Cyber Breaches Survey Analysis — Cybercrime

What types of cyber-attacks result in cybercrime and how prevalent is this among UK businesses, according to the government’s cybersecurity breaches survey? 

In the latest article covering the government’s cybersecurity breaches survey, SC UK is looking at Chapter Six: Cybercrime. Specifically, this examines cybercrime and the fraud that occurs as a result of breaches and attacks.  

It explores the threat landscape for UK organisations, establishing a subset of the number of cyber breaches or attacks that could be defined as crimes under the Computer Misuse Act 1990 and the Home Office Counting Rules. 

What is cybercrime? 

According to the government’s definition, cybercrime involves gaining unauthorised access or causing damage to computers, networks, data or other digital devices — or the information held on them. 

As such, the survey starts by pointing out that some cybersecurity breaches and attacks do not constitute cybercrimes. For example, attempted attacks that haven’t penetrated an organisation’s cyber defences don’t count, and online impersonation would also be beyond the scope of the Computer Misuse Act. 

The survey covers multiple forms of cybercrime, including ransomware attacks where a financial ransom was demanded; hacking; denial of service attacks; computer viruses or malware; and targeted phishing. It also examines breaches or attacks that have led to cyber-facilitated fraud. 

The prevalence of cybercrimes 

Cybercrime isn’t a rare occurrence, according to the survey. The government estimates that 20 percent of businesses and 14 percent of charities have been the victim of at least one cybercrime in the last 12 months — that’s around 283,000 businesses and 29,000 registered charities. 

The stats show how cyber-attacks themselves do not always result in actual cybercrime. Of the 43 percent of businesses and 30 percent of charities identifying breaches or attacks, just under half (46 percent of businesses and 48 percent of charities) ended up being victims of cybercrime. 

Meanwhile, the prevalence of ransomware among businesses has significantly increased between 2024 and 2025, the results show. The estimated percentage of all businesses who experienced a ransomware crime in the last 12 months increased from less than 0.5 percent in 2024 to 1 percent in 2025 — which equates to an estimated 19,000 businesses in 2025. 

The larger the business, the more likely it was to experience cybercrime, with 18 percent of micro businesses, 25 percent of small businesses, 43 percent of medium businesses and 52 percent of large businesses becoming a victim.

The figures suggest that many firms are avoiding major incidents, which may reflect improvements in baseline controls, user awareness and broader cyber hygiene, says Jordan Schroeder, managing CISO at Barrier Networks. 

The “clear correlation” between organisation size and likelihood of cybercrime “aligns with what we see on the ground,” Schroeder says. “Larger businesses tend to be more targeted, but also more prepared.” 

Smaller organisations should take note of this and consider proportionate controls that match their risk profile, he advises. “Even simple steps such as enabling multi-factor authentication, robust patch management and conducting basic training can meaningfully reduce exposure,” Schroeder says. 

The increase in ransomware incidents highlights how financially-motivated adversaries are specifically targeting “larger, more lucrative organisations”, says Richard LaTulip, a field chief information security officer at Recorded Future. While the overall cybercrime rate remains steady, the rise of ransomware signals a shift towards “high-value, high-impact attacks”, he says. 

The nature of cybercrime 

Unsurprisingly, phishing was by far the most common type of cybercrime experienced, cited by 93 percent of businesses and 95 percent of charities. 

Phishing is popular with adversaries because social engineering is such an effective tactic for gaining initial access, says LaTulip. “Attackers see the manipulation of people as the easiest pathway into secure networks. There is a recognition that human error and poor cyber hygiene significantly contribute to risk, which makes awareness and education initiatives vital.” 

The government said that phishing is “deemed the most disruptive type of attack”, adding that findings from the qualitative interviews highlight that “organisations can spend significant time dealing with large volumes of phishing attacks and investigating them”.

This can even happen when no crime has occurred, or the attempt was unsuccessful, it said. 

Hacking was the second most common type of cybercrime, experienced by eight percent of businesses and 17 percent of charities.  

Ransomware cybercrime was experienced by seven percent of businesses, but was rare among charities. The other cybercrimes — such as viruses, spyware or malware and denial of service — were rare among businesses and charities, the survey found. 

The scale of cybercrimes 

Some organisations end up being the victims of cybercrime multiple times. Of those who were a victim, businesses experienced an average of 30 cybercrimes of any kind, whereas for charities the figure was 16.  

For both businesses and charities, the median was four cybercrimes.

Overall, it is estimated that UK businesses have experienced approximately 8.58 million cybercrimes of all types including 680,000 non-phishing cybercrimes in the last 12 months. UK charities have experienced approximately 453,000 cybercrimes during the period. 

Cyber-facilitated fraud 

Fraud is also on the rise, according to the survey. A total of three percent of all businesses and one percent of charities have been a victim of fraud that resulted from a breach or attack in the last 12 months.  

Among the three percent of businesses that experienced cyber-facilitated fraud, around six in ten (63 percent) said this happened just once in the last 12 months. The average number of cyber-facilitated frauds experienced by these businesses was two per business. 

Among the three percent of businesses that fell victim to cyber-facilitated fraud, 54 percent said this resulted from a phishing attack.  

The range of cyber-facilitated fraud costs experienced was wider than for cybercrime, ranging from less than £100 to more than £100,000, the survey found. 

The cost of cybercrime 

There’s no doubt that cybercrime is expensive. The average self-reported cost per business associated with cybercrime experienced in the last 12 months was a mean average of £990. 

Self-reported expenses associated with cyber-facilitated fraud were higher than for cybercrime, with an estimated mean average cost of £5,900 per business. 

The figures make sobering reading. Yet things could be even worse — the reported average costs of cybercrime could be understated, says Schroeder. “What’s not visible are the organisations that suffered such severe disruption that they no longer exist. This missing data matters because the most serious outcomes are often underreported or unrepeatable.”


Kate O'Flaherty Cybersecurity and privacy journalist