How to React to and Report Online Fraud

Whether you’re a victim or a witness, there are a number of sources you can submit online threat information to in order to make the Internet a safer place.

We spend a lot of time discussing the types of threats that exist online and offering advice on how to avoid becoming the victim of online fraud. Today, I want to briefly discuss the best ways to react to online threats after you become aware of them, because there are a number of organizations offering services out there that are seeking to make the Internet a safer place. All these organizations need, in some circumstances, is information from you.



Phishing is a type of social engineering scam where an attacker attempts to dupe his victims into handing over potentially valuable information. One of the most popular types of phishing attacks comes via email. The attacker crafts an email that would appear to come from a source that is trusted by the recipient. The email may purport to come from a prominent bank, warning about a potential security incident, and presenting a link where the user can perform a password reset.

Whether you’re a victim or a witness, there are a number of sources you can submit online threat information to in order to make the Internet a safer place.

That link would then lead to a page made to look like a Web property of the bank in question. The user, having followed that link, would then be compelled to enter his of her username and password in order to access his or her account and create a new password. Of course, what is really happening is that the attacker is tricking that user into disclosing his or her online banking credentials (this is why banks warn against following such links in unsolicited emails and encourage that customers navigate directly to banking websites before logging in).

So, if you ever become aware of a Phishing attack – whether it’s targeting payment info, social networking credentials or anything else – what should you do? You actually have a lot of options, but, broadly speaking, you should follow these five steps:

  2. Definitely forward the phishing email and link along to the company being imitated;
  3. In some cases, you may want to contact law enforcement
  4. It’s also a decent idea to inform a government consumer protection agency or relevant tech firm;
  5. And definitely delete offending message once you’ve done all this.

Let’s say you encounter a PayPal-themed phishing campaign. You’ll want to contact PayPal’s dedicated fraud team. You can find their info simply by searching “PayPal Report Phishing” or “PayPal fraud” into your favorite search engine.

Reporting Fraud to PayPal

Once you’ve done that, you should follow whatever instructions they offer up. If it was a phishing email, you’ll want to forward the email along to PayPal, then delete it. After that, the service recommends running through your transaction history to make sure everything is accurate. Similar actions can be taken under any number of similar circumstances. Gmail has a phishing reporting feature built directly into its graphical user interface. Most banks and merchants will have a feature for reporting phishing attacks as well.

Depending on the severity of the situation, you may want to contact law enforcement, but we’ll explore that more in the next section.

The United States Computer Emergency Readiness Team (US-CERT) – the cyber-incident response division of the U.S. Department of Homeland Security – has a dedicated email address ( to which you are encouraged to send information about phishing attacks. Similarly, the Internal Revenue Service has its own thorough phishing and fraud page – filled with information about how citizens should react to tax-related scams. These are U.S.-specific agencies, but if you were to search a bit, then you could easily find similar organizations in other countries. Beyond government agencies, tech firms like Google and Microsoft have easy-to-use pages offering information about phishing and fraud and letting users submit links to phishing websites.

Billing Discrepancies

Every single time I make an online purchase, I think about what happens if I just never get what I ordered. Or what recourse is available to me if I am overcharged. Of course, the proper course of action to follow in reaction to such an incident is going to vary, depending on who you are buying from and what kind of payment method you are using. That said, in general, the following three, broad steps are a good starting point for dealing with disputed or fraudulent transactions.

  1. Contact the organization where the charges are coming from;
  2. If that doesn’t solve the problem, contact your bank;
  3. In certain cases, you may need to contact law enforcement.

If you’re ever overcharged for something you bought, charged for goods or services you did not purchase, or charged for something you bought but which you never received, then you will want to begin by reaching out to the offending merchant. In the case of what appears to be a fraudulent charge where there is no legitimate merchant involved, you may want to reach out immediately to your bank or credit card provider to explain the disputed transaction.

If the company that issued the charge is a is seemingly well-established merchant – like eBay or Amazon – then there is likely some sort of disputed transactions page or resolution center. Any reputable, online seller of goods and services should offer some way for customers and other users to dispute transactions, though I’m sure in some cases you will have to do a bit of digging and maybe even call the company directly. If you are honest and patient, you should be able to resolve these disputes with most responsible merchants. In these cases, you may not even need to contact your bank or credit card provider.

However, if it becomes clear that you are never going to receive whatever it is you ordered, you feel as if you have waited longer than appropriate, or something downright fraudulent is going on, then you should go ahead and reach out to your bank. Whatever bank holds your money, or whatever brand of credit card you use, that bank or credit card company is going to have a system for reporting fraudulent charges. Do an Internet search, navigate around your bank or credit card company’s website, or even pick up the phone and call the customer service department there.

In addition to that, on sites like eBay and Amazon, where individuals can sell goods directly to customers, you may find yourself victimized by a fraudulent seller that is not directly employed by the broader marketplace. In that case, you’ll need to follow their specific instructions for handling fraudulent sellers, which Amazon and eBay definitely have in place.

If it appears that outright fraudulent charges are being charged to your accounts (as in someone has ascertained your credit card number or eBay login credentials and is racking up charges), then you may need to contact law enforcement. You can find links to the proper, regional authorities (in the U.S. at least) here. Again, if you’re outside the U.S., run a search for “consumer fraud reporting,” and I’m sure you will find what you are looking for.

Report Consumer Fraud is a great resource to visit if you find yourself in this type of situation. The website will walk you through everything from how to deal with Social Security Number theft, to reacting to malware infections, to reporting a sketchy merchant to the major credit bureaus.

Malware Infection

First and foremost, you should always run security software. A strong anti-virus product is going to make it considerably harder for your machine to become infected with malware.

However, let’s say your machine has become infected with information-stealing malware. Again, broadly:

  1. Remedy the infection;
  2. Assess the degree of exposure;
  3. Change passwords; get new cards.

If you didn’t have AV software, then you should buy a good solution, install it, update it, and run a scan. A good anti-malware product will detect and remove the malicious software – even if it was on your machine before you installed the AV.

Now you need to do the best job you possibly can of determining exactly when you became infected. It may also help to determine the source of the infection, which, if it is a website, you can report it to Google or US-CERT or Microsoft or the FBI or any number of other sources you can find by running a simple Internet search.

After that, you need to figure out what information was likely exposed. Were you logging into email or banking or other online accounts while your machine was infected with malware? If so, you should consider any account you logged into compromised, and change your passwords accordingly. In addition to that, you should keep a close eye on account activity. Depending on what information is accessible through your online banking site, you may need to contact your bank and take further steps. In the case of email or other accounts, you may need to access your settings to make sure no critical settings, like recovery email addresses or features like forwarding rules, have been added or manipulated.

Online threats are in no way limited to the simple three discussed here, but the steps laid out in these three scenarios offer guidelines that I think can be applied to other types of threats as well. Please let us know in the comments if there are any other scenarios that you’d like us to consider.