Reporting phishing attempts does more than you might think. Your report contributes to threat databases that protect millions of other users, helps take down fraudulent sites faster, and sometimes leads to criminal investigations. Here’s exactly how to report phishing to every channel that matters.
Why Reporting Matters
Google Safe Browsing, Microsoft SmartScreen, and similar services that warn users about dangerous URLs are populated largely by crowdsourced reports. When you report a phishing URL, it gets added to blacklists used by billions of users’ browsers. A phishing site that gets flagged quickly can be taken down or blocked before it harms most of its intended targets. A report that doesn’t get filed means the site stays active longer.
Reporting Phishing Emails
In Gmail
Open the suspicious email, click the three-dot menu in the upper right of the message, and select “Report phishing.” This sends the message to Google’s spam and phishing team and removes it from your inbox. You can also forward it to [email protected] (the Anti-Phishing Working Group, the primary industry body for phishing intelligence).
In Outlook / Microsoft 365
Select the message, click “Report message” in the toolbar, and choose “Phishing.” In the desktop app, use the “Report Message” add-in if installed, or forward to [email protected].
In Apple Mail
Forward the phishing email as an attachment to [email protected].
Universal: Forward to the Anti-Phishing Working Group
Forward any phishing email to [email protected]. The APWG is an industry coalition that tracks phishing campaigns globally. Your report goes into their shared intelligence database used by security vendors and law enforcement worldwide.
Reporting Phishing Websites
Google Safe Browsing
Report phishing URLs directly to Google at safebrowsing.google.com/safebrowsing/report_phish/. Once verified, the URL gets flagged in Chrome, Safari (which uses Google Safe Browsing), and Firefox (which uses it as one of its sources).
Microsoft SmartScreen
Submit phishing URLs to Microsoft at microsoft.com/en-us/wdsi/support/report-unsafe-site. This feeds into SmartScreen, which protects Edge users and Windows Defender.
CISA (US only)
The Cybersecurity and Infrastructure Security Agency accepts phishing reports at us-cert.cisa.gov/report. This is particularly important for attacks targeting critical infrastructure or government organizations.
The FTC (US only)
Report phishing attempts at reportfraud.ftc.gov. The FTC investigates fraud and uses reports to identify patterns and build cases against repeat offenders.
The IC3 (US only)
If financial fraud occurred (money was transferred or accounts were accessed), file a report with the FBI’s Internet Crime Complaint Center at ic3.gov.
Reporting the Impersonated Brand
If a phishing email impersonates a specific company (your bank, Amazon, Microsoft), report it to that company’s abuse or security team as well. Most major companies have a dedicated abuse address (e.g., [email protected], [email protected]). They can take direct action against domains impersonating their brand.
Analyzing the Link Before Reporting
Before reporting, it helps to have a clear picture of what makes a link phishing rather than just suspicious. The Phishing Link Scanner analyzes the URL for specific red flags — domain spoofing patterns, SSL issues, redirect indicators — which you can include in your report to provide more useful intelligence to the organizations you’re reporting to.
What Happens After You Report
Google typically reviews submitted URLs and adds confirmed threats to Safe Browsing within hours. Phishing sites are often taken down within 24–72 hours of widespread reporting, though sophisticated operations quickly spin up new domains. Your report is one data point; the cumulative effect of many reports on the same infrastructure is what drives rapid response.