How to report ransomware-related phishing emails?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

You got an email threatening to lock your files unless you pay a Bitcoin ransom. Maybe it claims to already have your data. Either way, you're looking at a ransomware phishing attempt, and the instinct to just delete it and move on is understandable. But reporting it takes less than five minutes, and those five minutes actually help catch the people behind these campaigns.

Here's how to do it properly.

Step 1: Don't click anything. Screenshot it first.

Before you report, grab a screenshot of the full email, including the sender address, subject line, and body. Then use your email client's built-in reporting feature rather than forwarding manually. This preserves headers, which are more useful to investigators than a plain forward.

Step 2: Report it in your email client

In Gmail, open the email, click the three-dot menu in the top right corner, and select "Report phishing." That's it. Google reviews the report and uses it to improve spam filters across all Gmail accounts.

In Outlook, right-click the email in your inbox list and choose "Report" then "Report phishing." Or open the email, click the three-dot menu at the top, and select "Report phishing" from there. Microsoft 365 users get additional admin-level reporting tools if your org has them enabled.

Step 3: Report to law enforcement

If you're in the US, file a complaint with the FBI IC3 (Internet Crime Complaint Center) at ic3.gov. You'll fill out a form with your name, contact details, how you were targeted, what the email said, and whether any money or data was involved. The whole thing takes about 10 minutes. You won't hear back immediately (or possibly ever), but IC3 aggregates reports to map active ransomware campaigns and pass intelligence to federal investigators.

If you're in the UK, report to Action Fraud at actionfraud.police.uk. The process is similar. You get a crime reference number at the end, which matters if you're filing an insurance claim or escalating to your IT team.

Realistic timeline note: law enforcement rarely investigates individual reports. What they do is look for patterns. Ten people reporting the same campaign from the same infrastructure is what triggers action. Your report alone might not do much. Your report plus everyone else's does.

Step 4: Forward to APWG (optional but useful)

The Anti-Phishing Working Group (APWG) collects phishing samples from around the world at reportphishing@apwg.org. Forward the email as an attachment (not inline) with a brief note. APWG shares this data with security researchers, email providers, and browser vendors. It's a five-second step that feeds into blocklists and filter updates faster than law enforcement channels do.

If you're a business sender

If someone is using your domain to send ransomware phishing to others, that's a spoofing problem, not just a threat you received. Check whether your DMARC policy is set to reject or quarantine. If it isn't, spoofed emails from your domain can sail right through. You can also check your domain's current authentication setup with our free DMARC Generator if you haven't locked that down yet.

And if this is an active incident at your organization, don't just report and wait. Isolate the account that received the email, check for any suspicious inbox rules that may have been set, and loop in whoever manages your email infrastructure.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Get personalized reporting steps

I just received a ransomware phishing email and I want to report it properly. Based on my email client and location, help me figure out the exact steps I should take, what information to gather, and which reporting channels apply to me. My email client: Gmail / Outlook / Other My country: US / UK / Other Did I click anything in the email: Yes / No Is this affecting a business domain or personal account: Business / Personal Did any money change hands or was any data involved: Yes / No / Unsure Please give me: 1. The exact reporting steps for my email client 2. The right law enforcement channel and what to include in the report 3. Whether APWG or other bodies are worth contacting in my situation 4. Any immediate protective steps I should take right now

Edit the yellow boxes, then send to the AI of your choice.