Now criminals have started cloning the FBI’s Internet Crime Complaint Center, spinning up sophisticated lookalike sites to pilfer victims’ data and money. The FBI has issued a public service announcement, cautioning that spoofed versions of its complaint portal are being distributed on the internet — baiting people who might reach out to report fraud.
So why go after the FBI’s own reporting center? Because it’s trusted, and it’s highly motivated traffic — people visit there after a crime. Trade on a fake portal that looks and sounds like a government site, and it could quietly steal your name, address, account number, or cajole you into paying “recovery” or “case processing” fees.
How IC3 spoof websites work and trick victims
Bad actors register domains that appear almost identical to the real thing, perhaps by swapping letters, adding a character, or changing the top-level domain from .gov to something more common. Others leverage international characters that look like English letters, also known as an IDN homograph attack. The result is a page that looks official; it’s got seals and forms and an (apparent) submission button.
Two routes are common: In one, the form requests personal information and your payment under a “verify your report” heading. In the other, victims are approached by so-called “recovery partners” who claim they can retrieve stolen funds — for a fee. The FBI also says it doesn’t work with private recovery companies, will not request money, and does not cold-call victims for more payments.
Why spoofed IC3 complaint portals are a serious threat
The IC3 is a central repository for victims of online crime in the United States. According to the FBI’s most recent Internet Crime Report, last year saw hundreds of thousands of complaints logged by the center, with reported losses in the tens of billions. Phishing and spoofing are the most prevalent types of crime reported to the IC3, and the vast majority of victims report a loss. Business email compromise (BEC) is a type of email attack targeting corporations in which criminals gain access to an employee’s legitimate business email through social engineering or computer intrusion to conduct unauthorized transfers of funds.
The Federal Trade Commission’s Consumer Sentinel Network also monitors the scale of the problem, recording millions of fraud, identity theft, and other reports annually. Compounding the harm is that a fake IC3 portal ultimately channels victims already attempting to do the right thing into giving sensitive data to criminals again.
How to verify the official IC3 site and avoid impostors
- Go direct. Type the IC3’s official .gov URL in your browser’s address bar rather than selecting search results or ads. Sponsored links can be manipulated to elevate impostor sites over legitimate ones.
- Check the domain ending. U.S. federal government websites use the .gov top-level domain, which is run by the Cybersecurity and Infrastructure Security Agency’s DotGov program. If it isn’t .gov, it isn’t the FBI.
- Inspect the address carefully. Pay attention to minor typos, swapped letters, extra punctuation, or strange characters. If something seems awry, it likely is.
- Ignore the padlock icon; it’s not what you think. A lock only indicates that the connection is encrypted, not that the site is trustworthy. If you know how, you can check the site certificate to verify that it was issued to a U.S. government organization.
- Use tools that fight phishing. A password manager will not autofill your credentials on a domain it does not recognize. Current browsers and reputable security suites should alert you to known spoofed sites.
Warning signs of spoofed IC3 sites to notice quickly
- Requests for fees, gift cards, cryptocurrency, or wire transfers to file or expedite a complaint are fraudulent. The FBI never demands payment for reports and does not collect payments on behalf of victims.
- Promises to recover your money or threats of legal action if you don’t pay immediately are classic pressure tactics. That is not how government agencies operate.
- In IC3 reports, textual harassment is a concern, but legitimate agencies will not text to threaten to “hunt you down and kill you.” If in doubt, manually go to the official .gov address and verify.
If you believe you used a fake IC3 site, do this
Secure your accounts immediately. Update email and financial account passwords; turn on multi-factor authentication where available. If you reused passwords, change them wherever they were used.
If you are concerned about fraud, contact your bank or card issuer to put a hold on outgoing payments and monitor transactions. Consider placing a fraud alert or a credit freeze with the national credit bureaus.
Report the incident to the actual IC3 and to the Federal Trade Commission’s resources on identity theft. If you gave your Social Security number or government identification, watch for new account openings and consider additional identity monitoring.
Finally, tell others. Spoofed government sites try to exploit urgency and trust. A prompt warning to neighbors, family, or community groups can prevent the next person from giving up what criminals crave.