What to Do If You Are Receiving Phishing Emails: A Quick Action Guide

Have you ever received an email titled “your bank” that asks you to confirm your account. Something smells fishy. What to do if you received phishing emails? Suddenly, it becomes a pressing question. What do you do first? Do you ignore it? Do you click to see more? Do you forward it to IT?

If you have ever asked yourself, “What do I do if I’ve received a phishing email?” you are not alone. Phishing is one of the most common and most effective forms of cybercrime. However, the good news is that if you know how to react, you have the advantage.

In this article, we will take you through exactly what to do if you receive phishing emails. And what you should not do? 

What Is Phishing?

Phishing is a cyberattack that occurs when someone pretends to be someone you know and trust to obtain sensitive information (passwords, credit cards or even access to your company’s device).

These messages usually:

• Appears to be from someone that you know (boss, colleague, vendor)
• Contains an urgent request
• Request that you click a link or download a file
• Appears almost legitimate (but not quite).

Phishing was the most reported cybercrime in the FBI’s 2023 Internet Crime Complaint Center (IC3) report, with over 300,000 incidents reported for losses of $52 million. At the same time, the UK’s National Cyber Security Centre (NCSC) has reported an increase in targeted (aka Spear Phishing) phishing attacks across small businesses and the public sector and it doesn’t just come in email! 

Phishing can also occur by:

• Text messages (this is referred to as smishing)
• Phone calls (this is referred to as vishing)
• Social media messages
• Collaboration messaging tools like Teams and Slack

The message may come in a variety of forms, however, the intent is the same: to make you click, type or transfer something valuable. This is why it’s critical to know what to do with suspicious emails before they compromise your data.

What Should You Do First If You Receive a Phishing Email?

When you receive an email you suspect is not legitimate, you may become frightened, particularly if the email appears to be from a trusted source. Whether you’re in a threat environment or simply logging into your email account, it’s critical to take action quickly and appropriately. Phishing schemes want you to act fast so you can become a victim, but your first line of defense is to act calmly and rationally.

Now let’s take things a step further. Suspicion is good – action is better. Here’s what to do with a phishing email:

1. Confirm the source

• Do not use the contact information given in the email.
• Instead, go to the actual website or call the person with a known phone number.
• Verify that what is being asked of you matches contextual clues from previous communications or expectations.

2. Use the “Report phishing” feature

• Both Gmail and Outlook have this. 
• In Outlook, click on the three dots (More actions) > Report > Phishing.

3. Inform your IT or security team

• Many organizations have an email dedicated to this.
• Your notification could help protect others in your company.

4. Delete it

• After reporting, safely delete it from your inbox and your trash.

What to Do If You Get a Phishing Email in Microsoft Outlook?

Microsoft Outlook is among the most popular email applications for both business and personal use, which also makes it a prime target for phishing. If you’re using Outlook, following the proper steps can easily help stop a threat before it spreads. Below is a simple user guide on how to report and handle phishing emails, specifically from Outlook. Below is a simple user guide on what to do if you receive phishing emails in Outlook.

In order to remediate the potential attack:

• Identify the suspicious message.
• Click the three dots (More Actions) on the toolbar.
• Select Report > Phishing.
• (If your IT team asks for screenshots or other information, you could also just notify them manually.)
• Now, empty your Deleted Items folder.

Bonus Tip for Outlook users: If you have not enabled the “Report Message” add-in, do so! It streamlines the source reporting and also helps Microsoft with its threat detection efforts.

Additionally:

• If you’re using Outlook in a work use case, check for a company “report phishing” button (often via integration with Microsoft Defender).
• Always follow up if you accidentally clicked something. Don’t wait to see if the damage is done.
• If you’re IT, use the “View Source” or “Message Header Analyzer” in Outlook to check suspicious headers. (Very actions just for IT teams.)

Defending Yourself: Best Practices to Avoid Getting Phished

According to The National Cyber Security Centre (NCSC), the UK’s training security awareness that uses real-world scenarios, supporting the report-don’t-punish culture, is a stronger training than using counterfeit phishing tests that penalize employees. Although it’s important to react effectively, it’s even better to be proactive. The following instructions outline how to guard yourself and your organization:

1. Use 2FA (two-factor authentication)

Even if someone steals your password, they can’t do anything with it without getting a second code.

2. Update your software

Phishers take advantage of out-of-date software. Take control and set your software to update automatically.

3. Use anti-phishing filters

Surveillance systems have your back. Outlook, Gmail, Microsoft Defender and Google Safe Browsing can protect you from phishing.

4. Train and mock regularly

Phishing tactics change over time. Even if you receive training just annually or quarterly, it helps refresh your brain for phishing red flags.

What If You Fall for a Phishing Email?

Even the most observant users can be snared – phishing emails are made for deceiving purposes, not simply to test your knowledge. If you’ve clicked on a link, downloaded an attachment, or shared personal information, don’t be alarmed. Whatever you do next is the most important part. Act quickly, decisively and you can reduce the damage and protect your accounts and systems.

It happens to even the best of us at tech! The important thing is to get going quickly: 

• Unplug your internet connection, and if you opened a file or clicked a link, go offline.
• Change all your passwords related to those sites, especially if you typed anything suspicious somewhere.
• Run a full scan with your antivirus software, and alert your IT/security team.
• If you shared sensitive data (like customer information), then notify anyone affected. 

Report the Scam:

If you’ve been targeted by a phishing email in India, you can report it to:

• E-mail: [email protected] 

• Use this email for phishing: [email protected] 

Include:

• A copy of the email (attach if possible)
• Full email headers
• A brief summary of what happened

You can also report phishing and other scams from banks to your bank’s fraud service and the National Cyber Crime Reporting Portal at: https://cybercrime.gov.in 

Beyond the Basics in Phishing

Most of the time, we stop at “Don’t Click”—but the hackers are evolving quickly and you should evolve your awareness quickly also. Here are some talking points your competitors probably didn’t mention:

1. Phishing is not just in email anymore

Attacks are happening over Microsoft Teams, Slack, and other collaboration tools. 

These collaboration tools can often bypass simple email filters.

2. Beware of Multi-channel Phishing (Vishing)

Some attackers will combine emails with phone calls while posing as customer service or tech support.

This combination increased perceived credibility and urgency to the victim.

3. DMARC Protects Your Domain Reputation

Domain-based Message Authentication, Reporting & Conformance (DMARC) protocols can prevent an attacker from spoofing your company domain. 

Organizations can try TDMARC to protect the outbound email workflow to ensure email authentication and security.

4. Simulated Phishing Tests Are Only Part Of the Picture

Testing is not everything – you need a strong culture of reporting without retribution.

Praise users for reporting suspected activity.

5. Grammar and Spelling Are Not Reliable Signals Any Longer

Many phishing emails are now written with proper grammar and even personalized content.

Phishing emails rely on sender verification and context, not on language quality.

Stay one step ahead by being informed, aware, and responsive.

Conclusion

What to do if you receive phishing emails next time? Just remember that Phishing is more than just a nuisance – it is one of the most prevalent threats we see online. But you don’t have to be an expert in cybersecurity to stay safe. If you take the appropriate steps as soon as you notice something is fraudulent, you’ll outsmart even the most sophisticated scams.

So the next time you get an unexpected “must-click” email in your inbox, remember to pause, investigate, report, and delete!