How do I report a suspicious email?

Suspicious emails, also known as phishing emails, are on the rise. A phishing email is an email scam where cybercriminals try to trick you into giving them your personal information. These emails can look very authentic, often impersonating well-known companies, banks, or government agencies. If you receive a suspicious email, it’s important to report it so that action can be taken to shut down the scam. In this comprehensive guide, we will cover everything you need to know about reporting suspicious emails.

How to Spot a Phishing Email

The first step is knowing how to identify a phishing email. Here are some common red flags:

  • It was sent from an unfamiliar email address. Reputable companies will only email you from a domain they own.
  • There are spelling and grammar errors. Phishing emails are often poorly written.
  • It asks you to click on a link and provide login credentials or personal information. Reputable companies will not ask for sensitive information over email.
  • It threatens action if you don’t respond, such as account suspension.
  • The email address does not match the company name. For example, an Amazon email sent from
  • The greeting uses generic language like “Dear user” instead of your name.
  • You were not expecting the email or it seems random and unsolicited.
  • The sender claims there is a problem with your account and pressures you to act urgently.
  • Hovering over hyperlinks shows a different URL than the one displayed.

No single red flag confirms an email is malicious, but the more that are present, the more likely it is a phishing attempt. Use your best judgment based on these indicators.

Do Not Engage with the Email

If you suspect an email is phishing, do not click any links, open attachments, or reply. Engaging with the email could confirm you as a target and make you vulnerable to malware or theft of login credentials. Safely ignore and delete the email.

Report the Email

Once you’ve identified a suspicious email, take a few minutes to report it:

Report to Email Provider

Every major email provider has a way to report malicious emails:

  • Gmail: Click the three vertical dots next to the email, choose “Report phishing.”
  • Outlook/Hotmail: Select “Junk” then “Report phishing.”
  • Yahoo: Click the down arrow next to the email, choose “Report spam.”
  • iCloud: Forward the email to [email protected].

Reporting to your email provider will help block future emails from the same sender.

Report to Organization Impersonated

If the phishing email is posing as a legitimate organization, also notify that organization directly:

  • Find the real website for the company or agency impersonated.
  • Look for a “Contact Us” page with information on reporting fraudulent emails.
  • Forward the phishing email as an attachment in your report.

Organizations can request the fake domain names be taken down and use the phishing lures to strengthen their own security.

Report to the Anti-Phishing Working Group

The Anti-Phishing Working Group (APWG) is an international coalition that aims to combat cybercrime. They provide a webform to report phishing attempts. Simply complete the form with details about the suspicious email and any indicators of compromise. This will help authorities track and respond to phishing campaigns worldwide.

Report to the FTC

You can also notify the Federal Trade Commission (FTC) about any phishing attempts through their online complaint assistant. The FTC tracks fraud trends and shares data with law enforcement to aid investigations.

How Reports Help

Every phishing email reported contributes valuable information that protects others from being victimized:

  • Email providers can block listed senders and filter similar emails from reaching people’s inboxes.
  • Organizations can fortify their systems and educate customers on known phishing tactics impersonating their brand.
  • Government agencies use phishing data to pursue legal action against scammers, botnets, money laundering operations, and other cybercrime.
  • Security companies can analyze phishing tactics and train AI to recognize emerging trends.
  • Reporting raises awareness and helps the public identify and avoid new phishing scams as they emerge.

While you may only see one suspicious email, reporting it could be the missing piece of the puzzle that leads to shutting down an entire phishing operation. Your report helps protect countless other potential victims.

How to Further Protect Yourself

In addition to reporting phishing attempts, here are important steps you can take to enhance your own cybersecurity:

  • Enable two-factor authentication on important accounts whenever possible.
  • Be cautious when clicking links and opening attachments, even from people you know. Verify anything suspicious first.
  • Slow down and evaluate emails before acting. Don’t let urgency or fear push you into a mistake.
  • Use security software to help spot and block phishing attempts.
  • Keep all software updated, including your operating system, browser, and security programs.

No one is immune from well-crafted phishing scams. But staying vigilant, reporting suspicious emails, and using safe browsing habits will go a long way in protecting you online.

Examples of Phishing Emails

To help identify phishing attempts, here are two example emails with explanations of the red flags:

Example 1: Bank Phishing Email

Screenshot of a fake bank email

This email pretends to be from a major bank. Some red flags:

  • Generic greeting of “Dear Customer” instead of your name
  • Urgency to avoid account suspension
  • Request to click link and verify personal information
  • Sender email does not match bank’s domain

Example 2: Social Media Notification

Screenshot of a fake social media notification email

This email impersonates a notification from a popular social media site. Some red flags:

  • Was not expecting or requesting login notification
  • Urgency to secure account
  • Generic greeting “Hi Dear”
  • Poor grammar and spelling errors
  • Link URL does not match social media domain

Notice how both examples prey on urgency and fear of a compromised account. No legitimate company will ever contact you this way. Slow down and inspect any emails like these examples before acting.

How to Check if an Email is Legitimate

If you are unsure about an email, don’t use links or info from the email itself to verify it. Instead:

  • Navigate directly to the organization’s website by typing the URL in your browser bar.
  • Find customer service contact information on the company website.
  • Call the phone number listed to authenticate the request in the email.
  • Use the company’s official mobile app to check your account status.
  • Log into your account directly through the app or website to check for notifications.

Any email requesting sensitive information like passwords or account details should be verified through official channels, not through links in the email itself. When in doubt, reach out to the company directly before providing personal information.

What to Do If You Submitted Information

If you mistakenly clicked a link or submitted information in response to a phishing email, don’t panic. Act quickly to secure your accounts through official channels:

  • If related to banking, call your bank’s customer service immediately.
  • If related to an online account, log in directly through the mobile app or website to change your password.
  • Enable two-factor authentication if not already active.
  • Check account settings and messages for any unauthorized changes.
  • Run a virus scan to check for any malware installed from downloaded files.

Alert the company impersonated about the phishing attempt so they can take action. Closely monitor all accounts that may have been compromised and report any suspicious activity. Place fraud alerts and order your free credit reports to check for identity theft. With quick action, you can limit or fully reverse the damage.

Reporting Phishing Emails: Recap

To recap, here are the steps to take when you receive a suspicious email:

  1. Do not click any links or attachments in the email.
  2. Report the email to your email provider.
  3. Forward the email to the impersonated organization.
  4. Notify the APWG and FTC using their reporting tools.
  5. Delete the suspicious email.

Reporting phishing emails helps protect the broader community. Additionally, implement safe browsing habits and watch for any unusual activity on your accounts. Being vigilant and taking quick action if compromised will keep your data secure. Share this guide with family and friends to spread awareness about identifying and reporting phishing scams.


Phishing emails can look remarkably authentic, but armed with knowledge of common red flags, you can recognize and report malicious emails. Every reported phishing attempt contributes valuable data to aid anti-fraud efforts worldwide. Do your part to create a safer internet for all by immediately reporting any suspicious emails you encounter. Use secure browsing habits, enable two-factor authentication when possible, and maintain vigilance against evolving phishing tactics. Report phishing confidently using the steps in this comprehensive guide. Together we can significantly disrupt global phishing schemes and their ability to victimize consumers.