Table of Contents
Reporting phishing takes a few minutes and protects thousands of potential victims. When you report a phishing email, text, or website, you feed information into the systems that email providers, browsers, phone carriers, and law enforcement use to block future attacks. One report might seem small, but collectively, user reports are the backbone of the global anti-phishing infrastructure. This article is part of our Phishing & Social Engineering guide and walks you through reporting phishing across every channel.
Why Reporting Matters
Every phishing report contributes to:
- Email filtering: When you report a phishing email to Gmail, Outlook, or Apple Mail, the provider uses that data to improve its spam and phishing filters. A reported phishing email helps block similar emails sent to millions of other users.
- Browser blocklists: When you report a phishing URL to Google Safe Browsing or Microsoft SmartScreen, the URL is added to a blocklist that warns every Chrome, Firefox, Safari, and Edge user who attempts to visit it.
- Takedown actions: Reports to domain registrars, hosting providers, and anti-phishing organizations lead to malicious websites being taken down, often within hours.
- Law enforcement investigations: Aggregated reports help the FBI, FTC, and international law enforcement agencies identify patterns, track criminal organizations, and pursue prosecutions.
- Public awareness: Reported phishing data informs security research, media coverage, and awareness campaigns that educate the public.
You are not just protecting yourself when you report phishing – you are protecting everyone.
How to Report Phishing Emails
To Your Email Provider
This is the fastest and most impactful step. Your email provider uses reports to improve filtering for all users.
Gmail:
- Open the phishing email.
- Click the three-dot menu in the upper-right corner of the email.
- Select “Report phishing.”
- Google will analyze the email and use the data to improve filtering.
Apple Mail (iCloud):
- On iPhone/iPad: Open the email, tap the reply arrow, and select “Move to Junk.” For more impactful reporting, forward the email to reportphishing@apple.com.
- On Mac: Select the email and choose Message > Move to Junk, or forward it to reportphishing@apple.com.
Microsoft Outlook:
- Select the phishing email.
- Click the “Report” button in the ribbon (or right-click > Report > Report Phishing).
- Microsoft uses reports to improve filtering across Outlook, Hotmail, and enterprise email.
Yahoo Mail:
- Select the phishing email.
- Click the three-dot menu.
- Select “Report a phishing scam.”
To the Anti-Phishing Working Group (APWG)
Forward phishing emails to reportphishing@apwg.org. The APWG is a global coalition of security companies, law enforcement, and technology providers that aggregates phishing reports from around the world. Your report contributes to the largest phishing data repository used by security researchers and vendors.
To the Impersonated Organization
If the phishing email impersonates a specific company (your bank, Apple, Amazon, etc.), forward it to that company’s abuse or phishing reporting address:
- Apple: reportphishing@apple.com
- Google: Report through Gmail’s built-in reporting
- Microsoft: phish@office365.microsoft.com
- Amazon: stop-spoofing@amazon.com
- PayPal: spoof@paypal.com
- Your bank: Most banks have a dedicated phishing email address, often listed on their security page.
Organizations use these reports to identify campaigns targeting their customers and take action against fraudulent domains and accounts.
How to Report Phishing Websites
Google Safe Browsing
Report phishing URLs to Google Safe Browsing at safebrowsing.google.com/safebrowsing/report_phish/. This is one of the most impactful actions you can take because Google Safe Browsing protects users of Chrome, Firefox, Safari, and many other applications that integrate with its blocklist.
Microsoft SmartScreen
Report phishing sites through the Microsoft Security Intelligence portal. SmartScreen protections are used by Edge and Windows Defender.
Your Browser
Most browsers allow you to report phishing sites directly:
- Safari: Go to Safari > Report Fraudulent Website.
- Chrome: Click the three-dot menu > Help > Report an issue, or use the Safe Browsing report page.
- Firefox: Click the hamburger menu > Help > Report deceptive site.
Domain Registrars and Hosting Providers
For a more targeted takedown, identify who hosts the phishing site and report it to them:
- Use a WHOIS lookup (whois.domaintools.com or similar) to find the domain’s registrar and hosting provider.
- Contact the registrar’s abuse department (usually abuse@registrar.com).
- Contact the hosting provider’s abuse department.
Most reputable hosting providers and registrars have policies against phishing and will take down reported sites, often within hours.
How to Report Phishing Texts (Smishing)
Forward to 7726 (SPAM)
In the United States, forward smishing messages to 7726 (which spells SPAM). This service is supported by major carriers (AT&T, Verizon, T-Mobile) and helps them identify and block spam and phishing text messages.
How to forward:
- iPhone: Long-press the message > More > select the message > tap the forward arrow > enter 7726 > Send.
- Android: Long-press the message > Forward > enter 7726 > Send.
Report to the FTC
Report smishing to the Federal Trade Commission at ReportFraud.ftc.gov. FTC reports feed into a nationwide database used by law enforcement agencies.
Report to the Impersonated Organization
If the text impersonates a specific company, forward it to their abuse reporting channel. For example, if a text impersonates your bank, contact your bank to alert them to the campaign.
How to Report Phishing Phone Calls
Do Not Call Registry Violations
If you receive unsolicited phone calls, report them to the FTC at donotcall.gov. While the Do Not Call Registry primarily addresses telemarketing, reports of fraudulent calls help the FTC identify scam operations.
Report to the FTC
File a report at ReportFraud.ftc.gov with as much detail as possible: the phone number, what the caller said, what organization they impersonated, and any callback numbers they provided.
Report Voice Cloning Scams
If the call involved deepfake voice cloning – someone impersonating a family member or known person using a cloned voice – report it to:
- FBI’s Internet Crime Complaint Center (IC3) at ic3.gov
- FTC at ReportFraud.ftc.gov
- Local law enforcement – File a police report, especially if money was lost.
Block the Number
After reporting, block the phone number on your device:
- iPhone: Open the Phone or Messages app > find the number > tap the info (i) icon > Block This Caller.
- Android: Open the Phone app > find the number > tap the menu > Block/Report spam.
How to Report QR Code Phishing
QR code scams require a multi-step reporting approach:
- Report the URL to Google Safe Browsing and your browser (see website reporting above).
- Report the physical QR code to the location where you found it – notify the business, parking authority, or property manager so they can remove the fraudulent sticker.
- Report to local law enforcement if the QR code is on public infrastructure (parking meters, transit stations).
- Report to the FTC at ReportFraud.ftc.gov.
Reporting to Law Enforcement
FBI Internet Crime Complaint Center (IC3)
File a report at ic3.gov for any internet-related crime, including phishing, business email compromise, romance scams, and tech support scams. IC3 reports are analyzed and distributed to federal, state, and local law enforcement agencies.
Provide as much detail as possible:
- Description of the incident.
- Email addresses, phone numbers, and URLs involved.
- Screenshots of the phishing message or website.
- Financial transaction details if money was lost.
- Any other relevant information.
Federal Trade Commission (FTC)
Report at ReportFraud.ftc.gov. The FTC aggregates reports into the Consumer Sentinel Network, a database used by thousands of law enforcement agencies worldwide.
State Attorney General
Most state attorneys general have consumer fraud divisions that accept phishing and scam reports. Find your state AG’s office at naag.org/find-my-ag/.
Local Police
For significant financial losses, file a report with your local police department. A police report is often required for insurance claims, bank disputes, and credit bureau fraud alerts.
What Information to Include in Reports
The more detail you provide, the more useful your report:
- The phishing message: Forward the original email, or screenshot the text/call information.
- Headers: For email, include the full email headers if possible (in Gmail: open the email > three-dot menu > Show original).
- URLs: The exact URLs involved, including any redirects.
- Screenshots: Screenshots of fake login pages, pop-up warnings, or other visual components.
- Timeline: When you received the message and what actions you took.
- Financial details: If money was lost, include amounts, payment methods, and recipient information.
- Impact: What information or access was compromised.
After Reporting: Protect Yourself
Reporting is not the end of the process. Take steps to protect yourself:
- Change compromised passwords using a password manager to generate strong, unique replacements. If you are on macOS or iOS, PanicVault makes it easy to generate and store strong passwords in the open KeePass KDBX format.
- Enable two-factor authentication on all accounts, prioritizing email and financial accounts.
- Monitor your accounts for unauthorized activity.
- Check for data exposure on services like Have I Been Pwned to see if your email appears in data breaches.
- Consider a credit freeze if personal financial information was exposed.
Making Reporting a Habit
The most effective phishing reporters make it a routine. When you receive an obvious phishing email:
- Report it to your email provider (one click in most email apps).
- Forward it to reportphishing@apwg.org (one forward).
- Delete it.
The entire process takes less than a minute. Over time, your reports contribute to the collective defense that protects millions of people.
Training your family to report phishing multiplies this impact. If every member of your household reports the phishing messages they receive, you are feeding more data into the systems that protect everyone.
