How to Report a Cyberattack (FBI IC3 and Beyond)
When your small business is hit by a cyberattack, one question comes up fast: who do you even tell? Reporting a cyberattack can feel intimidating, but it matters — it can help you recover stolen funds, meet legal obligations, and contribute to stopping the criminals. This guide explains where and how to report a cyberattack in the United States, and why each channel matters.
Why reporting matters
Many small businesses never report cyberattacks, assuming nothing will come of it. That is a mistake. Fast reporting can occasionally help recover wired funds before they vanish, it may be required under laws or your insurance policy, and it feeds the intelligence that helps law enforcement disrupt criminal operations and warn others. Reporting also creates an official record that supports insurance claims and demonstrates due diligence to regulators and customers.
The FBI’s IC3: your primary federal channel
For most cybercrime, your primary report goes to the FBI’s Internet Crime Complaint Center (IC3) at ic3.gov. IC3 is the central hub for reporting internet crime to the federal government — phishing, business email compromise, ransomware, fraud, and more. File as much detail as you can: dates, amounts, account numbers involved, email headers, and how the attack unfolded. For wire fraud and business email compromise especially, report immediately, because the FBI’s Recovery Asset Team can sometimes help freeze and claw back fraudulent transfers if you act within a short window.
Act fast on wire fraud — call your bank first
If money was wired to a criminal, time is everything. Call your bank immediately to request a recall or freeze of the transfer, then file with IC3 and ask about the Recovery Asset Team. The first 24 to 72 hours are critical — funds can sometimes be intercepted if banks and the FBI act quickly, but once the money is withdrawn or moved offshore it is usually gone. This single step has saved businesses from catastrophic losses.
The FTC and identity-theft reporting
The Federal Trade Commission (FTC) takes reports of fraud and data theft at reportfraud.ftc.gov, and if customer or employee identities were exposed, IdentityTheft.gov provides recovery resources. The FTC also enforces rules like the Safeguards Rule, so for businesses with data-protection obligations, reporting and documentation matter. These reports help the FTC track and act against widespread scams.
State and industry reporting obligations
Beyond federal channels, you may have state-level obligations. Most states have data-breach notification laws requiring you to notify affected residents — and sometimes the state attorney general — within a set timeframe when personal information is exposed. Regulated industries have their own requirements: healthcare has HIPAA breach reporting, financial firms have their regulators, and some contracts require prompt notification. Know the rules that apply to you before an incident; our guide on what to do after a data breach covers notification duties.
CISA and critical infrastructure
The Cybersecurity and Infrastructure Security Agency (CISA) accepts voluntary reports of cyber incidents and can provide guidance, and reporting to CISA helps protect the broader community. If your business is part of critical infrastructure or you simply want to contribute to national awareness, CISA is a valuable channel. Reporting is increasingly encouraged across all sectors, and new rules continue to expand mandatory reporting for certain entities — so confirm current requirements for your industry.
Don’t forget your insurer and your customers
If you carry cyber insurance, notify your carrier as soon as possible — policies often have strict, short notification deadlines, and your insurer may provide an incident-response team, legal counsel, and breach-notification support. Separately, if customer data was affected, you will likely need to notify those customers, both because the law often requires it and because transparency protects the trust your business depends on.
What to have ready when you report
Reports go faster and carry more weight when you bring the details. Before you file with IC3 or call your bank, gather what you can: the dates and times the incident occurred and was discovered; the dollar amounts and any account, routing, or wire-transfer numbers involved; the email addresses, names, and any phone numbers the attacker used; copies of the malicious emails with their full headers; and a short written timeline of what happened and what you have done so far. For wire fraud, have your own bank account details and the recipient bank information ready so a recall request can move immediately. The more complete your report, the better the odds that investigators — or your bank’s fraud team — can actually act on it.
Put it in your incident response plan
The time to figure out who to call is before an attack, not during the chaos. Build the reporting steps — bank, IC3, FTC, state AG, insurer, customers — into your incident response plan with names, numbers, and deadlines, so your team can act in minutes rather than scrambling. If you want help building that plan or navigating a live incident, Veteran Forge Strategies works with small businesses on exactly this. Confirm current reporting requirements with official sources, as obligations change.
Key takeaways
- Report most cybercrime to the FBI’s IC3 (ic3.gov) with as much detail as possible.
- For wire fraud, call your bank immediately and report fast — the first 24–72 hours can mean recovery.
- Use the FTC (reportfraud.ftc.gov) for fraud and identity theft, and check state breach-notification laws.
- Notify your cyber insurer promptly — policies have short deadlines and provide real help.
- Build all reporting contacts and deadlines into your incident response plan in advance.
Frequently asked questions
Where do I report a cyberattack? Start with the FBI’s IC3 at ic3.gov; for wire fraud also call your bank immediately, and report fraud to the FTC at reportfraud.ftc.gov.
Can reporting help me get my money back? Sometimes — for wired funds, fast reporting to your bank and the FBI’s Recovery Asset Team can occasionally freeze or recover the transfer if you act within days.
Am I legally required to report a breach? Often yes — most states require notifying affected individuals, and regulated industries have additional rules. Check the requirements that apply to your business.