No one is safe form these attacks.
NurPhoto via Getty Images
Republished on September 24 with more details on these malicious websites and the wider threat from AI-fueled website impersonation.
The FBI has issued multiple warnings over the last year, as fake websites steal millions of dollars from citizens. These have included holiday discount websites, charity websites after emergencies and disasters, even fake document converters. But the FBI’s latest warning is a surprise. No one is safe from attack — not even the bureau itself.
“Threat actors are spoofing the FBI Internet Crime Complaint Center (IC3) government website,” the bureau warned on September 19. The www.ic3.gov website is included in all the bureau’s warnings as attacks and scams surge across the U.S. It’s a reporting and information tool. But now it’s being faked for “possible malicious activity.”
Once threat actors trick you into using the wrong website, they can initiate a range of scams — soliciting payment, stealing login credentials, even pushing malicious software downloads. Stolen data can include a person’s “name, home address, phone number, email address, and banking information.” It’s a honeypot.
The irony here is that “members of the public could unknowingly visit spoofed websites while attempting to find FBI IC3’s website to submit an IC3 report,” the FBI says.
The bureau’s guidance is simple:
- “Type www.ic3.gov directly into the address bar located at the top of your Internet browser, rather than using a search engine.
- If using a search engine, avoid any ‘sponsored’ results as these are usually paid imitators looking to deter traffic from the legitimate IC3 website.
- Verify that the URL of the IC3 website ends in [.]gov and is correctly entered as www.ic3.gov.
- Avoid clicking on any link whose URL differs from the legitimate IC3 site to mitigate risk of fraud.
- Never click on links that may include suspicious artifacts or graphics, such as unprofessional or low-quality graphics used to imitate a legitimate website.
- Never share sensitive information if you are unsure of the website’s legitimacy.”
The FBI also stresses it “will never ask for payment to recover lost funds, nor will IC3 refer someone to a company requesting payment for recovering funds.” This follows multiple warnings as attackers impersonating federal, state and local law enforcement have demanded payment to avoid arrest or for outstanding fines.
This advisory follows prior warnings where attacks have used social media lures to trick users into visiting fake IC3 websites “to assist in recovering funds.” The bureau confirms that “IC3 does not maintain any social media presence.”
The FBI asks internet users to “report any interactions with websites or individuals impersonating IC3.” To do so, it says, just visit IC3 at www.ic3.gov. Clearly, you’ll need to be very sure you are using the right website before you do so.
Meanwhile, more details on the spoofing of the FBI’s IC3 website have now come to light, courtesy of Cybersecurity News, “Beginning in mid-September 2025, victims attempting to access IC3’s official portal were redirected to fraudulent domains crafted to mirror the legitimate site.” Website visitors who “entered personal data found their information harvested for identity theft and financial fraud.”
The fake websites included “look-alike URLs — such as ‘ic3-gov.com’ and ‘ic3gov.org’ — and reproduced authentic branding, including the FBI seal and IC3 banner.”
The website reports that “IC3 analysts identified the first wave of these fraudulent sites on September 18, 2025, when multiple reports surfaced of visitors receiving deceptive emails purportedly confirming IC3 report submissions. Those messages contained links that led to cloned pages demanding extensive personally identifiable information (PII).”
The fake websites deployed “phishing and client-side scripting” which then “intercepted the legitimate form’s submit event, rerouting user inputs to an exfiltration endpoint before allowing the browser to proceed or display a generic error.”
As MalwareBytes warns, “criminals recognize that victims seeking help are often vulnerable to secondary attacks. After all, they already got caught out once, and are likely already at an emotional disadvantage. So they often succeed in attracting those victims to fake portals like these, with a view to scamming them again. A distracted or distraught victim can often hand over their sensitive data for a second time, including names, addresses, phone numbers, email addresses, and banking information.”
It’s soo easy to impersonate a website, and so it’s little surprise that even the FBI has been duped. As PC Mag has just reported, “online scammers are always looking for a payday, and it’s incredibly easy to whip up fake settlement claim emails and websites designed to steal your private data, like your email address, social security number, or banking information.” Exactly what was done with the FBI’s website.
PC Mag took on the task of creating a fake settlement website, but the process is the same. And through the use of generally available, AI tools, all the imagery, website layout and even copy style can be too precise to notice any differences.
“It took me less than five minutes to create the fake websites using Google’s Gemini chatbot. I don’t mean that the chatbot just generated the images, either. Gemini generated code for two websites in less time than it would take me to give away my personal information on an AI-generated phishing website.” Put more imply, PC Mag says, “if I can do it, a scammer can do it too.
And it seems nothing is off the table. Per Cyber Press, even “fake speedtest websites,” with security analysts identifying “a sophisticated campaign of Windows utilities posing as Internet speed tests, PDF processors, and AI search interfaces that clandestinely install a portable Node.js runtime alongside an encrypted JavaScript payload.”
We have even seen fake news websites designed to perpetuate fraud. CTM360 found “over 17,000 baiting news sites that mimic legitimate news sites like CNN, the BBC and CNBC. These baiting news sites are used by scammers to spread and promote investment fraud at scale.”” This works through “fake news stories that link public figures and financial institutions to fabricated investment schemes.”
The lesson here is while no one is above reach, it’s all too easy for bad actors to impersonate any organization efficiently and effectively.