How to Report Phishing Emails: Complete Guide by Provider and Agency

TLDR

Over 300 billion emails are sent daily, and more than 90% are spam or malicious. The FTC processed 2.4 million fraud reports in 2025, and the FBI's IC3 received 880,418 complaints. ScamVerify™ covers every reporting channel below, from your email provider's built-in tools to federal agencies. Reporting takes 2 to 5 minutes and directly helps block future attacks against others.

Why Reporting Phishing Emails Matters

Every phishing report contributes to a larger defense system. When you report a phishing email:

• Email providers use your report to update spam filters, protecting millions of other users
• Federal agencies aggregate reports to identify active campaigns and take enforcement action
• Security organizations add reported domains and IPs to global blocklists
• Law enforcement builds cases against organized phishing operations

The Anti-Phishing Working Group (APWG) reported that a single phishing URL receives an average of 67 clicks before being taken down. Faster reporting means fewer victims.

Report to Your Email Provider (Step 1)

Your email provider is the fastest first response. Reporting through your provider immediately flags the sender for all users on that platform.

Gmail (Desktop)

1. Open the phishing email (do not click any links inside it).
2. Click the three-dot menu (top right of the email).
3. Select "Report phishing."
4. Click "Report Phishing Message" in the confirmation dialog.

Gmail moves the email to spam and sends the report to Google's abuse team. Google uses these reports to update filters for all 1.8 billion Gmail users.

Gmail (Mobile App)

1. Open the phishing email.
2. Tap the three-dot menu (top right).
3. Tap "Report phishing."
4. Confirm the report.

Outlook (Desktop - New Outlook and Microsoft 365)

1. Select the phishing email (do not open it if possible).
2. Click the "Report" button in the toolbar ribbon (or right-click the email).
3. Select "Report phishing."
4. Click "Report" to confirm.

Microsoft uses these reports to improve Exchange Online Protection and Defender for Office 365 filters. If you do not see the Report button, your administrator may need to enable the Report Message add-in.

Outlook (Web - outlook.com)

1. Select the phishing email.
2. Click the three-dot menu above the email.
3. Select "Report" then "Report phishing."
4. Confirm the report.

Apple Mail (macOS)

1. Select the phishing email.
2. Click the "Move to Junk" button in the toolbar, or right-click and select "Move to Junk."
3. For additional reporting, forward the email to reportphishing@apple.com.

Apple Mail does not have a built-in "Report phishing" button like Gmail or Outlook. The forward-to-Apple step is important for blocking the sender across iCloud Mail.

Apple Mail (iPhone/iPad)

1. Open the phishing email.
2. Tap the flag icon at the bottom.
3. Select "Move to Junk."
4. Forward the email to reportphishing@apple.com for additional reporting.

Yahoo Mail

1. Select the phishing email (do not open links).
2. Click the three-dot menu next to the email.
3. Select "Report phishing."
4. Yahoo automatically moves the email to your spam folder.

Report to Federal Agencies (Step 2)

After reporting to your email provider, file reports with relevant federal agencies. Each agency serves a different function.

FTC (Federal Trade Commission)

1. Go to reportfraud.ftc.gov.
2. Answer the guided questions about what happened.
3. Include the sender email address, subject line, and any URLs from the email.
4. Submit the report.

The FTC does not investigate individual cases but aggregates reports to identify patterns. When enough reports target the same operation, the FTC takes enforcement action. In 2025, FTC actions resulted in $330 million returned to consumers.

FBI IC3 (Internet Crime Complaint Center)

1. Go to ic3.gov and click "File a Complaint."
2. Provide your contact information and details about the phishing email.
3. Include the sender's email address, any URLs, and the content of the email.
4. Submit the complaint.

IC3 received 880,418 complaints in 2023, with reported losses exceeding $12.5 billion. IC3 coordinates with local, state, and federal law enforcement. If you lost money, IC3 is the most important agency to report to.

CISA (Cybersecurity and Infrastructure Security Agency)

Forward the phishing email directly to phishing-report@us-cert.gov. Do not alter the email headers or subject line. CISA uses these reports to issue alerts and update government-wide security policies.

Anti-Phishing Working Group (APWG)

Forward the phishing email to reportphishing@apwg.org. The APWG is a global coalition of security vendors, financial institutions, and law enforcement. Reported URLs are added to the eCrime Research database, which feeds blocklists used by browsers (Chrome, Firefox, Safari) and email providers.

What Information to Include in Your Report

The more detail you provide, the more useful your report becomes:

To access full email headers in Gmail, open the email, click the three-dot menu, and select "Show original." In Outlook, right-click the email and select "View source" or "Message options." Our detailed guide on how to read email headers explains what each header field means and how to trace the real sender.

What Happens After You Report

Understanding the reporting pipeline helps set expectations:

1. Immediate (minutes to hours): Your email provider flags the sender. If enough users report the same sender, the provider blocks it globally.
2. Short-term (hours to days): APWG adds reported URLs to the eCrime database. Browser blocklists update. Chrome, Firefox, and Safari begin showing phishing warnings for the URL.
3. Medium-term (days to weeks): CISA and IC3 correlate reports and may issue advisories. Hosting providers receive takedown requests.
4. Long-term (weeks to months): FTC and DOJ build enforcement cases if the operation is large enough. IC3 coordinates with international law enforcement for cross-border operations.

No single report leads to an arrest, but every report contributes to the data that makes enforcement possible.

Reporting Phishing for Specific Scam Types

Different phishing types have additional reporting channels:

• IRS phishing: Forward to phishing@irs.gov. See our IRS phone scam guide for related phone-based tactics.
• Bank or financial phishing: Forward to the institution's abuse email (usually abuse@bankname.com) in addition to federal reports.
• Workplace phishing: Report to your IT security team first. They can block the sender for your entire organization.
• Social media phishing: Report through the platform (Facebook, LinkedIn, Twitter) in addition to email provider reports.

If you received a scam text instead of an email, our guide on how to report scam texts covers the SMS-specific reporting process, including forwarding to 7726 (SPAM).

How to Protect Yourself Going Forward

Reporting is reactive. These steps are proactive:

1. Enable two-factor authentication on all email accounts.
2. Use a password manager to generate unique passwords for every account.
3. Keep software updated. Phishing emails that deliver malware exploit known vulnerabilities.
4. Verify suspicious emails by contacting the supposed sender through an independent channel (their official website, not any contact information in the email).
5. Check sender domains using the ScamVerify email checker before engaging with unfamiliar senders.

FAQ

Do I need to report phishing to every agency listed above?

At minimum, report to your email provider (1 click) and the APWG (forward the email). If you lost money, also report to IC3 and the FTC. You do not need to report to every agency for every phishing email, but the more reports agencies receive, the faster they can act.

Will I hear back after reporting?

Your email provider will typically move the email to spam without further communication. The FTC and CISA do not respond to individual reports. IC3 provides an acknowledgment and a reference number. The APWG does not respond individually. None of these agencies will contact you about the outcome of your report.

I already clicked the link in the phishing email. Is it too late to report?

No. Report the email through all channels listed above. Additionally, change your passwords immediately, enable two-factor authentication, run a malware scan, and monitor your accounts for unauthorized activity. Our guide on how to spot phishing emails explains what to check before clicking, and reporting after the fact still helps protect others.

Can I report phishing emails from my work email?

Yes. Report to your IT security team first, then follow the same steps above. Many organizations have internal phishing report buttons (KnowBe4, Proofpoint) that forward reports to both your security team and your email provider.

Is there a way to report phishing emails in bulk?

The APWG accepts bulk submissions. Security professionals and IT teams can submit phishing URLs in bulk through the APWG's eCrime Research portal. For individual users, reporting one at a time through your email provider's built-in button is the most efficient method.

Received a suspicious email? Analyze it with ScamVerify's email checker to verify sender domains and detect phishing indicators before reporting.