Cybercrime Reporting Resources in the US

Cybercrime reporting in the United States is distributed across a network of federal, state, and sector-specific channels, each with defined jurisdiction and intake procedures. Understanding which agency receives which category of complaint determines whether a report reaches investigators with actual authority to act. This reference maps the principal reporting infrastructure, the types of incidents each channel handles, and the structural boundaries that govern where a report belongs. Practitioners managing cybersecurity reporting obligations will find the agency landscape here organized by function and jurisdiction.

Definition and scope

Cybercrime reporting resources are the formal mechanisms through which individuals, organizations, and government entities document and route reports of computer-related offenses to law enforcement or regulatory bodies with jurisdiction to investigate or respond. The scope spans consumer fraud, network intrusion, ransomware, business email compromise, critical infrastructure attacks, and crimes involving minors online.

At the federal level, jurisdiction is allocated by statute and agency mandate. The Internet Crime Complaint Center (IC3), operated by the Federal Bureau of Investigation, serves as the primary national intake point for internet-facilitated crimes (IC3, FBI). The Cybersecurity and Infrastructure Security Agency (CISA) receives reports of cyber incidents affecting critical infrastructure and coordinates response under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) (CISA). The Federal Trade Commission (FTC) administers ReportFraud.ftc.gov for consumer-facing fraud, identity theft, and phishing schemes (FTC).

State attorneys general and state-level fusion centers hold parallel jurisdiction for crimes violating state computer fraud statutes. The 50-state patchwork of breach notification laws, catalogued through resources such as State Cybersecurity Laws by State, creates additional mandatory disclosure obligations that operate alongside, but are legally distinct from, law enforcement reporting.

How it works

Federal cybercrime reporting follows intake, triage, and referral phases:

Intake — A complaint or incident report is submitted through a designated portal. IC3 accepts structured complaint submissions online. CISA accepts incident reports via its 24/7 hotline (1-888-282-0870) and the online reporting form at cisa.gov/report. The FTC's Consumer Sentinel Network aggregates fraud reports from ReportFraud.ftc.gov and partner agencies.
Triage — Agencies screen submissions for jurisdiction, severity, and actionability. IC3 analysts assess whether a submission meets thresholds for federal investigation referral or should be routed to state and local law enforcement. CISA triage focuses on whether the incident affects sectors designated under Presidential Policy Directive 21 (PPD-21), which identifies 16 critical infrastructure sectors.
Referral and coordination — IC3 shares complaint data with more than 4,000 law enforcement and regulatory partners. CISA coordinates with sector-specific agencies (SSAs) such as the Department of Energy for the energy sector or the Department of Health and Human Services for healthcare, both of which carry independent reporting obligations. Organizations operating under the healthcare cybersecurity requirements framework face parallel HIPAA breach notification requirements to HHS alongside any law enforcement report.
Feedback and case tracking — IC3 issues an annual Internet Crime Report aggregating complaint volume and financial losses by crime type. The 2023 IC3 report documented $12.5 billion in reported losses, the highest total in the program's history (IC3 Annual Report 2023).

Sector-specific agencies maintain supplementary reporting channels. Financial institutions regulated by the Financial Crimes Enforcement Network (FinCEN) file Suspicious Activity Reports (SARs) for cyber-enabled financial crimes under the Bank Secrecy Act (FinCEN). Defense contractors operating under CMMC or DFARS obligations must report cyber incidents to the DoD's Defense Industrial Base (DIB) Cybersecurity program within 72 hours of discovery, as detailed in government contractor cybersecurity requirements.

Common scenarios

The following incident categories illustrate how reporting channel selection functions in practice:

Business Email Compromise (BEC) — Reported to IC3. BEC accounted for $2.9 billion in 2023 IC3 complaint losses (IC3 Annual Report 2023). If funds were transferred, the IC3 Financial Fraud Kill Chain (FFKC) process enables coordination with financial institutions to attempt fund recovery within 72 hours.
Ransomware affecting critical infrastructure — Reported to both CISA and IC3. CIRCIA mandates covered entities report substantial cyber incidents within 72 hours and ransom payments within 24 hours; implementing regulations remain under development by CISA as of the statute's 2022 enactment. Organizations managing ransomware defense resources should maintain reporting templates aligned to both channels.
Identity theft and consumer fraud — Reported to the FTC via IdentityTheft.gov or ReportFraud.ftc.gov. The FTC operates the Consumer Sentinel Network, which shares reports with over 3,000 law enforcement partners.
Child exploitation material (CSAM) — Reported to the National Center for Missing and Exploited Children (NCMEC) CyberTipline, which is federally mandated under 18 U.S.C. § 2258A for electronic service providers. NCMEC routes tips to the FBI and appropriate state law enforcement.
Election-related cyber threats — Reported to CISA's election security team and the FBI's election crimes unit. State election authorities maintain parallel intake points documented under election security resources.

Decision boundaries

Selecting the correct reporting channel requires matching incident characteristics to agency jurisdiction along three axes:

Victim type vs. crime type — IC3 handles complaints from individuals and organizations regardless of sector. CISA prioritizes critical infrastructure entities. The FTC prioritizes consumer protection violations. An individual victim of a phishing scheme routes to IC3 and the FTC; a hospital experiencing a network intrusion routes to IC3, CISA, and HHS (under HIPAA).

Civil vs. criminal — Law enforcement channels (FBI/IC3, Secret Service, local prosecutors) handle criminal conduct. Regulatory agencies (FTC, SEC, HHS Office for Civil Rights) handle compliance violations that may lack criminal thresholds. A data breach exposing health records triggers both HHS OCR notification (regulatory) and potentially an IC3 report (criminal referral) — these are parallel obligations, not alternatives.

Voluntary vs. mandatory — IC3 complaints from non-covered entities are voluntary. CIRCIA reporting for covered critical infrastructure entities is mandatory once implementing rules are final. HIPAA breach notification to HHS is mandatory within 60 days of discovery for breaches affecting 500 or more individuals (HHS Breach Notification Rule, 45 CFR §164.400–414). FinCEN SARs are mandatory for covered financial institutions. The distinction between voluntary and mandatory reporting determines legal exposure for non-reporting, a distinction explored further in federal cybersecurity compliance requirements.

The Secret Service also operates a parallel investigative channel focused on financial crimes and network intrusions through its network of Cyber Fraud Task Forces — a distinct intake path from IC3 that applies when financial system compromise is the primary harm.

References

📜 4 regulatory citations referenced · 🔍 Monitored by ANA Regulatory Watch · View update log

Explore This Site

Regulations & Safety Regulatory References Tools & Calculators Password Strength Calculator