Written by the email privacy, security, and inbox management team at Leave Me Alone. Updated for 2026.

Got a suspicious email that feels off: an unexpected invoice, a "security alert," or a link asking you to log in?
Your goal is simple: avoid clicking anything dangerous, confirm whether it’s real, and report it so you get fewer of these next time.
In April 2025, the FBI reported that internet-crime losses in 2024 exceeded $16 billion, with phishing and spoofing the most common complaints. What that means for you: treating suspicious emails as potentially harmful and following a repeatable process is worth the minute it takes.
Key takeaways
- Don’t engage: don’t click, reply, call numbers in the email, or open attachments.
- Verify outside the email: go to the company’s site/app directly or use a known phone number.
- Report it: use "Report phishing/spam" in your email provider (it helps improve filtering).
- If you already interacted: change passwords, enable MFA, and contact your bank/IT if needed.
- Reduce inbox noise: fewer legit-but-annoying emails makes scams easier to spot.
Do this first: the 60-second safety checklist
Immediate steps (safe for almost every situation)
- Stop: don’t click links or buttons, scan QR codes, download files, or reply.
- Pause the urgency: "act now" language is a classic pressure tactic.
- Verify separately: open a new tab and go to the company’s website or app directly (not via the email).
- Report it using your email provider’s built-in tools.
- Delete it (or leave it in Spam after reporting).
One exception: don’t "unsubscribe" from sketchy emails
If the email seems suspicious, don’t click the unsubscribe link inside the message. Use report/block tools instead.
If it’s a newsletter you knowingly signed up for and it looks legitimate, unsubscribing can be fine. Just don’t use "unsubscribe" as a way to "test" an email you don’t trust.
How to spot a suspicious email (without overthinking it)
Red flags in the sender
- Display name doesn’t match the actual address/domain.
- Lookalike domains (example: swapping letters for numbers, or adding extra words to the domain).
- "Reply-To" is different from the "From" address.
- First-time sender asking for sensitive info or payment.
These are common phishing patterns across major providers.
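The first three sender red flags can also be checked mechanically from a message's headers. The sketch below is an added example, not a Leave Me Alone tool or any provider's filter; the sample message, the `KNOWN_DOMAINS` list, and the digit-swap table are assumptions made up for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
import re

# Constructed sample (not a real message). example.com stands in for a
# service the reader uses; the other domains are made up for illustration.
SAMPLE = """\
From: "billing@example.com via Example Billing" <notice@examp1e-billing.com>
Reply-To: payments@mail-collect.test
Subject: Invoice overdue

Pay now to avoid suspension.
"""

KNOWN_DOMAINS = {"example.com"}           # assumption: services you really use
SWAPS = str.maketrans("01345", "oleas")   # common digit-for-letter swaps

def domain_of(addr):
    return addr.rpartition("@")[2].lower()

def is_known(domain):
    return any(domain == k or domain.endswith("." + k) for k in KNOWN_DOMAINS)

def lookalike_of(domain):
    """Return the known domain this one imitates, or None."""
    normalized = domain.translate(SWAPS)
    for known in KNOWN_DOMAINS:
        brand = known.split(".")[0]
        if brand in normalized and not is_known(domain):
            return known
    return None

def sender_red_flags(raw):
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_domain, flags = domain_of(addr), []
    # Display name shows an address from a different domain than the real one.
    shown = re.findall(r"[\w.+-]+@([\w.-]+)", name)
    if any(d.lower() != from_domain for d in shown):
        flags.append("display-name-mismatch")
    if reply_to and domain_of(reply_to) != from_domain:
        flags.append("reply-to-mismatch")
    imitated = lookalike_of(from_domain)
    if imitated:
        flags.append("lookalike:" + imitated)
    return flags
```

An empty result does not mean a message is safe; it only means none of these three sender patterns were present.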
Red flags in the message
- Requests for private information (passwords, MFA codes, Social Security number, bank details).
- Unexpected attachments (especially if you weren’t expecting a document).
- Threats or urgency (account will be closed, payment overdue, legal action).
- Too-good-to-be-true offers (free money, prizes, refunds you didn’t request).
- Link destinations don’t match what the email claims.
Microsoft and Google both call out urgency, mismatched domains, and suspicious links/attachments as key warning signs.
If you see a warning banner, treat it like a stop sign
Gmail may show a warning or move a message to Spam when it suspects phishing. If you get a warning, avoid clicking links, downloading attachments, or entering personal information.
How to verify an email safely (without using links in the message)
Step 1: Decide what claim you’re verifying
Most suspicious emails boil down to one claim: "Something happened to your account," "You owe money," or "You need to open this document." Say the claim out loud, then verify it using a trusted path, not the email.
Step 2: Go to the real website or app directly
Open a new browser tab and type the organization’s web address yourself (or use a bookmark you already trust). If the email is about a Google account security event, Google recommends checking your account’s security notifications directly instead of trusting the email link.
Step 3: Use a known-good contact method
If it’s a bank, delivery company, employer, or subscription service: use the phone number on the back of your card, an old statement, or the official support page, not any number inside the email. Microsoft recommends contacting the organization using official numbers/emails from its site when you’re unsure.
Step 4: If it looks like it’s from someone you know, verify out-of-band
Call or text the person using the number you already have saved. Don’t hit "reply" and don’t use phone numbers provided in the suspicious email.
How to report and remove a suspicious email (Gmail, Outlook, Apple Mail)
Reporting does two useful things: it removes the message from where you’ll accidentally interact with it, and it helps providers improve filtering for future messages.
How to Report a Suspicious Email
This table shows what to do for each major email service.
| Email Service | What to Do |
|---|---|
| Gmail | Use Gmail’s Report phishing option (on a computer: open the message, open the “More” menu near Reply, then select Report phishing). Gmail notes that when you move a message to Spam or report it, Google receives a copy and may analyze it to help protect users from spam and abuse. If you want to stop a specific sender, Gmail also lets you block them so future messages go to Spam. |
| Outlook / Outlook.com | Microsoft recommends using Outlook’s built-in Report phishing feature. If needed, attach the message to a new email and send it to phish@office365.microsoft.com so headers can be reviewed. |
| Apple Mail / iCloud | If an email is pretending to be Apple, forward it to reportphishing@apple.com. Apple also provides reporting options for iCloud Mail and Messages. |
| Work or school email | Use your organization’s Report phish button or forward-as-attachment process so your security team can investigate. If you’re not sure, report it anyway and ask IT what they prefer for next time. |
Gmail
Use Gmail’s Report phishing option (on a computer: open the message, open the "More" menu near Reply, then select Report phishing). Gmail notes that when you move a message to Spam or report it, Google receives a copy and may analyze it to help protect users from spam and abuse.
If you want to stop a specific sender, Gmail also lets you block them so future messages go to Spam.
Outlook / Outlook.com
Microsoft recommends using Outlook’s built-in Report phishing feature to flag suspicious emails and help improve spam and security filters. For full guidance, see Microsoft – Protect yourself from phishing.
Apple Mail / iCloud
Apple recommends using the built-in reporting tools in Apple Mail and iCloud Mail to flag phishing and scam emails. For official guidance, see Apple – Recognize and avoid social engineering scams.
Work or school email
Use your organization’s "Report phish" button or forward-as-attachment process so your security team can investigate. If you’re not sure, report it anyway, then ask IT what they prefer for next time.
If you clicked a link, opened an attachment, or replied
Do this now (damage-control checklist)
- Write down what happened (what you clicked, what info you entered, which account was involved).
- Change passwords immediately for affected accounts—and anywhere you reused the same password.
- Turn on multi-factor authentication (MFA) wherever possible.
- Notify the right people: your workplace IT team, and your bank/card provider if payment info was shared.
- Report it to local law enforcement if money was lost or identity theft is involved.
Microsoft outlines these steps as recommended actions after a suspected phishing event.
If the message was part of a broader scam (money transfer, crypto payment, impersonation, etc.), you can also file a complaint with the FBI’s Internet Crime Complaint Center (IC3).
Make suspicious emails easier to spot (reduce inbox noise)
Simple habits that help
- Separate emails by purpose: one address for accounts/banking, another for sign-ups and shopping.
- Keep subscriptions under control: fewer marketing emails makes unusual messages stand out.
- Use built-in security prompts: pay attention when your email provider flags a message or sender.
- Never reuse passwords, and enable MFA where you can.
How Leave Me Alone can help (without pretending to be a security product)
- Find and unsubscribe from subscription emails so your inbox is less cluttered.
- Bundle newsletters into Rollups so they arrive as a digest instead of dozens of separate emails.
- Screen new senders and block unwanted categories with Inbox Shield, so unknown senders don’t land directly in your inbox.
Less noise doesn’t eliminate scams, but it can make "this looks weird" moments much easier to notice quickly.
What can change
- Scam patterns evolve: attackers shift from obvious "bad grammar" emails to realistic messages that mimic your real services.
- Email app menus move: "Report phishing" might be under a different menu on mobile vs. desktop.
- Reporting addresses and processes vary by provider and employer; when in doubt, use the built-in report button and check your provider’s help page.
Frequently Asked Questions
Is it safe to click “unsubscribe” in a suspicious email?
If the email seems suspicious, don’t click its unsubscribe link. Use your email provider’s report/block tools instead, then delete the message.
What if the email looks like it’s from a company I use?
Don’t use the link inside the email. Open a new tab, go to the company’s website or app directly, and check your account there. If needed, contact them using a trusted phone number or support page.
How can I check where a link goes without clicking it?
On desktop, hover your mouse over the link to preview the destination. On mobile, press and hold the link to preview it. If anything looks off, don’t open it.
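The hover check above, and the "link destinations don’t match" red flag earlier in this guide, come down to comparing the host a link displays with the host it actually points to. This added example (not part of the original guide or any provider's tooling) does that comparison over a constructed HTML body with made-up domains.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import re

# Constructed HTML body (not from a real message); all domains are made up.
SAMPLE_HTML = """
<p>Your account is locked. Sign in at
<a href="https://login.example.com.account-verify.test/session">https://login.example.com</a>
or read the <a href="https://example.com/help">help page</a>.</p>
"""

class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def shown_host(text):
    """Hostname if the link text itself looks like a URL or domain, else None."""
    m = re.match(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:?#]|$)", text, re.I)
    return m.group(1).lower() if m else None

def mismatched_links(html):
    """Return (shown host, real host) where the text names a different host."""
    parser = LinkCollector()
    parser.feed(html)
    found = []
    for text, href in parser.links:
        shown, actual = shown_host(text), urlsplit(href).hostname or ""
        if shown and shown != actual:
            found.append((shown, actual))
    return found
```

In the sample, the real host ends in `account-verify.test`; the familiar name at the front is only a subdomain label, which is why reading the destination from right to left matters.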
How do I report phishing in Gmail?
Open the email in Gmail on a computer, open the More menu near Reply, and choose Report phishing. Gmail will move the message and use the report to improve protection.
How do I report phishing in Outlook?
In Outlook, select the suspicious message and use the built-in Report feature to report it as phishing. If you don’t have that option, follow your organization’s instructions for reporting.
What should I do if I already entered my password or payment details?
Change your password immediately (and anywhere else you reused it), enable multi-factor authentication, and contact your bank or card provider if financial details were shared. If it’s a work account, notify your IT team.
Can a plain-text email infect my device?
Usually, the risk comes from interacting with the message: clicking links, scanning QR codes, or opening attachments. Treat unexpected links and attachments as unsafe until verified.
Can Leave Me Alone stop phishing emails?
Leave Me Alone can reduce inbox noise and help screen or block unwanted senders, which can make suspicious messages easier to spot. It doesn’t replace careful verification and your email provider’s security protections.