Why this matters
The most common response to a suspicious email is deletion. That is better than clicking — but it is not good enough. Suspicious emails are forensic artefacts. They contain information about the attacker: infrastructure used, intent, sending domain. Deleting destroys evidence.
More importantly: most phishing campaigns are not a single shot. When an attacker sends a phishing email to your organisation, dozens or hundreds of employees typically receive it simultaneously. The first person to report gives the security team the chance to delete it for everyone else — before that one click happens.
Reporting is not a sign of insecurity. It is the most valuable security contribution an employee can make.
How to do it right
Do not click, do not reply
Even an 'unsubscribe' link in a spam email can be malicious. Click nothing — not even to confirm the email is phishing.
Use the right channel
Use the 'Report phishing' button in your email client (Outlook, Gmail), not 'Mark as spam'. The spam button helps the spam filter — the phishing button informs your IT security team.
Preserve full headers
When forwarding an email (to security@, IT, CERT), forward it as an attachment — not as plain text. Only then are the email headers preserved, which are critical for analysis.
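As an added illustration (not part of the original article), the Python script below shows what the security team gains from an attachment forward versus an inline one: only the message/rfc822 attachment still carries the original Received, Authentication-Results and Reply-To headers that triage depends on. The sample mail and all hosts and domains are constructed placeholders.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
# Constructed sample of the suspicious mail; hosts and domains are placeholders.
SUSPICIOUS_RAW = (
    "Received: from mailer.example.net (mailer.example.net [192.0.2.10])\r\n"
    "\tby mx.corp.example with ESMTPS; Mon, 1 Jan 2024 09:00:00 +0000\r\n"
    "Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=mailer.example.net;\r\n"
    "\tdkim=none; dmarc=fail header.from=corp.example\r\n"
    'From: "IT Helpdesk" <helpdesk@corp.example>\r\n'
    "Reply-To: <support@corp-example-login.example.net>\r\n"
    "Message-ID: <abc123@mailer.example.net>\r\n"
    "\r\n"
    "Your password expires today. Reply with your current password.\r\n"
)

def build_forward(original_raw: str, as_attachment: bool) -> bytes:
    # Mimic the user's client: attach the original (headers intact) or paste only its body.
    outer = EmailMessage(policy=policy.default)
    outer["From"], outer["To"] = "alice@corp.example", "security@corp.example"
    original = email.message_from_string(original_raw, policy=policy.default)
    if as_attachment:
        outer.set_content("Reporting this, it looked odd.")
        outer.add_attachment(original)  # becomes a message/rfc822 part
    else:
        outer.set_content("FW:\n\n" + original.get_payload())  # headers are lost here
    return outer.as_bytes()

def extract_original(forward_raw: bytes) -> "EmailMessage | None":
    # Return the embedded original, or None when the forward carries no headers.
    outer = email.message_from_bytes(forward_raw, policy=policy.default)
    for part in outer.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return None

def triage(msg: EmailMessage) -> dict:
    # Header facts the security team reads first from a preserved original.
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    auth = " ".join(msg.get_all("Authentication-Results", []))
    return {
        "from_domain": from_domain,
        "reply_to_mismatch": bool(reply_domain) and reply_domain != from_domain,
        "received_hops": len(msg.get_all("Received", [])),
        "spf_fail": "spf=fail" in auth,
        "dmarc_fail": "dmarc=fail" in auth,
    }
```

Run `triage(extract_original(build_forward(SUSPICIOUS_RAW, True)))` to see the mismatched Reply-To domain and the failed SPF/DMARC results; the inline forward yields nothing to analyse.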
Screenshot after reporting
Taking a screenshot of the suspicious email is helpful — but only after you have reported it. The screenshot helps with follow-up questions from the IT team.
Report even false positives
If you are only 50% certain: report anyway. False positives cost 3 minutes of IT time. A missed attack costs days or weeks of incident response.
Tools we recommend
- Microsoft 365 'Report phishing' button — available in the Outlook ribbon; reports directly to Microsoft Defender and optionally your own SOC; configurable via Exchange Admin Center
- Google Workspace 'Report phishing' — via three-dot menu next to reply; routes to Google filters and optionally your IT department
- Outlook PhishHook Add-in (third-party) — enables one-click reporting with automatic notification of the internal security team; useful when the Microsoft default is insufficient
If you only remember one thing
Report beats delete. Always. Even when you are unsure — especially then.
Communicate the reporting channel to your team
Ensure all employees know how to report suspicious emails in your organisation — which button, which email address, what response time to expect. Without a known channel, no one reports.