How to Report Phishing to the Office of Information Security

The Office of Information Security is pleased to announce the rollout of a new security feature coming to your inbox. The Phish Alert Button (PAB), pictured below, will appear in the upper right-hand corner of your e-mail in Office 365 and Outlook mobile for Android and iOS. 

Phishing is the most common tool used by cybercriminals to steal login credentials, personal information, data, and intellectual property. If you receive a “phishy” email (i.e., an email that demands unexpected quick action, comes from an unknown sender, asks you to supply login credentials or other personal information, etc.), please protect yourself and others at our institution by using the Phish Alert Button (PAB). When you report a phish using the PAB, our office will investigate the threat and take any necessary action, such as removing all similar messages from systems and notifying our community of the threat. 

A Closer Look at the PAB

The appearance of the PAB varies slightly according to the version of Outlook you use. In all versions, the PAB icon appears as an open letter with an orange fishhook. When there is accompanying text, some versions will read “Phish Alert” while others will say “Report Phish”. Please see below for examples of the icon in various environments.

Office365 in Browser

Windows 10 Client

WIn 10 PAB (Report Phish)

macOS Client

Mobile Outlook Client

The following screenshots are from iOS. We will include an annotated photo of the Android interface as well. Please note that the PAB is accessed by tapping on the ellipsis menu (or kebab menu in Android) below the time stamp in the message itself.

Below, you will find an example of the button on Android.

For device-specific PAB guidance, please refer to the documents below: 

PAB for Office Online

PAB for Outlook (New Interface)

PAB for Outlook (Classic Interface) 

Don’t have the PAB? Report phishing by sending us an attachment.

Report the phishing message to the Office of Information Security by sending it as an attachment to infosec@wustl.edu. The guidance below provides step-by-step instructions for sending an email as an attachment in the most common desktop clients. Unfortunately, the ability to send an email as an attachment is not available on most mobile clients.