How to Report a Phishing Email, Step by Step (2026 Guide)

The short answer

To report a phishing email, do not click anything in it, use your email client's built-in Report Phishing button, then forward it to your IT or security contact. Reporting it helps your provider block the sender and warns the rest of your team before someone falls for it.

To report a phishing email, do not click any links or open attachments, use the built-in "Report Phishing" button in your email client, then notify your IT or security contact. Reporting matters because it helps your email provider block the sender and protects everyone else on your team who got the same message.

Reporting takes under a minute and is the single most useful thing an employee can do when something looks off. Here is exactly how to do it.

First — Do Not Touch Anything in the Email

Before you report, freeze. The goal is to preserve the message without triggering it.

  • Do not click any links, even ones that look like "unsubscribe" or "verify."
  • Do not open or download attachments.
  • Do not reply, even to say "is this real?" A reply confirms your address is live.
  • Do not forward it to coworkers as a casual heads-up. Forwarding can spread a live link.

If you already clicked something, do not panic and do not hide it. Skip to the section on what to do if you clicked.

Step 1 — Use the Built-In Report Button

Both major email platforms have a one-click reporting feature that sends the message to the right place automatically.

  1. In Outlook, select the message, open the Report menu in the toolbar (or the add-in if your company uses one), and choose Report Phishing.
  2. In Gmail, open the message, click the three-dot menu in the top right, and choose Report phishing.

This does two things at once. It removes the message from your inbox and sends a copy to your provider's threat team, which helps them block the sender for everyone.

Step 2 — Notify Your IT or Security Contact

The built-in button tells your email provider. It does not always tell the people you work with.

  • If your business has IT or a security contact, forward the suspicious message to them using the method they prefer, or flag it through whatever reporting channel they have set up.
  • If you do not have dedicated IT, tell whoever manages your email or a manager who can warn the rest of the team.

The reason this matters is simple. Phishing campaigns rarely target one person. If you got it, others probably did too, and one of them might not spot it.
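For the IT or security contact who has to warn the team, the following added example (not part of the original guide or of CIVRA's product) turns a reported message into a plain-text notice in which links and addresses are no longer clickable and attachments are reduced to a name and SHA-256 hash. The sample message, the helper names defang and safe_summary, and the notice wording are constructed for illustration.

```python
import hashlib
import re
from email import message_from_bytes, policy

URL_RE = re.compile(r"https?://[^\s\"'<>)\]]+", re.IGNORECASE)

SAMPLE = (  # constructed sample message, not a real one
    b"From: Accounts <billing@payments.example>\r\nReply-To: replies@mailbox.example\r\n"
    b"Subject: Invoice overdue\r\nMIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: text/plain; charset=utf-8\r\n\r\n"
    b"Pay now at https://login.pay-portal.example/verify?id=1 today.\r\n"
    b"--b1\r\nContent-Type: application/octet-stream\r\n"
    b'Content-Disposition: attachment; filename="invoice.html"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\nPGh0bWw+PC9odG1sPg==\r\n--b1--\r\n"
)

def defang(text):
    """Make URLs and addresses non-clickable: http -> hxxp, '.' -> '[.]', '@' -> '[@]'."""
    text = re.sub(r"(?i)\bhttp", "hxxp", text)
    return text.replace(".", "[.]").replace("@", "[@]")

def safe_summary(raw_bytes):
    """Build a heads-up notice that carries no live link and no attachment body."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    urls, attachments = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename:  # keep only the name and a hash, never the content
            payload = part.get_payload(decode=True) or b""
            attachments.append((filename, hashlib.sha256(payload).hexdigest()))
        elif part.get_content_maintype() == "text":
            urls += URL_RE.findall(part.get_content())
    lines = [
        "Reported phishing message - if you received it, report it and do not open it.",
        "From: " + defang(str(msg.get("From", ""))),
        "Reply-To: " + defang(str(msg.get("Reply-To", "(none)"))),
        "Subject: " + defang(str(msg.get("Subject", ""))),
    ]
    lines += ["Link: " + defang(u) for u in dict.fromkeys(urls)]  # de-duplicated, in order
    lines += ["Attachment: %s sha256=%s" % (defang(n), h) for n, h in attachments]
    return "\n".join(lines)

if __name__ == "__main__":
    print(safe_summary(SAMPLE))
```

The original message should still reach the security contact through the report button or their preferred channel; the notice is only what goes out to everyone else.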

Step 3 — Report External Fraud When Money Is Involved

If the email impersonated a bank, a vendor, a government agency, or tried to redirect a payment, there are external channels worth using.

  • Report to the impersonated organization so they can warn other customers.
  • Report to your national fraud or cybercrime reporting body if a financial loss occurred or was attempted.
  • Contact your bank immediately if any payment information was shared or a transfer was made.

This kind of payment-redirection scam is a hallmark of business email compromise, and fast reporting can sometimes stop a transfer before it clears.

What to Do If You Already Clicked

It happens, and speed beats embarrassment. If you clicked a link or entered information:

  1. Disconnect from the network if you downloaded a file.
  2. Change your password immediately from a different device, and change it on any other account that shares the same password.
  3. Turn on multi-factor authentication if it was not already enabled.
  4. Tell your IT or security contact right away. Hiding it gives the attacker more time. Reporting it early is what limits the damage.

Why Reporting Helps More Than You Think

A single report can protect dozens of inboxes. When you report a phishing email:

  • Your provider's filters learn the pattern and block similar messages.
  • Your team gets warned before someone else clicks.
  • Your security tools, if you have them, can hunt for the same message in other mailboxes.

Spotting it in the first place is the harder skill. If you want to sharpen it, read our guide on how to spot a phishing email.

The better long-term fix is to catch these before they ever reach the inbox. CIVRA analyzes sender identity, look-alike domains, attachments, and the intent of a message to stop targeted phishing and impersonation that slips past standard spam filters, working alongside Microsoft 365 and Google Workspace.

FAQ

Should I just delete a phishing email instead of reporting it?

No. Deleting it protects only you and teaches your provider nothing. Reporting it through the built-in button feeds the threat data that blocks the sender for your whole organization.

Is it safe to forward a phishing email to report it?

Forwarding to your IT or security contact is fine and often expected. Avoid forwarding casually to coworkers, because a live link or attachment can spread. Use the official report button whenever possible.

What if I already clicked the link?

Change your password right away from a clean device, enable multi-factor authentication, and tell your IT or security contact immediately. Acting in the first few minutes greatly limits the damage.

Who should I report a phishing email to?

Use your email client's Report Phishing button to notify your provider, tell your internal IT or security contact, and report to your bank or a fraud authority if money or payment details were involved.

Want phishing stopped before anyone has to report it? See how CIVRA works at civra.ai/pricing or start free at app.civra.ai.
