How do users report phishing to Gmail or Outlook?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
You get a suspicious email. It looks like your bank, your boss, or maybe a shipping company you've never heard of. You want to do the right thing and report it. But will clicking that button actually protect you, or are you just feeding data into a black hole?
The good news is that reporting phishing emails does two things at once. It helps train the provider's filters to catch similar attacks faster, and it protects your own account by flagging that sender as hostile.
How to report phishing in Gmail
Open the suspicious email in Gmail. Click the three-dot menu next to the reply button (top right of the message). Select "Report phishing." That's it. Gmail moves the message out of your inbox, flags the sender, and sends the signal to Google's abuse team.
You can also click "Report spam" if the email is more annoying than dangerous, but "Report phishing" specifically tells Google this message is attempting to steal credentials or impersonate a trusted brand. That triggers a more serious review.
How to report phishing in Outlook
In Outlook on the web, select the email and click "Report" in the toolbar, then choose "Report phishing." If your organization uses Microsoft 365 with Microsoft Defender, you'll have a dedicated "Report Message" add-in that gives you more granular options (phishing, junk, not junk).
So you can also forward the suspicious email directly to phish@office365.microsoft.com. Microsoft's security team reviews forwarded samples and uses them to update their threat intelligence across the entire platform.
Does reporting actually help you?
Yes, directly. When you report phishing, the provider marks that sender or domain as suspicious in your account. Future emails from that same source are more likely to get filtered before they reach you. If enough users report the same campaign, the provider can block it platform-wide, which protects everyone else too.
What it doesn't do is immediately delete the attacker's account or help ensure you'll never see a similar attack again (of course, phishing kits get recycled under new domains all the time). But it's one of the fastest, lowest-effort things you can do to make your inbox a little safer.
If you're an email sender and you want to understand how DMARC protects your domain from being impersonated in phishing attacks like these, that's a whole other conversation worth having. Not sure where your domain stands? Our free DMARC Parser can show you exactly what your record is doing right now.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.