How to Report Cybercrime in the US

Cybercrime reporting in the United States is distributed across multiple federal agencies, each with jurisdiction over distinct offense categories. Understanding which channel handles which offense type determines whether a complaint reaches investigators with actual enforcement authority. This page maps the federal reporting infrastructure, describes how complaints are processed, and establishes the classification boundaries that distinguish one reporting pathway from another.

Definition and scope

Cybercrime, as defined by the Federal Bureau of Investigation (FBI), encompasses criminal acts in which a computer or network is either the instrument of the offense, the target of the offense, or both. The Internet Crime Complaint Center (IC3), operated by the FBI, serves as the primary national intake mechanism for cybercrime complaints from individuals, businesses, and government entities across all 50 states.

Federal jurisdiction over cybercrime derives principally from the Computer Fraud and Abuse Act (18 U.S.C. § 1030), which criminalizes unauthorized access to protected computers and related conduct. The scope of reportable offenses includes — but is not limited to — ransomware attacks, business email compromise (BEC), identity theft, phishing schemes, online fraud, and critical infrastructure intrusions.

Reporting volume illustrates the scale of the problem: the IC3 received 880,418 complaints in 2023, with reported losses exceeding $12.5 billion (IC3 2023 Annual Report). That figure represents a 22 percent increase in losses over the prior year.

How it works

The federal cybercrime reporting system operates across 4 primary intake channels, each feeding into a distinct investigative or regulatory pipeline.

  1. IC3 (Internet Crime Complaint Center) — The FBI's centralized online complaint portal at ic3.gov accepts reports from victims of internet-facilitated crimes. Complaints are reviewed by IC3 analysts and referred to appropriate law enforcement agencies at the federal, state, tribal, or local level. IC3 does not conduct direct investigations but functions as a triage and referral hub.

  2. CISA (Cybersecurity and Infrastructure Security Agency) — The Cybersecurity and Infrastructure Security Agency accepts incident reports involving critical infrastructure sectors — energy, water, transportation, financial services, and 12 additional sectors designated under Presidential Policy Directive 21 (PPD-21). CISA's reporting portal handles both voluntary disclosures and, under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), mandatory reporting obligations for covered entities.

  3. FTC (Federal Trade Commission) — The FTC's ReportFraud.ftc.gov portal handles consumer-facing cybercrime with a fraud component — including identity theft, phishing, and online scams. FTC reports feed into the Consumer Sentinel Network, a law enforcement database accessible to over 2,800 agencies.

  4. Secret Service — The U.S. Secret Service maintains Electronic Crimes Task Forces (ECTFs) in 42 cities and accepts direct reports for financial cybercrimes, including large-scale BEC operations and network intrusions targeting financial institutions.

Complaints submitted through any of these channels do not guarantee prosecution. IC3 data is aggregated to identify patterns and resource investigations; individual low-dollar complaints may not result in direct follow-up.

Common scenarios

Different offense types map to different primary reporting channels. The table below captures the dominant classifications found in the cybersecurity providers and IC3 reporting taxonomy.

Business Email Compromise (BEC): Report to IC3. BEC was responsible for $2.9 billion in losses in 2023 alone (IC3 2023 Annual Report), making it the highest-loss category tracked by the agency. Wire transfer recovery may be possible through IC3's Financial Fraud Kill Chain (FFKC) if reported within 72 hours.

Ransomware: Report to both IC3 and CISA. CISA's #StopRansomware initiative coordinates multi-agency response. Covered critical infrastructure entities face mandatory CIRCIA reporting within 72 hours of a confirmed incident.

Identity Theft: Report to the FTC at IdentityTheft.gov, which generates a personalized recovery plan. A separate IC3 complaint is appropriate if the theft involved computer intrusion.

Phishing and Online Fraud: Report to IC3 and the FTC. Phishing targeting specific organizations should also be reported to the Anti-Phishing Working Group (APWG) at [email protected].

State-Sponsored Intrusions / Espionage: Report directly to the FBI field office with jurisdiction. The FBI's Cyber Division handles nation-state threat actors; these cases fall outside IC3's standard consumer complaint process.

Decision boundaries

The choice of reporting channel depends on 3 classification factors: the nature of the victim (individual, business, or infrastructure operator), the type of harm (financial fraud, data breach, service disruption, or espionage), and the presence of mandatory reporting obligations under federal or sector-specific law.

Individual vs. organizational victims: Individuals experiencing fraud-based cybercrime should lead with IC3 and FTC. Organizations — particularly those in regulated sectors such as healthcare, finance, or energy — face layered obligations. HIPAA-covered entities must report data breaches affecting 500 or more individuals to the HHS Office for Civil Rights within 60 days of discovery (45 CFR § 164.408). Financial institutions regulated under the Gramm-Leach-Bliley Act carry separate notification duties to their primary federal regulator.

Voluntary vs. mandatory reporting: Most IC3 and FTC submissions are voluntary. CIRCIA, once fully implemented through CISA rulemaking, will impose mandatory 72-hour reporting on critical infrastructure covered entities and 24-hour reporting for ransomware payments specifically. The distinction between voluntary and mandatory pathways is documented in the reference framework.

Local incidents — such as harassment, threats, or fraud below federal thresholds — are best directed to state attorneys general or local law enforcement, in addition to any applicable federal channel. The how to use this cybersecurity resource page provides further orientation on navigating the professional services and agency landscape covered across this reference.

 ·   · 

References

Read Next

Cybersecurity Listings ANA › Professional Services Authority › National Cyber › National Cybersecurity Cybersecurity Providers The providers assembled here... Cybersecurity Directory: Purpose and Scope ANA › Professional Services Authority › National Cyber › National Cybersecurity Cybersecurity Network: Purpose and Scope The National... National Cybersecurity Incident Response Protocols ANA › Professional Services Authority › National Cyber › National Cybersecurity National Cybersecurity Incident Response Protocols...