How to Report Scam Emails: Report, and Avoid Phishing in 2026
In this article:
- What to Do When You Receive a Suspicious Email
- Where and How to Report Phishing Emails: Step-by-Step Guide
- How to Report Phishing in Gmail, Outlook, and Yahoo
- How to Report Scam Emails
- How to Report a Scammer’s Email Address
- How to Report Fraudulent and Business Email Compromise Emails
- How to Report Threatening or Extortion Emails
- Spam vs. Phishing: What Is the Difference?
- What to Do If You Clicked a Phishing Link
- Frequently Asked Questions About Reporting Phishing
- Protect Your Business from Phishing Attacks in 2026
Every day, an estimated 3.4 billion phishing messages land in inboxes around the world. Phishing remains the single most prevalent type of cybercrime in the United States and the leading cause of data breaches globally, with IBM reporting that 15% of all breaches stem directly from phishing attacks.
As a Chicago managed IT company, we see the aftermath of these scams every week. A single click on a malicious link or a single response to a suspicious message can expose your organization to stolen credentials, ransomware, financial fraud, and identity theft. This guide walks you through exactly how to report phishing emails, where to forward phishing emails, and what to do when suspicious emails, scam email messages, or deceptive emails reach your inbox.
What to Do When You Receive a Suspicious Email
If you have received a suspicious message, whether it looks like a phishing attempt, a scam, or just something that does not feel right, here is exactly what to do:
Do not click links, download attachments, or download files from the message. Even clicking “unsubscribe” in a scam email can confirm your address is active and invite more phishing attacks. Do not respond, and do not send money under any circumstances.
Do not provide private information. Reputable organizations will never ask you to share passwords, Social Security numbers, credit card numbers, or financial information by email. Any message requesting sensitive information through email should be treated as suspicious.
Verify the sender independently. If the email claims to be from your bank, a vendor, or a colleague, contact them directly using a phone number or website you already trust. Note that scammers craft phishing messages using publicly available information from social media and company websites to make unusual requests appear legitimate. Phone calls (vishing) and text messages (smishing) use the same tactics. Check the sender’s email address carefully: scammers often use addresses with slight misspellings of official domains to create deceptive emails. Hover over hyperlinks to check the URL before clicking.
Report the email using the steps below. Reporting phishing takes a few seconds and helps protect other people from the same attack.
Delete the message after reporting. Remove it from your inbox and your junk folder.
If you are not sure whether an email is phishing or just spam, report it anyway. It is always better to report suspicious emails that turn out to be harmless than to ignore something dangerous.
Where and How to Report Phishing Emails: Step-by-Step Guide
Reporting phishing attempts helps protect not just your organization but the broader community. Every report contributes to tracking campaigns, identifying threat actors, and shutting down malicious websites and malicious email infrastructure.
Quick Reference: Where to Forward Phishing and Scam Emails
| What You Received | Where to Forward It | Additional Steps |
|---|---|---|
| Phishing email (any kind) | reportphishing@apwg.org | Also forward to spam@uce.gov |
| Phishing impersonating a company | The company’s abuse address | Also forward to APWG |
| Scam or fraudulent email | reportphishing@apwg.org | File a report at ReportFraud.ftc.gov |
| Phishing text message (smishing) | Forward to 7726 (SPAM) | Report at ReportFraud.ftc.gov |
| Threatening or extortion email | ic3.gov (FBI complaint) | Contact local enforcement |
| Scammer using a specific address | Report to email provider + ic3.gov | See scammer address section below |
What to Include When Reporting a Phishing Email
When submitting your report, include the full email (forward it, do not just describe it), the sender’s email address, any links or attachments (do not click them), the date and time you received it, and any actions you took. If possible, include the full email header. In Gmail, click the three dots and select “Show original.”
Anti-Phishing Working Group (APWG)
The APWG is a global coalition fighting phishing and cybercrime. When you forward phishing emails to reportphishing@apwg.org, the APWG’s systems analyze the message to identify the malicious infrastructure behind the attack, the fake websites, the hosting providers, the domains. This data feeds into a global threat intelligence network that helps email filters, browsers, and security teams block similar phishing attacks faster. Your single forwarded email genuinely contributes to shutting down phishing campaigns that could otherwise reach thousands of additional targets.
Federal Trade Commission (FTC)
The Federal Trade Commission uses phishing reports to track scams and bring cases against fraud. Forward phishing emails to reportphishing@apwg.org, forward the same message to spam@uce.gov, and file a complaint at ReportFraud.ftc.gov.
FBI Internet Crime Complaint Center (IC3)
The FBI’s IC3 collects reports of internet crime including phishing, business email compromise, and ransomware. Visit ic3.gov, complete the online complaint form, and include as much detail as possible about the sender, message content, and any money lost.
Report Phishing Impersonating Specific Companies
If the phishing email impersonates a legitimate company, report it directly to that organization. Microsoft: forward to phish@office365.microsoft.com. Google: forward to reportphishing@google.com. Apple: forward to reportphishing@apple.com. Amazon: forward to stop-spoofing@amazon.com. PayPal: forward to phishing@paypal.com. Most major companies have dedicated reporting addresses on their official website.
How to Report Phishing in Gmail, Outlook, and Yahoo
Most email platforms have built-in tools to report phishing directly from your inbox. Using these tools flags the suspicious message for the email provider’s security teams and helps train the email filters that protect every other user on that platform.
Gmail: Open the suspicious email (do not click any links inside it). Click the three vertical dots in the upper right corner. Select “Report phishing” from the dropdown menu. Confirm when prompted. Gmail will move the email to the junk folder and send a copy to Google for analysis.
Microsoft Outlook and Microsoft 365: Select the suspicious email. Click the “Report” button in the ribbon (or right-click the message). Choose “Report phishing.” The message will be forwarded to Microsoft and removed from your inbox.
Yahoo Mail: Open the suspicious email. Click the three dots (More) next to the reply button. Select “Report phishing scam.” Yahoo will analyze the message and update its email filters accordingly.
Apple Mail: Apple Mail does not have a dedicated report phishing button. Forward phishing emails impersonating Apple to reportphishing@apple.com. For other phishing messages, forward to reportphishing@apwg.org. Mark the message as junk by moving it to your junk folder.
How to Report Scam Emails
Not every malicious email looks like a textbook phishing attack. Scam emails come in many forms: fake invoices, bogus prize notifications, romance scams, advance-fee fraud, impersonation of government agencies, or fraudulent business proposals.
Do not reply, click links, or send money. Forward the scam email to reportphishing@apwg.org. Report the scam at ReportFraud.ftc.gov. Report to your email provider using the built-in reporting tools. If you lost money or shared financial information, contact your bank or credit card company immediately, then file a report with the FBI’s IC3.
Whether you call it a scam email, a fraudulent email, or a phishing email, the reporting channels are the same.
How to Report a Scammer’s Email Address
Sometimes the goal is not just to report a single message but to flag an email address that is being used repeatedly for scams or phishing. Report to the email provider: Gmail, Outlook, and Yahoo each have abuse reporting pages where you can flag the account for investigation. Forward examples of the scam emails from that address to reportphishing@apwg.org. File a report with the FBI’s IC3 at ic3.gov if the address was used for fraud or any other crime. Report to the Federal Trade Commission at ReportFraud.ftc.gov.
Can you get a scammer’s email address shut down? Yes, but it depends on the email provider and the strength of the evidence. Providers like Google and Microsoft have dedicated abuse teams that review reports and can suspend accounts. Filing reports with multiple agencies increases the chances the address gets flagged and blocked.
How to Report Fraudulent and Business Email Compromise Emails
Fraudulent emails specifically involve financial deception: fake invoices, phony wire transfer requests, forged payment confirmations, or messages impersonating your bank to steal money or financial information. Business email compromise involves an attacker spoofing an executive’s email account to demand urgent financial transactions from employees.
Forward the email to reportphishing@apwg.org and spam@uce.gov. Report to the Federal Trade Commission at ReportFraud.ftc.gov. File a complaint with the FBI’s IC3, especially if the email involves a wire transfer, invoice manipulation, or business email compromise. Contact your bank immediately if anyone acted on the email. Notify your company’s IT team or managed service provider, because these phishing attacks often signal that an email account within your organization has been compromised. For a deeper look at how hackers exploit compromised email, see our guide on whether someone can hack your email without your password.
How to Report Threatening or Extortion Emails
Threatening and extortion emails go beyond typical phishing. These messages might claim to have compromising photos, threaten to release sensitive information, demand payment in cryptocurrency, or threaten violence. Most email extortion threats are bluffs sent in bulk using leaked email lists.
Do not respond and do not send money. Screenshot and save the full message including the sender’s email address and any cryptocurrency wallet addresses. Report to the FBI’s IC3 at ic3.gov. Contact local law enforcement if the email contains specific threats of violence. Forward the email to reportphishing@apwg.org. Notify your IT team if the email was sent to a work account.
Spam vs. Phishing: What Is the Difference?
Spam is unwanted bulk email: unsolicited marketing, newsletters you never signed up for. Spam is annoying but usually not trying to steal sensitive information or install malware. Phishing is a targeted attempt to trick you into giving up private information, clicking a malicious link, or downloading malicious attachments. Phishing messages impersonate trusted organizations, create urgency, and have a specific goal.
To report spam, mark it as junk in your email app and forward to spam@uce.gov. To report phishing, forward to reportphishing@apwg.org, use your email app’s report phishing tool, and file with the FBI’s IC3 if financial loss or identity theft is involved. If you are not sure, report suspicious emails as phishing.
What to Do If You Clicked a Phishing Link
If you suspect you have fallen for a phishing scam, act immediately. Change your password for the compromised account and any account that shares similar credentials. Enable multi-factor authentication on every account that supports it. Contact your bank if you entered financial information. Monitor your accounts for suspicious activity. Run a full security scan on your computer and phone. If your Social Security number may have been stolen, contact Equifax, Experian, and TransUnion to place a fraud alert or credit freeze. Report the incident using the steps above and notify your employer’s IT team if a work account was involved. For more on why regular password changes matter, see our guide on why password changes are required.
Frequently Asked Questions About Reporting Phishing
What does “report phishing” mean? Report phishing means notifying an authority (your email provider, the Federal Trade Commission, the FBI, or the APWG) that you received a deceptive email designed to steal information or money. When you report, you forward the suspicious message so it can be analyzed, malicious websites can be taken down, and email filters can be updated to block similar phishing attacks.
Where do I forward phishing emails? Forward phishing emails to reportphishing@apwg.org. You can also forward to spam@uce.gov and to the impersonated company’s abuse address. For phishing text messages, forward to 7726 (SPAM).
Does reporting phishing actually do anything? Yes. Every report contributes to a global database that security teams, email platforms, and law enforcement partners use to identify and dismantle phishing campaigns. The APWG tracks over a million phishing attacks per quarter and coordinates takedowns worldwide.
What is the difference between spam and phishing? Spam is unwanted bulk email. Phishing is a targeted attack designed to trick you into revealing sensitive information or clicking a malicious link. Report spam by marking it as junk and forwarding to spam@uce.gov. Report phishing by forwarding to reportphishing@apwg.org.
Can I report an email address for scamming? Yes. Report the address to the email provider through their abuse reporting pages. Forward examples to reportphishing@apwg.org and file a report with the FBI’s IC3 at ic3.gov.
How do I report a threatening or extortion email? Do not respond and do not pay. File a complaint with the FBI’s IC3, contact local law enforcement if the threat is specific, and forward the email to reportphishing@apwg.org.
Why should I report phishing instead of just deleting it? Deleting protects you. Reporting protects thousands of other potential victims. When you report phishing, you contribute data that helps email filters improve, helps security teams take down malicious websites, and helps law enforcement investigate cybercriminals.
Protect Your Business from Phishing Attacks in 2026
Phishing scams will continue to evolve, but you do not have to face them alone. A managed IT service provider brings advanced threat detection tools, employee training, phishing simulations, email authentication protocols (SPF, DKIM, DMARC), and proactive monitoring to stay ahead of emerging phishing attacks. From multi-layered email security that blocks malicious email before it reaches your inbox to dark web monitoring for exposed credentials, the right partner makes your organization significantly harder to compromise. Phishing can also arrive through fake website pop ups, not just email.
LeadingIT is Chicagoland’s trusted advisor for organizations with 25 to 250 users, specializing in IT and cybersecurity solutions. Our unlimited support model means your team always has the help they need. Call us at 815-788-6041 or book a free security risk assessment today.
