Lesson 5.1

Who to Tell

10 minutes

You have evidence. Who gets it? The answer depends on the message. A phishing attempt at your work email, a brand impersonation at your personal email, and a message that already cost you money all flow to completely different destinations. The goal of this lesson is to replace the vague instruction “report it” with a concrete decision tree you can apply in under a minute.

The Decision Tree

Four branches. Pick the one that matches the message you’re holding, and send it where the branch says. You can send to more than one destination at a time — in most cases, you should.

Work email (anything to your work account)

Your IT/security team first, via forward-as-attachment. Many workplaces have a "Report Phishing" button in Outlook or Gmail that does this in one click. Use it if available: it handles the forwarding, preserves the headers, and files the report to the right internal inbox automatically.

Always report work phishing to work IT, even if you also report it elsewhere. Your employer may be the actual target of the campaign, and internal visibility matters more than any external report.

Personal email impersonating a brand (bank, shipping, Amazon, etc.)

Forward the message (as an attachment, to preserve headers) to the impersonated brand's abuse mailbox. Most major brands use one or both of these standard patterns; if you are unsure, confirm the address on the brand's official site rather than trusting anything in the message itself:

  • phishing@[brand].com — works for Chase, PayPal, Amazon, Apple, Microsoft, and most other majors.
  • abuse@[brand].com — older pattern, still active for many brands.

In addition, always send a copy to [email protected] — the Anti-Phishing Working Group, an industry consortium that aggregates reports for takedowns and filter updates.

Financial impact (you lost money or gave credentials)

Call your bank or card issuer immediately, using the phone number printed on the back of your card — not a number from the email. Financial action comes before any report. Once the account is contained:

  • File with IC3 (ic3.gov), the FBI's Internet Crime Complaint Center.
  • File with the FTC (reportfraud.ftc.gov).

Both reports feed into federal investigations and consumer protection data.

Government impersonation (IRS, SSA, Medicare, etc.)

Forward to the agency's fraud or Inspector General office. Each agency has a dedicated address:

  • IRS — [email protected]
  • Social Security Administration — report through oig.ssa.gov
  • Other agencies — search for "[agency] report phishing" on the agency's official .gov site.

The APWG Universal Target

If you only remember one address from this lesson, remember this one: [email protected]. The Anti-Phishing Working Group is an international consortium of banks, ISPs, email providers, security vendors, and law enforcement. Reports sent there are parsed, de-duplicated, and fed into shared threat-intel feeds used by registrars, browser makers, and filter providers. A single report can trigger a domain takedown with the hosting registrar, a Safe Browsing warning in Chrome and Firefox, a SmartScreen flag in Edge, and filter-rule updates at Google and Microsoft. A well-written report there can protect millions of people from ever seeing the campaign. Most people have never heard of APWG. It is the highest-leverage address in this lesson.

What If I’m Not Sure?

Default to three destinations: your work IT team (if the message arrived at work), APWG, and the impersonated brand. Three reports is fine — it’s not redundant, it’s routing the evidence to three different defense layers. Under-reporting is the real failure mode. Nobody will fault you for sending an extra copy; plenty of campaigns run unchecked for weeks because every recipient assumed someone else would report it.

You were told to "report suspicious emails" with no guidance on where. You now have a decision tree — use it.

Key Takeaways

  1. Work email → work IT first. Use the Report Phishing button if available; otherwise forward-as-attachment to your internal security address.
  2. Personal email impersonating a brand → phishing@[brand].com + [email protected]. Both addresses, every time.
  3. Financial impact → call your bank on the number on the card first. Then file with IC3 and the FTC. Containment before reporting.
  4. When in doubt, over-report. Three destinations is routine, not excessive. Under-reporting is how campaigns survive.