How to Report Cybercrime in the US

Cybercrime reporting in the United States is distributed across multiple federal agencies, each with jurisdiction over specific offense categories. Understanding which agency receives which type of complaint — and what happens after a report is filed — determines whether a case enters the right investigative pipeline. This page maps the reporting landscape, the functional process, the major scenario types, and the threshold questions that determine jurisdictional routing.

Definition and scope

Cybercrime, as defined operationally by the Federal Bureau of Investigation (FBI), encompasses criminal acts in which a computer network or device is either the instrument of the offense, the target of the offense, or both. The FBI's Internet Crime Complaint Center (IC3), established in 2000 as a joint initiative between the FBI and the National White Collar Crime Center (NW3C), serves as the primary national intake point for public cybercrime complaints.

The scope of reportable cybercrime spans financial fraud, identity theft, ransomware attacks, network intrusions, child exploitation material, and critical infrastructure targeting. The IC3 2022 Internet Crime Report recorded 800,944 complaints with reported losses exceeding $10.3 billion — the highest annual loss total in the center's history. Scope boundaries matter because federal agencies do not hold universal jurisdiction: the Cybersecurity and Infrastructure Security Agency (CISA) handles infrastructure-sector incidents separately from consumer fraud, which falls under the Federal Trade Commission (FTC).

The National Online Safety Authority's directory of cybersecurity resources provides categorized listings of agencies and services operating within this reporting infrastructure.

How it works

Cybercrime reporting follows a structured intake-and-routing process rather than a single centralized workflow. The process has five discrete phases:

1. Complaint submission — The victim or witness submits a report through the appropriate agency portal. For most internet crimes, this is the IC3 online complaint form at ic3.gov. For identity theft specifically, the FTC operates IdentityTheft.gov as a dedicated intake system.
2. Intake screening — IC3 analysts review submissions for completeness, jurisdictional fit, and whether the complaint contains actionable investigative leads. Complaints lacking key identifiers (IP addresses, transaction records, account numbers) are often archived rather than actively pursued.
3. Jurisdictional routing — Complaints are forwarded to the appropriate federal, state, or local law enforcement body based on offense type, dollar threshold, and victim category. CISA receives referrals for incidents involving the 16 critical infrastructure sectors defined under Presidential Policy Directive 21 (PPD-21).
4. Investigation initiation — Not all complaints generate active investigations. The FBI and Secret Service both operate cybercrime task forces, but resource constraints mean cases under a dollar-loss threshold or lacking interstate/foreign nexus may be declined at the federal level and referred to state attorneys general or local law enforcement.
5. Victim notification — IC3 does not provide status updates on individual complaints as a standard practice. Victims who require confirmation of report receipt should retain their IC3 complaint number, which serves as a reference for any subsequent law enforcement contact.

Common scenarios

Cybercrime complaints fall into distinct categories that determine which agency and statute apply.

Business Email Compromise (BEC) — Attackers impersonate executives or vendors to redirect wire transfers. BEC is reported to IC3; wire fraud falls under 18 U.S.C. § 1343. The IC3 Recovery Asset Team (RAT) can in some cases initiate a Financial Fraud Kill Chain (FFKC) to freeze fraudulent transfers if reported within 72 hours of the transaction.

Ransomware attacks — Attacks encrypting organizational data for extortion. Reportable to IC3 and CISA via cisa.gov/report. CISA's ransomware reporting aligns with the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which establishes mandatory reporting timelines for covered entities.

Identity theft — Unauthorized use of personal identifying information. Primary intake is the FTC's IdentityTheft.gov. The Identity Theft and Assumption Deterrence Act (18 U.S.C. § 1028) governs federal prosecution.

Child sexual exploitation material (CSEM) — Reports go to the National Center for Missing and Exploited Children (NCMEC) CyberTipline, which is mandated by 18 U.S.C. § 2258A for electronic service providers.

Hacking and unauthorized access — Governed by the Computer Fraud and Abuse Act (18 U.S.C. § 1030); reported to IC3 and, for network intrusions affecting organizations, directly to the local FBI field office.

The purpose and scope of this directory includes further context on how cybercrime resources are classified within the national service landscape.

Decision boundaries

The threshold question in cybercrime reporting is whether the incident involves a federal nexus — interstate communication, foreign actors, or federally regulated systems — or whether it is purely a state-level matter.

Federal vs. state jurisdiction: Federal agencies prioritize cases involving losses above $50,000, organized criminal groups, foreign state-sponsored actors, or attacks on critical infrastructure. Incidents below these thresholds are typically referred to state attorneys general or local cybercrime units. All 50 states maintain computer crime statutes that parallel or extend federal law.

Civil vs. criminal: Data breaches that do not involve intentional criminal conduct may trigger civil regulatory action rather than criminal investigation. The FTC enforces Section 5 of the FTC Act (15 U.S.C. § 45) against unfair or deceptive data security practices. Sector-specific regulators — the Office for Civil Rights (OCR) at HHS for healthcare, the SEC for publicly traded companies — operate parallel reporting obligations that exist independently of criminal complaint intake.

Individual vs. organizational reporters: IC3 accepts complaints from both individuals and organizations. CISA's reporting infrastructure at cisa.gov/report is oriented toward organizational and infrastructure operators. The FTC's IdentityTheft.gov is designed exclusively for individual consumer victims.

For navigational context on how this resource is structured within the broader directory framework, see how to use this online safety resource.

References

• FBI Internet Crime Complaint Center (IC3)
• IC3 2022 Internet Crime Report
• Cybersecurity and Infrastructure Security Agency (CISA)
• Federal Trade Commission (FTC) — IdentityTheft.gov
• National Center for Missing and Exploited Children (NCMEC) CyberTipline
• Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) — CISA
• Computer Fraud and Abuse Act — 18 U.S.C. § 1030
• Identity Theft and Assumption Deterrence Act — 18 U.S.C. § 1028
• Presidential Policy Directive 21 (PPD-21)
• HHS Office for Civil Rights