, forward it to reportphishing@apple.com
  2. For other phishing in your iCloud inbox, forward to abuse@icloud.com
  3. In the Mail app, select the message and click "Move to Junk"

Yahoo Mail

  1. Open the suspicious email
  2. Click the three-dot menu next to the message
  3. Select "Report a phishing scam"

Step 2: Forward to the Anti-Phishing Working Group (APWG)

The Anti-Phishing Working Group (APWG) is a global coalition of ISPs, security vendors, financial institutions, and law enforcement that works to dismantle phishing operations.

  1. Forward the phishing email to reportphishing@apwg.org
  2. If possible, forward it as an attachment (not inline) to preserve the email headers

The APWG archives the email and shares its indicators -- sender domains, URLs, IP addresses -- through its eCrime eXchange platform. Member organizations use this data to block fraudulent sites and take down phishing infrastructure.

Step 3: Report to the FTC

The Federal Trade Commission collects fraud reports in a database accessed by hundreds of law enforcement agencies.

  1. Go to https://reportfraud.ftc.gov
  2. Describe the phishing attempt
  3. Include the sender's email address, the subject line, and what the email asked you to do

Step 4: Notify the Company Being Impersonated

If the phishing email pretends to be from a specific company (your bank, Amazon, PayPal, etc.), report it directly to that company. Most major companies have dedicated abuse reporting channels:

| Company | How to Report | |---------|--------------| | PayPal | Forward to phishing@paypal.com | | Amazon | Forward to stop-spoofing@amazon.com | | Apple | Forward to reportphishing@apple.com | | Microsoft | Forward to phish@office365.microsoft.com | | Bank of America | Forward to abuse@bankofamerica.com | | Netflix | Forward to phishing@netflix.com |

For other companies, search for "[company name] report phishing" to find their specific reporting address.

Step 5: Report the Phishing Website (If Applicable)

If the phishing email contained a link to a fake website, you can report that URL to help get it taken down:

How to Identify a Phishing Email

Not sure if an email is phishing? Look for these red flags:

  • Urgency and threats -- "Your account will be closed in 24 hours"
  • Generic greetings -- "Dear Customer" instead of your name
  • Suspicious sender address -- The display name may look real, but the email address does not match the company's domain
  • Requests for sensitive information -- Legitimate companies never ask for passwords, full credit card numbers, or Social Security numbers via email
  • Mismatched or shortened links -- Hover over links to see where they actually lead
  • Poor grammar or unusual formatting -- Although AI-generated phishing is becoming more polished, many phishing emails still contain errors

For a deeper dive into recognizing phishing tactics before they reach you, see our guide on how to protect yourself from phishing.

If You Already Clicked a Phishing Link

If you clicked a link or entered information on a phishing site, take these steps immediately:

  1. Change your password for the affected account right away
  2. Enable two-factor authentication if it is not already active
  3. Run a full antivirus scan on your device
  4. Monitor your accounts for unauthorized transactions or login attempts
  5. Contact your bank if you entered any financial information -- see our full recovery guide for scam victims for detailed next steps
  6. Place a fraud alert on your credit report -- start a recovery plan at IdentityTheft.gov and check whether your email has been exposed using Have I Been Pwned
🔍

Think a website might be a scam?

Check any URL instantly with our free scam detection tools.

Check Now

Related Resources

Guides

How to Protect Yourself from Phishing

Proactive steps to defend against email, SMS, and voice phishing attacks.

 Guides

How to Spot a Scam Website

Learn to identify fake websites before they steal your information.

 Guides

What to Do If You've Been Scammed Online

Immediate recovery steps if you've fallen victim to any online scam.

 Tools

Phishing URL Checker

Paste a suspicious URL to check it against known phishing databases instantly.

 Platform Guides

Coinbase Scam Emails

How to recognize and report phishing emails impersonating Coinbase.

 Scam Types

Romance Scams

How phishing and social engineering intertwine in romance-based fraud.