Reporting Phishing to IC3, FTC, and Authorities

Reporting phishing is not just administrative housekeeping — it directly disrupts criminal operations. The FBI’s IC3 received 859,532 cybercrime complaints in 2024, and the intelligence gathered from these reports enabled the IC3’s Recovery Asset Team to freeze $561 million in fraudulent transfers. Every report contributes to pattern detection, takedown operations, and prosecution.

Despite this, the vast majority of phishing attempts go unreported. Estimates suggest fewer than 15% of phishing victims file formal complaints. This guide covers exactly where and how to report phishing to maximize impact.

Where to Report: The Complete Directory

FBI Internet Crime Complaint Center (IC3)

What to report: All phishing attacks resulting in financial loss, credential theft, identity theft, or business email compromise.

How to report:

1. Visit ic3.gov
2. Click “File a Complaint”
3. Provide victim information (individual or business)
4. Describe the incident with as much detail as possible
5. Include financial information if money was lost
6. Attach relevant evidence (screenshots, email headers)

What happens next: IC3 analysts review complaints, identify patterns, and refer cases to appropriate FBI field offices and law enforcement partners. For BEC cases involving wire transfers, IC3’s Recovery Asset Team works with financial institutions to freeze funds — time is critical, so report within 72 hours of a fraudulent transfer.

Federal Trade Commission (FTC)

What to report: Phishing scams, identity theft resulting from phishing, and deceptive practices.

How to report:

1. Visit reportfraud.ftc.gov
2. Select the category that matches your experience
3. Provide details about the scam
4. For identity theft specifically, use identitytheft.gov for a personalized recovery plan

What happens next: FTC reports feed into the Consumer Sentinel Network, a database used by over 2,800 law enforcement agencies. While the FTC does not resolve individual complaints, aggregate data drives enforcement actions against major scam operations.

CISA (Cybersecurity and Infrastructure Security Agency)

What to report: Phishing targeting critical infrastructure, government agencies, or involving sophisticated threat actors.

How to report:

• Email: [email protected]
• Phone: 1-888-282-0870
• Online: cisa.gov/report

CISA is particularly interested in phishing campaigns targeting multiple organizations in a sector, attacks using novel techniques, and incidents involving critical infrastructure.

Anti-Phishing Working Group (APWG)

What to report: Any phishing email, regardless of whether you clicked or lost money.

How to report: Forward the phishing email as an attachment (not inline) to [email protected].

APWG analyzes reported phishing to produce its quarterly Trends Reports, which documented 3.8 million attacks in 2025. Your report contributes to the global understanding of phishing trends.

Email Provider Reporting

Provider	Method
Gmail	Click three-dot menu > “Report phishing”
Outlook	Select message > “Report” > “Report phishing”
Yahoo Mail	Click three-dot menu > “Report phishing”
Apple iCloud Mail	Move to Junk, then report to [email protected]

Provider reports train spam and phishing filters that protect billions of users.

ISP and Hosting Provider Reporting

If you can identify the hosting provider of a phishing site (using WHOIS lookup), report abuse to their abuse contact. Most hosting providers have [email protected] addresses and will take down phishing sites within hours. See our reporting to ISPs guide for the process.

What Information to Collect Before Reporting

Gather the following before filing any report:

1. Full email headers — see our email header analysis guide for extraction methods
2. Screenshots of the phishing email and any phishing websites
3. URLs — the actual links (hover to reveal, do not click)
4. Sender information — full email address and display name
5. Timeline — when the message was received, when (if) you clicked, what information was entered
6. Financial details — amounts, account numbers, transaction IDs if money was sent
7. Any reference numbers from initial reports to other agencies

Reporting for Organizations

Internal Reporting

Forward suspicious emails to your security team or designated phishing inbox (typically [email protected] or [email protected]). Most organizations use phishing report button plugins (like KnowBe4’s Phish Alert Button or Microsoft’s Report Message add-in) that automate evidence collection.

Do not forward phishing emails to colleagues as warnings — this spreads the malicious content. Instead, alert your security team and let them issue a sanitized advisory.

Incident Response Integration

Phishing reports should feed directly into your incident response process. When a report indicates someone clicked a link or entered credentials, the response shifts from awareness to containment:

1. Isolate affected accounts
2. Reset compromised credentials
3. Check for unauthorized access or forwarding rules
4. Scan endpoints for malware
5. See our credential compromise response guide for the full checklist

Sector-Specific Reporting

• Healthcare: Report HIPAA-related phishing to HHS Office for Civil Rights (ocrportal.hhs.gov)
• Financial services: Report to FinCEN and your primary regulator
• Education: Report to your institution’s CISO and the REN-ISAC

See our sector-specific guides for healthcare, finance, and education.

Common Reporting Mistakes

Deleting the evidence. Do not delete phishing emails before reporting. If you already deleted one, check your trash folder.

Reporting only after financial loss. Report phishing attempts even if you did not click or lose money. Attempt data is valuable for pattern detection.

Waiting too long. For BEC wire fraud, the IC3 Recovery Asset Team’s success rate drops dramatically after 72 hours. Report immediately.

Filing only one report. Report to multiple agencies — IC3, FTC, your email provider, and the impersonated organization. Each serves a different function.

Key Takeaways

• IC3 is the primary federal reporting channel; their Recovery Asset Team has frozen hundreds of millions in fraudulent transfers
• FTC reports feed a database used by 2,800+ law enforcement agencies
• Forward phishing emails as attachments to [email protected]
• Collect headers, screenshots, and URLs before reporting
• Report within 72 hours for best recovery chances on financial fraud
• Report attempts even without financial loss — every report strengthens pattern detection

For the complete phishing defense framework, see our phishing recognition and reporting guide.

Sources

• FBI IC3 Annual Reports
• FTC ReportFraud.gov
• CISA Phishing Guidance: Stopping the Attack Cycle at Phase One

This content is for educational purposes only. If you have experienced financial loss from phishing, report to ic3.gov immediately and contact your financial institution.