The FBI has issued a consumer alert after discovering cybercriminals are creating fake versions of its Internet Crime Complaint Center (IC3) website. The IC3 platform is one of the most important tools for reporting online scams, but now attackers are using convincing clones of the site to harvest sensitive personal data from unsuspecting victims.
How the Spoofed IC3 Websites Work
The FBI’s public service announcement (PSA) explains that spoofed websites are designed to closely mimic the real IC3 site but often contain subtle red flags. These can include slightly misspelled URLs, use of different top-level domains, low-quality graphics, or suspicious forms.
When victims try to submit what they think is a legitimate cybercrime report, the information they enter is captured by criminals. This allows threat actors to collect names, home addresses, emails, phone numbers, and even banking details. Once in the wrong hands, this personally identifiable information (PII) can be used to commit identity theft, financial fraud, or targeted phishing and social engineering attacks.
Rising Cases of IC3 Impersonation Scams
The problem is growing. Between December 2023 and February 2025, the FBI received over 100 reports of IC3 impersonation scams. Many involved fraudsters contacting victims on social media, promising to help them recover lost funds, and then directing them to spoofed “recovery service” sites that demanded payment.
This makes victims suffer twice — once from the original scam and again when they are tricked while trying to report it.
How to Recognize a Fake IC3 Website
The FBI offers clear guidance to spot fake websites:
- Verify the Domain: The official IC3 website uses a .gov domain and HTTPS connection: https://www.ic3.gov/.
- Type URLs Directly: Always type “www.ic3.gov” into the browser address bar rather than clicking search engine results.
- Avoid Sponsored Links: Paid search results are often used by scammers to redirect victims to malicious sites.
- Look for HTTPS and Lock Icons: A secure .gov site will always display “https://” and a padlock symbol in the address bar.
What the IC3 Will Never Do
The FBI also reminds users of what IC3 will not do:
- It will not ask for payment to recover stolen funds.
- It will not refer victims to third-party companies requesting payment.
- It does not maintain any social media presence.
- It will never directly contact individuals by phone, email, social media, or messaging apps.
Any communication claiming otherwise is fraudulent and should be ignored or reported.
Steps to Report and Submit a Strong Complaint
If you need to file a complaint, go to the official IC3 site: www.ic3.gov. The FBI recommends gathering as much detail as possible before filing, including:
- Names, aliases, and contact details of the scammer
- Screenshots, URLs, and methods of communication used
- Detailed description of the interaction
- Financial transaction details such as dates, amounts, payment methods, account numbers, bank name and address, or cryptocurrency wallet addresses
The more detail you provide, the better investigators can trace the fraud and potentially assist in recovery efforts.
Protective Measures to Reduce Risk
Beyond avoiding spoofed sites, the FBI urges internet users to adopt basic security practices:
- Never share sensitive information with strangers or people you have only met online.
- Do not send money, gift cards, cryptocurrency, or other assets to unknown individuals.
- Use strong, unique passwords and enable multi-factor authentication where possible.
- Monitor financial accounts regularly for suspicious activity.
Key Takeaway
Spoofing the IC3 website is a malicious tactic designed to exploit those seeking help. A simple habit of manually typing the IC3 address, verifying the .gov domain, and avoiding sponsored links can prevent additional harm. Anyone who suspects they used a spoofed site should immediately report it to the real IC3, notify their bank, and consider placing fraud alerts or credit freezes.
