How do you report a scam website or fraud to the authorities? (the 2026 reporting manual)

Scams are a common part of the internet, but ignoring them only helps them grow. Every report you file helps slow scammers down. It gives authorities more information to track and shut down fraud networks.

So, is reporting a scam website actually effective? Yes. Agencies like the Federal Trade Commission (FTC) and the Federal Bureau of Investigation (FBI), through the Internet Crime Complaint Center (IC3), use these reports to spot patterns and connect cases. This helps them focus on the biggest scams first. While not every report leads to its own case, together reports help these agencies shut down scam websites, catch larger groups, and sometimes recover stolen money.

Reporting isn’t just about trying to get your money back. It helps build cases against scammers and helps authorities take real action. Each report can lead to entire scam operations being shut down, not just one case at a time.

If you’re unsure what qualifies as a scam worth reporting or what details matter most, security solutions like Bitdefender can help you. Bitdefender Scam Protection Pro helps you recognize threats, gather the right evidence, and understand exactly what to report and why, so your action has real impact.

The reporting hierarchy: where to send your evidence first

Reporting scams to the right authority can feel overwhelming. Multiple government agencies handle different types of fraud, and sending your complaint to the wrong place can slow things down or lead to missed opportunities for investigation.

Many people ask: should I report a scam to local police or the FBI? Truth is, it’s often both. Filing a police report creates an official record of the incident, which can be useful for insurance claims or identity theft recovery. At the same time, reporting to federal agencies ensures your case helps larger investigations track and stop scam groups.

To simplify things, here’s where your report should go and why:

• Local police. If the situation is urgent, involves threats, in-person fraud, or identifiable suspects, start here. Even for non-urgent cases, a police report creates documentation that can support bank disputes, insurance claims, or identity theft recovery. However, they typically don’t handle complex, cross-border cybercrime investigations.
• FTC. This is the main online fraud reporting portal for consumer scams, including phishing, fake websites, and identity theft. While it does not investigate individual cases, your report helps authorities detect patterns and take action against widespread fraud. Think of it as feeding intelligence into a national fraud database.
• IC3. Run by the FBI, the organization focuses on online crimes, especially those involving wire transfers, crypto, or significant financial losses. It connects individual complaints to larger investigations, particularly when scams involve organized or international actors. The more detailed your evidence, the more useful your report becomes.
• United States Postal Inspection Service. Use this if the scam involved fraudulent letters, fake prizes, or schemes asking you to send money through postal services. Postal inspectors have federal authority to investigate crimes tied specifically to the mail system.
• Cybersecurity and Infrastructure Security Agency (CISA). CISA handles cyber threats targeting businesses, government systems, and critical systems. This includes ransomware attacks, data breaches, and network compromises. It’s not typically used for individual consumer scams, but essential for organizational-level incidents.

So, the first step when reporting is to start with your local police if the situation is urgent or involves immediate harm. Then, report the scam website to the FTC to ensure it’s logged and tracked. If the incident occurred online or involves financial transfers, report internet fraud to the FBI IC3 by submitting a detailed complaint there as well.

Often, reporting to more than one authority, including organizations like the Better Business Bureau, isn’t redundant. It strengthens your case, creates a clearer record, and helps investigators connect your experience to a much bigger picture.

Gathering the digital evidence: what the authorities need

Each scam or fraud report is only as strong as the evidence behind it. Authorities don’t act on vague descriptions and accusations. They rely on clear proof that helps them trace the source and assess the scale of the fraud. So, what documents do you actually need?

Start with the basics. Save the full URL of the scam website, including any specific pages you interacted with. If money was involved, collect payment confirmations, transaction IDs, wallet addresses (for cryptocurrency payments), or bank transfer details. These are critical for tracking financial flows. Next, gather all communication logs: emails, chat messages, or SMS exchanges with the scammer.

Make sure you include timestamps, sender details, and email addresses. When it comes to emails, also copy the full email headers. They show where the email really came from, which investigators use to find where the message was sent. Most email providers allow you to view and copy these headers through advanced settings.

Reaching out to the website’s hosting provider is often the quickest way to take down a scam website. However, this can be tricky, as scammers often hide behind layers of protection, such as CDNs or privacy shields.

So, the question is how to identify the real hosting provider behind a scam site. Fortunately, security solutions like Bitdefender can reveal this information through threat detection logs, showing server locations, IP addresses, or associated platforms.

Think of everything you collect as part of an evidence pack. The more complete and organized it is, the easier it is for authorities to start the investigation and for hosting providers to take the site down. In many cases, a well-documented report will lead to faster takedowns, helping prevent more people from falling victim.

Reporting to infrastructure: Google, Microsoft, and browsers

When you’re browsing online, you’ve probably seen options to report suspicious ads, websites, or search results. It might seem minor, but this is actually one of the fastest and most effective ways to fight scams.

Reporting directly to tech giants like Google, Microsoft Security Intelligence, or your browser helps flag dangerous sites almost instantly. In many cases, these reports trigger visible warnings for other users, stopping the scam from spreading further. While authorities take time to investigate, this kind of reporting can slow down or even disrupt a scam within hours.

One of the key systems behind this is Google Safe Browsing. It’s a security service used by browsers like Google Chrome, Mozilla Firefox, and Apple Safari to identify unsafe websites. When a site is flagged, users see a red warning screen before they can proceed, clearly stating that the page may be deceptive or harmful.

To report phishing sites to Google, you simply fill out the Safe Browsing form by selecting the threat type, choosing a category like phishing or malware, and pasting the suspicious URL. It only takes a minute, but it feeds directly into a system that protects millions of users.

You can also act even faster by using built-in browser tools. Most modern browsers have a “Report phishing” option right in the menu. In Chrome, click the three-dot menu, go to “Help,” and select “Report a phishing site.” In Firefox, you can right-click the page or use the help menu to report deceptive content. These tools automatically send the page data, including the URL and metadata, to security teams such as Microsoft Security Intelligence for review. Once flagged, the site can be added to blocklists used across multiple browsers and platforms.

The critical next steps: protecting your own perimeter

If you’ve fallen victim to a scam, even after reporting it, you’re not safe yet. The moment you spot the scam, assume your personal data could be exposed and act fast to lock things down.

Start by changing passwords for your most important accounts: your email, the compromised account, banking apps, primary social media, and your password manager (if you use one). Make sure each password is strong and unique. Wherever possible, turn on multi-factor authentication (MFA), and contact your bank right away if any money was involved. They can flag suspicious activity and may help you recover lost funds through a chargeback.

A common question is: how do you know if your data has already been sold? The best tell-tale sign many victims experience is a so-called second wave of attacks, where new scammers start reaching out using the stolen data. This can look like more spam, targeted phishing emails, or repeated login attempts on your accounts. If you’re using breach monitoring systems like Bitdefender Digital Identity Protection, you may also get alerts if your information shows up in known leaks or on dark web marketplaces.

To lock down your digital command center, take a few extra steps while authorities handle the investigation. Review your account recovery options and remove any unfamiliar phone numbers or email addresses. Check active sessions and log out of all devices you don’t recognize. Set up login alerts so you’re notified of any suspicious access in real time.

Finally, consider freezing your credit or setting fraud alerts if sensitive financial or identity data was exposed, especially if documents like your ID or Social Security number were involved.

Visit Bitdefender

How Bitdefender orchestrates your proactive reporting defense

Think of Bitdefender as your first responder. The moment something feels off, it steps in to handle the immediate technical threat so you can focus on the bigger picture, like reporting the scam and protecting your accounts. While authorities build a legal case, Bitdefender helps you take control of the situation right away.

Reporting a scam properly takes time. You have to figure out who to report to, collect solid evidence, and often submit reports to multiple agencies. That’s where Bitdefender acts as your evidence layer, breaking down exactly why a site or message is dangerous so you’re not guessing when you file a report.

One of the most useful features here is Scam Protection Pro. It analyzes suspicious websites in real time, looking at things like code behavior, domain reputation, and known threat patterns. Instead of just saying “this looks shady,” it gives you clear, technical reasons you can include in reports to agencies like the FTC, which makes your submission much stronger.

Then there’s online scam protection, which works proactively in the background. It blocks malicious sites before you even interact with them and can catch newer scam tactics that haven’t fully spread yet. It’s like a safety net that reduces your chances of needing to report anything in the first place.

Bitdefender also covers other common attack angles. Features like Email Protection, Remote Access Protection, and Scam Radar help detect phishing attempts, fake apps, and social engineering tricks across different channels, not just your browser.

Finally, Bitdefender Digital Identity Protection closes the loop. After a scam, the risk doesn’t just disappear. Your data might still be circulating. This tool continuously monitors your accounts and personal data for leaks. If your information shows up somewhere it shouldn’t, you’ll know early and can act fast.

Put simply, Bitdefender handles immediate damage control and technical support, while your reports help authorities pursue the people behind the scam. It’s a two-layer defense: you protect your data now, and authorities work on shutting it down for good.

FAQ