How do I report phishing emails abusing my brand?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Someone is sending phishing emails that look like they came from your company. Your customers are getting tricked, your reputation is taking the hit, and you want it stopped. Here's how to actually do something about it.

Step 1: Gather your evidence first

Before you report anything, collect what you'll need. A screenshot alone won't cut it. You want the full email headers from the phishing message (these reveal the true sending IP, the mail server used, and the authentication results), a copy of the email body, and the sending domain or URL being abused. Most reports go nowhere without this data.

To get headers in Gmail, open the email, click the three-dot menu, and select "Show original." In Outlook, open the message, go to File, then Properties, and copy the text in the "Internet headers" box. Save all of this before the email disappears.

Step 2: Report to the email provider

The fastest way to protect your customers is to report the phishing campaign directly to the inbox provider their recipients use. Gmail and Outlook both have abuse channels that can block or filter the campaign for their users. Send the full headers, a brief description of the impersonation, and a clear statement that this isn't your sending domain.

  • Gmail / Google: Forward the phishing email as an attachment to phishing-report@us-cert.gov, or use Gmail's built-in "Report phishing" option (three-dot menu inside the email). For large-scale abuse, file a formal report at google.com/safebrowsing/report_phish/.
  • Outlook / Microsoft: Forward to phish@office365.microsoft.com with the full headers included. Microsoft's abuse team reviews these and can act on active campaigns targeting their users.

Step 3: Report to the registrar and host of the spoofed domain

So if the phishing email is sent from a lookalike domain (think yourcompany-support.net instead of yourcompany.com), you can get that domain suspended. Look up the registrar using a WHOIS lookup tool, then go to that registrar's abuse page and file a complaint. Include the phishing email headers, screenshots, and a short explanation of how the domain is impersonating your brand.

Now the hosting provider for any phishing landing page is a separate report. The IP address in the headers (or the URL in the email body) will point you to the host. Most major hosts respond to abuse reports within 24 to 72 hours if the evidence is solid. This ties closely to the broader process covered in requesting a domain takedown.

Step 4: Report to industry threat-sharing groups

These reports don't stop the current attack immediately, but they matter. They feed into shared blocklists and threat intelligence databases that protect everyone downstream.

  • APWG (Anti-Phishing Working Group): Submit at reportphishing@apwg.org. APWG aggregates phishing data across the industry and feeds it to browsers, filters, and ISPs.
  • PhishTank: Submit the phishing URL at phishtank.org. The URL gets verified by the community and added to a public blocklist that many security tools pull from.
  • Your sector ISAC: If you're in finance, healthcare, or another regulated industry, your sector's Information Sharing and Analysis Center (FS-ISAC, H-ISAC, etc.) accepts these reports and can coordinate a response with others in your space.

Step 5: Check your own authentication setup

Reporting the attack is urgent. But making it harder for attackers to impersonate you in the first place is the longer-term fix. If your domain has a strict DMARC policy (p=reject or p=quarantine), mailbox providers will automatically reject emails that fail authentication checks and claim to come from your domain. It won't stop every attack, but it closes the easiest door attackers walk through.

If you're not sure whether your DMARC is set up and enforced, you can check it with our free DMARC parser. And if the attack is active and customers are already getting hurt, don't wait around. Our SOS hotline is free and we can help you triage fast.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Get a step-by-step reporting checklist

Phishing emails are being sent that impersonate my company. Tell me step by step what to report, to whom, and exactly what information to include in each report (headers, screenshots, domain details). Also tell me what to prioritize if I can only take one action right now.

Edit the yellow boxes, then send to the AI of your choice.