How to Report a Cybercrime in the US
Cybercrime reporting in the United States is distributed across multiple federal agencies, each with distinct jurisdictional authority depending on the nature of the offense, the identity of the victim, and the type of system involved. Understanding which agency receives which type of report determines whether an incident enters a federal investigative pipeline, contributes to national threat intelligence, or triggers a sector-specific regulatory response. This page maps the reporting landscape, the mechanisms each channel uses, and the classification boundaries that determine where a report belongs.
Definition and scope
A cybercrime, for federal reporting purposes, is any criminal offense in which a computer network, digital system, or internet-connected device is either the instrument of the offense or the target. The statutory foundation for most federal cybercrime prosecutions is the Computer Fraud and Abuse Act (18 U.S.C. § 1030), which covers unauthorized access, damage to protected computers, and extortion facilitated through computer systems.
Scope extends across five major offense categories recognized by the FBI's Internet Crime Complaint Center (IC3):
- Financial fraud — Business email compromise (BEC), investment fraud, ransomware with financial demands
- Identity-based crimes — Account takeover, credential theft, synthetic identity fraud
- Infrastructure attacks — Denial-of-service attacks, intrusions into critical infrastructure
- Extortion and ransomware — Data encryption for ransom, sextortion, threat-based extortion
- Child exploitation — Online enticement, child sexual abuse material (CSAM) distribution
The IC3's 2023 annual report documented over 880,000 complaints with reported losses exceeding $12.5 billion (IC3 2023 Internet Crime Report), establishing the quantitative scale of the federal reporting intake.
How it works
Federal cybercrime reporting operates through parallel intake systems that do not automatically cross-communicate. A complaint filed with IC3 does not automatically notify CISA, and a CISA report does not substitute for an FBI investigation request. Each channel feeds a distinct process.
Step 1 — Identify the primary harm category. Financial crimes, personal victimization, and infrastructure attacks route differently. The offense type determines the first filing destination.
Step 2 — File with IC3. The FBI's IC3 (ic3.gov) is the primary intake portal for individual and organizational victims of internet-facilitated crime. Complaints are reviewed by FBI analysts and referred to field offices or partner agencies when thresholds for investigation are met.
Step 3 — Report infrastructure or critical system incidents to CISA. The Cybersecurity and Infrastructure Security Agency receives reports of incidents affecting federal civilian executive branch systems and critical infrastructure sectors. CISA's reporting portal is available at cisa.gov/report. The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) establishes mandatory reporting timelines — 72 hours for covered entities experiencing a significant cyber incident, and 24 hours for ransomware payments — once implementing regulations are finalized (CISA CIRCIA overview).
Step 4 — Notify sector-specific regulators where applicable. Financial institutions report to the Financial Crimes Enforcement Network (FinCEN) and, where applicable, to prudential regulators. Healthcare entities experiencing breaches of protected health information notify the HHS Office for Civil Rights under the HIPAA Breach Notification Rule (45 CFR §§ 164.400–414).
Step 5 — Preserve evidence. Federal investigators require logs, email headers, transaction records, and screenshots. Evidence preservation standards align with those described in NIST SP 800-86, Guide to Integrating Forensic Techniques into Incident Response (csrc.nist.gov).
Step 6 — File a local law enforcement report where required. Insurance carriers and identity theft recovery programs frequently require a police report number. Local reports also support FTC identity theft filings at IdentityTheft.gov.
Common scenarios
Business Email Compromise (BEC). Wire fraud initiated through spoofed or compromised executive email accounts is reported to IC3. The FBI's Recovery Asset Team (RAT) operates a Financial Fraud Kill Chain for BEC incidents where funds were transferred within the previous 72 hours — time-sensitive filing materially affects fund recovery probability.
Ransomware attack on an organization. IC3 receives the primary complaint. If the organization operates in a critical infrastructure sector (defined across 16 sectors by Presidential Policy Directive 21), CISA notification is a parallel obligation. The FBI does not endorse ransom payment; both IC3 and CISA maintain ransomware-specific guidance.
Identity theft. The FTC's IdentityTheft.gov generates a personalized recovery plan and an official Identity Theft Report, which carries legal weight with creditors and government agencies. This channel is distinct from IC3 and is the appropriate first step for individual victims.
Online child exploitation. Reports go to the National Center for Missing and Exploited Children (NCMEC) CyberTipline, which is the federally designated reporting mechanism under 18 U.S.C. § 2258A. NCMEC forwards tips to the relevant law enforcement agency.
Data breach affecting consumers. The FTC (ftc.gov) receives reports under its authority over unfair or deceptive practices. State attorneys general may have independent notification obligations under state breach notification laws, which exist in all 50 states.
Decision boundaries
The reporting destination changes based on three classification axes: victim type, offense category, and sector affiliation.
| Axis | Distinguishing Factor | Primary Channel |
|---|---|---|
| Victim type | Individual consumer | FTC / IC3 |
| Victim type | Business or organization | IC3 / CISA |
| Offense category | Financial fraud | IC3 + FinCEN |
| Offense category | Child exploitation | NCMEC CyberTipline |
| Sector affiliation | Healthcare | HHS OCR (HIPAA) |
| Sector affiliation | Critical infrastructure | CISA |
IC3 versus CISA represents the most consequential distinction for organizational reporters. IC3 is investigative intake — it feeds law enforcement action. CISA is operational and defensive — it produces threat intelligence, issues advisories, and coordinates sector-wide response. A ransomware event affecting a hospital network warrants both filings, serving different functions simultaneously.
Reporting to IC3 does not constitute legal disclosure under HIPAA, CIRCIA, or state breach notification laws. Each regulatory framework carries independent timelines, recipient agencies, and documentation requirements. Failure to file under HIPAA's 60-day breach notification window, for instance, is a separate compliance violation from the underlying incident, regardless of any IC3 filing (HHS Breach Notification Rule summary).
For structured context on how cybersecurity service providers are categorized within the broader incident response sector, or to understand the purpose and scope of this directory, the listings and scope pages provide relevant framing. Additional guidance on how to use this cyber safety resource is available for readers orienting to the site's organization.
References
- FBI Internet Crime Complaint Center (IC3)
- IC3 2023 Internet Crime Report
- CISA — Report a Cyber Issue
- CISA — Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA)
- FTC — IdentityTheft.gov
- FTC — Official Site
- HHS Office for Civil Rights — HIPAA Breach Notification Rule
- 45 CFR Part 164 — HIPAA Security and Breach Notification Rules (eCFR)
- FinCEN — Financial Crimes Enforcement Network
- NCMEC CyberTipline
- 18 U.S.C. § 1030 — Computer Fraud and Abuse Act
- [NIST SP 800-86 — Guide to Integrating Forensic Techniques into Incident Response](https://csrc.nist.gov/publications/detail/sp/800-