How to Report Phishing Emails on Gmail (Step-by-Step)
When a phishing email lands in your Gmail inbox, reporting it does more than remove it from your view. It feeds data into Gmail''s spam filters, helping protect millions of other users from the same attack. This guide shows you exactly how to report phishing in Gmail on every platform, what happens after you report, and how to protect yourself going forward.
For a broader guide covering all email providers, see our general phishing reporting guide. This article focuses specifically on Gmail.
How to report phishing in Gmail (desktop)
On Gmail in your web browser:
- Open the suspicious email (or select it in your inbox without opening)
- Click the three-dot menu (⋮) in the top-right corner of the email
- Select "Report phishing"
- Gmail will ask you to confirm. Click "Report Phishing Message"
The email is moved to your Spam folder and a report is sent to Google.
Alternative: report via the spam button
If you do not see "Report phishing" in the menu, you can also:
- Select the email in your inbox
- Click the Report spam button (the octagon with an exclamation mark) in the toolbar
This is less specific than "Report phishing" — it flags the email as spam rather than specifically as a phishing attempt. Use "Report phishing" when the email is trying to steal your credentials or impersonate a legitimate sender. Use "Report spam" for unwanted commercial email that is not necessarily malicious.
How to report phishing in the Gmail app (iPhone and iPad)
- Open the Gmail app and find the suspicious email
- Open the email
- Tap the three-dot menu (⋯) in the top-right corner
- Tap "Report phishing"
- Confirm when prompted
Note: on older versions of the Gmail iOS app, "Report phishing" may not appear. In that case, tap "Report spam" instead, or report via the desktop interface.
How to report phishing in the Gmail app (Android)
- Open the Gmail app and find the suspicious email
- Open the email
- Tap the three-dot menu (⋮) in the top-right corner
- Tap "Report phishing"
- Confirm when prompted
The process is nearly identical to iOS. The "Report phishing" option is in the same overflow menu.
What happens after you report
When you report a phishing email in Gmail:
- The email moves to Spam — it is removed from your inbox immediately
- Google analyzes the report — the email content, sender, links, and headers are examined by Google''s abuse team and automated systems
- The sender may be flagged — if enough users report the same sender or campaign, Gmail may block the sender across all Gmail accounts
- URLs may be added to Safe Browsing — phishing URLs in the email can be flagged in Google Safe Browsing, which protects Chrome, Firefox, and Safari users
- You will not be notified of the outcome — Google does not send individual follow-ups on phishing reports
Report phishing vs report spam: when to use which
| Use "Report phishing" when | Use "Report spam" when |
|---|---|
| The email pretends to be from a company or person it is not | The email is unwanted marketing or newsletters |
| The email asks for your password, credit card, or personal information | The email is from a real sender you just do not want to hear from |
| The email contains links to fake login pages | The email is a legitimate (but annoying) commercial message |
| The email claims your account is compromised and urges immediate action | You unsubscribed but the sender keeps emailing |
| The email impersonates your bank, employer, or a government agency | The email is an automated notification you no longer want |
Phishing is about deception and credential theft. Spam is about unwanted volume. The distinction matters because Google treats phishing reports more urgently than spam reports.
Beyond Gmail: where else to report phishing
Reporting within Gmail helps other Gmail users. For broader impact, also report to these organizations:
| Where to report | How | What it does |
|---|---|---|
| Anti-Phishing Working Group | Forward email to reportphishing@apwg.org | Global phishing intelligence sharing across security companies |
| The impersonated company | Forward to their abuse address (e.g., phishing@paypal.com) | Helps the company take down the phishing infrastructure |
| Google Safe Browsing | Report phishing URLs at safebrowsing.google.com/safebrowsing/report_phish/ | Flags the URL across Chrome, Firefox, and Safari |
| FTC (United States) | reportfraud.ftc.gov | Federal enforcement database |
| Action Fraud (UK) | actionfraud.police.uk | UK cybercrime reporting |
How to recognize phishing emails
Before reporting, you need to spot phishing in the first place. Watch for these signs:
- Urgency and threats — "Your account will be closed in 24 hours" or "Unauthorized login detected, act now"
- Mismatched sender address — the display name says "PayPal" but the actual email address is
alert@paypa1-security.com - Suspicious links — hover over links before clicking. If the URL does not match the supposed sender''s domain, it is likely phishing
- Requests for credentials — legitimate companies never ask for your password via email
- Generic greetings — "Dear Customer" instead of your actual name
- Grammar and spelling errors — less reliable than it used to be (AI-written phishing is grammatically correct), but still a signal in many campaigns
For real-world examples and detailed analysis, see our breakdown of real phishing emails and our overview of 10 email attack types.
Prevention: stop phishing before it reaches you
Enable Gmail''s enhanced safe browsing
Go to myaccount.google.com/security and enable "Enhanced Safe Browsing." This provides real-time protection against phishing URLs and malicious downloads, more aggressive than Gmail''s default protection.
Enable two-factor authentication
Even if you accidentally enter your password on a phishing page, 2FA prevents the attacker from accessing your account without your second factor. Use an authenticator app or hardware key — not SMS.
Use email aliases to limit exposure
Phishers target email addresses they find in breach databases or public profiles. If you use a unique email alias for each service, a phisher who obtains one alias cannot use it to impersonate other services convincingly. And if an alias starts receiving phishing, you disable it — the phisher loses access to that address entirely.
Frequently asked questions
Does reporting phishing in Gmail actually do anything?
Yes. Google uses phishing reports to train its spam filters, flag malicious senders, and update Safe Browsing. Individual reports contribute to a larger intelligence picture. The more people report a specific campaign, the faster Google blocks it for everyone.
What if I already clicked a link in the phishing email?
If you clicked a link but did not enter any information, you are likely fine. Clear your browser cache and run a malware scan to be safe. If you entered a password, change it immediately on that service and any other service where you use the same password. Enable 2FA on the affected account.
Can I report phishing in Gmail if I am using a Google Workspace account?
Yes. The reporting process is the same. Your Workspace admin may also have additional phishing reporting tools configured for your organization.
How do I report phishing to Google if it is not in Gmail?
If you received a phishing email in another email provider but it impersonates Google or links to Google services, report the phishing URL via Google Safe Browsing at safebrowsing.google.com/safebrowsing/report_phish/.
Ready to take control of your inbox?
Start protecting your email with Cleanbox — free plan available, no credit card required.
Get started free