Where do I report phishing messages?

Phishing is a serious cybersecurity threat that targets unsuspecting internet users. Phishing messages are fraudulent emails, texts, phone calls, or websites that appear legitimate but are designed to steal personal information. These messages often mimic trusted sources and brands in order to trick recipients into sharing login credentials, credit card numbers, or other sensitive details. If you receive a suspicious message that you believe to be a phishing attempt, it’s important to report it promptly to protect yourself and others. This article provides quick answers on where and how to properly report phishing scams across various platforms and contexts.

How to Identify Phishing Messages

Before reporting a potential phishing attempt, it’s important to verify that the message is indeed fraudulent. Here are some common red flags that indicate a message may be a phishing scam:

  • The sender’s email address looks suspicious or doesn’t match the company/organization it claims to represent
  • There are spelling and grammatical errors
  • The message conveys a sense of urgency, demanding immediate action
  • The message asks for sensitive personal or financial information
  • The website linked looks unprofessional, security certificates are invalid, or the URL doesn’t match that of the company
  • The message threatens consequences for inaction, such as account suspension

No legitimate organization will ever ask for your password, account PINs, or full credit card number directly over email or text. If a message raises any suspicions, it’s safest not to click any links, open attachments, or provide the requested information.

Reporting Phishing Emails

If you receive a suspicious email, the first step is to report it to the service you use to access email, such as Gmail, Yahoo, or Outlook. Here’s how to report phishing emails on the major email platforms:


  • Open the suspicious email message
  • Click the three dot menu icon next to the reply button
  • Select “Report phishing” from the dropdown menu
  • Confirm you want to report the message as phishing

Gmail will review the reported email and take appropriate action, such as moving it to the spam folder or blocking the sender entirely.

Yahoo Mail

  • Open the suspicious email message
  • Click the “Report” link towards the top right of the window
  • Select “Phishing” from the dropdown menu
  • Click “Report” to submit your report

Yahoo has an anti-phishing filter that will analyze reported emails and stop any associated attacks.


  • Open the suspicious email message
  • Select “Junk” from the toolbar
  • Choose “Phishing” when prompted

Outlook filters junk mail reported as phishing into a separate folder.

Apple Mail

  • Tap and hold the suspicious email message
  • Tap “Report Junk” from the menu
  • Select “It’s Phishing/Fraud” from the options

Apple Mail isolates junk and phishing attempts into a separate Junk folder.

Other Email Providers

Most email providers have dedicated phishing reporting tools. Check the “Help” sections of AOL, Zoho Mail, GMX, and other mailbox providers to find where to report phishing attacks specifically.

Reporting Phishing Text Messages

Suspicious text messages can also be a phishing risk. Here’s how to report phishing texts on the major mobile carriers:


Forward the text message to SPAM (7726). Verizon will investigate any messages reported through this number.


Copy the suspicious text and forward it to 7726 free of charge. AT&T filters these reported texts into an analytics system for review.


Forward phishing texts to 7726. T-Mobile tags all messages forwarded to this number as spam for analysis.


Sprint users can forward suspicious texts to the short code #777. Sprint investigates texts sent to this number.

Other Carriers

Most phone carriers have a similar dedicated short code for reporting phishing texts. Contact your provider directly for instructions.

Reporting Phishing Websites

If you encounter a website designed to trick visitors, you can report it directly to the hosting provider.

Report to Domain Registrar

The domain registrar is the company that registered the phishing site’s web address. To find out the registrar and submit a report:

  • Run the site through a WHOIS domain lookup tool
  • Note down the Registrar and their abuse contact info
  • Forward details of the phishing site to the registrar abuse team

The registrar can pull the site’s domain rights or shut down the phishing site completely.

Report to Web Host

The web hosting provider stores the phishing site files on their servers. To identify and report them:

  • Use WHOIS to lookup the name servers of the site
  • Enter the name servers into a reverse WHOIS search to uncover the web host
  • Report the phishing site to the web host abuse email, security team, or fraud hotline

The web host can remove the website and associated files or block the account responsible.

Report via Google Safe Browsing

Google Safe Browsing maintains a database of known phishing pages. To report a scam not yet in their system:

  • Click the “Report phishing page” link when Google warns you of the unsafe site
  • Or, from another device, submit the phishing URL directly through Safe Browsing

Google will analyze any reported URLs and block them through Chrome if found to be phishing sites.

Reporting Phishing Phone Calls

Scam calls impersonating trusted sources are difficult to stop once a number is spoofed. But you can report the phishing attempt to relevant authorities:

Report via FTC Complaint Assistant

The FTC (Federal Trade Commission) accepts complaints on phishing scams conducted over the phone. File a report through their online Complaint Assistant form, providing details on the call, company impersonated, and fake caller ID number.

Report to Phone Carrier

Contact your local phone carrier, explain that a fraudster is spoofing numbers matching their service, and ask them to investigate. The more reports against a specific spoofed number, the more likely they can block it.

Report to Impersonated Company

If scammers are pretending to be a certain bank, government agency, or other entity, report the phishing call directly to the real organization’s fraud division or security team. Include impersonated employee names, fake caller IDs or extensions, and scam details.

Report via DoNotCall.gov

In the US, you can file complaints on illegal robocalls and live scams through the FTC’s DoNotCall.gov website, which forwards reports to relevant authorities.

Reporting Suspicious Apps or Social Media Messages

Phishing scams are also conducted through fake apps and social media channels impersonating real ones. Here’s how to report these:

Report Fake Apps to App Stores

If you come across a phishing app on the Google Play Store, Apple App Store, or other platforms, you can report it directly to the store:

  • Google Play – Tap the three dot menu and select “Flag as inappropriate”
  • Apple App Store – Use “Report a Problem” from the app page
  • Other app stores – Check the platform wiki/FAQs for reporting tools

App stores can remove reported phishing apps and block their developers.

Report Phishing Social Media Messages

Social networks take impersonation attempts seriously. Report phishing scams on platforms like Facebook, Twitter, Instagram and LinkedIn through built-in reporting flows – search the respective platform’s “Help Center” for exact steps. Provide key details like account names, offending message content and screenshot evidence where possible.

Conduct Extra Research

After reporting a phishing attempt through official channels, consider doing some personal investigation work to gather evidence:

  • Lookup the phone number or sender address through spam blacklists or complaint forums to find other reports on the same scammer using the same details.
  • Use email headers or full email source code to dig out IP addresses, domains or other identifiable information on the sender.
  • Run links through multi-engine scanners to generate threat reports and uncover the attack destination.
  • Capture compelling evidence like recorded calls, photos of mailed letters, or video of websites in action.

Any supplementary details like this can significantly bolster your report and aid the security teams in pinpointing and stopping the phishing threat.


Phishing scams only succeed when good people are unaware or unsure of how to report them. If you encounter any message designed to steal your personal information, report it promptly through official channels – whether via email providers, phone carriers, domain registrars and hosts, app stores, social networks or consumer protection agencies. The more vigilantly we report phishing, the faster we can disrupt these criminal operations and make the digital world safer for everyone.