When you spot a phishing site, closing the tab protects you — but reporting it protects everyone else. Reports feed the blocklists that browsers and security tools rely on, and they help the impersonated company act. Given that phishing sites often live under 12 hours before disappearing, fast reporting genuinely matters. [1] Here’s where to send what.
Report a phishing website
Getting a malicious URL onto the major blocklists means it’ll be blocked across billions of browsers:
- Google Safe Browsing — report at safebrowsing.google.com/safebrowsing/report_phish. This protects Chrome, Firefox and Safari users.
- Microsoft — report unsafe sites via the SmartScreen reporting page; this protects Edge users.
- The Anti-Phishing Working Group — forward details to [email protected], an industry clearinghouse.
- The hosting provider or registrar — a “whois” lookup shows who hosts the domain; most have an abuse-reporting address.
Report a phishing email
- Use your email client’s “Report phishing” button (Gmail and Outlook both have one) — this trains your provider’s filters and removes the message.
- Forward to the APWG at [email protected].
- In the US, forward to the Anti-Phishing Working Group and report to the FTC at ReportFraud.ftc.gov.
Report a scam text (smishing)
In many countries you can forward a spam or scam text to 7726 (it spells “SPAM”), which sends it to your mobile carrier’s abuse team. Then delete it — and don’t reply, since a reply confirms your number is active.
Tell the brand being impersonated
If a scam is impersonating a specific company — your bank, a retailer, a courier — report it to them directly. Most large organisations have a dedicated address (often phishing@<company>.com or an “report a scam” page). They can warn other customers and pursue removal of the fake.
Report to the authorities
- United States: the FBI’s Internet Crime Complaint Center at ic3.gov, and the FTC at ReportFraud.ftc.gov. In 2024 the IC3 logged hundreds of thousands of phishing-related complaints. [2]
- United Kingdom: forward emails to [email protected] (the NCSC’s Suspicious Email Reporting Service) and report fraud to Action Fraud.
- Elsewhere: most countries have a national cybercrime or consumer-protection reporting body.
How SafeToOpen fits in
Reporting by hand is valuable but slow, and it relies on you noticing in the first place. SafeToOpen automates the detection-and-reporting part: when it identifies a malicious page, it doesn’t just block it for you — it shares the threat with SafeToOpen and industry partners and blocklists, so protection improves for everyone. In an organisation, a detection can also be sent to your security team’s mailbox and feeds. SafeToOpen focuses on detecting, reporting and sharing threat intelligence — it doesn’t itself perform domain takedowns.
One detection protects everyone
When SafeToOpen catches a phishing page, it blocks it and shares the threat with partners — so the same scam is caught faster everywhere.
How Brand Protection works →The takeaway
Report phishing sites to Google Safe Browsing and Microsoft, emails via your client’s report button and the APWG, texts to 7726, and serious fraud to your national authority — and tell the impersonated brand. Each report helps get the threat blocked faster for the next person.