January 15, 2025

Don’t Take the Bait: How to Identify, Avoid, and Report Phishing Emails in 2026

Every day, an estimated 3.4 billion phishing messages land in inboxes around the world. That number comes from the Anti-Phishing Working Group (APWG), and it means several of those deceptive emails have almost certainly reached you or someone on your team already. Phishing remains the single most prevalent type of cybercrime in the United States, and it is the leading cause of data breaches globally, with IBM reporting that 15% of all breaches stem directly from phishing attacks.

As a Chicago managed IT services company, we see the aftermath of these scams every week. A single click on a malicious link or a single response to a suspicious message can expose your organization to stolen credentials, ransomware, financial fraud, and lasting reputational damage. The average cost of a data breach now sits at $4.9 million according to IBM’s 2024 report, and for small-to-midsize businesses the consequences can be existential.

The good news is that phishing is a problem you can fight back against. This guide walks you through everything you need to know: what phishing looks like in 2026, how to recognize a scam before it does damage, exactly where and how to report phishing emails, and the steps your organization should take to build real, lasting protection. If you only take one thing away, let it be this: never click anything, never respond, then report it.

What Is Phishing and Why Is It So Dangerous?

Phishing is a form of social engineering in which scammers impersonate a reputable organization or trusted person to trick you into revealing sensitive data such as account credentials, passwords, Social Security numbers, or credit card details. These phishing emails may even appear to come from a friend, making them especially deceptive. The attack typically arrives as an email, but phishing messages can also come through text messages (known as smishing), phone calls (vishing), social media platforms, or even fake website pop-ups.

For a phishing attempt to succeed, it requires an action on the part of the victim. That action might be clicking a link that installs malware on your computer, downloading a malicious attachment, or entering your login details on a spoofed page. Once the attacker has what they need, the consequences cascade quickly: stolen credentials lead to account takeovers, unauthorized purchases, identity theft, and access to your broader company network. Phishing emails may include forged purchase invoices or payment requests to trick victims into making payments or divulging financial information. For a deeper look at how hackers exploit email systems specifically, see our guide on how hackers infiltrate your business using email.

A phishing attack on a business can freeze company systems, expose proprietary data, and result in devastating financial loss. According to Proofpoint’s 2023 State of the Phish report, 84% of organizations reported falling victim to an email-based phishing attack in 2022, and more than half dealt with multiple successful attacks. The FBI’s Internet Crime Complaint Center (IC3) reported that business email compromise (BEC) attacks alone accounted for nearly $2.9 billion in losses in 2023.

Types of Phishing Attacks Every Business Should Recognize in 2026

Phishing has evolved far beyond the obvious scam emails of the early 2000s. In 2026, cybercriminals use advanced AI tools, deepfake voice technology, and detailed personal information scraped from social media to craft attacks that can fool even experienced users. Understanding the different forms will help you and your employees identify threats no matter how they arrive.

Email phishing is the most common form. Attackers send messages that mimic trusted sources like your bank, a vendor, or even a colleague, and direct you to a fake website or ask you to download an attachment. These emails often create a sense of urgency, claiming there is a problem with your account or requesting immediate payment.

Spear phishing targets a specific person or organization using publicly available information like job titles, company details, or recent transactions to make the message highly convincing. Unlike broad phishing campaigns, spear phishing emails reference things only a legitimate contact would know.

Business email compromise (BEC) involves an attacker compromising or spoofing an executive’s email account to send fraudulent requests, usually demanding urgent financial transactions or sensitive data from employees. These attacks bypass many traditional security measures because they appear to come from inside the organization.

Smishing (SMS phishing) uses text messages instead of email. Smishing attacks surged over 328% in 2020 alone, and 76% of businesses reported facing them. In 2026, smishing scams have become even more sophisticated with QR code phishing attacks leading recipients to malicious sites.

Common smishing scams include:

  • Fake delivery notifications
  • Phony customer support alerts
  • Gift card promotions
  • Fraudulent bank verification requests

The link in a smishing text either installs malware on your phone or redirects you to a malicious site designed to steal your information.

Vishing (voice phishing) uses phone calls to manipulate targets. The caller may pose as tech support, a government agency, or your bank, pressuring you to share account details, confirm a password, or make a payment over the phone. AI-generated voice cloning makes this particularly dangerous in 2026, as scammers can now convincingly impersonate executives or family members.

Domain spoofing and pop-up phishing round out the toolkit. Spoofing involves forging an email address or creating a fake website that looks identical to a legitimate site. Pop-up phishing uses fake notifications on compromised websites to trick you into entering personal details. In every case, the attacker’s goal is the same: get you to act before you think.

How to Identify a Phishing Email: The S.E.C.U.R.E. Method

With phishing messages in 2026 becoming more sophisticated—especially with AI tools like ChatGPT and Claude helping scammers craft polished, error-free copy—you need a systematic approach to evaluate every suspicious email. The S.E.C.U.R.E. method gives you and your team a simple, memorable framework to use every time something feels off.

S – Start with the Subject Line. Is it unusual? Excessive forwarding markers like “FWD: FWD: FWD: review immediately” or alarming claims like “Your account has been compromised” are classic red flags. Legitimate companies rarely use panic-inducing subject lines.

E – Examine the Email Address. Do you recognize the sender? Look closely at the actual email address, not just the display name. Scammers often use addresses that are one character off from the real thing, like sallystrom@gmail.com instead of sallystorm@gmail.com. Hover over the sender’s name to reveal the true address.

C – Consider the Greeting. A generic salutation like “Dear Customer” or “Hello Ma’am” should immediately raise suspicion. If a company you do business with has your account information, they will typically address you by name.

U – Unpack the Message. Is there extreme urgency pushing you to click a link, download an attachment, or respond with personal details? Scammers manufacture urgency to bypass your rational thinking. If someone genuinely needed something urgently, they would likely contact you by phone. Learn more about how attackers exploit human psychology in our guide on social engineering and human error.

R – Review for Errors. Grammatical mistakes, odd misspellings, and awkward phrasing can signal a phishing attempt. Note that AI-generated phishing has reduced this tell in recent years, so do not rely on errors alone. But a message from a reputable organization should still read professionally.

E – Evaluate Links and Attachments. Never click links or download files from unexpected emails. Hover over any link without clicking to see where it really leads. If the URL looks suspicious, misspelled, or unfamiliar, do not proceed. Legitimate organizations will not ask you to download attachments from unsolicited messages.

When in doubt, reach out to the supposed sender through a separate communication channel you control. Call their verified phone number or navigate to their website directly in your browser rather than using any links in the email.
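As an added example (not code from the original article or from LeadingIT), the script below applies the S.E.C.U.R.E. checks to a raw email using only the Python standard library: it looks for a panic-inducing or heavily forwarded subject, a sender address that is a near-match for a trusted one, a Reply-To that points somewhere other than the sender's domain, a generic greeting, urgency wording, and links whose visible text names one destination while the real href goes to another. The trusted-sender and trusted-domain lists, the phrase lists and both sample messages are constructed for the demonstration; the lookalike address reuses the sallystrom/sallystorm pair from the text. It is a triage aid for a security alias, not a verdict: an empty result means none of these tells fired, not that the message is safe.

```python
import re
from difflib import SequenceMatcher
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-lists for this example; a real deployment loads them from the vendor directory.
TRUSTED_DOMAINS = {"example-bank.com", "example.com"}
TRUSTED_SENDERS = {"sallystorm@gmail.com"}
URGENCY_PHRASES = ("immediately", "urgent", "within 24 hours", "suspended", "verify now", "compromised")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear sir/madam", "hello ma'am")
LOOKS_LIKE_URL = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


class _Links(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def lookalike_of(value, known, threshold=0.85):
    """Return the known-good string that value nearly matches (one character off,
    swapped letters, a digit for a letter), or None if it is exact or unrelated."""
    value = value.lower()
    if value in known:
        return None
    for good in known:
        if SequenceMatcher(None, value, good).ratio() >= threshold:
            return good
    return None


def _host(url):
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def triage(raw_bytes):
    """Run the S.E.C.U.R.E. checks over one raw message; return (code, detail) findings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    findings = []
    # S: subject line with panic wording or a pile of forwarding markers
    subject = msg.get("Subject", "").lower()
    if subject.count("fwd:") >= 2 or any(p in subject for p in URGENCY_PHRASES):
        findings.append(("S", f"alarming or heavily forwarded subject: {subject!r}"))
    # E: examine the real address behind the display name, and where replies would go
    sender = msg["From"].addresses[0] if msg["From"] and msg["From"].addresses else None
    if sender:
        hit = lookalike_of(sender.addr_spec, TRUSTED_SENDERS) or lookalike_of(sender.domain, TRUSTED_DOMAINS)
        if hit:
            findings.append(("E-sender", f"{sender.addr_spec} is a near-match for {hit}"))
        reply_to = msg["Reply-To"]
        if reply_to and reply_to.addresses and reply_to.addresses[0].domain.lower() != sender.domain.lower():
            findings.append(("E-sender", f"Reply-To points at {reply_to.addresses[0].domain}, not the sender's domain"))
    body = msg.get_body(preferencelist=("html", "plain"))  # HTML preferred so anchors can be inspected
    content = body.get_content() if body else ""
    links = _Links()
    links.feed(content)
    text = re.sub(r"<[^>]+>", " ", content).lower()
    # C: generic greeting instead of the recipient's name
    if any(g in text for g in GENERIC_GREETINGS):
        findings.append(("C", "generic greeting instead of the recipient's name"))
    # U: manufactured urgency in the body
    if any(p in text for p in URGENCY_PHRASES):
        findings.append(("U", "urgency language pushing for immediate action"))
    # E: link text naming one destination while the href goes elsewhere, or a host resembling a trusted domain
    for href, shown in links.links:
        real = _host(href)
        if LOOKS_LIKE_URL.fullmatch(shown) and _host(shown) != real:
            findings.append(("E-link", f"text shows {shown!r} but the link goes to {real}"))
        elif lookalike_of(real, TRUSTED_DOMAINS):
            findings.append(("E-link", f"link host {real} resembles a trusted domain"))
    return findings


# Constructed sample: a spoofed bank alert (the digit 1 replaces the l in the domain).
SAMPLE_PHISH = b"""From: Example Bank Security <alerts@examp1e-bank.com>
Reply-To: support@mail-verify.example.net
Subject: FWD: FWD: Your account has been compromised
Content-Type: text/html; charset="utf-8"

<p>Dear Customer,</p><p>Verify now or your account will be suspended within 24 hours.</p>
<p><a href="http://examp1e-bank.com/login">https://example-bank.com/login</a></p>
"""

# Constructed sample: an ordinary message that should produce no findings.
SAMPLE_LEGIT = b"""From: Sally Storm <sallystorm@gmail.com>
Subject: Notes from Tuesday's meeting
Content-Type: text/plain; charset="utf-8"

Hi Jane, attached are the notes we discussed. Let me know if anything is missing.
"""

if __name__ == "__main__":
    for code, detail in triage(SAMPLE_PHISH):
        print(f"[{code}] {detail}")
```

Run against SAMPLE_PHISH, every letter of the method fires; the same code returns nothing for SAMPLE_LEGIT because sallystorm@gmail.com is an exact entry in the trusted list, while sallystrom@gmail.com would be reported as a near-match. The 0.85 similarity threshold is a starting point: too low and ordinary vendor domains get flagged, too high and a single swapped letter slips through, so tune it against your own mail flow.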

Dealing with a Suspicious Message

When you receive a suspicious message—whether it’s an email, text, or unexpected phone call—your first priority should be caution. Phishing messages are designed to look like they come from a reputable organization, such as your bank or a well-known company, but their real goal is to trick you into giving up sensitive information or money. If you spot a suspicious email or message, do not click any links, download attachments, or respond to requests for personal details. Instead, take a moment to verify the sender by contacting the organization directly using a trusted phone number or website—not the contact information provided in the message.

If you believe the message is a phishing attempt, report it right away. Forward the suspicious email to your email provider’s security service or to official addresses like reportphishing@apwg.org or report@phishing.gov.uk. Reporting helps law enforcement partners and security teams investigate the source and prevent future phishing attacks. The Federal Trade Commission (FTC) also accepts reports of phishing messages and can provide guidance on next steps. By reporting, you not only protect yourself but also help shield others from falling victim to similar scams.

Where and How to Report Phishing Emails: Step-by-Step Guide

Reporting phishing attempts helps protect not just your organization but the broader community. Every report contributes to tracking campaigns, identifying threat actors, and shutting down malicious infrastructure. It is important to inform relevant authorities or organizations when you report phishing, as this enables them to take appropriate action. Here is where and how to report phishing messages.

After you submit a phishing report, please note that organizations may be unable to provide specific updates or outcomes regarding your report. However, your information is valuable and helps support ongoing investigations.

Report to the Federal Trade Commission (FTC)

The FTC uses phishing reports to track scams and bring cases against fraudsters.

How to report:

  1. Forward the phishing email to reportphishing@apwg.org
  2. Forward the same message to spam@uce.gov
  3. You can also file a complaint at ReportFraud.ftc.gov

Report to the Anti-Phishing Working Group (APWG)

The APWG is a global coalition fighting phishing and cybercrime. They analyze reports to identify trends and coordinate takedown efforts.

How to report:

  • Forward the phishing email to reportphishing@apwg.org

Report to the FBI Internet Crime Complaint Center (IC3)

The FBI’s IC3 collects reports of internet crime, including phishing, business email compromise, and ransomware.

How to report:

  • Visit IC3.gov
  • Complete the online complaint form
  • Include as much detail as possible: sender information, message content, any financial losses

Report Phishing Impersonating Specific Companies

If the phishing email impersonates a legitimate company, report it directly to that organization as well. Most major companies publish a dedicated phishing reporting address; check their official website for instructions.

Report SMS Phishing (Smishing)

If you receive a phishing text message:

  1. Forward the message to 7726 (SPAM) on most U.S. carriers
  2. Report it to the FTC at ReportFraud.ftc.gov
  3. Delete the message after reporting

What to Include in Your Report

When reporting phishing, provide:

  • The full email or message (do not just describe it)
  • The sender’s email address or phone number
  • Any links or attachments (do not click them)
  • The date and time you received it
  • Any actions you took (clicked, replied, provided information)

The more detail you provide, the more effective the investigation and response.

The Role of Reporting in Prevention

Reporting phishing emails and suspicious messages is a powerful way to protect yourself and the wider community from cybercrime. When you report a phishing email to your security service, the Federal Trade Commission, or law enforcement partners, you provide valuable information that helps identify and investigate the source of the scam. This data enables security teams to alert other users, block malicious senders, and improve spam and phishing detection systems, making it harder for scammers to reach new victims.

Your report can also help law enforcement partners take down fraudulent websites and disrupt phishing campaigns before they cause more harm. The more phishing attempts are reported, the better email providers and security services can refine their filters to keep malicious messages out of inboxes. For more tips on how to protect yourself and to learn how to report phishing emails, visit the Federal Trade Commission’s website. By taking a few moments to report phishing, you play a direct role in making the internet safer for everyone.

What to Do If You Suspect You Have Been Phished

If you suspect you have fallen for a phishing scam, act immediately. Fast response limits damage.

  1. Change your passwords immediately. Start with the account or system you believe was compromised, then change passwords for any accounts that share the same or similar credentials. Use strong, unique passwords for each account. After changing your password, securely sign into your account directly (not through any links in the suspicious email) to check for unauthorized activity and update your credentials as needed.
  2. Enable multi-factor authentication (MFA). If you have not already, turn on MFA for every account that supports it. Use an authenticator app or hardware security key rather than SMS-based codes, which can be intercepted.
  3. Contact the affected institution. If you entered banking details, credit card numbers, or other financial information, contact your bank or card issuer right away. They can freeze your account, reverse unauthorized transactions, and issue new credentials.
  4. Monitor your accounts. Watch for unusual activity across your email, financial accounts, and any linked online services. Set up alerts where available so you are notified of logins from unfamiliar devices or locations. Consider enrolling in dark web monitoring to see if your credentials have been compromised and sold on criminal marketplaces.
  5. Run a full security scan. Use up-to-date antivirus software to scan your computer and mobile devices for malware that may have been installed when you clicked a link or opened an attachment.
  6. Consider a credit freeze. If your Social Security number or other identity data may have been stolen, contact the three major credit bureaus (Equifax, Experian, and TransUnion) to place a fraud alert or credit freeze. This prevents criminals from opening new accounts in your name.
  7. Report the incident. Follow the reporting steps in the previous section and also notify your employer’s IT team if a work account was involved.

Next Steps

If you’ve already fallen victim to a phishing scam, acting quickly is essential to minimize the impact. Start by notifying your bank or financial institution immediately to report any suspicious activity on your account and to prevent further unauthorized transactions. Change your password and update any other sensitive information that may have been compromised. It’s also important to contact the Federal Trade Commission (FTC) or your local law enforcement agency to report the incident and receive guidance on how to proceed.

Monitor your account activity and credit report closely for signs of fraud or identity theft. If you notice any unusual requests or transactions, respond by alerting your bank and taking additional security measures. Never respond to suspicious messages or requests for personal information, and always be cautious when clicking on links or providing sensitive details online. For more information on how to protect yourself from phishing and other cyber threats, visit the website of the National Cyber Security Centre (NCSC). By following these next steps, you can help protect your identity, secure your accounts, and reduce the risk of future scams.

Building a Phishing-Resistant Organization

Technology alone cannot stop phishing. According to Verizon’s 2023 Data Breach Investigations Report, human error accounts for 74% of all data breaches, and every organization is only as secure as its least-prepared employee. A strong defense requires combining employee awareness with the right tools and processes.

Security Awareness Training

Regular training is the foundation. Employees need to understand what phishing looks like, how social engineering tactics work, and what steps to take when they spot a suspicious email. Training should be ongoing, not a one-time event, because phishing tactics evolve constantly.

Essential training topics include:

  • Identifying phishing red flags
  • Recognizing spoofed addresses and domains
  • Handling unexpected attachments safely
  • Verifying unusual requests through a separate communication channel

Learn more about building a security-first culture in our article on employee training and cybersecurity awareness.

Phishing Simulation Testing

One of the most effective ways to reinforce training is through phishing simulations. These are controlled exercises where your IT team or a managed service provider sends realistic but harmless fake phishing emails to your employees.

Simulations provide:

  • Practical experience in a safe environment
  • Visibility into which individuals or departments need additional guidance
  • Measurable improvement in threat recognition and reporting

Organizations that run regular simulations see measurable improvement in their employees’ ability to recognize and report real threats, which directly reduces the likelihood of a successful attack.

Establish Clear Reporting Protocols

Make sure every person in your organization knows exactly what to do when they receive a suspicious message. A simple internal process, such as forwarding suspicious emails to a dedicated security alias and notifying a manager, removes ambiguity and ensures threats are flagged quickly. When reporting is easy and encouraged, employees are more likely to speak up rather than second-guess themselves or quietly delete a suspicious email.

Technical Defenses That Protect Against Phishing

While employee awareness is your first line of defense, the right technical controls significantly reduce the number of phishing messages that ever reach an inbox in the first place.

  • Spam and email filters. Modern spam filters have up to 99% accuracy and can block the vast majority of malicious emails before users ever see them. Make sure your organization’s email filtering is enabled and properly configured.
  • Multi-factor authentication (MFA). Requiring a second form of verification, such as an authenticator app or biometric scan, blocks unauthorized access even if a password is stolen. MFA should be enabled on every account across your organization.
  • Email authentication protocols. Implementing SPF, DKIM, and DMARC records on your domain verifies the legitimacy of outgoing email and makes it much harder for attackers to spoof your organization’s email address.
  • Antivirus and endpoint protection. Keep antivirus software current on all devices. Scan email attachments automatically before they can be downloaded or opened. Endpoint detection tools can catch malware that slips past email filters.
  • Firewalls and web filtering. A properly configured firewall creates a barrier between your internal network and external threats, monitoring incoming traffic and blocking known malicious sites.
  • Regular software updates and patching. Outdated software and legacy email platforms are prime targets for exploitation. Keeping operating systems, email clients, and security tools up to date closes known vulnerabilities that attackers rely on. See our guide on why software updates matter for more details.
  • Email encryption. Encrypting your email communications protects messages from being intercepted by unauthorized parties. Many providers like Gmail offer encryption options, but you may need to enable them manually.
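The SPF and DMARC records mentioned above are plain DNS TXT strings, so the policy they enforce can be read off directly. The following is an added example, not code from the original article or from LeadingIT: it parses both record types and lists the settings that leave a domain spoofable, comparing a weak pair of records with a corrected pair. All record strings are constructed; for your own domain, fetch them with dig TXT yourdomain and dig TXT _dmarc.yourdomain and pass the results in. DKIM is published per selector and is not parsed here.

```python
def parse_spf(record):
    """Split an SPF record into (mechanisms, all_qualifier).
    all_qualifier is '-' (fail), '~' (softfail), '?' (neutral), '+' (pass) or None if absent."""
    if not record.lower().startswith("v=spf1"):
        raise ValueError("not an SPF record")
    mechanisms, all_q = [], None
    for term in record.split()[1:]:
        if term.lower().lstrip("+-~?") == "all":
            all_q = term[0] if term[0] in "+-~?" else "+"  # unqualified 'all' defaults to pass
        else:
            mechanisms.append(term)
    return mechanisms, all_q


def parse_dmarc(record):
    """Return the tag=value pairs of a DMARC record as a dict with lower-cased keys."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def assess(spf_record, dmarc_record):
    """Return a list of weaknesses; an empty list means spoofed mail should be rejected."""
    issues = []
    _, all_q = parse_spf(spf_record)
    if all_q == "+":
        issues.append("SPF: '+all' authorises any host on the internet to send as this domain")
    elif all_q != "-":
        issues.append("SPF: no '-all'; spoofed mail is at best softfailed, never rejected")
    tags = parse_dmarc(dmarc_record)
    policy = tags.get("p")
    if policy is None:
        issues.append("DMARC: required 'p' tag missing; receivers treat the record as invalid")
    elif policy == "none":
        issues.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        issues.append("DMARC: p=quarantine sends spoofed mail to spam; move to p=reject once reports are clean")
    if policy in ("quarantine", "reject") and tags.get("sp", policy) == "none":
        issues.append("DMARC: sp=none leaves subdomains unprotected")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        issues.append(f"DMARC: pct={pct} applies the policy to only {pct}% of failing mail")
    if not tags.get("rua", "").startswith("mailto:"):
        issues.append("DMARC: no rua address, so no aggregate reports show who is spoofing you")
    return issues


# Constructed records: a common monitoring-only setup beside the enforcing version.
WEAK_SPF = "v=spf1 include:_spf.example.net ~all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
STRONG_SPF = "v=spf1 include:_spf.example.net -all"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s"

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("strong", STRONG_SPF, STRONG_DMARC)):
        print(label, assess(spf, dmarc) or ["no issues"])
```

The weak pair is what many domains run indefinitely: the SPF softfail and the p=none policy generate reports but never stop a forged message, so an attacker spoofing your address still lands in inboxes. The corrected pair rejects mail that fails alignment and extends that to subdomains; the rua address is what lets you watch the aggregate reports before and after the change.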

No single tool provides complete protection. The most effective approach layers multiple defenses together so that if one fails, the next catches the threat. For a broader look at how these protections fit into your overall security posture, see our guide to cybersecurity best practices for SMBs.

Protect Your Business from Phishing Attacks in 2026

Phishing scams will continue to evolve, but you do not have to face them alone. A managed IT service provider brings the expertise, advanced threat detection tools, and proactive monitoring needed to stay ahead of emerging attacks in 2026 and beyond. From employee training programs and phishing simulations to multi-layered email security and dark web monitoring for exposed credentials, the right partner makes your organization significantly harder to compromise.

LeadingIT is Chicagoland’s trusted advisor for organizations with 25–250 users, specializing in IT and cybersecurity solutions that align with your business goals. Our unlimited support model means your team always has the help they need, when they need it, with no hidden costs. If you want to find out where your organization stands, we offer a free security risk assessment that gives you a clear blueprint for next steps. Call us at 815-788-6041 or book yours today.
