Where and How To Report a Phishing Email

Phishing emails present a significant threat to individuals and small business owners. Understanding how to effectively report these phishing emails is essential in the battle against cybercrime. 

In this guide, I will take you through the steps on where and how to report phishing emails effectively.

There are 6 ways you can follow to report a phishing email (from the direct one to the more advanced):

1. Firstly, to your financial institution if you believe that your banking or credit card information has been compromised.
2. To your email provider.
3. To the IT department of your organization if you’re an employee.
4. To the APWG (Anti-Phishing Working Group).
5. To the FTC (Federal Trade Commission).
6. To the IC3 (Internet Crime Complaint Center).

Before diving in depth in each one of these 6 ways, let’s first briefly see why would you need to report a phishing email:

– Why is it important to report phishing emails

Reporting phishing emails serves crucial purposes. It raises awareness about new and evolving phishing scams, aiding in the identification of those responsible and enabling law enforcement to intervene.

This process is instrumental in thwarting the success of phishing attacks and mitigating their impact by limiting the information attackers can acquire.

Furthermore, reporting phishing emails plays a vital role in helping organizations assess their vulnerability. It empowers IT departments to pinpoint weaknesses in their security systems, taking preventive measures against future attacks. This information is valuable for enhancing security awareness and training programs within organizations, fostering a culture of vigilance among employees against phishing threats.

Now, let’s detail in a step by step way the 6 methods to report a phishing email:

I- Report a financial phishing attack to your financial institution

If you suspect that your banking or credit card information has been compromised in a phishing scam, it is crucial to take immediate action to protect yourself from further harm:

1. Immediately contact your bank or credit card company to report the incident and provide them with all relevant details.
2. Request them to freeze your account and/or card.
3. Ask them also to place a hold on any suspicious transactions.
4. Change the passwords for your online banking, credit card accounts, and any associated accounts immediately.
   You can use our Password Generator tool to create strong and unique passwords that include a mix of letters, numbers, and symbols.
5. Enable two-factor authentication (2FA) for added security.
6. Keep a close eye on your accounts for any unauthorized transactions and report them immediately.
7. Run antivirus and anti-malware scans on your device to ensure it was not infected with malware from the phishing attack.

By promptly taking these steps, you can minimize the impact of the phishing scam and regain control over your financial security.

II- How to report a phishing email to the email provider

By reporting to the email provider, you contribute to refining email filters, improving protection for both yourself and others in the future.

a- How to report a phishing email in Gmail (Web version)

To report a phishing email in Gmail (the web version, not the android app):

1. Open the suspicious email.
2. In the upper-right corner of the email, click on the three dots (More options).
3. From the dropdown menu, select “Report phishing.”

4. In the popup that Gmail displays, confirm that you want to mark the email as a phishing attempt.

b- How to report a phishing email in Outlook (Web version)

To report a phishing email in Outlook (the web version, not the Windows app):

1. Open the suspicious email.
2. In the upper-right corner of the message, click on the horizontal three dots (“More actions” next to the Forward arrow icon).
3. From the dropdown menu, select “Report”, then “Report phishing.”

III- How to report a phishing email to the IT department of your organization

If you’re an employee, report it also to your IT department; timely reporting to IT departments enables quick action to prevent further attacks and safeguard your organization’s sensitive information.

Here is the effective procedure:

• Extract the complete header information of the phishing email. See here what are email headers and how to get them in Gmail and Outlook.
• Forward the phishing email along with its header information to your IT department.

IV- How to report a phishing email to the APWG

The Anti-Phishing Working Group (APWG) is a non-profit organization that focuses on combating identity theft and fraud arising from phishing, crimeware, and email spoofing.

To report a suspicious phishing email to the APWG : simply forward it to [email protected].

V- How to report a phishing email to the FTC (in the US)

The Federal Trade Commission (FTC) is a U.S. government agency responsible for protecting consumers from fraudulent, deceptive, and unfair business practices. It provides its reportfraud.ftc.gov website for individuals to report various types of fraud, scams, and deceptive practices.

In the US, to report a suspicious phishing email to the Federal Trade Commission (FTC), go to: https://reportfraud.ftc.gov/#/assistant and fill in all the possible information.

In the following screenshots, I illustrated, in a practical example, the different steps to do that:

I took the example of a phishing email I got, that claims to be from FedEx shipping company and that asks me to confirm my delivery information by clicking on a button leading to their phishing page.

So, in the first screen of the FTC Report Fraud assistant, you’re asked to indicate the type or subject of the scam; e.g. An impersonator (of a fake government, fake business, etc).

In my case, I chose the Impersonator option. Select the appropriate option for your situation and click “Continue”.

A second part is added below the first one, and where you’re asked to specify who was the scammer pretending to be; e.g. Government authority or agency, business, etc.

I chose “Well-known or trusted business”. You choose the option that suits your situation and click “Continue”.

The next screen is about any details related to the scam and the scammer. Fill in as much as you can.

Then, the last screen is about you (your name, address, etc).

Once you filled all the information you can, click on “Submit” button.

VI- How to report a phishing email to the IC3 (in the US)

In the US, if you believe you have been the victim of a phishing scam, report it to the Internet Crime Complaint Center (IC3), run by the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C). 

Note: You should be aware that you can file a complaint with the IC3 only If either you (the victim) or the alleged subject of the Internet crime is located within the United States.

To file a complaint about a phishing attack, go here: https://www.ic3.gov/Home/FileComplaint

In the following screenshots, I illustrated, in a practical example, the different steps to do that:

First, you’ll need to read and accept some terms and conditions related to filing an IC3 complaint.

Then, in the first step, you’ll need to specify who was the victim of the incident, you or another one.

If you’re filing on behalf someone else, choose “No” and indicate the contact details of the scam victim.

When done, click on “Next”.

In the step 2, you’ll need to fill in the victim contact information.

Once done, click on “Next”.

The following steps are about any financial transaction you did (if any), the incident description and subject, and any other useful information you can add.

In the final step, sign the form and submit it.

– Final thoughts on reporting phishing email scams

Taking every instance of phishing scams seriously and promptly reporting them is crucial. Financial institutions and relevant authorities have the expertise and tools at their disposal to help in safeguarding against scams.

Reporting numerous phishing emails can play a vital role in preventing future attacks for all. Reporting fraud not only protects your personal information or businesses but also safeguards others who might become victims of similar scams.