1. What is an online scam?
An online scam is any deceptive scheme carried out over the internet — email, social media, messaging apps, marketplaces, dating sites, or fake websites — designed to trick a victim into handing over money, credentials, personal data, or cryptocurrency. Scams range from one-off phishing emails to long-running relationship and investment frauds that can drain a victim's savings over months.
What makes online fraud particularly difficult to investigate is that the evidence is fragile. A scam website can be taken offline within hours. A messaging account can be deleted. A wire transfer receipt can be misplaced. By the time a victim contacts authorities, the most important proof is often already gone. That is why preserving digital evidence early — before you confront the scammer or change anything — is the single highest-impact action you can take.
Reporting matters even when recovery seems unlikely. Aggregated reports are how agencies like the FTC and IC3 identify patterns, shut down infrastructure, and warn the public. Your phishing report may be the data point that links an isolated complaint to an organized operation.
2. Common scam types
Knowing what category your situation falls into helps you choose the right reporting channel and the right kind of scam evidence to collect.
Fake stores
Counterfeit e-commerce sites mimic real brands, advertise impossibly low prices, accept payment, and either ship nothing or ship a worthless knock-off. Save the product page, the checkout URL, your order confirmation, payment receipts, and any tracking numbers. The domain WHOIS record and the payment processor used are critical for an online fraud report.
Phishing emails
Phishing messages impersonate trusted senders — banks, shipping companies, government agencies, employers — to trick you into clicking a link, entering credentials, or downloading malware. Preserve the full email source (headers included), the sender address, the linked URL, and any landing pages. Do not click the link a second time just to take a screenshot; reopen it in a sandbox if you must, or screenshot from the email client.
Romance scams
A scammer builds an emotional relationship over weeks or months, then engineers a crisis that requires money — a hospital bill, a stuck inheritance, a customs fee. Save the full chat history, every profile photo (these are often stolen and reused), phone numbers, payment instructions, and the platform where you met. Romance fraud is one of the most under-reported categories because of the shame involved; reporting is still essential.
Investment scams
"Guaranteed returns" in crypto, forex, or pre-IPO shares are the classic lure. Save every page of the trading dashboard (the numbers are usually fake), all deposit and withdrawal records, wallet addresses, the company name, the people you spoke with, and any contracts. Investment fraud often crosses borders, so both local police and securities regulators may need a copy.
Impersonation
The scammer pretends to be someone with authority — IRS, police, your bank's fraud department, a CEO requesting a wire transfer, or a family member in trouble. Save the caller ID, voicemails, SMS messages, and any spoofed email headers. Note the exact phrases used; many impersonation operations follow a script that authorities can recognize.
3. How to preserve evidence
The goal is a clean, dated record that another person — an investigator, a bank fraud team, a court — can follow without needing your memory to fill in gaps. Work through this checklist before you change passwords, block the scammer, or close any accounts.
Save URLs
Copy the complete URL of every relevant page, including query strings. Save it as plain text — do not just bookmark it, because bookmarks disappear with the browser profile. If the site is still live, also save the HTML source (right-click → View Page Source → save as) and run a WHOIS lookup so you have the registrar and registration date.
Take screenshots
Capture the entire browser window, including the address bar and the system clock. Full-page screenshots are better than cropped ones — investigators want to see context. Take screenshots at each step of the interaction (initial offer, checkout, payment confirmation, follow-up messages). If the site changes or disappears later, your screenshots become the primary scam evidence.
Save emails
Export emails with their full headers. In Gmail, use "Show original" and save the .eml file; in Outlook, save as .msg. Headers contain the actual sending server, which is what authorities use to trace origin — a forwarded email loses this. Save attachments separately and never open suspicious ones on your main device.
Save phone numbers
Record every phone number used to contact you — incoming calls, SMS, WhatsApp, Telegram, Signal. Note the country code and the platform. Take screenshots of caller ID and SMS threads, and export chat histories from messaging apps when the platform allows it.
Document dates and times
Every piece of evidence needs a timestamp. Note the date and time of the first contact, every payment, every conversation, and the moment you realized it was a scam. Use your local time zone and be explicit about it. A timeline is often what makes a report actionable.
4. How ScamTrace IQ helps
ScamTrace IQ is purpose-built for the workflow above. It is not an investigation service and it does not make legal determinations — it is a structured place to collect, hash, and hand off your evidence.
Evidence vault
A dedicated case per incident, with typed slots for URLs, screenshots, contacts, emails, phone numbers, and free-form notes. Every file is hashed (SHA-256) on upload so you can prove later that nothing was modified.
PDF reports
One-click export of a case as a clean, paginated PDF — the format most consumer-protection agencies and bank fraud teams prefer. The PDF includes the timeline, all text evidence, and thumbnails of every screenshot.
ZIP evidence packages
For investigators who want the raw files, export the entire case as a ZIP — original screenshots, saved emails, attached documents, and a manifest with the SHA-256 hash of every file.
Domain intelligence
Linked domains across your cases are surfaced automatically, along with WHOIS and registration signals. If the same domain shows up in three different reports you have filed, you will see it.
Audit logs
Every action on a case — created, edited, exported — is logged with a timestamp and the acting account. This chain of custody is what gives downstream readers (your bank, a regulator, a lawyer) confidence in the file.
5. Who should you report to?
Most victims should file with more than one body. Local police handle the personal report; a national consumer agency handles the pattern; your bank handles the money; a sector regulator handles the industry. ScamTrace IQ exports the same evidence in both PDF and ZIP, so you can hand it to each without re-collecting anything.
Local police
File a report at your local precinct, especially if you have lost money, been threatened, or had your identity stolen. Ask for a written case number — you will need it for your bank and your insurer. Bring the printed PDF; some departments do not accept evidence on a personal USB drive.
Consumer protection agencies
In the United States, the FTC (reportfraud.ftc.gov) collects general scam reports and the FBI's IC3 (ic3.gov) handles internet crime. In the UK, Action Fraud is the equivalent; in the EU, each member state has a national consumer authority. These agencies use aggregated reports to take down infrastructure, even when individual recovery is not possible.
Financial institutions
Contact your bank, card issuer, or payment platform immediately if money moved. Most providers have a fraud department with a separate hotline and short reversal windows — 24 to 72 hours for card transactions, longer for wires, very short for crypto. Submit the PDF report and quote your police case number.
Relevant government agencies
Match the agency to the scam type: securities regulators (SEC, FCA) for investment fraud; the IRS or HMRC for tax-impersonation scams; ICANN or the registrar's abuse contact for fake-store domains; the platform itself (eBay, Amazon, Meta, dating sites) for in-platform abuse.
6. Important disclaimer
ScamTrace IQ does not determine guilt or criminal conduct. It is an evidence organization platform only. Cases, notes, and tags within ScamTrace IQ reflect what the user entered — they are not accusations, verdicts, or findings of fact. Only law enforcement and the courts can make those determinations.
Nothing on this page is legal advice. If you are unsure how to proceed — particularly in cases involving large losses, cross-border transactions, identity theft, or threats — consult a qualified attorney in your jurisdiction.
Frequently asked questions
How do I report an online scam?+
Preserve evidence first (URLs, screenshots, emails, phone numbers, timestamps), organize it in a single file or case, then file with your local police, a national consumer agency like the FTC or IC3, your bank if money moved, and any sector regulator that applies. Submit the same evidence pack to each.
What counts as digital evidence?+
Anything that records the interaction: full URLs, page-source captures, full-page screenshots with the address bar visible, original emails with headers, SMS and chat exports, call logs, payment receipts, wallet addresses, and a written timeline of dates and times.
Should I confront the scammer before reporting?+
No. Confrontation usually causes the scammer to delete accounts, take down sites, and block you — which destroys the evidence you need. Preserve everything first, then report, then take protective action like changing passwords and blocking the contact.
How do I file a phishing report?+
Forward the phishing email with full headers to your email provider (reportphishing@apple.com, phishing-report@us-cert.gov for US-CERT, or report_phishing@apwg.org for the Anti-Phishing Working Group). Also file with the FTC at reportfraud.ftc.gov and notify the brand being impersonated.
Can I recover money lost to an online scam?+
Sometimes, and the odds are highest if you act within hours. Contact your bank or card issuer immediately and ask for a chargeback or wire recall. Crypto and gift-card payments are the hardest to reverse. Filing a police report and an online fraud report with a consumer agency is required by many banks before they will process a dispute.
Is ScamTrace IQ a law-enforcement tool?+
No. ScamTrace IQ is an evidence organization platform. It helps victims and their advisors collect, hash, and export evidence in formats that authorities accept. It does not investigate scams and does not determine guilt.
How long should I keep scam evidence?+
At least until every case (police, bank dispute, regulator complaint, insurance claim) is fully closed, and ideally several years afterward. Cross-border investigations and class-action settlements can surface years later, and your archived file may matter then.
What if the scammer is in another country?+
Report locally anyway. National agencies share data through INTERPOL, Europol, and bilateral channels, and many take-downs happen because multiple jurisdictions reported the same infrastructure. Include domain, hosting, and payment-processor information — those are often the points where foreign operations can be disrupted.
Do I need a lawyer to report a scam?+
Not for the initial report. You may want one if losses are significant, if your identity was stolen, if a business is involved, or if you receive threats. Nothing in this guide is legal advice — speak to an attorney in your jurisdiction for case-specific guidance.
What if I'm embarrassed to report?+
Reporting is what shuts these operations down. Romance and investment scams are deliberately designed to make victims feel foolish so they stay silent. Agencies handle these reports every day and treat them confidentially. Your report may be the one that protects the next person targeted.
Ready to organize your scam evidence?
Open a case, attach what you have, and export a clean PDF or ZIP for whichever authority needs it.