
How to Report Phishing in Gmail and Outlook

By SO Email Security · 5 min read

Step-by-step instructions for reporting phishing emails in Gmail and Outlook, with a 7-point detection checklist, real attack case, and prevention steps.

Tags: phishing, gmail, outlook, email security, cybersecurity, report phishing, phishing detection, business email compromise, DMARC, multi-factor authentication


What is the fastest way to report phishing in Gmail or Outlook?

To report phishing in Gmail, open the suspicious email, click the three-dot menu next to the reply button, and select Report phishing. In Outlook, select the email, click Report in the toolbar, and choose Phishing. Both platforms forward the message to their security teams and remove it from your inbox. Neither action notifies the sender. Always report — do not just delete.


What is a phishing email?

A phishing email is a fraudulent message crafted to impersonate a trusted sender (a bank, employer, government agency, or technology provider) in order to steal credentials or financial data, or to install malware. Unlike generic spam, phishing is psychologically targeted and technically convincing, using spoofed sender addresses, lookalike domains, and urgency-driven language to override judgment. It encompasses spear phishing (individuals), whaling (executives), smishing (SMS), and vishing (voice).


Why does reporting phishing matter?

Most people delete suspicious emails and move on. Deletion protects one person once. Reporting protects millions continuously.

The FBI's Internet Crime Complaint Center (IC3) documented 193,407 phishing and spoofing complaints in 2024, the most reported crime category that year. Total cybercrime losses reached $16.6 billion, up 33% from 2023. Phishing losses jumped from $18.7 million to $70 million in a single year, and business email compromise (BEC), which almost always begins with phishing, generated $2.77 billion in losses across 21,442 incidents (FBI IC3 2024 Annual Report).

Google and Microsoft analyze reported messages in near real time to block sending domains, update spam filters, and flag malicious URLs across millions of accounts simultaneously. FBI Director Kash Patel stated in the 2024 IC3 report: "Reporting is one of the first and most important steps in fighting crime."

Sources: FBI IC3 2024 Annual Report (ic3.gov); Verizon 2024 Data Breach Investigations Report


How does a phishing attack actually work?

Phishing attacks follow a consistent five-stage pattern. Recognizing each stage helps you intercept the attack before it succeeds.

Stage 1 — Reconnaissance: The attacker researches their target via LinkedIn, company websites, and breach databases, collecting names, roles, and email addresses to make the message convincing.

Stage 2 — Spoofing: A lookalike domain is registered (support@paypa1.com instead of support@paypal.com), or a legitimate email service with no DMARC record is exploited to pass authentication checks.

Stage 3 — Social engineering: The email applies pressure: your account will be suspended, an invoice is overdue, a delivery failed. Urgency suppresses critical thinking and drives impulsive clicks.

Stage 4 — Credential harvest or malware delivery: The embedded link opens a clone of a legitimate login page, capturing credentials. Alternatively, an attachment deploys a keylogger, ransomware payload, or remote access tool when opened.

Stage 5 — Exploitation: With credentials or device access, the attacker pivots laterally, initiates wire transfers, exfiltrates data, or sells access on dark web markets within hours.


What does a real phishing attack look like?

In 2022, a small accounting firm in Ontario received an email appearing to come from their cloud payroll provider. It asked employees to re-verify credentials after an MFA update. Three employees complied within the hour.

Within 48 hours the attacker rerouted two payroll runs to an external account. Total loss: over $130,000 CAD. The sending domain had been registered just 72 hours earlier, too new for any threat feed to catch. No employee reported the emails during the attack window.

Key principle: Reporting speed determines blast radius. A single report during that 72-hour window could have triggered a domain takedown before the second payroll run cleared.


How do you report phishing in Gmail?

Do not click any links or open attachments before reporting.

  1. Open the suspicious email.
  2. Click the three-dot menu (⋮) next to the reply arrow in the top-right corner.
  3. Select Report phishing from the dropdown.
  4. Click Report Phishing Message to confirm.

Gmail removes the message and sends a copy to Google's abuse team for analysis.

Also forward to: reportphishing@apwg.org (Anti-Phishing Working Group)

Reference: support.google.com/mail/answer/8253


How do you report phishing in Outlook?

Outlook on the web: Right-click the message, select Report, then Report phishing.

Outlook desktop (Microsoft 365): Select the email, click Report in the Home ribbon, choose Phishing. If absent, install the free Report Message add-in from Microsoft AppSource.

Both methods route the report to Microsoft's security team. In Microsoft 365 environments, your IT administrator receives a copy automatically.

Also forward to: phishing@office365.microsoft.com

Reference: support.microsoft.com — Phishing and suspicious behavior in Outlook


How can you tell if an email is phishing?

Apply this checklist to any suspicious message. If three or more indicators are present, report immediately.

  • The sender's email address domain does not match the official domain when you expand the from field
  • The message applies urgency around account suspension, payment deadlines, or legal threats
  • Hovering over any link reveals a destination URL that does not match the brand being impersonated
  • The email requests login credentials, financial account details, or government identification
  • The email references an account, order, or relationship you do not recognize
  • Attachments use high-risk file types: .exe, .zip, .doc with macro prompts, or .html
  • The greeting is generic — "Dear customer," "Hello user," or no name at all

Three or more apply: report immediately. Do not reply. Do not click. Do not forward manually.
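
The checklist and its three-indicator rule can be applied mechanically to a raw message. The Python sketch below is an added example, not part of the original article or any SO Email Security product; the sample message, the keyword lists and the function names are constructed assumptions. It covers six of the seven indicators, since whether you recognize the account or order is something only the recipient can judge.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message for illustration; not a real email.
SAMPLE = '''From: "PayPal Support" <support@paypa1.com>
Subject: Urgent: your account will be suspended
Content-Type: text/html

<p>Dear customer,</p>
<p>Your account will be suspended today. Confirm your password here:</p>
<a href="http://paypa1.com/login">https://www.paypal.com/signin</a>
'''

# Assumed keyword lists; tune them for your own mail flow.
URGENCY = re.compile(r"suspend|overdue|final notice|legal action|immediately", re.I)
CREDENTIALS = re.compile(r"password|card number|bank account|passport|\bSSN\b", re.I)
GENERIC = re.compile(r"dear (customer|user|client)|hello user", re.I)
RISKY_EXT = (".exe", ".zip", ".doc", ".html")  # file types named in the checklist
HREF = re.compile(r'href="https?://([^/":]+)', re.I)

def on_domain(host, official):
    host = host.lower()  # official domain itself or any subdomain of it
    return host == official or host.endswith("." + official)

def checklist(raw, official):
    """Indicators found in a raw message that claims to come from `official`."""
    msg = message_from_string(raw)
    body, files = "", []
    for part in msg.walk():
        if part.get_filename():
            files.append(part.get_filename().lower())
        elif part.get_content_maintype() == "text":
            body += part.get_payload(decode=True).decode("utf-8", "replace")
    text = msg.get("Subject", "") + "\n" + body
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    found = {
        "sender domain mismatch": not on_domain(sender, official),
        "urgency": bool(URGENCY.search(text)),
        "link destination mismatch": any(not on_domain(h, official) for h in HREF.findall(body)),
        "credential request": bool(CREDENTIALS.search(text)),
        "risky attachment": any(f.endswith(RISKY_EXT) for f in files),
        "generic greeting": bool(GENERIC.search(body)),
    }
    return [name for name, hit in found.items() if hit]

def should_report(raw, official, threshold=3):
    """The page's rule: three or more indicators means report."""
    return len(checklist(raw, official)) >= threshold
```

Note that the link check compares the href destination, not the visible link text, which is what hovering over a link reveals.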


What prevention steps reduce your exposure to phishing?

Enable multi-factor authentication (MFA) on every account that supports it. NIST Special Publication 800-63B designates MFA as the primary control against credential-based attacks. Even if a phishing email captures your password, MFA blocks unauthorized login.

Deploy DMARC, SPF, and DKIM on every domain your organization uses for email. These three protocols prevent attackers from spoofing your domain. The IRS mandates DMARC for all federal agency domains under CISA Binding Operational Directive 18-01 for exactly this reason.
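
Publishing the records is not enough if the policy in them is permissive. The following Python sketch is an added example, not from the original article: it audits DMARC and SPF TXT strings you have already looked up and shows a weak configuration beside a corrected one. The domain, the record values and the function names are constructed assumptions; DKIM is not covered because checking it requires knowing the selector in use.

```python
# Constructed TXT records for an assumed domain, example.com.
WEAK = {"_dmarc": ["v=DMARC1; p=none"], "apex": ["v=spf1 include:_spf.example.net ?all"]}
FIXED = {
    "_dmarc": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    "apex": ["v=spf1 include:_spf.example.net -all"],
}


def parse_tags(record):
    """Split a 'tag=value; tag=value' DMARC record into a dict."""
    pairs = (item.partition("=") for item in record.split(";"))
    return {k.strip().lower(): v.strip() for k, sep, v in pairs if sep}


def audit_dmarc(records):
    """Findings for the TXT strings published at _dmarc.<domain>."""
    dmarc = [r for r in records if r.strip().lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        return ["no usable DMARC record (none or several published)"]
    tags = parse_tags(dmarc[0])
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"p={policy or 'missing'}: receivers take no action on failing mail")
    if tags.get("pct", "100") != "100":
        findings.append("pct is not 100: policy covers only part of the mail")
    if "rua" not in tags:
        findings.append("no rua: you receive no aggregate reports")
    return findings


def audit_spf(records):
    """Findings for the TXT strings published at the domain itself."""
    spf = [r for r in records if r.strip().lower().startswith("v=spf1")]
    if len(spf) != 1:
        return ["no usable SPF record (none or several published)"]
    terms = spf[0].lower().split()[1:]
    if any(t.startswith("redirect=") for t in terms):
        return []  # policy is defined by the redirect target; audit that instead
    final = next((t for t in terms if t.lstrip("+-~?") == "all"), None)
    if final is None or final[0] in "+?a":
        return [f"SPF ends in {final or 'no all term'}: unlisted senders are not failed"]
    return []


def audit(zone):
    """Combine both audits for one domain's records."""
    return audit_dmarc(zone.get("_dmarc", [])) + audit_spf(zone.get("apex", []))
```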

Use an AI-powered email security layer that evaluates sender behavior, link reputation, and message intent before delivery. Legacy spam filters match known threat lists. Behavioral AI catches zero-day campaigns on brand-new domains — the same attack vector that bypassed the Ontario firm's filter above.

Report every suspected phishing email using your email client's built-in tool. Every report feeds a public threat database. Deletion protects one inbox. Reporting protects millions.


Quick reference: where to report phishing

Platform | Built-in action | Additional reporting
Gmail | Three-dot menu → Report phishing | reportphishing@apwg.org
Outlook (web) | Right-click → Report → Report phishing | phishing@office365.microsoft.com
Outlook (desktop) | Report button in ribbon → Phishing | phishing@office365.microsoft.com
Any platform | Use built-in tool first | ic3.gov (FBI)
