Scammers are impersonating the FBI to steal your personal data

Been scammed? Hoping to report it to the FBI? Definitely do so, but be careful. Spoofed versions of the FBI’s Internet Crime Complaint Center (IC3) website are now circulating online, and they lead straight back to the scammers.

The FBI issued an advisory last week, warning that cybercriminals are setting up fake versions of their site to tempt people into entering their personal information:

“Members of the public could unknowingly visit spoofed websites while attempting to find FBI IC3’s website to submit an IC3 report.”

Criminals spoof legitimate sites like the IC3 portal using techniques including ‘typosquatting’. They’ll create web domains that look like the target, but have subtle differences in the URL. They’ll often misspell or add characters to a domain name, which can deceive users attempting to report cybercrime incidents.

The IC3 is the primary hub for cybercrime reporting in the US, and its services are now in high demand. According to the 2024 IC3 Crime Report, victims filed 859,532 complaints with it last year, totalling $16.6 billion in losses (up a third from 2023).

Criminals recognize that victims seeking help are often vulnerable to secondary attacks. After all, they already got caught out once, and are likely already at an emotional disadvantage. So they often succeed in attracting those victims to fake portals like these, with a view to scamming them again. A distracted or distraught victim can often hand over their sensitive data for a second time, including names, addresses, phone numbers, email addresses, and banking information.

This threat follows a disturbing pattern of law enforcement impersonation lately. In April this year, the FBI reported that criminals were targeting victims via social media, emails, and phone calls. In some cases, scammers would use fake social media accounts to approach members of fraud victim groups, convincing them that their funds had been recovered.

Attackers often impersonate law enforcement directly. In March, the FBI Philadelphia Field Office reported that scammers were routinely spoofing authentic law enforcement and government agency phone numbers to extort money from victims. A 2023 NPR investigation revealed how criminals leverage caller ID spoofing and voice cloning technology to impersonate real US Marshals.

As far back as 2022, the FBI reported that people were impersonating its officials. In one particularly nasty scenario, people were being duped by romance scammers, and when they became wise to the trick and cut communications, the organization behind the scam would contact them pretending to be a government official asking for help to catch romance scammers. Or they would tell the victim that they need to clear their name, which has been linked to a crime.

If you do fall victim to this kind of fraud, it’s far from certain that you’ll get your money back. The IC3’s 2024 report documents the Recovery Asset Team’s efforts to combat fraud through the Financial Fraud Kill Chain, which achieved a 66% success rate freezing cash from fraudulent transactions. According to that report, the average victim to online crime lost almost $20,000.

How to protect yourself

The main thing to remember is that IC3 employees will never contact you directly via phone, email, or social media, and will never request payment for fund recovery. If someone recommends that you visit a site for fund recovery, take that recommendation with several swimming pools-worth of salt.

If you suspect you’ve already been scammed, then quick reporting is key. Stop talking to the scammers immediately and get in touch with the IC3 now. Do that by typing the www.ic3.gov web address directly into your browser rather than relying on someone else’s link or a search result.

All online crime is nasty, but this portal scam is particularly horrid, because it often targets people who have already been hit once. As always, check in with your less-tech-savvy friends and relatives to ensure they haven’t fallen victim to something like this, especially if they’re older. One infuriating stat from the IC3 report is that the older the victim, the greater the loss.

We don’t just report on scams—we help detect them

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!