You get a phishing email. You recognise it. You feel a small flush of pride for not falling for it. Then you delete it and move on with your day.
Sound about right?
Here's the thing: deleting a phishing email protects you. Reporting it protects everyone. And it takes less than a minute.
Most people don't report because they assume nothing happens — that their report disappears into a void. That's not true, and I'll show you exactly what happens when you report. But first, here's how to actually do it.
How to report phishing in Gmail
Method 1 (quickest):
Open the suspicious email
Click the three dots (⋮) in the top-right corner of the email
Click "Report phishing"
Click "Report Phishing Message" in the confirmation popup
Done. Google will analyse the email and use it to improve Gmail's phishing detection for all 1.8 billion Gmail users.
Method 2 (if you want it out of your inbox):
Select the email (checkbox)
Click the exclamation mark (!) button in the toolbar
Select "Report phishing"
This moves the email to spam and sends the report to Google simultaneously.
What Google does with your report: It feeds into their machine learning models. Google has said that user reports are one of their most valuable signals for detecting new phishing campaigns. When multiple users report the same email, it triggers accelerated review and can result in the phishing campaign being blocked across all Gmail accounts within hours.
How to report phishing in Outlook (Microsoft)
Outlook.com (web):
Select the suspicious email
Click the three dots (⋯) or right-click
Select "Report" → "Report phishing"
Outlook desktop app (Windows/Mac):
Select the email
Go to Home tab → Report Message (you may need to enable the Report Message add-in first: Home → Get Add-ins → search "Report Message")
Select "Phishing"
If the add-in isn't available:
Create a new email to [email protected]
Drag the phishing email into the new message as an attachment
Send it
Microsoft's response: reports go to their Digital Crimes Unit, which has taken legal action against phishing operations and obtained court orders to seize malicious domains. Since 2010, Microsoft's DCU has disrupted over 25 criminal operations and taken down millions of malicious sites.
How to report phishing in Yahoo Mail
Open the suspicious email
Click the three dots (⋯) next to the reply button
Select "Report phishing scam"
Yahoo uses reports to update their spam filters and block similar messages across their network. It's less transparent about its process than Google or Microsoft, but the reporting mechanism works.
How to report phishing in Apple Mail
Apple Mail doesn't have a built-in "report phishing" button, which is frustrating. Here's what to do:
If the email pretends to be from Apple:
Forward it to [email protected]
For all other phishing emails on Mac:
Open the email
Go to Message → Move to → Junk (or use the Junk button in the toolbar)
Also forward the email to the reporting addresses listed below
On iPhone/iPad:
Long-press the sender's name
Tap "Block this Contact" (prevents future emails)
Forward the email to the relevant reporting body (below)
Apple's approach to phishing detection is less community-driven than Google's. Marking as junk helps train your local filter but doesn't contribute to a centralised phishing database the way Gmail reports do. That's why forwarding to external reporting agencies matters even more for Apple Mail users.
Who else to report to (and why it matters)
Reporting to your email provider helps filter future emails. But to get the phishing site taken down and the campaign disrupted, you need to report to agencies that coordinate takedowns.
🇬🇧 UK reporting:
NCSC (National Cyber Security Centre)
Forward the email to: [email protected]
This is the single most impactful thing you can do in the UK. The NCSC's Suspicious Email Reporting Service (SERS) launched in 2020 and has been remarkably effective:
- As of 2024, they've received over 30 million reports
- Those reports have led to the takedown of over 235,000 malicious URLs
- Average time from report to takedown: under 4 hours for sites hosted in the UK
Just forward the entire email. Don't modify it, don't add commentary — just forward. The NCSC's automated systems extract the malicious URLs and begin the takedown process.
Action Fraud
For reporting the crime itself (especially if you've lost money): actionfraud.police.uk or call 0300 123 2040. Action Fraud is the UK's national fraud reporting centre. Reports here feed into the National Fraud Intelligence Bureau, which identifies patterns and coordinates police investigations.
🇺🇸 US reporting:
FTC (Federal Trade Commission)
Report at: reportfraud.ftc.gov
CISA (Cybersecurity and Infrastructure Security Agency)
Forward phishing emails to: [email protected]
Anti-Phishing Working Group (APWG)
Forward phishing emails to: [email protected]
The APWG is a global industry coalition that shares phishing data with browsers, email providers, and security vendors worldwide. Your report to APWG can result in the phishing site being blocked in Chrome, Firefox, Safari, and Edge — protecting millions of users.
🌍 International:
Your bank or the impersonated company: If the email pretends to be from Barclays, forward it to Barclays' phishing reporting address (usually phishing@[company].com — check their website). Companies use these reports to issue takedown notices to hosting providers.
What actually happens when you report (the takedown process)
Most people assume reporting goes into a black hole. Here's the real process:
Step 1: Automated extraction (minutes)
When you forward a phishing email to [email protected] or [email protected], automated systems immediately extract URLs, sender addresses, and technical indicators from the email.
Step 2: Verification (minutes to hours)
The extracted URLs are checked: is the site actually malicious? Automated crawlers visit the URL, take screenshots, and classify the page. If it looks like a credential harvesting page impersonating a known brand, it's flagged for takedown.
Step 3: Notification to hosting provider (hours)
The hosting company or domain registrar receives an abuse report. Most major hosts (Cloudflare, AWS, GoDaddy, etc.) have automated abuse processing systems that can disable sites within hours of a verified report.
Step 4: Blocklist updates (hours)
The URL gets added to threat databases: Google Safe Browsing, Microsoft SmartScreen, PhishTank, OpenPhish. Once listed, anyone using Chrome, Firefox, Edge, or Safari will see a warning page if they try to visit the site.
Step 5: Pattern analysis (ongoing)
Your report is correlated with others. If 50 people report similar emails in the same week, that reveals a coordinated campaign. Investigators can track the campaign's infrastructure, identify other related phishing sites, and take them down proactively.
The real timeline: The NCSC reports that most phishing sites flagged through [email protected] are taken offline within hours. Google says that Safe Browsing blocks are typically applied within 30 minutes of a URL being confirmed as malicious.
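To make Step 1 concrete, here is an added sketch (not from the original post, and not the actual pipeline of the NCSC, APWG or any provider) of pulling sender domains, URL hosts and disguised links out of a reported email. The sample message, every domain in it and the function names are constructed for illustration; it assumes the phish arrives as an attachment and falls back to the forwarded body when it does not.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>\s*([^<]*?)\s*</a>', re.I | re.S)

def build_sample_report() -> bytes:
    """Constructed sample: a user's report with the phish attached whole."""
    bad = "http://login.examplebank.example.phish.invalid/verify?id=1"
    phish = EmailMessage()
    phish["From"] = "Example Bank <security@examplebank.example>"
    phish["Reply-To"] = "helpdesk@mailbox.invalid"
    phish["Subject"] = "Action required: verify your account"
    phish.set_content(f"Verify here:\n{bad}\n")
    phish.add_alternative(
        f'<p><a href="{bad}">\nhttps://examplebank.example</a></p>\n', subtype="html")
    report = EmailMessage()
    report["From"] = "reporter@user.example"
    report.set_content("Reporting this.\n")
    report.add_attachment(phish)  # stored as a message/rfc822 part
    return report.as_bytes()

def host(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()

def extract_indicators(raw: bytes) -> dict:
    report = email.message_from_bytes(raw, policy=policy.default)
    # Prefer the attached original; an inline forward leaves only the body.
    original = next((p.get_payload(0) for p in report.walk()
                     if p.get_content_type() == "message/rfc822"), report)
    texts = [p.get_content() for p in original.walk()
             if p.get_content_maintype() == "text"]
    hosts = sorted({host(u) for t in texts for u in URL_RE.findall(t)})
    # Link text that displays one site while the href points at another.
    disguised = [(host(shown), host(href)) for t in texts
                 for href, shown in LINK_RE.findall(t)
                 if shown.lower().startswith("http") and host(shown) != host(href)]
    def domain(name):
        hdr = original[name]
        return hdr.addresses[0].domain.lower() if hdr and hdr.addresses else None
    return {"from_domain": domain("From"), "reply_to_domain": domain("Reply-To"),
            "reply_to_mismatch": domain("Reply-To") not in (None, domain("From")),
            "url_hosts": hosts, "disguised_links": disguised}

if __name__ == "__main__":
    print(extract_indicators(build_sample_report()))
```

Attaching the original keeps its From and Reply-To headers intact, which is why the sender checks only produce results on the attachment path.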
Why most people don't report (and why they should)
The vast majority of phishing emails go unreported by recipients. The most common reasons:
"It won't make a difference" — It does. Every report accelerates takedown timelines and improves detection for future campaigns. A single report might not trigger a takedown, but yours could be the fifth report that crosses the threshold for automated action.
"I don't know how" — Now you do. Forward to [email protected]. That's it.
"It takes too long" — Forwarding an email takes literally 10 seconds. The longest part is remembering the email address (bookmark this post).
"They'll just make a new site" — True, but there's still a cost. Every domain takedown costs the attacker money (domains cost money to register), time (setting up new infrastructure), and effectiveness (blocklists catch known campaign patterns faster). Reporting increases the attacker's costs and reduces their ROI.
"I'm embarrassed I almost fell for it" — You're not reporting yourself as a victim. You're reporting the attack. No one judges you, and the report is functionally anonymous.
Quick reference: your 30-second reporting workflow
When you spot a phishing email, do this:
Report in your email client (Gmail: three dots → Report phishing)
Forward the email to [email protected] (UK) or [email protected] (anywhere)
If it impersonates a company, forward to that company's phishing address too
Delete the email
Total time: about 30 seconds. Impact: real.
If you've already clicked or entered information
If you've interacted with a phishing email before realising it was fake, the reporting process is the same — but you also need to act fast:
Change your password immediately on the affected service
Change it everywhere else you used the same password (and stop reusing passwords — see our post on credential harvesting)
Enable MFA if you haven't already
Contact your bank if you entered payment details
Report to Action Fraud (UK) or FTC (US) if money was lost
Monitor your accounts for unusual activity over the next few weeks
Time matters. The faster you act, the more likely you can prevent actual damage.
The collective defence argument
Here's a way to think about it: phishing works because of information asymmetry. The attacker knows the email is fake. You might figure it out. But the next person might not.
When you report a phishing email, you're closing that information gap. Your report helps the system learn — and every report makes the next campaign slightly less effective. It's collective defence: each report is a small contribution, but at scale, they make phishing harder, more expensive, and less profitable.
The goal isn't to stop phishing entirely. It's to make the economics unworkable for attackers. Reporting is how we get there.




