Scammers have built fake copies of the FBI’s Internet Crime Complaint Center website to harvest names, addresses, phone numbers, email addresses, and banking details from people who believe they are reporting fraud. The FBI published a public service announcement on Sept. 19, 2025, warning that threat actors are spoofing the official IC3 portal and using the counterfeit sites to facilitate monetary scams. The scheme turns the federal government’s primary cybercrime‑reporting tool into bait, catching victims at the exact moment they seek help.
Spoofed IC3 sites exploit trust in the FBI’s own reporting system
The Sept. 19 alert describes a straightforward but effective tactic. Threat actors create websites that closely mimic the look and URL structure of the real IC3 portal, according to the FBI’s notice on spoofed IC3 pages. The FBI’s own guidance on spoofing and phishing explains that attackers alter URLs by small changes, swapping a single letter or adding a subdomain that looks official at a glance. People who land on these fakes may hand over the very personal and financial data they were trying to protect by filing a complaint.
This website‑spoofing campaign did not appear in a vacuum. An earlier FBI public service announcement, designated I‑041825‑PSA, documented a related tactic: scammers calling or emailing people while impersonating IC3 staff and promising to recover funds lost in prior fraud. The bureau received more than 100 reports of that employee‑impersonation scheme between December 2023 and February 2025. Taken together, the two alerts show criminals working both sides of the IC3 brand, cloning the website and posing as its staff to re‑victimize people who already lost money.
The real IC3 homepage now displays a prominent notice reading “Scammers are Impersonating the IC3,” directing visitors to verify they are on the authentic complaint.ic3.gov domain before entering any information. That warning, visible on the official IC3 site, signals how seriously the bureau treats the threat to its own intake pipeline.
How fake recovery promises and cloned portals feed the same fraud cycle
The two FBI alerts, read side by side, reveal a feedback loop. A person who falls victim to an online scam may search for the IC3 site to file a complaint. If that search leads to a spoofed portal, the victim enters sensitive data into a criminal‑controlled form. The attackers then possess enough personal detail to contact the victim again, this time posing as IC3 staff and offering to help recover the original losses. Each stage of the cycle generates new data and new money for the scammers while eroding the victim’s ability to distinguish real federal outreach from fraud.
The spoofed sites also let criminals refine their targeting. A fake complaint form can ask for details that a genuine cybercrime report would contain-transaction amounts, bank names, account numbers, cryptocurrency wallet addresses, and copies of identity documents. That information is valuable not only for immediate theft, but for follow‑on schemes such as opening accounts in the victim’s name or crafting more convincing social‑engineering scripts.
The FBI has not disclosed how many spoofed IC3 domains it has identified or how many people submitted information to fake portals rather than the legitimate complaint.ic3.gov form. Without those numbers, there is no way to measure whether the spoofing campaign has reduced the volume of genuine complaints reaching the bureau. A reasonable concern, however, is that publicity around the fakes could discourage some fraud victims from filing at all, worried that any IC3‑branded page might be a trap. If that chilling effect takes hold, it would weaken the data the FBI relies on to track cybercrime trends and allocate investigative resources.
Open questions and what to do before filing an IC3 complaint
Several gaps in the public record limit a full assessment of the threat. The FBI has not published technical indicators, such as specific spoofed domain names or IP addresses, that would let security researchers or internet service providers block the fakes in real time. The bureau has also not explained how much overlap exists between the website‑spoofing cases flagged in the September alert and the more than 100 employee‑impersonation reports tallied in the April alert. Whether the same criminal groups run both operations or whether separate actors simply exploit the same brand remains unclear.
No official statistics show how many victims entered data into a spoofed portal versus the real one, so the scale of personal information already compromised through this channel is unknown. The FBI’s annual IC3 reports, which tally complaint volumes and dollar losses, could eventually reveal whether legitimate filings dipped during the months the spoofed sites were active, but the most recent annual data predates the September warning. Until updated figures are available, outside observers can only infer impact from the bureau’s decision to issue dedicated public service announcements and to add a front‑page warning to the IC3 website.
For anyone who needs to report a cybercrime right now, the single most important step is to verify the URL before typing anything. The authentic complaint form lives at complaint.ic3.gov, reached either directly or via links from ic3.gov or fbi.gov. Manually entering that address, rather than clicking a link from an email, text message, social‑media post, or search‑engine ad, sharply reduces the risk of landing on a copycat. Typing “https://complaint.ic3.gov” into the browser bar and checking for the padlock icon and a valid security certificate are simple but powerful checks.
The FBI also stresses that IC3 employees will never contact victims to request banking information, remote‑access software, or payment as a condition of recovering lost funds. Any such request is itself a scam, regardless of how convincing the caller, email, or website appears. People who receive unsolicited communications claiming to be from IC3 should hang up or stop responding, look up contact information independently on fbi.gov or ic3.gov, and, if appropriate, submit a new complaint describing the attempted impersonation.
Basic digital‑hygiene steps can further limit exposure. Saving the correct IC3 address as a bookmark, keeping browsers and security software up to date, and treating any unexpected pop‑ups or redirects as red flags all make it harder for spoofed portals to succeed. Organizations that regularly advise clients to file IC3 complaints-such as banks, law firms, and local police departments-can help by distributing the verified URL and warning that look‑alike sites are circulating.
The next development to watch is whether the FBI releases domain‑level takedown data or partners with browser and search‑engine companies to flag spoofed IC3 pages before users reach them. Public statistics on how many fraudulent domains have been identified and disabled would clarify whether this is a small, quickly contained problem or a persistent, large‑scale abuse of a critical reporting channel. Until then, the safest course for potential complainants is to assume that convincing counterfeits exist and to treat every step between opening a browser and submitting a cybercrime report as an exercise in verification.
More from Morning Overview
*This article was researched with the help of AI, with human editors creating the final content.
