← All guides
June 3, 2026 · 8 min read

How to Report an Email as Phishing in Outlook

Step-by-step instructions to report a phishing email in Outlook — on the web, the new desktop app, classic Outlook, and mobile — plus what to do if you already clicked.

Short answer: Outlook has a built-in Report button. Select the suspicious email, choose Report → Report phishing, and Outlook moves it out of your inbox and sends it to Microsoft (and your IT team, if you're on a work account) for analysis. The exact path differs slightly between Outlook on the web, the new desktop app, classic Outlook, and mobile — all four are below.

Reporting matters more than people think. It trains your inbox's filters, helps Microsoft shut down the sender faster, and — on a work account — alerts security staff to a campaign that may be hitting your coworkers too. It takes about five seconds.

Quick check: Reporting a phishing email is safe — you're not opening links or replying, just flagging the message. The risk is in clicking a phishing email, never in reporting one. When in doubt, report it and delete it.

In this guide

Report phishing in Outlook on the web

This covers Outlook.com and Microsoft 365 webmail in a browser.

  1. Select the suspicious email (or open it).
  2. In the toolbar at the top of the message, click the Report button. If you don't see it, click the three-dot (More actions) menu.
  3. Choose Report phishing.
  4. Confirm if prompted. The message moves to Deleted Items / Junk and is sent to Microsoft.

Tip: don't click any links or download attachments first. Reporting works on the email as-is.

Report phishing in the new Outlook for Windows or Mac

The "new Outlook" app shares the web experience, so the steps match closely.

  1. Select the email in your message list.
  2. On the ribbon or the message toolbar, click Report.
  3. Select Report phishing.
  4. Confirm. The email leaves your inbox and is reported.

If Report isn't visible, your organization may have replaced it with a custom add-in (see below).

Report phishing in classic Outlook

In the traditional desktop Outlook (the long-standing Windows app):

  1. Select the message you want to report.
  2. On the Home ribbon, look for the Report or Report Message button. Many organizations install the Report Message or Report Phishing add-in, which appears here.
  3. Click it and choose Phishing.
  4. The email is moved and submitted to Microsoft and/or your IT department.

If you only see Junk options, use Junk → Block Sender as a fallback and forward the message to your IT/security team if you're on a work account.

Report phishing in the Outlook mobile app

On iPhone or Android:

  1. Open the email, or swipe to select it.
  2. Tap the three-dot menu in the top corner of the message.
  3. Tap Report junk, then choose Phishing.
  4. Confirm. The message is reported and removed.

The wording is sometimes "Report junk → Phishing" rather than a standalone "Report phishing," but it routes to the same place.

Knowing how to report a phishing email is half the battle — knowing for sure that an email is phishing is the other half. If you're not certain, forward the message to FraudRoom before you touch a single link and get a plain-English verdict on whether it's safe, suspicious, or a definite scam.

If there is no Report button

A few reasons the button may be missing, and what to do:

  • Your organization customized the ribbon. Many companies deploy Microsoft's Report Message add-in or a third-party security button (the icon may say "Report Phishing," "PhishAlert," or similar). Look on the Home ribbon or in the message's More menu.
  • You're using a very old client. Update Outlook, or use Outlook on the web instead, where the Report button is standard.
  • It's a personal account with the button hidden. Use Junk → Phishing, or forward the email to Microsoft's reporting address for your account type if your IT/admin has published one. When unsure, mark as Junk and block the sender, then delete.

Junk vs phishing vs block: which to use

These three options look similar but do different things:

  • Report phishing — for emails pretending to be a real company or person to steal logins, payment details, or money. This is the one to use for scams. It teaches the filters and (on work accounts) alerts security.
  • Report junk / spam — for unwanted marketing or bulk mail that's annoying but not trying to deceive you.
  • Block sender — stops future mail from that exact address. Useful as an add-on, but scammers rotate addresses constantly, so blocking alone won't stop a campaign. Reporting phishing does more.

For a genuine scam, choose phishing. Block as a bonus if you like, but don't rely on it.

What happens after you report

  • The message is removed from your inbox (to Junk or Deleted Items).
  • A copy is sent to Microsoft to improve detection for everyone.
  • On a work or school account, it's typically also sent to your IT/security team, who can hunt for the same email in other inboxes and block the sender org-wide.
  • Your own filters get a little smarter about similar messages.

You don't need to do anything else — unless you interacted with the email before reporting it.

Should you forward it anywhere else

Reporting it in Outlook is usually enough, but for certain scams a second report helps shut the operation down faster:

  • If it impersonates a specific brand, forward it to that company's phishing address. Common ones: spoof@paypal.com (PayPal), stop-spoofing@amazon.com (Amazon), reportphishing@apple.com (Apple). Many banks have a phishing@ or abuse@ address listed on their real website.
  • In the US, report scams to the FTC at reportfraud.ftc.gov. Phishing emails generally can be forwarded to the Anti-Phishing Working Group at reportphishing@apwg.org.
  • At work, if your company has a security or IT address, a quick forward lets them warn colleagues who got the same email.

You don't need to do all of these for every spam message — Outlook's Report phishing covers the basics. Add a brand report when the email is clearly impersonating a company you use. For a fuller channel-by-channel guide, see how to report a scam email.

If you already clicked

Reporting is for emails you didn't fall for. If you clicked a link, entered details, or opened an attachment, reporting isn't enough — switch to recovery mode:

  1. Don't enter anything else; close the page.
  2. Change the password for any account you may have exposed, from the real site, and turn on two-factor authentication.
  3. If you shared card or bank details, call your bank using the number on your card.
  4. Run the full checklist in what to do if you clicked a phishing link.

You can still report the email as phishing afterward — it helps protect the next person.

FAQ

Where is the Report phishing button in Outlook?

In Outlook on the web and the new Outlook app, it's the Report button on the message toolbar; click it and choose Report phishing. In classic desktop Outlook it's the Report / Report Message button on the Home ribbon. On mobile, tap the three-dot menu → Report junk → Phishing.

Is it safe to report a phishing email?

Yes. Reporting doesn't open links, download attachments, or reply to the sender — it just flags and forwards the message. The danger is in clicking a phishing email, not in reporting one. When unsure, report and delete.

What's the difference between junk and phishing in Outlook?

Junk is for unwanted bulk or marketing mail. Phishing is for messages impersonating a real company or person to steal information or money. Use Report phishing for scams, because it both trains the filters and (on work accounts) alerts your security team.

Does reporting actually do anything?

Yes. It improves Microsoft's spam and phishing detection, and on a work account it lets your IT team find and remove the same email from other inboxes and block the sender. It's a small action with outsized impact.

Key takeaways

  • Use Report → Report phishing (or Report junk → Phishing on mobile) for scam emails.
  • Reporting is safe; it doesn't click links or reply, it just flags the message.
  • Choose phishing over junk for impersonation scams — it does more and alerts IT on work accounts.
  • If the Report button is missing, your org may use a custom add-in, or use Outlook on the web.
  • Reporting protects others, but if you already clicked, switch to the recovery steps right away.

Not sure about a message?

Forward it to check@fraudroom.com and get a plain-English scam check in minutes.

Try it free — 5 checks, no card