When many people spot a suspicious email, they simply delete it. While this can be a smart move, why not go the extra mile and report phishing attempts you encounter?
By reporting suspected phishing emails, you give organizations the ability to fight back against cybercriminals. Phishing reports may do as much as helping to bring down criminal organizations or something as simple as improving email spam filters. But in any scenario, that easy action does a critical thing; it protects others from phishing attempts.
Luckily, it’s pretty easy to report phishing emails. If you aren’t sure where to begin, here’s what you need to know.
When to Report Phishing Emails
General advice tells people to delete phishing emails right away. While that can certainly keep you safe, it can mean you’re missing out on an opportunity to help in the battle against scams.
If you receive a phishing email that could potentially harm someone if they fell for it, you may want to report it. This gives the entity receiving your information additional details about how scammers are acting, making it easier for them to take action to keep people safe.
Additionally, if you are the victim of a phishing attempt – where you actually engaged with the message and provided personal or financial information, lost money, or experienced another problem – reporting it is a must. You are the victim of a crime, so you should take action.
Along with contacting your local police department, you may need to reach out to other organizations, including government agencies, your bank, and more. That way, you can attempt to recover your money, back up an insurance claim, protect yourself against identity theft, and more.
Report Phishing to Government Agencies
FTC
The Federal Trade Commission (FTC), in partnership with the Anti-Phishing Working Group (APWG), plays a big role in the fight against scammers. If you receive a phishing email, you can make sure it gets into the APWG’s hands by sending it to reportphishing@apwg.org.
You can also file an online complaint with the FTC. Head to the Report Fraud section of the website. There, you can click “Report Now” to launch the form. When you do, you’ll need to choose a category. “An Impersonator” is usually the best fit when you want to report phishing, though you can certainly consider other options.
After that, continue to follow the prompts until you’re able to submit. Once you do, your report will be used in the war against scammers.
CISA
The Cybersecurity & Infrastructure Security Agency (CISA) is a government entity that focuses on cyber activity. CISA, in partnership with the APWG, collects information about phishing emails and websites to help combat cybercriminals and keep people safe.
If you receive a phishing email, you can send it directly to the agency. Simply send the phishing email you received, making it an attachment instead of forwarding or copying and pasting, to phishing-report@us-cert.gov.
FBI
The FBI handles phishing and other online scam reports through its Internet Crime Complaint Center (IC3). Once there, you can File a Complaint and give details about the incident to the FBI.
Generally, IC3’s system focuses on crimes where there is a victim. When it comes to phishing, this usually means financial harm to you or someone you know. However, any report will be reviewed, including ones where no specific harm has yet to occur. After all, even if you didn’t provide the scammer with information, someone else may have, so the information you’re providing can still be valuable.
After the IC3 receives the complaint, it’s processed by an analyst and forward to the appropriate law enforcement agencies. This can include the FBI, as well as other entities, including local police, regulatory agencies, and more, depending on the nature of the complaint.
eConsumer.gov
Many scams have international origins. If you believe that a phishing attempt may be coming from outside of the country, you can report it online at eConsumer.gov.
Generally, phishing attempts will be imposter scams, so you’ll want to head to the Imposter Scams section of the site. Then, choose a category based on what the email sender was impersonating, such as scammers pretending to be:
- Family Members or Friends
- Local, State, or Federal Government Representatives
- Business Representatives or Employees
Once you choose a category, you’ll be directed to the complaint form.
There’s also an area for romance scams, such as catfishing, that involve requests for money. Those are considered imposter scams, as well.
State Consumer Protection Offices or Attorneys General
You may have the ability to report phishing emails to your state’s consumer protection office or attorney general. The exact agency you need to contact, as well as the complaint process, will vary depending on where you live.
You can look up local agencies using the USA.gov State Consumer Protection Offices search tool. That will give you direct links to your state’s consumer protection agencies.
Email Services That Accept Phishing Reports
If you use Gmail, you can report phishing emails directly to Google. This can help the tech giant improve their spam filters, ensuring more users are protected against potentially dangerous emails.
The process is incredibly simple. Here’s what you need to do:
- Head to Gmail on your computer
- Open the suspect message
- Click the More option (three dots in a vertical line next to the Reply icon)
- Click “Report phishing”
That marks the message as a suspected phishing attempt, alerting Google to the email.
If you’re on your mobile device, you don’t have the ability to report the message as phishing. However, if you move it to your spam folder before deleting it, Google will be alerted that the email is suspect. Then, they’ll analyze it to improve Gmail’s filters. The result isn’t exactly the same, but it’s a simple move that does help.
iCloud
If you use Apple’s iCloud email service, you can report suspicious emails to Apple for analysis. Simply send the message, making it an attachment instead of forwarding or copying and pasting, to abuse@icloud.com.
Microsoft Outlook
Reporting phishing attempts through Outlook.com is incredibly simple. Here’s how you do it:
- Select the suspect email
- Choose the “Junk” menu, located above the reading pane
- In the “Junk” menu, choose “Phishing”
- Then click “Report”
You can also report messages received through the Microsoft Outlook desktop application. There’s an add-in that supports the “Report Message” feature, and you’d use the same process that’s listed above. It’s available with Outlook 2016 or later.
However, if you don’t have that add-in, you can use another approach. Microsoft also accepts phishing reports through an email address. Create a new email and address it to phish@office365.microsoft.com. Then, drag and drop the suspect message into the body of that new email and send it on its way.
ISPs
If you use an email address provided by your internet services provider (ISP), you may be able to report phishing attempts directly to that ISP. Usually, this information is available through the support section of the ISP’s website. However, here is the contact information of some of the largest ISPs to report phishing:
- AT&T – abuse@att.net
- Comcast/Xfinity – missed-spam@comcast.net or abuse@comcast.net
- Verizon – phishing@verizon.com
- Spectrum/Charter – abuse@charter.net
Generally, you’ll want to forward the suspect as an attachment instead of forwarding or copying and pasting. That preserves critical information, making the alert you sent more valuable.
Report Phishing to the Organization Being Imitated
In some cases, you may also want to alert the company that’s being imitated about phishing attempts that use their name. This lets them take action, reducing the chances that people using their products or services will be scammed.
Here are a few of the most commonly imitated organizations and how to report phishing emails that reference them, specifically.
IRS
IRS scams are prevalent, particularly when tax time nears or during times of heightened activity, such as when the COVID-19 stimulus payments went out. However, they can actually happen all year-round.
If you encounter an IRS scam, report the phishing attempt to the Treasury Inspector General for Tax Administration (TIGTA). You can file a report even if you didn’t experience a financial loss, helping the agencies combat fraud and learn more about scammers’ techniques.
SSA
Social Security scams are also incredibly common. If you see a phishing email from someone claiming to be from the Social Security Administration (SSA), report it to the SSA’s Office of the Inspector General.
The process is very simple. You simply fill out the online form and hit submit.
Apple
According to Checkpoint, Apple is the most commonly impersonated brand. If you receive a phishing email that claims to be from Apple, Apple wants to hear about it.
You can send the suspect message, making it an attachment instead of forwarding or copying and pasting, to reportphishing@apple.com. While you won’t receive an individual email reply, you will help the company combat fraud committed by scammers using its name.
Amazon
Amazon is another company that’s commonly imitated, mainly because it’s so popular with consumers. If you receive a suspicious email that claims to be from Amazon, you can send it to the retail giant.
Make the message an attachment instead of forwarding or copying and pasting. Then, send it to stop-spoofing@amazon.com. You might get an automated confirmation that your message was received, but no further contact about the matter beyond that.
Netflix
With Netflix, the process is incredibly simple. You don’t need to make the suspicious message an attachment. Instead, you can forward it directly to phishing@netflix.com.
If the email you send to them is rejected by Netflix, all it means is that they already have a copy of that particular phishing attempt. You can simply delete the email at that point.
PayPal
Another commonly spoofed company in phishing emails is PayPal. If you end up with a suspicious email that claims to be from PayPal, forward the email to spoof@paypal.com to alert the payment giant. You don’t have to make it an attachment, making the process a breeze.
Mail and Shipping Companies
Mail and shipping companies are commonly imitated by phishers. You can report the activity to the organization using the following contact information:
- USPS – cybersafe@usps.gov (send suspicious email as an attachment)
- UPS – fraud@ups.com (forward suspicious email)
- FedEx – abuse@fedex.com (forward suspicious email)
Banks
If you get an email that claims to be from a bank but is actually a phishing attempt, you can report them to the bank being imitated. Here is the contact information for some of the largest banks:
- Bank of America – abuse@bankofamerica.com (forward suspicious email)
- Capital One – abuse@capitalone.com (forward suspicious email)
- Chase – phishing@chase.com (forward suspicious email)
- Citibank – spoof@citi.com (forward suspicious email)
- Fifth Third Bank – 53investigation@security.53.com (forward suspicious email)
- HSBC – Call 877-826-8684
- USAA – abuse@usaa.com (forward suspicious email)
- US Bank – fraud_help@usbank.com (forward suspicious email)
- Wells Fargo- reportphish@wellsfargo.com (forward suspicious email)
Reporting Phishing to Other Organizations
If you receive a scam email claiming to be from another organization, you may be able to report those directly to the organization, too. The easiest way to find out about its fraud and scam reporting procedures is to head to a search engine.
Simply search for “report phishing [company name].” Once the results pop up, look for a listing from that organization’s actual website. Usually, that’s the easiest way to find legitimate and current information about reporting processes.
If you don’t have any luck, you can also call the organization’s main customer service line. Usually, a representative will be able to steer you toward an answer.
Just make sure that, if you contact the organization, you don’t use any of the contact information listed in the phishing email, as those details may be inaccurate or could put you in contact with the scammers instead of the company. Always look up the contact information on your own, relying on the organization’s actual website. That way, you can be sure that it’s right.