Frequently Asked Question

Reporting Fraud
Last Updated about a month ago

Fraud affecting a UK business should be reported promptly both to the relevant public authorities and to the service providers who may be able to disrupt the abuse. For email-based fraud, domains, telephone numbers and payment details can often be acted on quickly if the report includes the right evidence.

Immediate actions

Before making reports, take these steps to preserve evidence and reduce ongoing risk:

  • Do not delete suspicious emails, voicemails, call logs, text messages or browser history.
  • Isolate affected mailboxes, devices or user accounts if compromise is suspected.
  • Change passwords for impacted accounts and enable multi-factor authentication where possible.
  • Check whether any payments were made and contact the bank immediately if funds have been transferred.
  • Warn internal staff not to engage further with the fraudster.
  • Preserve original message data, especially full email headers and any attachments.
  • Record the timeline of events, including dates, times, users affected, domains used, telephone numbers used and any financial loss.

Reporting company fraud in the UK

For most business fraud and cyber-enabled fraud in the UK, the primary reporting route is Action Fraud, which is the UK’s national reporting centre for fraud and cyber crime.

Report online

Use the official Action Fraud reporting service:

  • Website: https://www.actionfraud.police.uk/

Prepare to provide:

  • Company name and registered address
  • Main contact details
  • Dates and times of the incident
  • Description of what happened
  • Financial loss or attempted loss
  • Bank account details used by the fraudster, if known
  • Email addresses, domains, websites or telephone numbers involved
  • Copies of evidence and a clear chronology

Report by telephone

Action Fraud can also take reports by phone.

Use the official Action Fraud contact number published on their website. At the time of writing, the main reporting number is:

0300 123 2040

When reporting by telephone, have the following ready:

  • Company details
  • Incident summary in date order
  • The exact fraudulent email address, domain name or phone number used
  • Payment details, invoice details or bank transfer information
  • Names of affected staff or customers
  • Any crime reference from your bank or insurer, if already obtained

When to contact the police directly

Contact local police directly instead of waiting for an Action Fraud process where:

  • There is an immediate threat to life or safety
  • Staff are at physical risk
  • Fraud is ongoing at company premises
  • A suspect is present
  • Emergency action is required

Use:

999

For non-emergency police contact, use:

101

Reporting fraudulent emails

Fraudulent emails should usually be reported through three routes:

  1. Action Fraud
  2. The affected email provider or hosting provider
  3. The domain registry or registrar complaint route where appropriate

Evidence required for fraudulent email reports

The most important requirement is the full original email headers. A screenshot alone is usually not sufficient.

Collect:

  • Full headers from the original email
  • The body content of the message
  • Any attachments
  • The envelope sender and reply-to address, if visible
  • The sending IP address from the headers
  • The receiving date and time
  • The target recipient address
  • Any URLs contained in the message
  • Screenshots showing how the message appeared to the user
  • Evidence of resulting compromise or payment request, if applicable

How to preserve the message correctly

Where possible, export or save the original message in a native format rather than forwarding it manually.

Examples include:

  • Outlook message file: .msg
  • RFC822 email file: .eml

Forwarding an email normally can alter headers and reduce evidential value, so send the raw message only. Your ISP or MSP can assist with obtaining this. 

Reporting telephone fraud

Telephone-based fraud affecting a business may also be reported to Action Fraud where it forms part of fraud, impersonation or cyber-enabled crime.

Collect:

  • The calling number as displayed
  • Date and time of each call
  • Recording or voicemail, if available
  • Transcript or notes of what was said
  • Whether caller ID appears spoofed
  • Any number used for callback
  • Any linked emails, texts, websites or payment instructions
  • Billing records or PBX/call log records showing the call details

If a provider needs to investigate nuisance, spoofing or abuse of a number range, accurate call data records are far more useful than screenshots alone.

Evidence required for MSP escalation to ICANN, Nominet or related providers

The exact route depends on the type of domain.

  • .uk domains: generally handled through Nominet
  • Generic TLDs such as .com, .net, .org: usually handled by the registrar, registry, relevant hosting provider, or abuse contacts published in WHOIS/RDAP; ICANN is usually an escalation route about registrar compliance rather than a fast operational suspension tool

In practice, takedown or suspension requests succeed only where there is clear, well-packaged evidence.

Minimum evidence pack for domain abuse reports

Provide all of the following wherever available:

  • The exact domain name
  • Date and time first seen
  • Description of the fraudulent activity
  • How the domain is being used:
  • phishing
  • business email compromise
  • impersonation
  • malware delivery
  • fake invoice/payment diversion
  • clone website
  • Screenshots of the website or messages
  • Full email headers showing the domain in use
  • Full URLs involved
  • DNS records at the time of abuse, where available
  • WHOIS or RDAP output, where available
  • Web page source or hosted content capture, where relevant
  • Hosting IP address and ASN, if known
  • Evidence of brand impersonation or passing off
  • Evidence of victim impact:
  • attempted fraud
  • actual loss
  • credential harvesting
  • A short chronology
  • Confirmation of authority to report on behalf of the affected business

Additional evidence for email impersonation domains

Where the abusive domain is sending fraudulent email, include:

  • Header analysis showing:
  • From
  • Return-Path
  • Reply-To
  • Received chain
  • DKIM/SPF/DMARC results
  • Examples of all observed messages
  • The spoofed brand or staff identities used
  • Whether the message passed or failed authentication
  • Evidence of mailbox compromise if relevant
  • Any user reports showing recipient confusion

Additional evidence for fraudulent websites

Where the domain hosts a fake portal or payment page, include:

  • Full screenshots of the landing page and any login/payment pages
  • The exact URLs
  • HTML or page capture if possible
  • SSL certificate details if visible
  • Copies of cloned branding, logos or terms
  • Evidence of credential collection or redirection
  • Transaction details if payment was requested

Reporting .uk domain abuse to Nominet

Nominet is responsible for the .uk namespace. Reports are stronger when they are specific, evidenced and show actual abuse rather than suspicion alone.

Evidence typically required by Nominet or the registrar

  • The .uk domain name
  • Why the domain is abusive or fraudulent
  • Copies of the emails or website content
  • Full email headers where email is involved
  • Screenshots and URLs
  • Details of harm caused or intended
  • Proof of impersonation of a real company or brand
  • Police or Action Fraud reference where available
  • Confirmation that the report is made by:
  • the victim business
  • its MSP
  • an authorised representative

Useful supporting material

  • Trade mark details, if the fraud involves brand impersonation
  • Company registration details
  • A signed statement from the affected business
  • Correspondence showing that recipients were deceived
  • Technical evidence linking the domain to abusive infrastructure

Reporting abuse involving generic domains such as .com

ICANN does not usually suspend domains directly in response to individual fraud complaints in the way many people expect. The practical route is usually:

  1. Report to the registrar abuse contact
  2. Report to the hosting provider
  3. Report to the email provider involved
  4. Escalate to the registry if appropriate
  5. Use ICANN complaint channels where the registrar is non-responsive or non-compliant

Evidence needed for registrar or hosting abuse reports

  • Domain name and all related subdomains
  • Abuse category
  • Full technical evidence
  • Victim impact
  • Dates and times in UTC where possible
  • Links between the content, domain and fraud
  • Copies of all messages or website captures
  • Proof that the abuse is current and live

Evidence required for ICO reports relating to number suppression

Where the issue concerns unwanted marketing calls, misuse of personal data, or suppression/rectification of telephone contact data, the Information Commissioner’s Office may be relevant. The ICO is not a general emergency anti-fraud suspension body, but it can deal with data protection and PECR-related concerns such as nuisance marketing calls and misuse of contact information.

Typical evidence needed for an ICO complaint

  • The telephone number affected
  • The company or entity using the number, if known
  • Dates and times of calls or messages
  • Copies of texts, voicemails or call recordings
  • Call log exports from the phone system or carrier
  • Explanation of why the processing is unlawful or inaccurate
  • Evidence that the number belongs to the complainant or data subject
  • Copies of any requests already sent to the caller or data controller
  • Any opt-out, suppression or objection requests already made
  • Evidence that calls continued after objection or suppression request
  • Any privacy notice, lead form or consent wording relied upon by the caller
  • Any evidence of spoofing or misrepresentation

Where “number suppression” commonly applies

This can mean different things in practice, so evidence should match the scenario:

  • Unwanted marketing to a business or individual number
  • Provide call logs, recordings, dates, times and any opt-out requests.
  • Request to suppress a number from a caller’s marketing database
  • Provide the number, proof of authority, and copies of prior objection/suppression requests.
  • Incorrect publication or processing of a telephone number
  • Provide evidence of inaccuracy, harm caused, and the correction request already made.
  • Caller ID spoofing used in fraud
  • Provide carrier records, timestamps, affected numbers, and a description of the fraud. This may also need reporting to Action Fraud and the telecoms provider.

Recommended evidence checklist for MSP-submitted reports

For efficient escalation, assemble a single case file containing:

  • Incident summary
  • Named customer contact and authority to act
  • Action Fraud reference, if obtained
  • Police reference, if obtained
  • Loss amount or attempted loss amount
  • Full email headers in original format
  • Email message copies in .eml or .msg
  • Screenshots of emails, websites and call logs
  • Telephone numbers involved
  • Dates and times with timezone
  • Domains, subdomains and URLs involved
  • DNS and hosting lookup results
  • Copy of fraudulent web content, where applicable
  • Bank details used by the fraudster, if applicable
  • Impact statement from the customer
  • Any prior abuse reports already submitted

Practical format for an abuse evidence bundle

A simple folder structure helps keep reports consistent:

Case-Reference/
├── 01-summary.txt
├── 02-authority-to-act.pdf
├── 03-action-fraud-reference.txt
├── emails/
│   ├── suspicious-message-1.eml
│   ├── suspicious-message-1-headers.txt
│   └── screenshots/
├── website/
│   ├── urls.txt
│   ├── screenshots/
│   └── html-capture/
├── telephony/
│   ├── call-logs.csv
│   ├── voicemail/
│   └── screenshots/
└── technical/
    ├── dns.txt
    ├── rdap.txt
    └── hosting-notes.txt

Good practice when submitting reports

  • Use factual, neutral language.
  • State clearly whether the fraud was attempted or successful.
  • Avoid making allegations that cannot be evidenced.
  • Include exact timestamps.
  • Submit original technical artefacts, not only screenshots.
  • Keep copies of all reports and acknowledgement emails.
  • Update the evidence pack if the abuse changes or spreads.

Summary

If you are a GEN Customer, raise a ticket and we can gather all the evidence required for you, and prepare and submit it to the authorities. If you are not, contact your ISP/MSP/HelpDesk for assistance in collating it. You must collate the required evidence for any meaningful action to be taken. 



This website relies on temporary cookies to function, but no personal data is ever stored in the cookies.
OK
Powered by GEN UK CLEAN GREEN ENERGY

Loading ...