How to report a scam website in the United States.
A useful report has three things: the full URL, what you can prove, and the right destination. Here's exactly where each kind of scam site actually goes.
Reporting a scam website does two things at once: it protects you, and it protects the next person who would have clicked the same link. Fake sites impersonate banks, retailers, delivery companies, government agencies, and social platforms — some are built to steal passwords, some to steal card numbers, and some to install malware the moment the page loads. Most of them are gone within days, replaced by a near-identical copy on a new domain, which is exactly why a single report rarely feels like it accomplished much on its own.
But reports aren't meant to work one at a time. A report only helps if it contains the right evidence and lands with the right agency or company. A vague message to the wrong inbox does nothing. A specific one, sent to the right place, becomes one data point in a much larger pattern — and it's that pattern, not any single complaint, that gets a page pulled down, a domain registrar notified, or a whole campaign traced back to its infrastructure. The rest of this guide covers what to capture before the page disappears, and exactly which of several destinations actually fits your situation.
Save the full URL first
Copy the complete address straight from the browser bar — not retyped from memory, and not shortened to "the fake Amazon site." Include everything after a "?" if there is one; those parameters often encode which specific campaign, affiliate, or victim batch the link belongs to, and they can help investigators trace the infrastructure behind it, not just the one page you saw. Two links that look identical at a glance — same brand name, same general layout — can point to entirely different operations once you compare the full string.
If the link arrived by text message, email, or a messaging app, save that original message too — including the sender's phone number or email address, not just the text of what it said. Forward or export the message itself rather than paraphrasing it; the routing details attached to a text or email (a short code, a spoofed "From" address, a link-shortener redirect) are often more useful to investigators than the visible words.
Screenshot before it disappears
Scam sites are often disposable by design. Once a page has served its purpose — harvested a batch of logins, collected a run of card numbers — it can go down within hours, sometimes minutes after being reported by someone else, and it's rarely worth waiting to "make sure" before you capture it. Capture the landing page in full, any form asking for personal or payment information, and anything that copies a real brand's logo, color scheme, or layout. If the site walked you through multiple steps — a fake login page followed by a fake payment page, for instance — screenshot every step, not just the first one; investigators and platforms can use the full sequence to identify the kit being used to build the scam. These screenshots are often the only surviving record once the domain is gone.
Note how you found it and when
Where the link came from matters for classification and prioritization. A text message, an email, a social media ad, a search result, a marketplace listing, a QR code on a flyer or parking meter — each of these points to a different kind of campaign and sometimes a different scale of operation. A wave of near-identical texts, for example, usually means an automated, high-volume campaign; a single convincing marketplace listing might point to a more targeted operation working one platform at a time. Recording exactly how you encountered it, along with the date, helps whichever agency receives your report sort it correctly and connect it to related reports faster, without needing to ask you follow-up questions later when the trail has gone cold.
Report to the FTC
The Federal Trade Commission runs the primary US consumer fraud intake at reportfraud.ftc.gov. This is the real, correct channel for reporting scam websites, fake online stores, and phishing attempts, whether or not you lost any money. Reports filed here feed into Consumer Sentinel, a shared database that federal, state, and local law enforcement use to spot patterns across large numbers of victims — a single report rarely triggers an individual investigation on its own, but it's part of what lets investigators see a campaign at scale instead of one isolated complaint. The form walks through the same fields covered above: the URL, how you encountered it, and what happened next, so having that information ready before you start makes the whole process faster.
Report to the FBI's Internet Crime Complaint Center (IC3)
If real financial loss, identity theft, or what looks like organized fraud is involved, file a report with the FBI's Internet Crime Complaint Center at ic3.gov. IC3 is the FBI's dedicated cybercrime reporting channel, and it's the right destination once money has actually moved, sensitive personal data has been handed over, or the operation looks bigger than a single throwaway page. Filing with both the FTC and IC3 isn't redundant — they route to different pipelines and different levels of response.
Report to Google and Microsoft
Beyond law enforcement, the browser makers themselves can act directly on a single report. Google's phishing-report form at safebrowsing.google.com/safebrowsing/report_phish/ feeds Safe Browsing, the system that flags dangerous sites inside Chrome, Firefox, and other browsers that use it. Microsoft's equivalent, at microsoft.com/en-us/wdsi/support/report-unsafe-site-guest, feeds the SmartScreen filter used in Edge. Reporting to both can get a page flagged with a warning inside two of the most widely used browsers, protecting anyone else who clicks the same link before it's taken down entirely.
Notify the real company being impersonated
If the fake site is impersonating a specific bank, retailer, delivery company, or platform, that company almost certainly has its own phishing or abuse reporting channel. Find it by typing the real company's website address yourself and navigating to their security or "report phishing" page — never by using a contact link, phone number, or email address found on the fake site itself, since that "helpline" may just be part of the scam. Brands generally want to know when they're being impersonated; it's often the fastest way to get a convincing copycat taken down, since the company can act on its own hosting provider, domain registrar, and trademark relationships far faster than a government agency can.
If you already entered information
What you do next depends on what you typed in. If you entered card details, contact your card issuer immediately — see our guide on what to do after entering your card on a fake website for the exact steps. If you entered a password, change it right away, and turn on two-factor authentication anywhere you haven't already, starting with your email account. If you entered your Social Security number or other identity documents, start a recovery plan at identitytheft.gov, the FTC's official identity-theft recovery site — it walks through a personalized plan based on exactly what was exposed.
A report template you can actually use
Most reporting forms just need a few plain facts, written clearly. You can copy this directly into the FTC, IC3, or a company's abuse form and fill in the brackets:
"I'm reporting a suspected scam website that impersonates a legitimate organization and requests personal or financial information. Full URL: [paste]. How I found it: [SMS/email/social media/search]. Approximate date: [date]. I can provide screenshots on request."
