Learn · Reporting · Updated June 2026

How to report an online scam

The right order, the right agency, the right realistic expectation. Country guides below.

The universal order (do these in sequence)

1. Your bank or exchange first. Only they can recall a payment or freeze a deposit. The first 24–72 hours are critical.
2. National cybercrime unit second. Adds your case to the dataset that drives takedowns and any prosecution.
3. Platform third. Report the account/link to Meta, Telegram, the registrar, or the App Store — to remove the asset.
4. Community databases fourth. Add the entity to GACS so the next victim is warned within minutes.

By country

🇺🇸United States

IC3 (FBI Internet Crime Complaint Center) — Primary federal path for online crime, including crypto fraud.
FTC ReportFraud.ftc.gov — Consumer-fraud database used by 2,800+ law enforcement agencies.
State Attorney General — For consumer-protection complaints with in-state jurisdiction.
Elder Fraud Hotline 1-833-FRAUD-11 — DOJ hotline for victims 60+.

🇬🇧United Kingdom

Action Fraud — 0300 123 2040 — national fraud reporting centre.
Your bank's fraud line — For payment scams, banks may be required to reimburse under PSR APP rules — report within 13 months.

🇨🇦Canada

Canadian Anti-Fraud Centre (CAFC) — 1-888-495-8501 — national centre, feeds RCMP and partner agencies.
Local police — File a police report alongside CAFC — required by most banks for chargebacks.

🇦🇺Australia

Scamwatch (ACCC) — National consumer-scam reporting body.
ReportCyber — ACSC reporting portal — feeds federal and state police.

🇪🇺European Union

Your national cybercrime unit — Europol maintains a directory of national reporting portals.
National data-protection authority — If personal data was exposed (GDPR Art. 33).

🇮🇳India

National Cybercrime Reporting Portal — 1930 — call within 24 hours for the 'golden hour' bank-freeze chance.

🇵🇭Philippines

PNP Anti-Cybercrime Group — National police cybercrime unit.
NBI Cybercrime Division — Parallel federal investigative path.

Depth: why most reports feel like they go nowhere

National cybercrime units receive millions of reports per year and a small fraction of investigative capacity. Individual small-loss cases are almost never investigated standalone — the math doesn't work. What national centres do is aggregate: a hundred reports against the same wallet, domain or phone number triggers a pattern, which triggers a takedown, which triggers prosecution. The report that feels useless is the one that, joined with 99 others, makes the difference.

The same logic applies to platform takedowns. Meta, Telegram, App Store and registrar abuse teams act on volume and clarity — one well-documented report with screenshots, the URL, and a timestamp beats five vague ones. And community databases like GACS multiply the value: every confirmed report becomes a search result for the next person Googling the same wallet, broker or domain — usually within minutes.

What to include in a useful report

• Identifiers — exact URL, wallet address, phone number, email, social handle.
• Timeline — first contact date, money-movement dates, last contact.
• Money flow — amount, currency, your payment method, the destination (exchange + deposit address, bank + account, gift-card brand + serial).
• Evidence — screenshots of messages, transaction IDs / hashes, the platform context (which app, which site).
• One-sentence summary — what they claimed, what you did, what was lost. This is what triagers read first.

FAQ

How do I report an online scam?

Three reports, in this order: (1) your bank or exchange — to attempt a recall or freeze, this is the only step that can actually recover money; (2) your country's national cybercrime unit (IC3 in the US, Action Fraud in the UK, CAFC in Canada, Scamwatch in Australia, cybercrime.gov.in in India); (3) the platform the scam ran on — Meta, Telegram, the App Store, the registrar — to take the asset down. Add it to community databases like GACS so the next person is warned.

Does reporting actually do anything?

It does two things. First, it triggers possible recovery: bank reports filed quickly (often within 24–72 hours) can sometimes recall payments, and exchange reports can freeze deposit addresses. Second, even when individual recovery fails, the report enters a national dataset that drives takedowns, prosecutions, and pattern detection — the reason a particular phishing kit gets blocklisted at all is because thousands of people reported it.

Should I report a scam even if I didn't fall for it?

Yes — and this is one of the highest-leverage things you can do. Near-miss reports help detection systems flag emerging variants before victims appear. Add the message, link, phone number or wallet to community databases like GACS in under a minute; it costs you nothing and protects the next person.

Will the police actually investigate my report?

Realistically: individual small-loss cases are rarely investigated standalone. National centres aggregate reports and prioritise patterns — a single $400 loss won't open a case, but a hundred reports against the same wallet or domain will. That's why reporting still matters even when it feels futile: you're contributing to the dataset that drives action.

What if the scammer contacts me afterwards offering to 'recover' my money?

Block them. Recovery scams are a multi-billion-dollar industry that targets recent victims, often using lists bought from the original scammers. No legitimate recovery service will contact you out of the blue, ask for upfront fees, or guarantee recovery. The only legitimate paths are your bank, your exchange, and your country's law enforcement.