The antiphishing workgroup does a good job at it to my knowledge:
1. Create a new mail to email@example.com.
2. Drag and drop the phishing email from your inbox onto this new email message
* In Netscape drop it on the 'attachment' area
3. Do not use "forward" if you can help it, as this approach loses information and requires more manual processing. The exception is when you use the Web interface to outlook: in that case forward is the only solution.
I hope the antiphising workgroup is authorative enough to allow a URL.