How to Report Cybercrime in the US
Cybercrime reporting in the United States is structured across multiple federal, state, and sector-specific channels, each with distinct jurisdictional scope and intake procedures. Knowing which agency receives which category of complaint directly affects whether an incident receives investigative attention or gets filed without action. This page maps the reporting landscape — the agencies, portals, classification thresholds, and procedural distinctions that determine how a cybercrime complaint moves from submission to response.
Definition and scope
Cybercrime, as operationalized by federal law enforcement, encompasses offenses prosecutable under statutes including the Computer Fraud and Abuse Act (18 U.S.C. § 1030), the Electronic Communications Privacy Act (18 U.S.C. § 2510 et seq.), and the Identity Theft Enforcement and Restitution Act of 2008. The FBI Cyber Division, the Cybersecurity and Infrastructure Security Agency (CISA), the Secret Service's National Threat Operations Center, and the Internet Crime Complaint Center (IC3) — a partnership between the FBI and the National White Collar Crime Center (NW3C) — collectively constitute the primary federal intake infrastructure.
The scope of reportable cybercrime includes unauthorized system access, ransomware deployment, business email compromise (BEC), identity theft enabled by digital intrusion, online fraud, child exploitation facilitated by technology, and attacks on critical infrastructure. Sector-specific regulators such as the Financial Crimes Enforcement Network (FinCEN) and the Department of Health and Human Services Office for Civil Rights (HHS OCR) impose additional mandatory reporting obligations in financial services and healthcare respectively. For a broader view of how cybercrime reporting channels map onto the national threat landscape, the structural overview provides sector-by-sector detail.
How it works
Federal cybercrime reporting operates through distinct intake pathways depending on the offense category, the reporter's status (individual, business, or critical infrastructure operator), and the urgency of the incident.
Standard IC3 complaint process:
- The complainant accesses the IC3 portal at ic3.gov and submits a structured online complaint form.
- The form captures the complainant's identity, financial loss amount (if applicable), a description of the incident, and any supporting evidence such as email headers, IP addresses, or transaction records.
- IC3 analysts review and aggregate complaints; referrals are made to federal, state, local, or international law enforcement agencies based on jurisdictional fit and investigative viability.
- High-value cases — particularly BEC schemes exceeding $50,000 — may trigger a Financial Fraud Kill Chain request through IC3's Recovery Asset Team (RAT), which attempts to halt fraudulent wire transfers in transit (IC3 2023 Internet Crime Report).
CISA incident reporting (critical infrastructure operators):
Organizations operating in the 16 critical infrastructure sectors defined under Presidential Policy Directive 21 (PPD-21) report significant cyber incidents directly to CISA via report.cisa.gov or by calling 1-888-282-0870. The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) will eventually mandate reporting of covered cyber incidents within 72 hours and ransomware payments within 24 hours, with CISA issuing final rules through a notice-and-comment rulemaking process. The FBI's cyber division resources page details FBI-specific intake procedures for enterprise-level intrusions.
Sector-mandated reporting:
- Healthcare entities covered by HIPAA must notify HHS OCR of breaches affecting 500 or more individuals within 60 days of discovery (45 C.F.R. § 164.408).
- Financial institutions subject to the FTC Safeguards Rule must notify the FTC within 30 days of discovering a security breach affecting 500 or more customers (16 C.F.R. Part 314).
- Publicly traded companies must disclose material cybersecurity incidents to the SEC within 4 business days under SEC rules effective December 2023.
Common scenarios
Business Email Compromise (BEC): One of the costliest cybercrime categories tracked by IC3, BEC involves the compromise or spoofing of business email accounts to redirect financial transactions. These complaints route to IC3 first, with potential escalation to the FBI's field offices and Secret Service.
Ransomware attacks: Ransomware incidents affecting businesses or infrastructure are reported to both CISA (via the web portal) and the FBI (via ic3.gov or a local FBI field office). The ransomware national response framework details inter-agency coordination protocols, including StopRansomware.gov, the joint advisory hub operated by CISA, FBI, and NSA.
Identity theft: Individual victims of identity theft file with the FTC at IdentityTheft.gov, which generates a personalized recovery plan and an official Identity Theft Report usable with creditors and law enforcement. Concurrent filing with IC3 is appropriate when the theft involved a data breach or unauthorized system access.
Online fraud and scams: Investment fraud, romance scams, and tech support fraud complaints go to IC3. The FTC's ReportFraud.ftc.gov portal captures consumer fraud with broader jurisdiction over deceptive practices under 15 U.S.C. § 45.
Attacks on critical infrastructure: Power grid, water system, and transportation network incidents route to CISA as the sector risk management coordinator, with parallel notification to sector-specific agencies (e.g., FERC for energy, TSA for transportation).
Decision boundaries
The correct reporting channel depends on three classification criteria: who the victim is, what type of offense occurred, and whether mandatory regulatory reporting applies.
| Scenario | Primary Channel | Mandatory Deadline |
|---|---|---|
| Individual fraud or scam | IC3, FTC ReportFraud | None (voluntary) |
| Identity theft (individual) | FTC IdentityTheft.gov | None (voluntary) |
| BEC or wire fraud (business) | IC3, FBI field office | None (voluntary) |
| HIPAA-covered data breach (≥500) | HHS OCR | 60 days post-discovery |
| FTC Safeguards breach (≥500 customers) | FTC | 30 days post-discovery |
| SEC-material incident (public company) | SEC Form 8-K | 4 business days |
| Critical infrastructure incident | CISA, FBI | 72 hours under CIRCIA (pending final rule) |
| Ransomware payment | CISA, FBI, FinCEN (sanctions screening) | 24 hours under CIRCIA (pending final rule) |
The key distinction between IC3 and CISA reporting is scope and sector: IC3 serves as the general-public and business intake portal aggregating complaints for investigative referral, while CISA operates as the operational coordination hub for incidents that may affect national security or infrastructure reliability. The incident response national protocols page provides the procedural framework that governs agency handoffs once an initial report is filed.
State-level reporting obligations exist independently of federal channels. 50 states maintain breach notification statutes with varying thresholds and timelines. The state cybersecurity programs reference covers state attorneys general and state fusion center contacts where law enforcement engagement at the state level is appropriate.
References
- Internet Crime Complaint Center (IC3) — FBI / NW3C
- IC3 2023 Internet Crime Report
- CISA Cyber Incident Reporting Portal
- Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) — CISA
- HHS Office for Civil Rights — HIPAA Breach Notification Rule, 45 C.F.R. § 164.408
- FTC Safeguards Rule, 16 C.F.R. Part 314
- SEC Cybersecurity Disclosure Rules — Final Rule 33-11216 (2023)
- FTC ReportFraud Portal
- FTC IdentityTheft.gov
- [StopRansomware.gov