How to Report Phishing in Gmail and Outlook

By Ṣọ Email Security3 min read

Learn the right way to report phishing emails in Gmail and Outlook. The spot-report-reset framework helps you protect yourself and train email filters to protect everyone.

PhishingGmail SecurityOutlook SecurityEmail SecuritySecurity AwarenessThreat Reporting

How to report phishing in Gmail and Outlook

2025-12-16

Last Tuesday, a founder forwarded a suspicious email and asked a simple question:

"Should I just delete this?"

That one decision mattered more than he realized.

Because when phishing emails go unreported, they don't disappear. They get refined. They get reused. And they land in someone else's inbox tomorrow.

Here's the part most people miss:

Deleting a phishing email helps you. Reporting it helps everyone.

The spot-report-reset rule

We recommend a simple framework for handling suspicious emails:

Spot

If an email creates urgency, asks for credentials, or nudges you to move money, treat it as hostile.

Watch for these patterns:

  • Unexpected requests from executives or finance teams
  • Password reset notices you didn't request
  • Delivery notifications for packages you didn't order
  • Invoices or payment requests with new bank details
  • Messages pushing you to "act now" or face consequences

The emotional pressure is the tell. Legitimate requests rarely demand immediate action with threats attached.

Report

Reporting takes seconds and directly improves email security for everyone on the platform.

In Gmail:

  1. Open the suspicious message
  2. Click the three dots (more options) in the top right
  3. Select "Report phishing"

Gmail will move the message to spam and send the data to Google's security team.

In Outlook:

  1. Select the suspicious message
  2. Click "Report" in the toolbar
  3. Choose "Report phishing"

Microsoft feeds this directly into their threat detection systems.

Why this matters: Google and Microsoft use these reports to train their filters in real time. One report can block thousands of copies of the same scam from reaching other inboxes.

Reset

If you clicked anything in the suspicious email, act immediately:

  1. Change your email password - Do this first, from a different device if possible
  2. Review recent sign-ins - Check for unfamiliar locations or devices in your account security settings
  3. Enable two-factor authentication - If you haven't already, now is the time
  4. Check sent mail and forwarding rules - Attackers sometimes set up auto-forwarding to maintain access
  5. Alert your IT team or security contact - If you're in an organisation, report internally as well

Speed matters here. The faster you act, the less time an attacker has to exploit access.

What happens after you report

When you report phishing in Gmail or Outlook, the email doesn't just disappear into a void.

Google analyses reported messages to:

  • Update Safe Browsing blocklists
  • Improve spam and phishing filters
  • Identify new attack patterns
  • Protect other users from the same campaign

Microsoft uses reports to:

  • Enhance Exchange Online Protection
  • Update Defender threat intelligence
  • Train machine learning models
  • Block malicious senders across the platform

Your single report joins millions of others, creating a collective immune system for email.

Common Questions

"What if I'm wrong and it's legitimate?"

Report it anyway. The platforms use aggregate data, not single reports. One mistaken report won't block a legitimate sender. But one unreported phishing email could compromise someone else.

"Should I also report to my company?"

Yes. Internal reporting helps your security team spot targeted campaigns, adjust email filters, and warn other employees. Most organisations have a dedicated security email or button for this.

"What about phishing on other platforms?"

The same principle applies everywhere:

  • LinkedIn: Click the three dots on the message, select "Report"
  • WhatsApp: Open the chat, tap the contact name, scroll to "Report"
  • SMS/Text: Forward to 7726 (SPAM) in many countries
  • General phishing sites: Report to Google Safe Browsing or Microsoft

"Does reporting actually do anything?"

Yes. Email providers process billions of messages daily. User reports are critical signals that help identify new threats that automated systems miss. The security teams at Google and Microsoft have confirmed that user reports directly influence their detection systems.

Building the Habit

Reporting should become automatic, like locking your door when you leave home.

Make it easier by:

  • Learning the keyboard shortcuts (in Gmail, ! marks as spam, but right-click for phishing)
  • Adding the Outlook "Report Message" button to your quick access toolbar
  • Creating a mental rule: suspicious email = report, then delete

The five seconds it takes to report is an investment in everyone's security, including yours.

What Ṣọ adds to the picture

Email providers catch a lot, but they're designed for mass threats. Targeted attacks like business email compromise often slip through because they don't match broad phishing patterns.

Ṣọ Email Security adds a layer that focuses on the attacks Gmail and Outlook miss:

  • Sender analysis that spots impersonation attempts
  • Document comparison that catches invoice fraud
  • Domain verification that flags lookalike addresses
  • Real-time alerts before you click, reply, or pay

The platform reports help catch the obvious. Ṣọ catches the convincing.

Your takeaway today: Don't just delete suspicious emails. Report them first.

It takes five seconds and quietly makes the inbox safer for everyone, including you.

Try Ṣọ Email Security free →