Phishing · Foundation · 3 min read

Report suspicious emails the right way

A reported phishing mail protects the whole company. Here's how to report safely, quickly, and without destroying forensic evidence.

Why reporting matters

Every reported phishing mail is an early-warning signal. When one person reports, IT can remove identical mails from other inboxes before anyone clicks. A single report often prevents hundreds of clicks.

01 - Don't click, don't forward

Not even to warn a colleague. Every click on a phishing link sends data to the attackers.

02 - Report with original headers

Use the report button or forward as an attachment - otherwise the forensic trail is lost.

03 - Delete only after confirmation

Wait until IT security confirms. Until then, leave the mail untouched in your inbox.

Step 1 - Use the report button

Outlook, Gmail, and most mail clients have a report button ("Report Phishing", "Report Spam", or a company plugin). It's the fastest and cleanest way.

Why the button and not just forward?

  • The button preserves the original headers (routing info, IP addresses, authentication results). A normal forward strips all that.
  • IT gets a machine-readable signal immediately and can update mail gateway rules.
  • You get feedback ("we're checking" or "false positive, you can open it").

Step 2 - If there's no button

Forward the mail as an attachment (in Outlook: File → Attach → Email file). Send it to your IT security address - usually security@company.com or phishing@company.com.

Add two lines of context:

  • When did you receive it?
  • Did you click anything or enter data? (Be honest!)
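
Steps 1 and 2 both come down to the same thing: the original message, headers included, has to reach the security team. The following Python script is an added example (not code from the page or from the product it describes) that builds a constructed lure whose gateway verdicts read spf=fail and dmarc=fail, forwards it once as a message/rfc822 attachment and once inline, and then tries to recover the forensic headers from each copy. All addresses, the IP 192.0.2.10 and every header value are constructed for the demo; phishing@company.com is the placeholder address the page itself uses.

```python
"""Why the report button (or 'forward as attachment') beats an inline forward.

Added example, not code from the original page. Every address, IP and
header value below is constructed for the demo.
"""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Headers an analyst needs to trace the mail and read the gateway's verdicts.
FORENSIC_HEADERS = ("Return-Path", "Received", "Authentication-Results", "Message-ID")


def build_suspicious_mail() -> EmailMessage:
    """Constructed lure: spoofed sender, SPF and DMARC both failed at the gateway."""
    m = EmailMessage(policy=policy.default)
    m["Return-Path"] = "<bounce@example.net>"
    m["Received"] = ("from mail.example.net (mail.example.net [192.0.2.10]) "
                     "by mx.example.com with ESMTP; Tue, 01 Jan 2030 09:00:00 +0000")
    m["Authentication-Results"] = ("mx.example.com; spf=fail smtp.mailfrom=example.net; "
                                   "dkim=none; dmarc=fail header.from=example.net")
    m["Message-ID"] = "<constructed-0001@example.net>"
    m["From"] = "Microsoft Account Team <no-reply@example.net>"
    m["To"] = "bender@example.com"
    m["Subject"] = "Your Microsoft account is locked"
    m.set_content("Your account is locked. Sign in within 24 hours to restore access.")
    return m


def forward_as_attachment(original: EmailMessage, report_to: str) -> bytes:
    """What the report button or 'attach as file' sends: the original travels
    as a message/rfc822 part, so all of its headers survive."""
    fwd = EmailMessage(policy=policy.default)
    fwd["From"] = "bender@example.com"
    fwd["To"] = report_to
    fwd["Subject"] = "Suspicious mail - please check"
    fwd.set_content("Received 09:05 today. Did not click or enter anything.")
    fwd.add_attachment(original)  # becomes a message/rfc822 part, headers intact
    return fwd.as_bytes()


def forward_inline(original: EmailMessage, report_to: str) -> bytes:
    """A plain forward: the client copies a few display headers into the body
    and drops Received, Return-Path and Authentication-Results entirely."""
    fwd = EmailMessage(policy=policy.default)
    fwd["From"] = "bender@example.com"
    fwd["To"] = report_to
    fwd["Subject"] = "FW: " + str(original["Subject"])
    shown = "\n".join(f"{h}: {original[h]}" for h in ("From", "To", "Subject"))
    fwd.set_content("Looks odd?\n\n---------- Forwarded message ----------\n"
                    f"{shown}\n\n{original.get_content()}")
    return fwd.as_bytes()


def recover_forensic_headers(raw_forward: bytes) -> dict:
    """Parse what arrived at the security mailbox and pull the original's
    forensic headers out of the embedded message, if there is one."""
    fwd = BytesParser(policy=policy.default).parsebytes(raw_forward)
    for part in fwd.iter_attachments():
        if part.get_content_type() == "message/rfc822":
            inner = part.get_content()  # the embedded original as an EmailMessage
            return {h: [str(v) for v in inner.get_all(h)]
                    for h in FORENSIC_HEADERS if inner.get_all(h)}
    return {}  # inline forward: nothing left to analyse but the reporter's text


def auth_verdicts(auth_results: str) -> dict:
    """Extract method=result pairs (RFC 8601 style) from an Authentication-Results value."""
    return dict(re.findall(r"\b(spf|dkim|dmarc)=([a-z]+)", auth_results))


if __name__ == "__main__":
    lure = build_suspicious_mail()
    for label, fn in (("attachment", forward_as_attachment), ("inline", forward_inline)):
        hdrs = recover_forensic_headers(fn(lure, "phishing@company.com"))
        print(f"{label}: {hdrs or 'no original headers recoverable'}")
    ar = recover_forensic_headers(forward_as_attachment(lure, "phishing@company.com"))
    print(auth_verdicts(ar["Authentication-Results"][0]))
```

Run it and the attachment forward yields Return-Path, Received, Authentication-Results and Message-ID, from which the sending host and the failed SPF and DMARC checks can be read directly; the inline forward yields nothing, because those headers were never copied into the body. That is exactly the information the gateway team needs to block the sender and find the sibling mails in other inboxes.
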

Real case

Mrs. Bender gets a "Your Microsoft account is locked" mail. She isn't sure, but doesn't click. Instead of just deleting, she hits the report button. IT finds 47 identical mails across the company, removes them centrally - and a colleague who was already entering credentials gets warned just in time.

The report prevented an active click. One report, many protected accounts.

Step 3 - What to do if you already clicked

Don't panic, but act immediately. What matters most in the first few minutes:

  1. Report it - now, without shame. IT needs the time.
  2. If you entered credentials: change your password immediately, revoke MFA codes.
  3. Disconnect from the network if you opened an attachment.
  4. Leave the laptop alone - IT security needs to see the original state.

There is no "stupid" in phishing. Only "reported in time" or "reported too late".

Common questions

What if I'm not sure it's phishing?

Report anyway. Better ten false positives than one false negative. IT welcomes every report - that's literally their job.

Should I open the mail to check first?

No. Modern phishing can load tracking pixels just from opening an HTML mail. Report directly, then have it deleted.

What if the sender is a colleague?

Their account may be compromised. When in doubt, ask in person - never reply by email.

Ready to take awareness seriously?

30-minute demo. We'll show you a real phishing campaign, a quarterly report, and the NIS2 mapping - for your industry.