How to report phishing: Email, texts, calls, websites

Feb. 17, 2026 ET — Phishing has evolved into a polished, AI‑driven threat that now sparks a large share of data breaches. Knowing what phishing is, how to stop interacting with a scam, and where to report it can help investigators shut down campaigns and protect other potential victims.

What is phishing and why it matters

Phishing is any attempt to trick you into revealing sensitive information or installing malware by pretending to be a trusted contact or organisation. Modern attacks are not limited to clumsy emails; they span SMS messages (smishing), phone calls or voicemails (vishing), fake websites, and multi‑channel narratives that build credibility over time. Industry data for 2026 indicates phishing now initiates a substantial portion of global breaches, and attackers increasingly use AI to craft near‑perfect language and believable sender identities. That shift makes behavioural red flags — unusual requests for money or credentials, unexpected urgency, or asks to verify private data — more reliable signals than grammar alone.

How to report phishing: email, texts, calls and websites

Stop interacting immediately. Do not click links, open attachments, or reply. Then follow these steps tailored to the medium:

• Email: Use the reporting tool built into your mail client or webmail. Open the suspicious message, access the message options, and choose the option to report it as phishing or mark it as junk. Forward any clear impersonation attempts to the legitimate organisation’s official abuse or fraud contact if you can verify it independently, and then delete the message.
• Text messages (smishing): Many mobile carriers support a short code that spells SPAM on the keypad for reporting unwanted texts. Forward the message to that code if your carrier supports it; otherwise, block the sender and report the incident to your national consumer protection or cybercrime agency.
• Phone calls and voicemails (vishing): Do not provide personal details over the call. Note the caller’s number, the time and content of the call, and report the incident to your national authorities responsible for cybercrime or consumer fraud. If the call impersonated a financial institution, notify the institution through verified contact channels.
• Fraudulent websites: Report malicious sites through the abuse or unsafe content forms maintained by major browser and search providers so they can assess and block access. If the site impersonates a brand, inform that company’s official abuse or fraud team using the contact details on its verified website.

Reporting helps investigators take down malicious domains, disrupt ongoing campaigns, and improve protective filters for everyone.

If you clicked a link or entered information

If you clicked a link but did not enter credentials, disconnect from the internet and run a full antivirus or anti‑malware scan on the device. If you entered login details or financial data, change passwords immediately on the affected accounts using a different device if possible, and enable multi‑factor authentication. Contact your bank or payment provider to flag potential fraud and consider freezing or monitoring accounts for suspicious activity. Where identity data was submitted, consider placing fraud alerts on credit files with the appropriate agencies in your country.

Longer term, adopt layered defences: use unique passwords or passkeys, enable multi‑factor authentication, keep devices and apps updated, use DNS filtering or reputable security tools, and establish out‑of‑band verification or safety words for sensitive communications. Treat trust as a security boundary — unexpected requests for personal data deserve extra scrutiny even when messages look flawless.

Phishing remains one of the most common cyber threats. Prompt reporting and quick action after an exposure reduce harm and help disrupt the increasingly sophisticated operations behind modern scams.