Skip to content
Email Tools

guide · Gmail Spam & Phishing

How to report spam in Gmail (2026 guide)

Report spam in Gmail the right way — button, keyboard shortcut, mobile path, what Google does next, Report Spam vs Phishing vs Block vs Unsubscribe, and where to escalate phishing in the US, UK, EU.

Alexis Dollé By Alexis Dollé · ·
How to report spam in Gmail (2026 guide)

The UK’s National Cyber Security Centre passed 54.5 million scam reports through its Suspicious Email Reporting Service by April 2026, leading to 248,000 takedowns across 440,000 URLs — every one of those reports started with a single user clicking “report” instead of “delete”. Reporting spam is the most under-used lever in the inbox: it costs you two seconds, it actively shrinks the sender’s reach for everyone, and on Gmail web a single keystroke (!) does the whole job. This guide covers the exact gestures on web and mobile, the difference between Report Spam, Report Phishing, Block, and Unsubscribe, what actually happens to a reported message inside Google’s pipeline, and where to escalate true phishing to government bodies in the US, UK, France, Germany, and Spain when Gmail alone is not enough.

TL;DR — Report spam in one keystroke

On Gmail web with keyboard shortcuts enabled, press ! (Shift+1) with the message open or selected to report spam instantly. With the mouse, click the octagonal stop-sign “Report spam” icon in the message toolbar. On mobile, open the message → three-dot menu → Report spam. For mail that impersonates a brand or asks for credentials, use Report phishing instead — the three-dot menu → Report phishing — to send a stronger signal to Google’s anti-fraud team.

If you remember nothing else from this article, remember the keystroke: !. It is the fastest moderation action in Gmail, faster than archiving, and it does more for everyone than blocking. Enable keyboard shortcuts at Settings → General → Keyboard shortcuts → On if you have not already.

Spam vs Phishing vs Block vs Unsubscribe — decision table

Four overlapping actions, four different outcomes. Reporting spam teaches Gmail’s classifier. Reporting phishing escalates to Google’s fraud team and Safe Browsing. Blocking only filters that one address on your account. Unsubscribing actually removes you from the sender’s list. The right choice depends on whether the mail is malicious, unwanted, or legitimately-opted-into.

ActionWhat it doesWhat it does NOT doUse when
Report SpamMoves message to Spam, sends signal to Google’s global classifier, tightens your per-user filter for similar mailDoes not unsubscribe you, does not block the sender if they switch domainsUnwanted bulk mail you never opted into, repetitive promos, low-quality newsletters
Report PhishingSame as Report Spam plus escalation to Google’s anti-fraud team and Safe Browsing — can result in URL takedownDoes not prosecute the sender (separate process)Mail impersonating a brand, asking for credentials, linking to fake login, attaching malware
Block senderFuture mail from that exact address routes straight to Spam on your accountDoes not affect anyone else, does not stop new addresses from the same actor, does not unsubscribePersistent individual senders ignoring unsubscribe, harassers, single-address scammers
Unsubscribe (inline link)Triggers RFC 8058 one-click unsubscribe; sender must remove your address within two business days per Google’s bulk-sender rulesDoes not flag the sender to Google, does not help anyone elseLegitimate marketing from senders you once opted into and now want off

The rule of thumb I use: if the mail is trying to deceive me, Report Phishing. If it is unwanted but legitimate-looking, check whether I recognise the sender — recognised → Unsubscribe, unrecognised → Report Spam. Block is reserved for the rare case where one specific human will not stop emailing.

If the message is legitimate marketing you no longer want, unsubscribing is the right move — but doing it one newsletter at a time wastes hours. Try Leave Me Alone free

For the full strategy on shrinking your overall spam volume — filters, address compartmentalisation, the unsubscribe stack — see the broader anti-spam strategy guide. This article is specifically about the report action.

How to report spam on Gmail web (button + ! shortcut)

On Gmail web there are three ways: the toolbar button (octagonal stop-sign icon labelled “Report spam”), the three-dot menu inside the message, or the keyboard shortcut !. Any of the three moves the message to Spam and sends a signal to Google’s classifier.

Method 1 — The toolbar button

  1. Open the spam email in Gmail web at mail.google.com.
  2. In the message toolbar at the top, find the octagonal red stop-sign icon with an exclamation mark inside. Hover to confirm the tooltip reads “Report spam”.
  3. Click it. The message moves to Spam, you return to the inbox, and a yellow banner shows “Conversation reported as spam” with an Undo link active for a few seconds.

Method 2 — The three-dot menu

Useful when you want to choose between Report Spam and Report Phishing.

  1. Open the email.
  2. Click the three-dot “More” menu in the top-right of the message header (next to Reply).
  3. Choose Report spam or Report phishing depending on intent.

Method 3 — The ! keyboard shortcut

The fastest path. Requires keyboard shortcuts enabled at Settings → General → Keyboard shortcuts → On.

  1. With the message open OR selected in the inbox list, press ! (Shift+1).
  2. The message is reported and moved to Spam in one keystroke.

You can also select multiple messages with x (toggle select) or * then a (select all), then press ! to report the whole batch at once.

Reporting from the Spam folder

If Gmail already flagged the message and you want to reinforce the signal — or report a phishing email that landed in Spam (Report Phishing is a stronger signal than the auto-classifier) — open Spam, open the message, use the three-dot menu → Report phishing.

How to report spam on Gmail mobile (iOS + Android)

On both Gmail iOS and Android the path is identical: open the message, tap the three-dot menu in the top-right of the message header, choose Report spam or Report phishing. Long-press in the inbox list selects multiple messages for batch reporting.

iOS (Gmail app)

  1. Open the Gmail app and tap the message to open it.
  2. Tap the three-dot menu (⋮) in the top-right of the message header — not the browser-style top bar.
  3. Scroll the action sheet and tap Report spam or Report phishing.
  4. Confirm in the popup. The message moves to Spam.

For batch reporting: from the inbox list, long-press one message to enter selection mode, tap the others you want, then tap the three-dot menu in the top toolbar → Report spam.

Android (Gmail app)

  1. Open the Gmail app and tap the message.
  2. Tap the three-dot menu to the right of the sender name.
  3. Tap Report spam or Report phishing.
  4. Confirm.

Long-press for batch selection works identically to iOS.

Why mobile feels slower

The mobile UI hides Report Phishing one tap deeper than Report Spam on some Android versions — Google has shuffled the menu order at least twice in the past two years. If you cannot see Report Phishing immediately, scroll the sheet; on smaller screens it often sits below the fold.

What happens after you click Report spam

Three things happen in parallel. First, the message moves to your Spam folder and auto-deletes after 30 days. Second, Google receives a copy and feeds it into its global spam classifier — your signal joins billions of others to score that sender’s future mail. Third, your per-user model tightens for that address, domain, and content pattern, so similar mail is more likely to be flagged on arrival next time.

According to Google’s Gmail Help page on reporting spam, the company explicitly states: “As you report more spam, Gmail identifies similar emails as spam more efficiently.” That phrasing matters — it confirms the per-user reinforcement loop, not just a global one.

The sender-side consequences are less visible but real. Sending IPs and authenticated domains (those signing with SPF, DKIM, DMARC) accumulate a reputation score. Repeated spam reports from many recipients push the score down, which means future mail from that sender is more likely to land in Spam folders across Gmail’s ~1.8 billion users — not just yours. Google’s February 2024 bulk-sender enforcement made that reputation score even more consequential: senders with high spam-report rates (>0.3% sustained) are throttled or blocked outright.

The implication: a single click on Report Spam contributes, in a small but measurable way, to fewer spam emails landing in everyone else’s inbox. It is the closest thing the inbox has to civic-duty mechanics.

How to report phishing (and why it matters more)

Report Phishing is structurally the same gesture as Report Spam — three-dot menu → Report phishing — but the signal routes differently inside Google. Phishing reports go to the anti-fraud team and feed Google Safe Browsing, which protects Chrome, Firefox, and Safari users from clicking the malicious URLs. Use Report Phishing for any mail that tries to deceive, even if it looks “just spammy”.

The Gmail web button for Report Phishing is hidden in the three-dot menu (it is not in the toolbar). On mobile the same path. There is no keyboard shortcut.

Use Report Phishing when the message:

  • Impersonates a brand (PayPal, Amazon, your bank, Microsoft, Google itself)
  • Asks you to “verify” your account, password, or 2FA code
  • Links to a login page on a domain that does not match the brand
  • Attaches a file claiming to be an invoice, receipt, voicemail, or shipping notice
  • Threatens account closure, legal action, or arrest if you do not act
  • Comes from a domain that looks like a real brand with a slight misspelling (paypaI.com with capital I, m1crosoft.com)

The escalation matters because a phishing report can result in URL takedown via Safe Browsing within hours — meaning the attacker loses the landing page that was harvesting credentials from other victims. A plain spam report does not trigger the same workflow.

What NOT to do — the four mistakes

Four actions look helpful but make things worse: clicking the unsubscribe link in a suspicious email, replying “stop” or “unsubscribe”, forwarding the message to friends or colleagues without preserving headers, and opening any attachment to “see what it is”.

1. Do not click unsubscribe in suspicious mail

Unsubscribe links in legitimate marketing emails are safe — they trigger the RFC 8058 one-click flow Google enforces since February 2024. Unsubscribe links in phishing or pure spam are weapons. Clicking can:

  • Confirm your address is live — the link includes a unique tracker. The sender now sells your “verified active” address at premium rates on spam markets.
  • Load malware — the link redirects to a drive-by-download page.
  • Harvest credentials — the link opens a fake login page asking you to “log in to unsubscribe”.

Rule: if you do not recognise the sender, do not click anything in the body. Report Spam or Report Phishing.

2. Do not reply “stop” or “unsubscribe”

Same logic as above, amplified. A reply confirms your address is monitored by a human. Spammers buy and sell active address lists; replying triples the price of your address on those lists.

3. Do not forward to friends or colleagues without context

Forwarding a phishing email to a colleague to warn them often backfires — they receive it from your trusted address, the malicious link is now one click away, and the headers are stripped. If you must warn someone, forward as attachment (preserves original headers) and add a written warning above. The Gmail Forward-as-attachment option keeps the .eml intact for IT analysis.

4. Do not open attachments

Even just previewing a PDF, DOCX, or HTML attachment in the Gmail web preview can trigger embedded exploits on unpatched systems. If you suspect phishing, Report Phishing immediately and let Google’s sandbox analyse the file — do not open it yourself.

Escalating to Google Safe Browsing and APWG

Beyond clicking Report Phishing inside Gmail, two cross-platform escalations matter: Google’s general abuse report form (for Gmail users sending abuse from Gmail addresses) and the Anti-Phishing Working Group, which aggregates phishing reports across email providers and feeds them to browsers, CERTs, and law enforcement worldwide.

Google’s Gmail abuse report

If a Gmail user is sending you abusive, harassing, or spam mail from a @gmail.com address, use Google’s abuse report form directly. This is in addition to Report Spam — the form lets you submit detailed context and original headers, which the in-inbox button does not capture.

Anti-Phishing Working Group (APWG)

Forward the suspicious email as an attachment to reportphishing@apwg.org. APWG is a non-profit industry consortium that aggregates phishing reports from Microsoft, Google, banks, ISPs, and individual reporters, then redistributes the indicators (URLs, sending IPs, samples) to browser vendors, CERTs, and law enforcement. Reports submitted here feed Chrome’s, Firefox’s, and Safari’s anti-phishing warnings.

Use Forward-as-attachment so the original headers survive — APWG’s analysts need the full envelope to trace the sending infrastructure.

Reporting to government bodies — US, UK, FR, DE, ES

Every country has a national reporting channel. Most are free, take under a minute, and feed real takedown and prosecution workflows. Pick the one for your country and bookmark it now — you will use it more than you think.

United States

  • Federal Trade Commission (FTC): file at reportfraud.ftc.gov for any unwanted commercial email, scam, or fraud. The FTC uses these reports to build cases and publishes monthly Consumer Sentinel data.
  • Anti-Phishing Working Group: forward as attachment to reportphishing@apwg.org (covered above).
  • FBI Internet Crime Complaint Center (IC3): report at ic3.gov if you lost money or sensitive information to a phishing attack — IC3 routes complaints to FBI field offices for investigation.

United Kingdom

  • NCSC Suspicious Email Reporting Service (SERS): forward the email to report@phishing.gov.uk. As of April 2026, SERS had processed 54.5+ million reports and removed 248,000 scams across 440,000 URLs — making it one of the world’s most effective citizen-driven takedown services.
  • Action Fraud: report at actionfraud.police.uk if you lost money or are the victim of a confirmed scam.

France

  • Signal Spam: report via signal-spam.fr using the browser plugin or by forwarding to the address it generates after signup. Reports route to ARCEP, CNIL, and the senders’ ISPs.
  • 33700 (SMS spam): forward any spam SMS to the short code 33700. The number is run by the French mobile carriers’ anti-spam initiative and feeds daily action on offending numbers.
  • Signal Conso: report deceptive commercial emails at signal.conso.gouv.fr, the official DGCCRF (consumer-protection authority) reporting tool.

Germany

  • Verbraucherzentrale Phishing-Radar: forward suspicious emails to phishing@verbraucherzentrale.nrw. The NRW consumer protection office aggregates and publishes weekly phishing alerts.
  • BSI (Bundesamt für Sicherheit in der Informationstechnik): see bsi.bund.de for the federal cyber agency’s reporting guidance and the BSI für Bürger (citizens) portal.

Spain

  • INCIBE (Instituto Nacional de Ciberseguridad): call 017 (free) or report online at incibe.es — the national cybersecurity helpline handles phishing, fraud, and online abuse for citizens.
  • OSI (Oficina de Seguridad del Internauta): citizen-focused portal at osi.es with reporting forms and alert subscriptions.

Workspace admin reporting flow

Google Workspace admins can configure organisation-wide reporting: a “Report phishing” button that routes copies of reported mail to a security mailbox, security investigation tool integration, and automated takedown workflows. End users in Workspace get the same Gmail buttons plus, optionally, a corporate “Report to IT” button.

If your organisation uses Google Workspace and you receive a suspicious email at your work address:

  1. Use Report phishing in Gmail first — it still trains Google’s classifier across the global user base.
  2. Then forward as attachment to your internal security inbox if your org has one (commonly phishing@company.com or security@company.com). Use Forward as attachment so the headers reach the security team intact.
  3. For Workspace admins: enable “Enhanced pre-delivery message scanning” in the Admin console, configure the user-reported-phishing collection mailbox under Security → Alert center, and review the Security Investigation Tool for the reported messages.

Admins can also retrospectively quarantine matching messages across all users’ inboxes via the Security Investigation Tool’s “Delete from inbox” action — which is the highest-leverage anti-phishing move available in Workspace.

For more on Workspace-side protections, see Google’s admin help on phishing protections.

Alexis Dollé, founder of Email Tools
Alexis Dollé
Founder & Editor

Alexis Dollé, email expert for 10+ years. Founder of Email Tools. I test every email client and utility myself, then write about them the way I’d explain them to a friend — no marketing fluff, no sponsored rankings, every claim sourced.

LinkedIn
Sources & references
  1. Google Support — “Mark or unmark emails as spam in Gmail” — official Gmail documentation on Report Spam mechanics and per-user filter learning. Accessed 2026-05-17. support.google.com/mail/answer/1366858
  2. Google Support — “Avoid and report phishing emails” — guidance on Report Phishing and what Google does with the report. Accessed 2026-05-17. support.google.com/mail/answer/8253
  3. Google Support — “Report abuse, phishing, or spam in Gmail” — abuse form for Gmail users sending abuse. Accessed 2026-05-17. support.google.com/mail/contact/abuse
  4. Google Support — “Email sender guidelines” — February 2024 bulk-sender requirements including spam-report-rate thresholds. Accessed 2026-05-17. support.google.com/mail/answer/81126
  5. US FTC — “Report Fraud” — official US consumer fraud reporting portal. Accessed 2026-05-17. reportfraud.ftc.gov
  6. FBI — “Internet Crime Complaint Center (IC3)” — for financial loss or sensitive-data theft. Accessed 2026-05-17. ic3.gov
  7. Anti-Phishing Working Group — “Report Phishing” — industry consortium aggregating phishing reports. Accessed 2026-05-17. apwg.org/reportphishing
  8. NCSC UK — “Phishing scams” collection — SERS (report@phishing.gov.uk) and reporting statistics. Accessed 2026-05-17. ncsc.gov.uk/collection/phishing-scams
  9. Signal Spam — French national spam reporting platform. Accessed 2026-05-17. signal-spam.fr
  10. 33700 — France mobile-carrier SMS spam reporting. Accessed 2026-05-17. 33700.fr
  11. Verbraucherzentrale NRW — Phishing-Radar (phishing@verbraucherzentrale.nrw). Accessed 2026-05-17. verbraucherzentrale.nrw
  12. INCIBE — Instituto Nacional de Ciberseguridad (017 helpline, ciudadania portal). Accessed 2026-05-17. incibe.es/ciudadania

Frequently asked questions

What is the keyboard shortcut to report spam in Gmail? On Gmail web with keyboard shortcuts enabled (Settings → General → Keyboard shortcuts on), the shortcut is the exclamation mark (Shift+1, written as !). With the conversation open or selected in the list, pressing ! reports it as spam and moves it to the Spam folder. There is no native shortcut for Report Phishing — that one still requires the three-dot menu.

What actually happens after I click Report spam in Gmail? Three things happen at once. The message moves to your Spam folder where it auto-deletes after 30 days. Google receives a copy for its global spam classifier, which uses your signal alongside billions of others to score future mail from that sender. And your per-user filter tightens for that sender’s domain, address, and content patterns — so similar messages are more likely to be flagged on first delivery next time.

Should I click Report spam or Report phishing — what is the difference? Report Spam is for unwanted but non-malicious mail — marketing you never opted into, repetitive promos, low-quality newsletters. Report Phishing is for mail that impersonates a brand, asks for credentials, links to a fake login page, or attaches malware. Phishing reports go to Google’s anti-fraud team and feed Safe Browsing — they carry more weight than a plain spam report, so use Report Phishing whenever the message tries to deceive.

Is it safe to click the unsubscribe link in spam? Only if the message comes from a sender you actually recognise and once gave your address to. For unknown senders, the unsubscribe link can be a tracker (it confirms your address is live), a malware loader, or a redirect to a credential-harvesting page. The rule: unrecognised sender → Report Spam or Report Phishing, never click anything in the body. Recognised sender → use the inline Unsubscribe link Gmail shows next to the sender name (not the footer link).

Where do I report a phishing email outside Gmail? US: forward to reportphishing@apwg.org and file a complaint at reportfraud.ftc.gov; if you lost money, also report at ic3.gov. UK: forward to report@phishing.gov.uk (NCSC Suspicious Email Reporting Service). France: forward via signal-spam.fr and report SMS spam by texting 33700. Germany: forward to phishing@verbraucherzentrale.nrw. Spain: report to INCIBE on 017 or via incibe.es and osi.es.

Can I report spam from the Gmail mobile app? Yes. On both iOS and Android, open the message → tap the three-dot menu in the top-right of the message header → Report spam (or Report phishing for impersonation/credential mail). Long-pressing a message in the inbox list also lets you select multiple messages and report them in one action. The shortcut key (!) is web-only — mobile keyboards do not trigger Gmail actions.

Related: How to stop getting spam email completely — the broader anti-spam strategy. How to block someone on Gmail — when blocking is the right move. How to create a filter in Gmail — automate the report-or-route decision. Gmail account not receiving emails — what to do when legitimate mail is mis-classified as spam. Best unsubscribe tools 2026 — for the unsubscribe-not-report path. Best way to mass unsubscribe — bulk unsubscribe workflows.