
Email Safety

How to Report a Phishing Email — FTC, FBI IC3, and Your Inbox

8 min read | By ClearShield Team

Last updated: 2026-06-10

The short answer: forward the email to phishing@reportfraud.ftc.gov, file a report at ic3.gov, and click "Report phishing" inside your email app. It takes about 10 minutes total — and your report can stop the same scammers from targeting someone else.

You opened an email that looked wrong. Maybe it claimed to be from your bank, Medicare, or UPS. Maybe it asked you to "verify your account" or threatened to suspend something. You didn't click anything — good. Now what?

Reporting that email is one of the most helpful things you can do. Government agencies use your reports to track scammer networks, issue warnings, and sometimes prosecute criminals. This guide walks you through every step, platform by platform, with no tech experience required.


First: Don't Click, Don't Delete

Before you report, two rules:

Don't click anything in the email. Not "unsubscribe," not "verify my account," not even the logo. Phishing links can install harmful software the moment you land on the page.

Don't delete the email yet. You'll need it open (or in your trash) to report it. Once you've reported it — then delete.

If you already clicked a link, don't panic. Scroll to the bottom of this article for next steps.


Step 1: Report to the FTC (Takes 2 Minutes)

The Federal Trade Commission is the main U.S. agency that collects fraud reports. Reporting is free and takes about two minutes.

Option A — Forward the email directly

The fastest method: just forward the phishing email to phishing@reportfraud.ftc.gov.

You don't need to write anything in the body. The FTC's automated system reads the email and logs it. That's it.

Option B — File a full report at reportfraud.ftc.gov

A full report takes about 5 minutes and gives investigators more detail.

  1. Open your browser and go to reportfraud.ftc.gov
  2. Click the blue "Report Now" button in the center of the page
  3. On the next screen, choose "Someone used my personal information" OR "I got a scam email, text, or call" — pick whichever fits
  4. Follow the prompts. You'll describe what happened in plain language — no legal terms needed
  5. At the end, you can enter your contact information or stay anonymous


The FTC shares reports with more than 3,000 law enforcement partners across the U.S. Your report goes into a database that helps investigators spot patterns — like 500 people in Florida all getting the same fake Medicare email on the same day.


Step 2: Report to the FBI's IC3 (Takes 5–10 Minutes)

The Internet Crime Complaint Center — called IC3 — is run by the FBI. It focuses specifically on internet-based fraud.

IC3 is most useful when:

  • You actually clicked a link or gave out personal information
  • Money changed hands
  • The email claimed to be from a government agency (IRS, Social Security, Medicare)

If you caught the phishing email before clicking anything, the FTC report above is enough. But filing with IC3 as well gives federal investigators a second data point, and it only takes a few extra minutes.

How to file with IC3:

  1. Open your browser and go to ic3.gov
  2. Click "File a Complaint" — it's in the top navigation bar
  3. Read the short disclaimer and click "I Accept"
  4. You'll be asked to describe the incident. Fill in what you know:
     - Date you received the email
     - What the email claimed (fake bank, fake IRS, etc.)
     - Whether you clicked anything or shared any information
     - Estimated financial loss (enter $0 if you didn't lose money)
  5. You can paste the email's subject line and sender address into the description field
  6. Submit. You'll receive a confirmation number — write it down


You don't need to attach the email itself to file with IC3. A description is enough.


Step 3: Report Inside Your Email App

Your email provider — Gmail, Outlook, or Yahoo — has a built-in reporting button. When you report phishing inside your app, two things happen: the email gets flagged for their security team, and future versions of that scam get blocked for all their users.

This is the fastest step of all. Here's how to do it in each major email app.

Reporting Phishing in Gmail

On a computer:

  1. Open the phishing email (don't click any links inside it)
  2. Look for the three vertical dots (⋮) in the top-right corner of the email — next to the Reply button
  3. Click those dots to open a small menu
  4. Click "Report phishing"
  5. A popup asks you to confirm — click "Report Phishing Message"

Done. Gmail will move the email out of your inbox automatically.


On a phone (Gmail app):

  1. Open the email
  2. Tap the three dots in the top-right corner
  3. Tap "Report phishing"

Reporting Phishing in Outlook (Hotmail)

On a computer:

  1. Open the phishing email
  2. Click the three dots (···) at the top of the email panel
  3. Hover over "Security options"
  4. Click "Mark as phishing"

Outlook will move the email to your Junk folder and send a report to Microsoft's security team.


On a phone (Outlook app):

  1. Open the email
  2. Tap the three dots at the top right
  3. Tap "Report junk"
  4. Select "Phishing" from the options

Reporting Phishing in Yahoo Mail

On a computer:

  1. Open the phishing email
  2. Click the three dots (···) next to the Reply button at the top of the email
  3. Click "Report a phishing scam"


On a phone (Yahoo Mail app):

  1. Tap and hold the email in your inbox (don't open it)
  2. Tap the flag icon or "More"
  3. Select "Report as spam" — Yahoo treats spam and phishing reports the same way internally


Step 4: Also Tell Your State Attorney General (Optional but Useful)

Every U.S. state has an Attorney General office that tracks consumer fraud. If the phishing email impersonated a local business, a state agency, or a local utility company, your state AG wants to know.

To find your state's reporting page:

  1. Open your browser
  2. Search for: [your state] attorney general report scam
  3. The official .gov page will usually appear at the top

This step is optional — the FTC and IC3 reports above are sufficient for most situations.


What Happens After You Report

Your reports don't immediately result in an arrest — but they do matter.

The FTC publishes regular fraud alerts based on report patterns. In 2023, they issued a national warning about fake Social Security suspension emails specifically because thousands of seniors reported them. That warning reached millions of people through news coverage and helped many avoid the scam.

The FBI's IC3 publishes an annual Internet Crime Report that influences federal enforcement priorities. Large-scale phishing operations have been shut down using IC3 complaint data.

Your email provider's report is the most immediately useful — it can block the same scam from reaching thousands of other inboxes within hours.


Already Clicked the Link? Do This Now

If you clicked a link in a phishing email before reading this guide:

  1. Don't enter any information on the page that opened — close it immediately
  2. Change your email password right now from a different device if possible
  3. Check your bank and credit card accounts for any unfamiliar charges in the next 48 hours
  4. Run a security scan on your computer

For that last step, a reliable home security tool can scan for anything the phishing link may have left behind.

Bitdefender Total Security is consistently rated among the best for catching threats that sneak in through bad links. It runs quietly in the background and doesn't slow down older computers — important for seniors who don't want to manage complex software.

Affiliate Disclosure: This article may contain affiliate links. If you make a purchase through these links, we may earn a small commission at no extra cost to you. We only recommend products we genuinely believe in. This helps support our work and allows us to continue providing free content.


Quick Reference: All Three Reporting Links

| Agency | Where to Report | Best For |
|--------|----------------|----------|
| FTC | reportfraud.ftc.gov or forward to phishing@reportfraud.ftc.gov | All phishing emails |
| FBI IC3 | ic3.gov | If you clicked or lost money |
| Gmail | Three-dot menu → "Report phishing" | Gmail users |
| Outlook | Three-dot menu → Security options → "Mark as phishing" | Outlook/Hotmail users |
| Yahoo | Three-dot menu → "Report a phishing scam" | Yahoo Mail users |


You Did the Right Thing

Most people delete phishing emails and move on. The fact that you're reading this means you're thinking about it differently — as something worth reporting, not just ignoring.

Every report you file is a small brick in a larger wall. Scammers depend on people not reporting. When enough people do, the patterns become visible and action becomes possible.

Stay sharp. When an email asks you to act fast, verify your account, or provide personal information — slow down. Legitimate organizations don't demand urgency by email.

