Forbes contributors publish independent expert analyses and insights.
Republished on September 23 with more details on these malicious websites.
The FBI has issued multiple warnings over the last year, as fake websites steal millions of dollars from citizens. These have included holiday discount websites, charity websites after emergencies and disasters, even fake document converters. But the FBI's latest warning is a surprise. No one is safe from attack -- not even the bureau itself.
"Threat actors are spoofing the FBI Internet Crime Complaint Center () government website," the bureau warned on September 19. The www.ic3.gov website is included in all the bureau's warnings as attacks and scams surge across the U.S. It's a reporting and information tool. But now it's being faked for "possible malicious activity."
Once threat actors trick you into using the wrong website, they can initiate a range of scams -- soliciting payment, stealing login credentials, even pushing malicious software downloads. Stolen data can include a person's "name, home address, phone number, email address, and banking information." It's a honeypot.
The irony here is that "members of the public could unknowingly visit spoofed websites while attempting to find FBI IC3's website to submit an IC3 report," the FBI says.
The bureau's guidance is simple:
The FBI also stresses it "will never ask for payment to recover lost funds, nor will IC3 refer someone to a company requesting payment for recovering funds." This follows multiple warnings as attackers impersonating federal, state and local law enforcement have demanded payment to avoid arrest or for outstanding fines.
This advisory follows prior warnings where attacks have used social media lures to trick users into visiting fake IC3 websites "to assist in recovering funds." The bureau confirms that "IC3 does not maintain any social media presence."
The FBI asks internet users to "report any interactions with websites or individuals impersonating IC3." To do so, it says, just visit IC3 at www.ic3.gov. Clearly, you'll need to be very sure you are using the right website before you do so.
Meanwhile, more details on the spoofing of the FBI's IC3 website have now come to light, courtesy of Cybersecurity News, "Beginning in mid-September 2025, victims attempting to access IC3's official portal were redirected to fraudulent domains crafted to mirror the legitimate site." Website visitors who "entered personal data found their information harvested for identity theft and financial fraud."
The fake websites included "look-alike URLs -- such as 'ic3-gov.com' and 'ic3gov.org' -- and reproduced authentic branding, including the FBI seal and IC3 banner."
The website reports that "IC3 analysts identified thefirst wave of these fraudulent sites on September 18, 2025, when multiple reports surfaced of visitors receiving deceptive emails purportedly confirming IC3 report submissions. Those messages contained links that led to cloned pages demanding extensive personally identifiable information (PII)."
The fake websites deployed "phishing and client-side scripting" which then "intercepted the legitimate form's submit event, rerouting user inputs to an exfiltration endpoint before allowing the browser to proceed or display a generic error."
The lesson here is while no one is above reach, it's all too easy for bad actors to impersonate any organization efficiently and effectively.