Cleanbox
Features Blog Pricing Developers
Sign in Start free trial
Blog
security phishing how-to

How to Report a Phishing Email - Gmail, Outlook, Apple Mail, Yahoo

8 min read Oct 28, 2024
How to Report a Phishing Email - Gmail, Outlook, Apple Mail, Yahoo

That Suspicious Email Deserves More Than the Delete Key

You spotted a phishing email. Good. Your instinct might be to delete it and move on, but there is something more useful you can do: report it.

Reporting a phishing email takes about ten seconds and has a real impact. It helps your email provider improve its spam filters, protects other users from the same attack, and can lead to the takedown of phishing sites. When enough people report the same campaign, providers can block it for millions of users within hours.

Here is exactly how to report phishing in every major email client, plus how to escalate to external authorities when the situation warrants it.

How to Report Phishing in Gmail

On Desktop (Web)

  1. Open the phishing email (do not click any links inside it)
  2. Click the three vertical dots in the top-right corner of the message
  3. Select Report phishing
  4. A confirmation dialog appears. Click Report Phishing Message

The email is moved to your Spam folder and a copy is sent to Google for analysis.

On Mobile (Gmail App)

  1. Open the email
  2. Tap the three dots in the top-right corner
  3. Tap Report phishing

If you do not see "Report phishing," you may see "Report spam" instead. Both help Google identify malicious senders, but "Report phishing" gives Google more specific signal about the type of threat.

How to Report Phishing in Outlook

Outlook on the Web (Outlook.com)

  1. Select the phishing email (or open it)
  2. Click Junk in the toolbar
  3. Select Phishing
  4. Confirm when prompted

Outlook Desktop App (Windows)

  1. Select the email in your inbox
  2. Go to the Home tab in the ribbon
  3. Click Junk
  4. Select Report as Phishing

If you have the Microsoft Report Message add-in installed (it is included by default in many Microsoft 365 subscriptions), you will see a dedicated "Report" button in the ribbon with options for Phishing, Junk, and Not Junk.

Outlook for Mac

  1. Right-click the email
  2. Select Report Junk
  3. Choose Phishing

How to Report Phishing in Apple Mail

Apple Mail does not have a built-in "Report phishing" button, but there are two effective approaches:

Forward to Apple

  1. Select the phishing email
  2. Forward it to reportphishing@apple.com
  3. Apple reviews these submissions to improve iCloud Mail filtering

Mark as Junk

  1. Select the email
  2. Click the Junk button in the toolbar (or right-click and select "Move to Junk")

Moving to Junk trains Apple Mail's on-device filter. Forwarding to Apple helps their server-side filtering. Doing both gives the best result.

On iPhone or iPad

  1. Open the email
  2. Tap the flag or reply icon at the bottom
  3. Select Move to Junk

How to Report Phishing in Yahoo Mail

  1. Select the phishing email (do not open it, or open it without clicking links)
  2. Click the three dots (More) in the toolbar
  3. Select Report phishing

On the Yahoo Mail mobile app, the process is similar: open the email, tap the three dots, and look for "Report phishing" or "Report spam."

Reporting to External Authorities

Your email provider is the first line of defense, but for serious phishing campaigns, reporting to external organizations helps with broader takedowns.

Anti-Phishing Working Group (APWG)

Forward phishing emails to reportphishing@apwg.org. The APWG is an international coalition that tracks phishing activity worldwide. They share data with law enforcement, ISPs, and security vendors to take down phishing infrastructure.

Federal Trade Commission (FTC) - United States

Report at ftc.gov/complaint. The FTC uses these reports to build cases against fraud operations. While they cannot resolve individual cases, aggregate reports help them identify and prosecute large-scale operations.

IC3 (Internet Crime Complaint Center) - United States

If you suffered financial loss from a phishing attack, file a report at ic3.gov. The IC3 is run by the FBI and handles internet-related crime complaints. Financial losses above a certain threshold get priority investigation.

National Authorities in Other Countries

  • UK: Forward to report@phishing.gov.uk (National Cyber Security Centre)
  • Netherlands: Report at fraudehelpdesk.nl
  • Australia: Report at scamwatch.gov.au
  • Canada: Report to the Canadian Anti-Fraud Centre at antifraudcentre-centreantifraude.ca

Reporting Spoofed Brands

If a phishing email impersonates a specific company (your bank, PayPal, Amazon, Microsoft), report it directly to that company. Most major brands have dedicated addresses:

  • PayPal: Forward to phishing@paypal.com
  • Apple: Forward to reportphishing@apple.com
  • Microsoft: Forward to phish@office365.microsoft.com
  • Amazon: Forward to stop-spoofing@amazon.com
  • Google: Use the "Report phishing" option in Gmail

For other brands, look for an abuse@ or phishing@ address on their website, or search for "[brand name] report phishing."

What Happens After You Report

When you report a phishing email, several things happen behind the scenes:

  • Immediate: The email is removed from your inbox and flagged in the provider's system
  • Short-term: The provider's spam model is updated. If many users report the same sender or campaign, the system can block it for all users within hours.
  • Medium-term: URLs in the email are added to blocklists used by browsers (Google Safe Browsing, Microsoft SmartScreen) and security products.
  • Long-term: Hosting providers may take down the phishing site. Domains used for phishing may be suspended by registrars.

Your single report is one data point, but combined with thousands of others, it powers the entire anti-phishing ecosystem.

Before You Report: Identify the Threat

Not sure if an email is actually phishing? Check for these common signs:

  • The sender address does not match the organization it claims to be from
  • The email creates urgency ("Your account will be closed in 24 hours")
  • Links go to unexpected domains (hover over them to check)
  • The email asks for passwords, payment information, or personal data
  • Grammar and spelling errors (though sophisticated phishing is often well-written)

For a more thorough evaluation, our email scam checklist walks you through every red flag to look for. If you are new to the concept entirely, start with our complete beginner's guide to phishing.

How Cleanbox Handles Phishing

If you use Cleanbox, phishing reports are built into the experience. The spam feedback mechanism (thumbs up for legitimate email, thumbs down for spam or phishing) trains the AI classification model across all users. When you flag a phishing email, it improves detection for everyone. The AI classifier also catches phishing proactively by analyzing email content, sender patterns, and authentication results before a message reaches your inbox.

The Bottom Line

Reporting phishing is one of the simplest things you can do to make the internet safer. It takes seconds, costs nothing, and has a cascading effect: your report helps block the attack for other users, trains spam filters, and can lead to the takedown of phishing infrastructure.

Next time you spot a phishing email, do not just delete it. Report it.

Ready to take control of your inbox?

Start protecting your email with Cleanbox — free plan available, no credit card required.

Get started free