Cybercrime Reporting Resources in the US

The United States maintains a distributed network of federal, state, and sector-specific agencies responsible for receiving, triaging, and acting on cybercrime complaints. Understanding which agency handles which category of cybercrime — and how those intake processes are structured — is essential for victims, legal professionals, and security practitioners navigating the post-incident landscape. This page maps the primary reporting channels, their jurisdictional scope, and the factors that determine where a given incident should be directed. The Digital Security Providers on this site document service providers operating across these same sectors.


Definition and scope

Cybercrime reporting in the US encompasses the formal submission of incident information to authorized government bodies with jurisdiction to investigate, refer, or act on digital offenses. These offenses range from unauthorized computer access under 18 U.S.C. § 1030 (the Computer Fraud and Abuse Act) to financial fraud, identity theft, ransomware, and critical infrastructure attacks.

The reporting ecosystem is not monolithic. Jurisdiction is distributed across:

The FBI's Internet Crime Complaint Center (IC3) serves as the primary federal intake point for the general public and businesses. In fiscal year 2022, IC3 received 800,944 complaints with reported losses exceeding $10.3 billion (IC3 2022 Internet Crime Report), marking it the single largest civilian cybercrime reporting volume in the agency's history at that time.



How it works

Cybercrime reporting follows a structured triage model regardless of which agency receives the complaint. The general flow breaks into four phases:

  1. Intake — The complainant submits a report through an agency-designated portal or hotline. IC3 uses a web-based form; the FTC uses ReportFraud.ftc.gov. Financial institutions may report directly to FinCEN via the Bank Secrecy Act E-Filing System.

  2. Triage and classification — Submissions are reviewed against jurisdictional thresholds. Federal agencies prioritize cases involving national security, critical infrastructure, organized criminal networks, or losses above specific dollar thresholds. The FBI's cyber division focuses on cases with systemic or national-security implications.

  3. Referral or escalation — IC3 analysts route complaints to appropriate FBI field offices, state authorities, or partner agencies. Not every complaint triggers an active federal investigation; the agency's published guidance notes that submission establishes a formal record and contributes to aggregate threat intelligence.

  4. Enforcement or civil action — The FTC and state attorneys general can initiate civil enforcement under statutes like the FTC Act (15 U.S.C. § 45) for deceptive or unfair practices tied to data security failures. Criminal prosecution is coordinated through the Department of Justice's Computer Crime and Intellectual Property Section (CCIPS).

CISA (Cybersecurity and Infrastructure Security Agency) operates a separate reporting channel for critical infrastructure incidents under its mandate established by the Cybersecurity and Infrastructure Security Agency Act of 2018. CISA's report form handles incidents affecting sectors classified under Presidential Policy Directive 21 (PPD-21).


Common scenarios

Different cybercrime categories route to different agencies based on the nature of the offense, the victim type, and the applicable statute:

Business Email Compromise (BEC): Route to IC3. BEC was the highest-loss category in IC3's 2022 report, accounting for $2.7 billion in adjusted losses (IC3 2022 Internet Crime Report).

Identity theft: Report to the FTC via IdentityTheft.gov, which generates a personal recovery plan and official report. The FTC coordinates with the Social Security Administration and credit bureaus.

Ransomware against critical infrastructure: CISA and the FBI both request notification. CISA's ransomware guidance, published at StopRansomware.gov, is maintained jointly with FBI and NSA.

Healthcare data breaches: Entities covered by HIPAA must notify HHS Office for Civil Rights (OCR) within 60 days of discovery of a breach affecting 500 or more individuals, per 45 C.F.R. § 164.408. The HHS breach portal is maintained at hhs.gov/hipaa/for-professionals/breach-notification.

Financial fraud and wire fraud: The Secret Service's Electronic Crimes Task Forces handle financial cybercrime with bank or wire fraud elements. Reports can also be submitted to FinCEN via Suspicious Activity Reports (SARs) for institutions covered by the Bank Secrecy Act.


Decision boundaries

Selecting the correct reporting channel is a function of victim type, offense category, and urgency — not personal preference. The distinctions below govern practical routing:

IC3 vs. FTC: IC3 is law-enforcement-oriented and feeds FBI databases; it handles criminal offenses including hacking, fraud, and extortion. The FTC handles consumer protection matters — deceptive practices, unwanted contact, and identity theft — and builds civil enforcement cases rather than criminal referrals.

CISA vs. FBI: CISA focuses on infrastructure resilience and situational awareness; reporting to CISA shares threat indicators with the broader critical infrastructure community. FBI reporting initiates a potential criminal investigation. For ransomware incidents affecting hospitals, utilities, or financial systems, parallel reporting to both is standard practice per joint advisories.

State vs. federal: State attorneys general and state police cybercrime units are the appropriate first contact for incidents that are geographically localized, below federal thresholds, or governed by state-specific data breach notification statutes. As of 2023, all 50 states have enacted data breach notification laws (NCSL State Security Breach Notification Laws), though thresholds, timelines, and covered data types vary by jurisdiction.

Practitioners cross-referencing service providers in this sector can consult the Digital Security Providers or review guidance on how to use this digital security resource for navigation within the broader provider network.



References