How to Report Cybercrime in New York

Cybercrime reporting in New York operates through a layered system of federal, state, and local channels, each with distinct jurisdictional authority and intake processes. The sector spans offenses from financial fraud and identity theft to ransomware attacks targeting critical infrastructure. Knowing which agency handles which category of offense — and what documentation is required at intake — determines whether a complaint translates into an active investigation. The regulatory context for New York cybersecurity further shapes how reporting obligations intersect with legal compliance frameworks.

Definition and scope

Cybercrime, as classified under New York Penal Law Article 156 (Offenses Involving Computers), encompasses unauthorized computer access, computer tampering, computer trespass, and unlawful duplication of computer-related material. Federal statutes — principally the Computer Fraud and Abuse Act (18 U.S.C. § 1030) — extend jurisdiction over offenses involving interstate or federal computer systems, financial institutions, or damage thresholds exceeding $5,000.

Scope and geographic coverage: This reference covers reporting pathways applicable within New York State, including New York City and all 62 counties. It addresses offenses subject to New York Penal Law, applicable federal statutes, and regulatory reporting obligations established by the New York Department of Financial Services (NYDFS) and the New York Attorney General's Office (OAG). Offenses that occurred entirely outside New York, or that fall exclusively under federal jurisdiction with no New York nexus, are not covered by this state-level reference. Cross-border cybercrime with multi-state victims may require parallel filings not addressed here.

Adjacent areas — including data breach notification requirements and NYDFS 23 NYCRR 500 compliance — are addressed in separate references such as New York Data Breach Notification Requirements and NYDFS Cybersecurity Regulation 23 NYCRR 500.

How it works

Cybercrime reporting in New York follows a structured multi-agency pathway. The appropriate channel depends on the offense type, the victim category (individual, business, or government entity), and the financial or operational impact.

Primary reporting channels:

  1. IC3 (Internet Crime Complaint Center): The FBI's IC3 is the federal intake point for internet-facilitated crime. Complaints filed at ic3.gov are reviewed by FBI analysts and routed to federal, state, or local law enforcement based on jurisdictional criteria. IC3 accepted 880,418 complaints in 2023, with reported losses exceeding $12.5 billion (FBI IC3 2023 Annual Report).

  2. New York State Police Cyber Analysis Unit: The New York State Police operates a dedicated cyber unit that investigates state-level offenses. Reports can be initiated through any State Police barracks or via the NYSP tip line.

  3. New York City Police Department (NYPD) Cybercrime Unit: Within the five boroughs, the NYPD Cybercrime Unit under the Detective Bureau handles local cyber-enabled offenses. Complaints are initiated at the precinct level before escalation.

  4. New York Attorney General's Internet Bureau: The OAG receives complaints involving consumer fraud, identity theft, and online scams affecting New York residents.

  5. NYDFS Cybersecurity Incident Reporting: Covered entities under 23 NYCRR 500 must report cybersecurity events to NYDFS within 72 hours of determining that a reportable incident has occurred.

  6. CISA (Cybersecurity and Infrastructure Security Agency): For attacks on critical infrastructure, CISA provides a federal reporting portal and coordinates response across sector-specific agencies.

Documentation requirements at intake typically include: timestamps of the incident, IP addresses or URLs involved, copies of fraudulent communications, financial transaction records, and any malware samples or log files preserved by the reporting party.

Common scenarios

Different cybercrime categories map to distinct reporting pathways and investigative bodies.

Business email compromise (BEC) and wire fraud: Losses are reported to IC3 immediately. When aggregate fraud exceeds $100,000, the FBI's financial fraud kill chain process can be activated within 72 hours to attempt fund recovery. The OAG Internet Bureau also accepts BEC complaints involving New York-based victims.

Ransomware attacks: Organizations subject to NYDFS 23 NYCRR 500 must notify NYDFS within 72 hours. All entities are encouraged to report to CISA and IC3. The New York Ransomware Risks and Response reference covers operational response protocols in detail.

Identity theft: New York residents file with the OAG, the Federal Trade Commission at IdentityTheft.gov, and local law enforcement for police report documentation. The New York Identity Theft Cybersecurity reference addresses the full scope of state protections.

Unauthorized access to financial accounts: Reports go to the relevant financial institution (triggering internal incident response), IC3, and — where the institution is NYDFS-regulated — a parallel notification to NYDFS. The New York Financial Sector Cybersecurity reference covers sector-specific obligations.

Phishing and online fraud targeting individuals: Reports are directed to the FTC at reportfraud.ftc.gov, IC3, and the OAG Internet Bureau.

Attacks on government systems: Municipal and state agency incidents are escalated to the New York State Office of Information Technology Services (ITS) and CISA. The New York Government Agency Cybersecurity and New York Municipal Cybersecurity references address public-sector obligations.

Decision boundaries

Selecting the correct reporting channel requires distinguishing between complaint categories that carry different legal outcomes.

Individual victim vs. regulated entity: Individual victims report primarily through consumer channels (IC3, OAG, FTC). Regulated entities — financial institutions, health systems, covered entities under New York's SHIELD Act — carry mandatory reporting obligations with statutory deadlines that exist independently of whether a criminal complaint is filed. Failure to report under 23 NYCRR 500 can result in civil penalties assessed by NYDFS, as documented in New York OAG Cybersecurity Enforcement actions.

Criminal report vs. regulatory notification: These are not interchangeable. A criminal complaint to IC3 or NYPD does not satisfy a regulatory notification requirement to NYDFS or HHS. Both tracks must be pursued in parallel when applicable.

State jurisdiction vs. federal jurisdiction: Offenses confined to intrastate systems with no federal nexus fall under New York Penal Law and are handled by NYSP or local agencies. Offenses crossing state lines, involving federally insured institutions, or causing damage above the CFAA's $5,000 threshold fall within federal jurisdiction handled by the FBI. Jurisdictional overlap is common; filing with IC3 does not preclude filing with state agencies, and dual filings are standard practice.

Time-sensitive vs. standard reports: BEC wire fraud and active ransomware incidents require immediate contact with law enforcement and IC3 to maximize recovery options. Retrospective fraud complaints follow standard intake queues. Entities navigating incident response timelines should cross-reference New York Cybersecurity Incident Response for structured response frameworks.

For a comprehensive overview of the New York cybersecurity landscape, the New York Security Authority home reference provides the foundational context within which these reporting structures operate.

References

📜 3 regulatory citations referenced  ·  🔍 Monitored by ANA Regulatory Watch  ·  View update log

Explore This Site

Services & Options Key Dimensions and Scopes of NewYork Cybersecurity Regulations & Safety NewYork Cybersecurity in Local Context Tools & Calculators Password Strength Calculator FAQ NewYork Cybersecurity: Frequently Asked Questions