What Should You Do If You Receive a Phishing Email?
If you receive a phishing email, it can be a bit scary. Fortunately, nothing infects your computer if you don’t click any links or respond. Here’s what to do (and what not to do) if you receive a phishing email.
In a phishing email, the sender tries to get you to click a link or provide personal information, like bank details or passwords. They are a conventional social engineering attack. We’ve explained in detail how phishing emails work, which is worth a read if you’re unfamiliar with them or don’t know how to spot one.
But what should you do if you receive a phishing email?
Don’t Panic and Don’t Click Any Links
When you get a suspected phishing email, don’t panic. Modern email clients, like Outlook, Gmail, and Apple Mail, do a great job of filtering out emails that contain malicious code or attachments. Just because a phishing email lands in your inbox, it doesn’t mean your computer is infected with a virus or malware.
It’s perfectly safe to open an email (and use the preview panel). Mail clients haven’t allowed code to run when you open (or preview) an email for a decade or more.
Phishing emails are a genuine security risk, though. You should never click a link in an email or open an attachment to one unless you are 100 percent confident you know and trust the sender. You should also never reply to the sender even to tell them not to send you any further mail.
Phishers might send emails to thousands of addresses every day, and if you reply to one of their messages, it confirms your email address is live. This makes you even more of a target. Once the phisher knows you’re reading his emails, he’ll send more attempts and hope one of them works.
So to be clear: Don’t click any links, don’t open any attachments, and don’t reply.
Check with the Sender
If a suspicious email appears to be from someone you know or a company you use, check with them to see if the message is legitimate. Do not reply to the email. If it appears to be from someone you know, create a new email message, or text or call the person and ask if they sent you the mail. Don’t forward the email, as that just spreads the potential phishing attack.
If the email claims to be from a company you use, like your bank, gym, medical institution, or online retailer, go to their website and contact them from there. Again, do not click any links in the email. Type in the website address yourself (or use your preferred search engine) and use their contact options to ask the company if they sent it out.
If it appears the email was sent to a lot of people, such as communication about upgrading an app, you can also send a tweet to the company at their official handle and ask them directly. The representative won’t know about individual emails, but he’ll know if the company has sent out a communication to all customers.
Report the Email
There are four types of organization you can report phishing emails to:
- Your company
- Your email provider
- A government body
- The organization the email is allegedly from
Report It to Your Company
If you receive a phishing email at your work address, you should follow your company’s policy rather than doing anything else. Your IT security policies might require you to forward a phishing email to a specific address, fill out an online report, log a ticket, or merely delete it.
If you’re not sure what your company’s policy is, ask your IT security team. We recommend you find this out before you get a phishing email, if possible. It’s better to prepare and be ready.
Report It to Your Email Provider
Your email provider probably has a process you can follow to report phishing emails. The mechanism varies from provider to provider, but the reason is the same. The more data the company has on phishing emails, the better it can make its spam/junk filters to prevent scams from getting through to you.
If Google or Microsoft provide your email account, they have a reporting mechanism built into their clients.
In Google, click the three dots next to the Reply option in the email, and then select “Report phishing.”
A panel opens and asks you to confirm you want to report the email. Click “Report Phishing Message,” and then Google reviews the email.
The Outlook client doesn’t provide an option to report an email to Microsoft, but the Outlook web app does. It works the same way as Gmail. Click the three dots next to the Reply option in the email, and then select “Mark as phishing.”
This opens a panel to confirm you want to report the email. Click “Report,” and then Microsoft reviews the email.
You can’t report a phishing email directly within the Apple Mail client. Instead, Apple requests you forward the message to firstname.lastname@example.org.
For any other mail providers, search online to see how you report phishing emails to them.
Report It to a Government Body
Some countries have agencies that deal with phishing emails. In the US, the Cyber Security and Infrastructure Security Agency (a branch of the Department of Homeland Security) ask you to forward the mail to email@example.com. In the U.K., you can report the mail to Action Fraud, the National Fraud, and Cyber Crime Reporting Centre.
In other countries, a quick search should tell you if and how you can report a phishing email to the authorities.
If you report a phishing email to either your provider or a government body, you shouldn’t expect a response. Instead, email providers and government agencies use the information you send them to try to stop the accounts that send out the emails. This includes blocking the senders (or adding them to spam/junk filters), shutting down their websites, or even prosecuting them if they’re breaking any laws.
When you report phishing emails, it helps everyone because you help the authorities stop as many of them as possible. The more people report phishing emails, the more agencies and providers can prevent the senders from sending them.
Report It to The Company That Allegedly Sent the Mail
If the phishing email pretends to be from a company, you can often report it directly to that company. For example, Amazon has a dedicated email address and form to report both email and phone phishing.
Most companies and government agencies (especially those that deal with financial or medical business) have ways you can report phishing. If you search “[company name] report phishing,” you should be able to find it pretty quickly.
Mark the Sender as Junk or Spam
You probably don’t want to get any more emails from the person who sent this one. Mark it as spam or junk, and your email client will block any further mail from that address. We cover how to do this in our Gmail guide and this article on Outlook.
You can add senders to a spam/junk list in any email client. If you use something other than Gmail or Outlook, search the company’s documentation to find out how you mark a message as junk.
Delete the Email
Finally, delete the email. Usually, this sends it to the recycle bin or deleted items folder, so remove it from there as well. There’s no need to keep it after you report it.
You don’t need to run a virus scan or clear your browser history just because you received a phishing email. However, you should run an antivirus program (we like Malwarebytes for both Windows and Mac), and it doesn’t hurt to scan from time to time.
If you run an antivirus program that updates regularly, it should catch anything malicious before it runs. Plus, if you don’t click a link or open an attachment in the email, it’s improbable it unloaded anything malicious on your system, anyway.
Don’t Worry and Carry On
Phishing emails are annoyingly frequent. Fortunately, your spam or junk filters catch them most of the time, and you never see them. Sometimes, they don’t even get that far because your provider stops them. To defeat the few that do get through, just be careful and don’t click any links or attachments unless you’re sure they’re safe.
Millions of phishing emails are sent every day, so don’t worry you’re not usually a target. Just follow the simple steps we covered above, and then carry on with your day.