Report

Where to report phishing or an online scam?

The appropriate reporting channel depends on the country, the type of incident and whether money was lost or an account was compromised. Preserve evidence first, then use the official channels of the national CERT/CSIRT, bank, payment provider, consumer protection authority or law enforcement agency.

Preserve evidence first

Do not delete the message, payment history or suspicious shop account before saving evidence that may help your bank, national CSIRT, payment provider or law enforcement agency.

What to prepare before reporting

the full e-mail with technical headers or screenshots of the SMS conversation
the URL, shop domain, sender phone number or payment identifier
date and time of the event and a short description of what was clicked or paid
bank transfer, card, BLIK or payment confirmation and seller correspondence
the TraceScam result as supporting material, not as a public authority decision

If you paid money or an account was compromised

contact your bank or card provider immediately
change the password and enable MFA/2FA if you entered login credentials
report the case to the police or the appropriate law enforcement authority in your country
report the domain, e-mail or SMS to the relevant CERT/CSIRT or national cyber security centre

Reporting channels by country and region

This list is informational and does not replace official guidance. When submitting a report, use official government, bank, payment provider and national CERT/CSIRT websites.

Poland

CERT Polska / NASK

Suspicious domains, e-mails, SMS messages and fake shops can be reported through CERT Polska. Financial loss, unauthorized transactions or account takeover should also be reported to the bank and to the Police or prosecutor’s office.

Report to CERT Polska Polish Police

European Union

national CSIRT / police

In the European Union, incidents are usually reported to the national CERT/CSIRT, police or national cyber security centre. ENISA supports the CSIRTs Network, but end users should normally report through the official channel in their own country.

ENISA — CSIRTs Network CSIRTs Network

United States

FBI IC3 / FTC / CISA

In the United States, online fraud and cyber-enabled crime can be reported to FBI IC3. Consumer scams can also be reported to the FTC, and significant cyber incidents to CISA.

FBI IC3 — Internet Crime Complaint Center FTC — ReportFraud CISA — Report

United Kingdom

NCSC / Action Fraud

Suspicious e-mails and websites can be reported to the NCSC. If money was lost, an account was compromised or a crime is suspected, use the official fraud or cybercrime reporting channel for your part of the United Kingdom.

NCSC — report a scam email GOV.UK — avoid and report scams

Germany

BSI / consumer centre / police

In Germany, use BSI guidance, report suspicious messages to the relevant consumer protection channels and report financial loss to the police.

BSI — phishing guidance Verbraucherzentrale — Phishing-Radar

Other country

bank / provider / police / CSIRT

If your country is not listed, start with your bank or payment provider. Then look for the official national CERT/CSIRT and the official cybercrime or consumer protection reporting channel in your country.

Find a national CSIRT via ENISA/CSIRTs Network

Preserve evidence

Save the message, headers, link, domain, screenshots and payment confirmations.

Report technically

Report the domain, e-mail, SMS or fake shop to the relevant CERT/CSIRT or national cyber security centre.

Report the loss

If money was lost, an account was taken over or data was stolen, contact your bank and law enforcement.