Unpacking Cyber Crime: In-depth Analysis and Case Studies

  • By Donald Korinchak, MBA, PMP, CISSP, CASP, ITILv3

In an era characterized by unprecedented digital connectivity, our reliance on the Internet and other digital technologies has grown exponentially. However, this dependence has also opened gates to a nefarious world of crimes committed in cyberspace, known as cyber crimes. Ranging from the theft of an individual’s personal data to crippling nations’ infrastructures, these digital felonies have evolved to become one of the most sophisticated challenges to law enforcement agencies and national security. This in-depth exploration of cybercrime provides an illumination into its diverse forms, historical progression, notorious instances, societal impact, and viable prevention strategies. This discourse aims to furnish the reader with a lucid understanding of the complex web interweaved by cybercriminals, the extensive damage they perpetrate, and, most importantly, how to arm and protect ourselves in this ongoing battle in the digital world.

Types of Cyber Crime

Unmasking the multifaceted threat of cybercrime in our digital society.

As the digital era takes firm root, transcending almost all facets of our daily lives, it unveils an ever-evolving landscape of vulnerability to various types of cyber crimes. Understanding the nuanced complexities of these threats is indispensable in guiding our collective response to safeguard the inviolability of our virtual dwellings.

Imperative for discussion is the specter of identity theft, which involves the unlawful acquisition and utilization of another individual’s personal information for illegitimate financial gains. Cybercriminals exploit various avenues, such as phishing schemes and data breaches, to execute this violation, leading to disastrous personal and financial consequences for the victim.

Malware , a portmanteau of malicious software, lingers as another notable threat. Ruthlessly subtle, this category of cybercrime extends to ransomware , which locks users out of their systems or data, holding it hostage until a ransom is paid. Spyware follows closely, covertly monitoring and transmitting the user’s activities to a third party. Both breed a pervasive sense of violation and create vast economic downstream effects.

Cyberstalking and cyberbullying, while demarcated less by economic impacts, remain potent narcotics in the cocktail of cybersecurity threats. These crimes are characterized by intentional intimidation, harassment, or threat to another individual, utilizing digital mediums. The psychological trauma imparted by these infringements reflects the wider societal repercussions that transcend the digital sphere.

Notably, the list would be incomplete without recognizing cyber-terrorism and cyber-warfare. These acts, striking at the intersection of technology and geopolitical maneuvering, involve the use of Internet-based attacks in terrorist activities and warfare, often targeting critical infrastructures and national security or causing a state of panic and fear.

The rapidly evolving universe of financial technology is not untouched by cybercrime. Crypto-jacking emerges as a salient threat where hackers hijack a computer’s resources to mine for cryptocurrency without the owner’s knowledge or consent— a subtle and yet potent symbol of how technology’s greatest strengths can morph into its most haunting vulnerabilities.

Lastly, the advent of Deepfakes and AI-generated content birthed a new realm of cybercrime. These acts involve the use of artificial intelligence to create or alter video, audio, or image content to depict scenes or convey messages that were never captured or intended, potentially causing severe personal, political, and societal unrest.

In navigating through the labyrinth of cybercrime, it becomes clear that our informational infrastructure functions as a double-edged sword. Heightened awareness and understanding of the multiple types of cyber crimes, corrective measures, and prevention strategies are critical to ensure the security of our accelerated journey into the digital age. As we teeter on the brink of this new epoch, let it be fortified by knowledge, caution, and, above all, a shared responsibility toward a safe and secure online world.

Illustration depicting various forms of cybercrime, including hacking, identity theft, and cyber terrorism

Historical Perspective of Cyber Crime

The evolutionary trajectories of cybercriminal strategies: a deeper dive.

While initial aspects of cybercrime, including identity theft, malware, cyberstalking, and cyber-terrorism, remain relevant, the ingenious adaptability of cybercriminals continues to morph these original paradigms into more complex constructs. Deepfakes and AI-generated content, crypto-jacking, and even cyber warfare itself continue to evolve. More recently, however, these forms of cybercrime are being joined, and in some cases superseded, by other more sophisticated threats.

Spear phishing, a targeted version of phishing, has emerged as one of the most insidious cybercrimes. Cybercriminals no longer toss out a wide net in the hopes of ensnaring an unsuspecting fish but have now shifted to crafting precise, personalized lures to hook specific individuals or organizations. This modality, premised on thorough research and social engineering , typifies today’s cunning adversary, who forgoes brute force for psychological manipulation.

Next in this progression of cybercrime sophistication is the advent of Advanced Persistent Threat s (APTs). Unlike the blitzkrieg assault-style adopted by most traditional cyberattack s, APTs are slow and methodical infiltrations designed to remain undetected for prolonged periods. By leveraging backdoor techniques and a patient, stealthy approach, these threat actors compromise systems to exfiltrate data or create systemic disruption in a silent, protracted manner.

Further underscoring the evolutionary trends, cybercriminals now employ Botnets, networks of compromised devices commanded by a central operator. The damages that can be inflicted range from devastating Distributed Denial-of-Service attacks to enormous volumes of spam mail. Cybercriminals disregard the sanctity of individual autonomy and readily surrender to the collective might of these enslaved devices.

Reflecting a leap from dexterity to craftiness, supply chain attack s represent another ingenious cybercriminal innovation. These comprise a systemic, strategic violation entailing the compromise of trusted software or hardware suppliers. By infiltrating these sources, cybercriminals can lurk undetected, poised to pounce on end-users who implicitly trust their providers and, by extension, become unsuspecting victims.

Lastly, while already touched upon in the subject of deepfakes, weaponized AI and Machine Learning take the potential for harm to unprecedented heights. As these technologies advance, they become double-edged swords, providing enormous potential benefits but also harboring potential hazards. They can be manipulated to carry out highly sophisticated attacks that adapt, learn, and emulate human behaviors, making them harder to detect and counter.

In conclusion, the cybercriminal landscape remains perpetually fluid. It continues to evolve, harboring devastating potential and emphasizing the critical need for robust countermeasures and vigilance. As much as we are captivated by technology’s spell, we must also remain equally committed to fathoming its dark possibilities and approach this evolving challenge with the same unyielding determination.

Image illustrating the evolution of cybercriminal strategies

Depicting Major Cyber Crime Case Studies

When regarding the multifaceted arena of cybercrimes, a few notorious examples have made all the difference in shaping both legislative processes and public perception. These archetypical scenarios paint a stark picture of the danger posed by cybercriminals and the significant, often devastating, consequences for victims.

The infamous Yahoo data breach, which revealed itself from 2013 to 2014, can never be forgotten. It compromised approximately three billion user accounts, rendering it the most prodigious data compromise in history. Personal data, including names, email addresses, and passwords, fell into malevolent hands, leading to a leap in fraudulent activities globally. The ensuing turbulence resulted in the resignation of Yahoo’s CEO, loss of consumer trust, and a $50 million settlement.

Adobe Systems witnessed a devastating blow in October 2013—a data violation exposing approximately 38 million active user accounts. The compromised data included encrypted debit and credit card data paired with user login credentials, creating a substantial identity theft concern. Adobe had to face huge economic losses and significant reputation damage, which took years to recover from.

The Heartland Payment Systems breach in 2008 was another significant incident that stirred the digital world. Dating back to when companies scarcely understood the imminent threat of cybercrime, this attack led to a loss of over 130 million credit and debit card details. Heartland witnessed a significant financial loss of around $140 million in remediation.

In terms of affecting global infrastructure, the WannaCry ransomware attack in May 2017 was a stark example. The ransomware targeted computers running Microsoft Windows, encrypting data and demanding ransom in Bitcoin. Over 200,000 systems across 150 countries, including significant healthcare organizations, were taken hostage. The immense global disruption prompted a surge in infrastructure investment to improve cyber defense capabilities.

While most attacks impact a specific corporation or sector, the Mirai botnet attack of 2016 introduced a broader systemic threat. The malware transformed networked devices such as IP cameras, printers, and routers into a botnet to conduct distributed denial-of-service attacks. With millions of IoT devices compromised, the Mirai botnet was capable of unparalleled distributed destruction, showcasing how vulnerable global digital infrastructure can be.

Cyber espionage provides another multifaceted concern. An example was Operation Aurora in 2009, aiming to steal sensitive information from top companies, including Google and Adobe. This incident underscored the threat toward intellectual property and corporate competitive advantage, galvanizing a reevaluation of digital security measures in businesses across the world.

On the more sinister end of the spectrum, the Stuxnet worm attack showcased how cybercrime could transform into cyber warfare. In 2010, the Stuxnet worm damaged approximately one-fifth of Iran’s nuclear centrifuges, epitomizing how cyber-attacks can transgress the digital realm and enact substantial real-world damage.

Through these examples and more, it becomes perceptibly clear how multifarious the landscape of cybercrimes truly is. It underscores the imperative need for stringent cybersecurity measures, vigorous legislative action, and individual awareness of the perils that lurk in the depths of the digital world. As we further immerse ourselves in an overwhelmingly interconnected society, it is incumbent upon us to study and learn from these sobering lessons of history.

A visual representation of the dangerous landscape of cybercrimes, depicting various hacking symbols and locked padlocks.

Impact of Cyber Crime on Individuals and Society

Beyond the directly visible forms of cybercrime, such as identity theft, malware, cyberbullying, deepfakes, cyberterrorism, and crypto-jacking, there lies a plethora of repercussions affecting individual victims and wider societal structures. These implications come as a direct result of cybercrime, which infiltrates various sectors, from personal privacy to economic stability, manifesting differently across each strata of society.

When confronted with the repercussions of cybercrime, it is essential to explore the psychological impact on victims. According to research conducted by the American Psychological Association, individuals who have been victims of cyber crimes often suffer from feelings of violation, loss of trust, and feelings of powerlessness. These outcomes equip cybercriminals with a powerful psychological tool – fear, which they can deploy to extort more information or inflict further harm on their victims.

The financial implications of cybercrime are also critical. On an individual level, victims may incur substantial costs to recover from identity theft or ransomware attacks. On a larger scale, businesses are also impacted—with losses in the billions annually due to cyber theft of intellectual property and sensitive corporate information.

Cyber crimes also pose a severe threat to critical infrastructure. A targeted attack, like the Stuxnet worm or the Mirai botnet attack, can disrupt entire networks or systems. This endangerment of critical infrastructures exposes vulnerabilities in sectors such as energy, telecommunications, transportation, and healthcare, upon which our societies heavily rely.

Furthermore, cybercrime disrupts social order by exploiting our increasing reliance on digital platforms. The damage caused by malicious activities in cyberspace can instigate societal tension or even panic. For instance, the spread of false information through deepfakes or AI-generated content can destabilize communities, alter public opinion, and incite fear or chaos within the public domain.

Moreover, the infiltration of educational institutions and exploitation of data breaches, such as those experienced by Adobe Systems and Yahoo, incite concern for the security of personal and academic data, impacting trust in these institutions.

Finally, the global aspect of cyber crime complicates the enforcement of laws and the attribution of criminals. Differing legislation across jurisdictions, coupled with the abstract nature of cyberspace, often leads to perpetrators evading justice, which again amplifies public fear and mistrust.

The increasing sophistication of cyber criminal activities demands a comprehensive, multi-faceted approach to cybersecurity involving not only technological solutions but also legislative measures, international cooperation, and public awareness initiatives. Vigilance remains paramount – for both the individual and the broader social structures at risk.

In conclusion, while the repercussions of cybercrime are manifold and persistently evolving, the driving force behind combating this modern plague remains undeterred – a relentless commitment to understanding, outwitting, and ultimately neutralizing this digital threat. The continuous enhancement of cybersecurity measures, active legislative action on cybercrimes, and individual awareness of cybercrime risks are just several in the legion of dedicated efforts aimed to equip society with the tools necessary to tackle this complex issue.

An image depicting the consequences of cyber crime, showing a lock being broken, symbolizing the violation of security and privacy.

Prevention and Mitigation Strategies

Effectively addressing the potential risks and outcomes of cybercrimes necessitates a multi-pronged approach that leans heavily on collaboration, education, and the implementation of cutting-edge cybersecurity strategies. this measure rings especially pertinent against the backdrop of a progressively interconnected world, teetering on the precipice of the much-heralded fourth industrial revolution..

Collaborating across sectors and agencies is a vital strategy for tackling cybercrimes. Internationally, creating a shared understanding of cyber threats and fostering cooperation to deal with them can significantly bolster collective security measures. This includes forming partnerships with international police forces, such as INTERPOL and Europol, to expedite the identification, tracking, and prosecution of cybercriminals regardless of their geographical location.

An educated populace is arguably the first line of defense against cybercrime. The general public must be armed with the knowledge necessary to safeguard sensitive information and thwart the attempts of cybercriminals. Robust security awareness programs must be incorporated into our educational institutions, corporations, and public services, acquainting people with the modus operandi of cybercriminals and how best to respond. This includes increased awareness of the intricacies of social engineering attacks to mitigate risks like whaling and pretexting that have not been previously covered in this article.

Implementing progressive cybersecurity protocols plays a pivotal role in curbing cybercrimes. Organizations should strive for a dynamic, proactive approach as opposed to a static, reactive one. Frequent system audits, vulnerability assessments, and penetration testing can unveil potential security loopholes before cybercriminals can exploit them. A zero-trust architecture that presumes no user or process is intrinsically trustworthy, coupled with behavioral-based threat detection, could significantly bolster an organization’s defense.

Moreover, using encrypted communication channels and urging employees to regularly update their passwords and employ two-factor authentication systems can mitigate unauthorized access risks. Leveraging advanced technologies, like quantum cryptography, can offer foolproof data security, rendering any eavesdropping attempts futile.

Lastly, while strengthening legislative measures against cybercrimes, nations must also create an environment conducive to the reporting of such incidents. Victims often shy away from reporting due to fear of reputational damage or lack of faith in the justice system. Ensuring confidentiality and demonstrating stringent punishment against perpetrators could effectively deter the commission of these crimes.

As we tiptoe into an era dominated by Big Data, 5G, and Artificial Intelligence, our strategies against cybercrime must evolve at a concordant, if not more rapid, pace. A synergized effort spanning individuals, organizations, and countries, buttressed by relentless vigilance, is our best hope in the grand scheme of cybersecurity. Striking that balance between advancing technologically and maintaining cyber hygiene will be the perpetual litmus test for our digitized world.

Illustration of a person protecting a digital lock with a shield, symbolizing the defense against cybercrime risks and outcomes.

As we continue to tread through this digital age, understanding the insidious nature of cyber crimes not only informs but empowers us as individuals, organizations, and as a society. We have explored in detail the varied forms of these crimes, their evolution through the years, their devastating impacts exemplified through notable case studies, and the undeniably lasting mark they leave on individuals and societies alike. Furthermore, we have offered a glimpse into the strategies that can be employed to fortify our defenses against these invisible aggressors. The key lies in continual awareness, constant vigilance, and strategic preparedness so that we may navigate this intricate digital universe safely. As we move forward, remember the fight against cybercrime isn’t just for those in the corridors of power but for every Internet user who plays a vital role in this digital ecosystem.

Donald Korinchak, MBA, PMP, CISSP, CASP, ITILv3

Donald Korinchak, MBA, PMP, CISSP, CASP, ITILv3

  • Share full article


Supported by

Cyberattack Paralyzes the Largest U.S. Health Care Payment System

The hacking shut down the nation’s biggest health care payment system, causing financial chaos that affected a broad spectrum ranging from large hospitals to single-doctor practices.

A portrait of Molly Fulton, who sits in the waiting room of one of the urgent care centers she runs. She wears a blazer over a black blouse with her hands folded in her lap.

By Reed Abelson and Julie Creswell

An urgent care chain in Ohio may be forced to stop paying rent and other bills to cover salaries. In Florida, a cancer center is racing to find money for chemotherapy drugs to avoid delaying critical treatments for its patients. And in Pennsylvania, a primary care doctor is slashing expenses and pooling all of her cash — including her personal bank stash — in the hopes of staying afloat for the next two months.

Listen to this article with reporter commentary

Open this article in the New York Times Audio app on iOS.

These are just a few examples of the severe cash squeeze facing medical care providers — from large hospital networks to the smallest of clinics — in the aftermath of a cyberattack two weeks ago that paralyzed the largest U.S. billing and payment system in the country. The attack forced the shutdown of parts of the electronic system operated by Change Healthcare, a sizable unit of UnitedHealth Group, leaving hundreds, if not thousands, of providers without the ability to obtain insurance approval for services ranging from a drug prescription to a mastectomy — or to be paid for those services.

In recent days, the chaotic nature of this sprawling breakdown in daily, often invisible transactions led top lawmakers, powerful hospital industry executives and patient groups to pressure the U.S. government for relief. On Tuesday, the Health and Human Services Department announced that it would take steps to try to alleviate the financial pressures on some of those affected: Hospitals and doctors who receive Medicare reimbursements would mainly benefit from the new measures.

U.S. health officials said they would allow providers to apply to Medicare for accelerated payments, similar to the advanced funding made available during the pandemic, to tide them over. They also urged health insurers to waive or relax the much-criticized rules imposing prior authorization that have become impediments to receiving care. And they recommended that insurers offering private Medicare plans also supply advanced funding.

H.H.S. said it was trying to coordinate efforts to avoid disruptions, but it remained unclear whether these initial government efforts would bridge the gaps left by the still-offline mega-operations of Change Healthcare, which acts as a digital clearinghouse linking doctors, hospitals and pharmacies to insurers. It handles as many as one of every three patient records in the country.

The hospital industry was critical of the response, describing the measures as inadequate.

Beyond the news of the damage caused by another health care cyberattack, the shutdown of parts of Change Healthcare cast renewed attention on the consolidation of medical companies, doctors’ groups and other entities under UnitedHealth Group. The acquisition of Change by United in a $13 billion deal in 2022 was initially challenged by federal prosecutors but went through after the government lost its case.

So far, United has not provided any timetable for reconnecting this critical network. “Patient care is our top priority, and we have multiple workarounds to ensure people have access to the medications and the care they need,” United said in an update on its website .

But on March 1, a bitcoin address connected to the alleged hackers, a group known as AlphV or BlackCat, received a $22 million transaction that some security firms say was probably a ransom payment made by United to the group, according to a news article in Wired . United declined to comment, as did the security firm that initially spotted the payment.

Still, the prolonged effects of the attack have once again exposed the vast interconnected webs of electronic health information and the vulnerability of patient data. Change handles some 15 billion transactions a year.

The shutdown of some of Change’s operations has severed its digital role connecting providers with insurers in submitting bills and receiving payments. That has delayed tens of millions of dollars in insurance payments to providers. Pharmacies were initially unable to fill many patients’ medications because they could not verify their insurance, and providers have amassed large sums of unpaid claims in the two weeks since the cyberattack occurred.

“It absolutely highlights the fragility of our health care system,” said Ryan S. Higgins, a lawyer for McDermott Will & Emery who advises health care organizations on cybersecurity. The same entity that was said to be responsible for the cyberattack on Colonial Pipeline, a pipeline from Texas to New York that carried 45 percent of the East Coast’s fuel supplies, in 2021 is thought to be behind the Change assault. “They have historically targeted critical infrastructure,” he said.

In the initial days after the attack on Feb. 21, pharmacies were the first to struggle with filling prescriptions when they could not verify a person’s insurance coverage. In some cases, patients could not get medicine or vaccinations unless they paid in cash. But they have apparently resolved these snags by turning to other companies or developing workarounds.

“Almost two weeks in now, the operational crisis is done and is pretty much over,” said Patrick Berryman, a senior vice president for the National Community Pharmacists Association.

But with the shutdown growing longer, doctors, hospitals and other providers are wrestling with paying expenses because the steady revenue streams from private insurers, Medicare and Medicaid are simply not flowing in.

Arlington Urgent Care, a chain of five urgent care centers around Columbus, Ohio, has about $650,000 in unpaid insurance reimbursements. Worried about cash, the chain’s owners are weighing how to pay bills — including rent and other expenses. They’ve taken lines of credit from banks and used their personal savings to set aside enough money to pay employees for about two months, said Molly Fulton, the chief operating officer.

“This is worse than when Covid hit because even though we didn’t get paid for a while then either, at least we knew there was going to be a fix,” Ms. Fulton said. “Here, there is just no end in sight. I have no idea when Change is going to come back up.”

The hospital industry has labeled the infiltration of Change “the most significant cyberattack on the U.S. health care system in American history,” and urged the federal government and United to provide emergency funding. The American Hospital Association, a trade group, has been sharply critical of United’s efforts so far and the latest initiative that offered a loan program.

“It falls far short of plugging the gaping holes in funding,” Richard J. Pollack, the trade group’s president, said on Monday in a letter to Dirk McMahon, the president of United.

“We need real solutions — not programs that sound good when they are announced but are fundamentally inadequate when you read the fine print,” Mr. Pollack said.

The loan program has not been well received out in the country.

Diana Holmes, a therapist in Attleboro, Mass., received an offer from Optum to lend her $20 a week when she says she has been unable to submit roughly $4,000 in claims for her work since Feb. 21. “It’s not like we have reserves,” she said.

She says there has been virtually no communication from Change or the main insurer for her patients, Blue Cross of Massachusetts. “It’s just been maddening,” she said. She has been forced to find a new payment clearinghouse with an upfront fee and a year’s contract. “You’ve had to pivot quickly with no information,” she said.

Blue Cross said it was working with providers to find different workarounds.

Florida Cancer Specialists and Research Institute in Gainesville resorted to new contracts with two competing clearinghouses because it spends $300 million a month on chemotherapy and other drugs for patients whose treatments cannot be delayed.

“We don’t have that sort of money sitting around in a bank,” said Dr. Lucio Gordan, the institute’s president. “We’re not sure how we’re going to retrieve or collect the double expenses we’re going to have by having multiple clearinghouses.”

Dr. Christine Meyer, who owns and operates a primary care practice with 20 clinicians in Exton, Pa., west of Philadelphia, has piled “hundreds and hundreds” of pages of Medicare claims in a FedEx box and sent them to the agency. Dr. Meyer said she was weighing how to conserve cash by cutting expenses, such as possibly reducing the supply of vaccines the clinic has on hand. She said if she pulled together all of her cash and her line of credit, her practice could survive for about two and a half months.

Through Optum’s temporary funding assistance program, Dr. Meyer said she received a loan of $4,000, compared with the roughly half-million dollars she typically submits through Change. “That is less than 1 percent of my monthly claims and, adding insult to injury, the notice came with this big red font that said, you have to pay all of this back when this is resolved,” Dr. Meyer said. “It is all a joke.”

The hospital industry has been pushing Medicare officials and lawmakers to address the situation by freeing up cash to hospitals. Senator Chuck Schumer, Democrat of New York and the chamber’s majority leader, wrote a letter on Friday, urging federal health officials to make accelerated payments available. “The longer this disruption persists, the more difficult it will be for hospitals to continue to provide comprehensive health care services to patients,” he said.

In a statement, Senator Schumer said he was pleased by the H.H.S. announcement because it “will get cash flowing to providers as our health care system continues to reel from this cyberattack.” He added, “The work cannot stop until all affected providers have sufficient financial stability to weather this storm and continue serving their patients.”

Audio produced by Jack D’Isidoro .

Reed Abelson covers the business of health care, focusing on how financial incentives are affecting the delivery of care, from the costs to consumers to the profits to providers. More about Reed Abelson

Julie Creswell is a business reporter covering the food industry for The TImes, writing about all aspects of food, including farming, food inflation, supply-chain disruptions and climate change. More about Julie Creswell

VicPol Corporate

  • Cybercrime case studies

On this page:

Online grooming, online scams, malware and intimate image abuse.

Online child grooming is befriending a child, and sometimes the family, to make the child more open to sexual abuse. A person who is found guilty of grooming in Victoria is liable to 10 years imprisonment.

Case study: David – through the eyes of the parent

What happened.

David is a working dad with three children: Daniel and Matilda (7) and Angie (14). Angie has just commenced her second year of high school. Angie begged David for a smartphone. David finally relents and gives Angie his old smartphone. As a condition for receiving the phone, Angie must share her passcode and must leave the phone to charge overnight in the kitchen.

Angie spends a lot of time on her phone. David will often ask Angie what she is doing on the phone. He tries to monitor her use and keeps track of the phone bill. David has to start working long nights on a special project for work. David is not able to monitor Angie’s phone use as closely. Soon, Angie begins to keep her phone in the room overnight.

As the months go by, David notices Angie’s behaviour changes. She becomes withdrawn and irritable. Her school work starts to suffer.

David receives a call from the school principal – the principal needs an urgent meeting with David. The principal tells David that a parent of one of Angie’s friends told the principal that Angie is in contact with a man online who sends Angie inappropriate messages. David talks to Angie and learns that she met this man on a messaging app and they message constantly.

How was David affected?

David is horrified and feels like he has failed Angie. He feels he has neglected his duty as a parent.

David is devastated that Angie did not tell him what was happening.

David feels powerless to keep his child safe. David starts to suffer from anxiety, affecting his work and relationships.

Romance and dating scams involve scammers taking advantage of people looking for romantic partners, often via dating websites, apps or social media, by pretending to be prospective companions. They play on emotional triggers to extract money, gifts or personal details.

Romance baiting encourages victims to take advantage of a fake investment opportunity.

Case study: Amara – a retired widow

Amara received and accepted a friend request from Ferenc, a Hungarian serviceman on peacekeeping duties in Afghanistan. Ferenc and Amara grew closer together. Ferenc shared pictures with her and told Amara he had lost his wife to cancer. This was similar to Amara’s own experience – her elderly husband died of cancer two years ago.

Ferenc said he was being posted to Cyprus but that his time in the military was nearly finished. Ferenc told Amara he wanted to set up a jewellery store when he retired.

Ferenc told Amara he was coming to see her but had some trouble with his bank card not working in Cyprus and could not get funds to pay for an export tax on his gemstones. Taking out a loan, Amara transferred Ferenc $15,000 to cover the tax bill. Shortly after, Ferenc told Amara that he had been detained by local authorities in Malaysia on the way to Australia. He needed $20,000 to pay his legal and court fees.

Amara contacted the Malaysian police – they had no knowledge of Ferenc. When Amara told Ferenc she could not send the additional money, he responded with very angry messages, and then ceased contact altogether.

How was Amara affected?

Amara was left confused and hurt. She feels betrayed and cheated. She knows in her head that this was a scam, but in her heart still feels that Ferenc might be out there and she has let him down.

Amara had to re-enter the workforce to service the loan she took. She is also at risk of having her identity stolen because she shared a lot of personal information with the scammer calling himself Ferenc.

Ransomware is a form of extortion using malicious software (malware) that prevents users from accessing their system or personal files and demands ransom payment in order to regain access.

Case study: Jin and Bella – small business owners

Jin and Bella run a family owned accounting firm that provides outsourced bookkeeping and accounts functions for small businesses across Victoria.

The business operates through an online platform—client companies log in through a website portal and can take care of several bookkeeping needs for their businesses, such as tracking their expenses, processing receipts and calculating deductions.

Jin and Bella’s business computers were infected with ransomware via a suspect email just before tax time. This ransomware locked down the business’ platform so that clients were unable use the portal. The cybercriminals demanded $100,000 in Bitcoin, a cryptocurrency, to restore the network. Jin and Bella refused to pay. The cybercriminals threatened to publish the private information of Jin and Bella’s clients. Jin and Bella did not know what to do. They did not have the money to pay the ransomware. Eventually, Jin and Bella contacted Victoria Police to report the crime.

The majority of Jin and Bella’s clients were unable to submit their tax returns on time. Clients were extremely dissatisfied with the service.

The Australian Cyber Security Centre advises against paying ransoms. Payment of the ransom may increase an individual or organisation’s vulnerability to future ransomware incidents. In addition, there is no guarantee that payment will undo the damage.

How were Jin, Bella and their clients affected?

The reputation of Jin and Bella’s business suffered and as a result, they lost clients. Jin and Bella experienced considerable stress and anxiety from the attack.

The Australian Cyber Security Centre External Link has observed cybercriminals successfully using ransomware to disrupt operations and cause reputational damage to Australian organisations across a range of sectors:

  • State and Territory governments
  • Education and research organisations

The Australian Cyber Security Centre External Link reported a 15% increase in ransomware cybercrime reports in the 2020–21 financial year. 21

Image-based sexual abuse is the creation, distribution or threatened distribution of intimate, nude or sexual image or videos, without the consent of the person pictured. This includes images or videos that have been digitally altered using specialised software.

You can also report image-based abuse to the eSafety Commissioner External Link .

Deepfakes use artificial intelligence software to learn from large numbers of images or recordings of a person to create an extremely realistic but false depiction of them doing or saying something that they did not actually do or say. 24

Case study: Aisha – a teacher

Aisha is a teacher who unknowingly had malware called a Remote Access Trojan (RAT) downloaded onto her smart phone.

Using the RAT, a cybercriminal accessed her email and text messages, and forwarded some private, intimate pictures to colleagues and family members in her contacts.

The cybercriminal also posted these images, as well as some digitally altered “deepfakes”, to several adult websites. Some of these images were found by students at Aisha’s school.

Aisha did not make a report to Victoria Police, but tried to track down the websites where the images were posted to demand that they were taken down. She suspects that her ex-boyfriend – who has a history of control and emotionally abusive behaviour – was behind the attack, but she did not have any way to prove this.

How was Aisha affected?

Aisha has been devastated by these events— both privately and professionally.

Although her school ultimately understood that she was a victim, the damage to her reputation was irreversible. This, coupled with the anxiety that her students had seen these personal and deepfake images of her, led to her giving up her teaching position at the school. This was her primary source of income.

18 Australian Competition & Consumer Commission, 12 February 2021, Romance Baiting Scams on the Rise, External Link

19 Australian Competition & Consumer Commission, 12 February 2021, Romance Baiting Scams on the Rise, External Link

20 Australian Competition & Consumer Commission, 12 February 2021, Romance Baiting Scams on the Rise, External Link

21 Australian Cyber Security Centre, 2021, ACSC Annual Cyber Threat Report: 1 July 2020 to 30 June 2021

22 Office of the eSafety Commissioner, October 2017, Image-Based Abuse, National Survey: Summary Report (October 2017)… External Link

23 Office of the eSafety Commissioner, October 2017, Image-Based Abuse, National Survey: Summary Report (October 2017)… External Link

24 eSafety Commissioner, Deepfake trends and challenges — position statement, External Link

Reviewed 29 March 2023

  • Victoria Police Cybercrime Strategy 2022-2027 - Print only version pdf 2.93 MB
  • Print full document

Cybercrime Strategy 2022–2027

  • What is cybercrime?
  • Our mission
  • Cybercrime is a global problem that affects Victoria
  • A problem accelerated by the COVID-19 pandemic
  • The harm and cost to our community
  • Our strategic priorities
  • Strategic priority: Prevent
  • Strategic priority: Report
  • Strategic priority: Support
  • Strategic priority: Investigate
  • Strategic priority: Disrupt
  • Critical enablers
  • Collaborating for better outcomes
  • A call to action

Related links

  • Cybercrime, reporting and online safety

Share this page

  • Twitter , opens a new window
  • Facebook , opens a new window
  • LinkedIn , opens a new window

U.S. flag

An official website of the United States government

The .gov means it’s official. Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you’re on a federal government site.

The site is secure. The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.

  • Publications
  • Account settings

Preview improvements coming to the PMC website in October 2024. Learn More or Try it out now .

  • Advanced Search
  • Journal List
  • Int J Popul Data Sci
  • v.7(1); 2022

Logo of ijpds

Making the most of cybercrime and fraud crime report data: a case study of UK Action Fraud

Sara giro correia.

1 Swansea University


Researchers and public authorities are increasingly exploring the potential of administrative data to generate new insights. This includes recent work leveraging the opportunities of the crime report data collected by the UK’s national reporting centre Action Fraud (AF). However, the quality of these data and its implications for data users have not been systematically analysed.

This paper outlines challenges and opportunities of using AF data in cybercrime and fraud victimisation research and practice and makes recommendations to improve the quality of this dataset.

The author has undertaken two studies using samples of AF data pertaining to crime reports within the Welsh police forces, between 2014 and 2020. Quality diagnostic checks, reflections and methodological decisions were considered across each study. These were reviewed, key themes were identified and discussed with data users and a broader group of researchers to finalise the recommendations presented.

The strengths and limitations of AF data are discussed and grouped into themes, closely aligned with four quality dimensions widely used by statistical authorities. This includes an assessment of 1) the impact of under-reporting and 2) the purpose and rules of crime recording, on the relevance of the data to its users; 3) the accuracy and reliability of the data; 4) the consistency of recording and its impact on coherence and comparability ; and 5) the accessibility and timeliness of the data.


Recommendations are made to improve AF data to generate better quality insights across the dimensions of relevance , accuracy & reliability , coherence & comparability and the accessibility & timeliness of this dataset. Additionally, a data catalogue would enable frontline officers and researchers to make the most of this dataset, harnessing it to produce key insights for crime prevention, investigation, and victim support.

Researchers and public authorities are increasingly exploring the potential of administrative data to generate insights and inform policy and practice. At the same time, fraud and computer misuse (e.g., hacking, or ransomware attacks) constitute a large proportion of crimes experienced by victims, with some evidence suggesting this was aggravated during the COVID pandemic. Based on the Telephone Crime Survey for England and Wales (TCSEW), it is estimated that there were 4.6 million incidents of fraud and 1.7 million incidents of computer misuse (CM) in the year ending March 2021, adding up to 53% of the total UK crime estimate [ 1 ]. Furthermore, compared to the pre-pandemic period, while the number of incidents of other crime decreased by 19%, fraud and computer misuse (F&CM) increased by 24% and 85% respectively [ 1 ]. 1 In addition, there was a 28% increase in reports of fraud and a 16% increase in CM reported via the UK’s national reporting centre Action Fraud (AF), in the year ending March 2021 [ 1 ]. This aligns with work by Kemp and colleagues suggesting increased reporting of certain cybercrime and fraud categories during the COVID pandemic [ 2 ]. On the other hand, a US-based survey study found no major change in cyber victimisation, suggesting the greater change in this period may concern reporting behaviour [ 3 ]. This is significant as one of the challenges of both measuring and responding to F&CM crimes, remains their relative under-reporting [ 4 ].

Nonetheless, in contrast to the localised reporting of other crime types, AF collects reports from across the UK. 2 As such, AF data is a key resource, used by police crime analysts to generate national, regional, and force-level trend analysis, to undertake threat assessments, inform crime prevention campaigns and other activities, as well as being a key basis for investigative and local victim-support responses. Additionally, researchers have leveraged AF data, to better understand reported trends, as well as their implications for policy and practice [ 2 , 7 – 10 ]. In particular, this data has an enormous potential for researchers as it provides granular detail on each report and, as the author’s previous work demonstrates, allows for the analysis of small geographies and repeat victimisation [ 8 , 11 ]. However, before conclusions are drawn on substantive matters, it is key to develop a thorough understanding of how data sources were collected, evaluate their quality in relation to wider research aims and prepare them for statistical analysis. This requires the development of ‘detectors’ and ‘metrics’ to detect quality issues and ‘auditing data sources for quality’ [ 12 ]. However, the quality challenges, and opportunities associated with using AF data, have not been systematically analysed. As such, this paper addresses the strengths and weaknesses of AF data in facilitating a victim-focused response, particularly with respect to the less developed ‘Protect’ strand of policing, which aims to increase protection for those who are at risk of (further) victimisation. This is especially timely in the UK, given the government’s recent commitments to deliver “an improved national fraud and cybercrime reporting system”, and alongside it, to “expand the National Economic Crime Victim Care Unit [NECVCU]” [ 13 ]. 3

Building on previous work [ 4 , 15 ], and work from related fields [ 16 , e.g.], this paper audits the quality of AF data with respect to two samples collected between 2014 and 2020 and examines how its quality impacts on analytical outputs, across four quality dimensions [ 17 ]. The first of these is relevance , or the extent to which the insights produced meet the needs of users, including law enforcement and researchers. The limitations of using police recorded crime (PRC) as a source of statistical crime data are well documented [ 18 – 20 ] and in line with previous scholarship, this paper firstly considers the quality implications of under-reporting, the original purpose of data collection and the rules which shape the collection of AF data. Secondly, the paper examines whether these data produce accurate and reliable results. In other words, the extent to which the data collected by AF accurately portrays the reality of the crime/victimisation experience it is intended to record and does so reliably over time. Thirdly, it turns to the impact of data quality on coherence and comparability , i.e., whether it produces insights which are internally consistent, consistent over time and comparable between regions and police force areas. Finally, the paper turns to the timeliness and clarity of data insights generated from the AF dataset. Recommendations are made to improve the quality of the dataset across each of these quality dimensions.

The author undertook two studies using samples of AF data, pertaining to crime reports within Wales, relating to recording periods between 2014 and 2020 ( Table 1 ). From the perspective of evaluating the quality of AF data, the two periods are significant as the data in the second study were collected after several improvements were made to the AF recording system. As such, improvements in data quality were expected between the two studies.

Firstly, each of the studies were summarised and the results of quality diagnostic checks, reflections on limitations and methodological decisions around mitigations were collected. Secondly, the researcher identified the key quality themes across these studies. Thirdly, the early results were shared with practitioners and researchers, who were invited to comment on the findings and recommendations. In addition, the results were shared with representatives from the data provider. This allowed for cross-validation of the findings, as well as of the feasibility of the recommendations made. Finally, data from victimisation surveys were used as comparators where relevant to the analysis. Each of the studies will now be described in turn.

Study 1: Vulnerability & repeat victimisation in wales

This study drew on a sample of crime reports (n = 17,049), made to AF by victims based within the four police forces in Wales, between 1 st October 2014, and 30 th September 2016. A mixed-methods approach was used, encompassing descriptive and bivariate statistics, generalised linear models, deterministic and probabilistic data linkage, as well as qualitative thematic analysis. Key results generated by this study included the unsustainability of an online/offline distinction, patterns of repeat victimisation and an original framework for understanding vulnerability in the context of F&CM victimisation, to better target a victim response [ 8 ].

Study 2: COVID and the impact of fraud & computer misuse in wales exploratory study

This brief study focused on analysing F&CM reporting patterns and victim impact, between 1 st February 1 st and 30 th June 2020 (n = 11,934). The analysis was carried out on site, to generate exploratory analytical outputs for the Regional Organised Crime Unit and identify emerging trends and areas for future research, during the COVID pandemic. Descriptive statistics were produced, including those included in this paper.

Results and discussion


Instead of capturing all crime experienced by victims, PRC captures only those crimes which are both reported to and recorded by the police. The data is therefore limited by under-reporting and shaped by the rules and purpose of recording [ 18 – 20 ]. Under-reporting has a considerable impact on what can be known from recorded crime as F&CM are comparatively under-reported. As shown in Table 2 , recent Crime Survey for England and Wales (CSEW) data indicates that at best, 2% of computer crimes and 8% of fraud experienced by individuals were reported to the police via AF in the year ending September 2019 [ 21 ]. In comparison, approximately 53% of all theft was reported to the police in the same period. While not directly comparable due to COVID19-related changes in methodology, the Telephone-operated CSEW (TCSEW) suggests a similar ratio with that 9% of fraud and 2% of CM reported in the year ending March 2021 [ 1 ]. 4 In parallel, under-reporting is also a known issue with respect to corporate victims [ 22 , 23 ].

*F&CM were not included in CSEW estimates.

**The 2016 estimates were published as experimental statistics. In 2017 these were published as Official Statistics, but since March 2018 received accreditation as ‘National Statistics’.

***Excludes Greater Manchester Police as following the implementation of a new IT system in July 2019, the force was unable to supply ONS with data for the quarter July to September 2019.

Inevitably, the extent of under-reporting demonstrated above, has an impact on the quality of statistical and operational outputs produced using AF data, with respect to the relevance dimension of quality i.e., the extent to which the insights produced meet the needs of users [ 28 ]. Whether the users of AF data are crime analysts within law enforcement, officers, or researchers in or beyond academia, they must consider whether the questions they have, can be answered using data which relates only incidents reported and given a crime label. As such, questions about the overall extent of victimisation in society are often best answered by victimisation surveys. However, there are also known limitations when using victimisation surveys to understand crime at low geographies, or to measure repeat victimisation [ 29 , 30 ]. As far back as 2006, the Fraud Review identified the potential for “data matching” being used to identify repeat offenders, prevent repeat offences and address “vulnerability”, particularly within the public sector, although it fell short of identifying the need to identify repeat victims [ 31 ]. In a more recent report however, Her Majesty’s Inspectorate of Constabulary and Fire & Rescue Services (HMICFRS, formerly HMIC) identified “the ineffectual use of intelligence products (such as monthly victim lists) given to forces by the National Fraud Intelligence Bureau” [ 32 ].

At the same time, it is well established that the ‘seriousness’ of the crime [ 33 , 34 ] and police/response perceptions [ 33 , 35 , 36 ] are key factors in reporting behaviour. In fact, the relative lack of seriousness of the crime and/or a cost-benefit rationale were given as a prominent reason for not reporting to Action Fraud by 8% of CSEW experimental statistics respondents in 2017 [ 37 ]. As such, one would expect to be able to identify within Action Fraud data significant harms and impacts on the victims who did report, which should enable the selection of key factors in adequately prioritising and responding to victims’ needs. However, the most common reasons were never having heard of AF (66%) and assuming fraud was reported by another authority (10%) [ 37 , Table 2 ]. 5 As such, awareness of AF remains a key issue to be addressed. Nonetheless, subject to a good understanding of the recording rules and quality issues, AF provides a valuable source of data for analysts and researchers on higher-impact and (repeat) victimisation at local level.

Purpose & rules of recording

Previous work has highlighted that the purpose and the rules that shape administrative data collection, and crime recording in particular, have profound quality implications [ 18 , 38 , 39 ]. The purpose and rules of crime recording are set out in the National Crime Recording Standard (NCRS) and the Home Office Counting Rules (HOCR). The NCRS was originally developed by the Association of Chief Police Officers (ACPO) and rolled out from 2002, after a review of crime recording practices by Her Majesty’s Inspectorate of Constabulary (HMIC) found large variations in recording rates across forces (between 55 and 82%) [ 40 ]. It has the twin aims of promoting consistency of recording across all forces and to take a victim-focussed approach to crime recording. The latter means that recording is based on the victim’s account of a crime occurring, rather than the police satisfying themselves that a crime had indeed taken place. While police should keep auditable incident reports for all reports, a crime will be recorded if: “(a) the circumstances of the victim’s report amount to a crime defined by law (the police will determine this, based on their knowledge of the law and counting rules); and (b) there is no credible evidence to the contrary immediately available” [ 41 , para. 2.2]. Alongside the NCRS, the HOCR stipulate what type and how many offences should be recorded by police in specific circumstances. In addition, the ‘vision’ for crime recording across the NCRS and the HOCR is to achieve “the best crime recording system in the world: one that is consistently applied; delivers accurate statistics that are trusted by the public and puts the needs of victims at its core.” This is followed by a breakdown of purposes which include enabling crime investigation (the ‘Pursue’ strand of policing), but also meeting victims’ needs (more aligned with the ‘Protect’ strand). Pursue is focused on investigating, prosecuting, and disrupting fraud and CM, while Protect aims to protect victims and against fraud and CM, including those at risk of repeat victimisation. However, the accurate and consistent ‘counting’ of crime is not always compatible with meeting victims’ needs, a key tension which, it is argued, exists within the NCRS/HOCR. Firstly, this is demonstrated by examining the data that is collected by AF, shared with local forces and the outcomes which are then returned on crime reports. In addition, this can also be seen through the application of the principal crime rule, as well as the “one crime per victim” and the “no victim – no crime” principles to F&CM recording.

Data collected, shared and returned

As shown in Figure 1 , not all incidents reported to the police via AF are recorded as crimes. As with all crime types, when a report is made to AF, either via the contact centre or the online form, it is possible that the situation does not meet the threshold of a crime and is therefore not given a crime label/number i.e., crimed . 6 This is unsurprising as the police deal with a significant number of non-crime incidents, as high as “83% of all Command and Control calls” [ 42 ]. AF data is then added to the National Fraud Intelligence Bureau (NFIB) ‘Known Fraud’ database. At this point, there is a distinction between what may be described as the ‘Pursue’ and ‘Protect’ strands of the police response. An algorithm scores cases according to whether they have sufficient leads for investigation, for further manual review by NFIB Crime Reviewers, who assemble case bundles which are then ‘disseminated’ to local forces for further ‘Pursue’ enforcement action. The extent to which the data disseminated for ‘Pursue’ activity meets users’ needs, is an area for further research.

An external file that holds a picture, illustration, etc.
Object name is ijpds-07-1721-g001.jpg

The Victim Journey in Numbers, England and Wales, year ending March 2015 [ 43 , 44 ]

Protect, on the other hand has, to date, been the responsibility of local forces and as such, all reports made within their respective jurisdictions are separately sent to local forces on a weekly basis, for the purposes of identifying and responding to victims’ needs. One exception to this has been the previously mentioned NECVCU, based at City of London Police, which currently services London, the West Midlands and the Greater Manchester areas, but hopes to expand nationally. However, no national-level data is available to paint a picture of the extent of the victim support provided in relation to F&CM. Furthermore, an examination of the sub-selection of AF data which is sent to local police forces for ‘Protect’ action, as sampled in the author’s studies, demonstrates that the recording system is oriented towards traditional ‘Pursue’, rather than the victim focused ‘Protect’ strand of activity.

At the time of Study 1, several variables of relevance to ‘Protect’ activity were collected by AF, but not shared with local forces ( Table 3 ). These variables included type of victim (e.g., individual or organisation), victims’ gender, vulnerability indicators (whether vulnerable to financial loss, regularly targeted and/or repeatedly victimised) and a variable on the impact of the crime on the victim’s finances, health, and wellbeing. Finally, information on whether the offender was known or unknown to the victim was not collected. By the time of Study 2 however, most of these issues had been addressed with several new ‘victim impact assessment’ variables collected and shared with local forces, including vulnerability and impact indicators. In addition, a series of questions were asked to determine the victim’s guardianship attitudes and awareness of risk, resulting in a final Public Interventions Model (PIM) assessment score. 7 Despite these improvements however, more is needed to ensure that the data collected is optimised to enable local forces to identify vulnerable and repeat victims. This includes ensuring that all variables relevant to a vulnerability and repeat victimisation analysis are shared, but also that the data collected accurately represents what the aspects they were intended to measure, that analysts and researchers understand what vulnerability and impact scores mean and how they should be used. As such, the need for question testing, data validation procedures and the development of a data catalogue are discussed below.

Furthermore, the samples in both studies demonstrate that the outcome data that is systematically recorded by or returned to NFIB by local forces relates primarily to ‘Pursue’ type activity. In Study 1, only 1.25% of all cases returned an outcome of ‘Prevention’ or ‘Victim Care’ [ 4 ]. The outcome data in Study 2 was not directly comparable, but it showed that only 0.03% of cases returned ‘Protect’ or ‘Victim Care’ outcomes. However, these statistics do not reflect the victim response across the Welsh forces. In Dyfed/Powys for example, every F&CM victim is contacted by their local force to offer support. Rather, these figures illustrate how AF data are not adequate to provide a picture of Protect activity.

The principal crime rule

The principle crime rule is common across many countries and it states that in cases where there is a “sequence of crimes in an incident, or a complex crime, [which] contains more than one type of crime”, then “the most serious crime” should be counted [ 41 , Section F]. Generally, violent crimes take precedence over property crimes including F&CM. Furthermore, where a series of property crimes are reported together, the most serious crime is recorded. This is the crime carrying the maximum sentence on conviction or, where the maximum sentences are equivalent, the greatest sentence most likely to be prescribed on conviction. To support the decision of what constitutes the principle, specific guidance is provided on the counting rules for F&CM [ 45 ]. Given the relatively higher severity of fraud over most CM offences, this principle tends to favour the recording of fraud over computer misuse, when both are present. While this is aligned with HOCR, quantitative analysis or AF data will therefore under-estimate levels of CM reporting. To correct for the impact of the principal crime rule, data on whether fraud was enabled by a CM offence could be provided to local forces.

One crime per victim

The one crime per victim principle helps to establish who the victim(s) of the crime are and, in order to minimise double counting, establishes that only one crime will be recorded for each specific, indented or identifiable victim. In some circumstances however, minimising double-counting will result in the data collected not being optimised to identify and respond to the needs of victims. This is aggravated in the case of F&CM as there can be multiple victims and, to avoid double-counting, in some situations an individual’s report will be recorded as a ‘Crime Related Incident’ (CRI) rather than a crime, or not at all. In those circumstances, it is unclear whether victim vulnerability is assessed, or their support needs considered.

A victim is defined as “the subject against whom the crime was committed”; for offences against the person this is the specific intended victim (SIV), whereas for property crime this is “the person who had custody/control or proprietary rights in the property at the time the crime was committed” [ 46 ]. However, in its F&CM guidance, many fraud subtypes, as well as the category of Computer Virus, Malware and Spyware are subject to the SIV principle, generally intended for crimes against the person. That is because while ‘the victim’ in relation to these crime types may be better conceptualised as a ‘hybrid’ of individuals, corporations and digital systems [ 47 ], the rules are designed to avoid the double recording of the same crime. As such, where victims report an instance of cheque, plastic card or online bank account fraud, they will be asked to contact their financial institution in the first place and this will not be recorded as CRI or a crime [ 45 ]. Furthermore, if an individual is infected by a virus which is affecting machines on a global scale, a CRI will be recorded. These rules are intended to minimise double-counting of crimes which might be reported by multiple victims. 8 Notwithstanding this rule, previous research has shown that F&CM can have impacts beyond financial loss including on victims’ health and wellbeing [ 48 ], which they may require support with. In addition, support and advice may be required to avoid repeat victimisation. In fact, the accurate measurement of repeat victimisation may also be affected by the one-crime-per-victim principle.

Where a victim receives a fraudulent cold call, phishing email or letter, or a malicious attachment, but they do not engage with the offenders, they are not considered a SIV, and a CRI will be recorded. However, if the victim acts on any of the information given by the offenders or they are repeatedly targeted, they become the SIV – even if no money/property is lost. As such, in some cases where only one fraud has been recorded, the victim has already been repeatedly targeted. Furthermore, for many categories of advance-fee frauds, where the same victim is contacted multiple times by the same fraudsters and on each occasion the victim is defrauded in the same way (i.e., the same NFIB category applies) then one crime is meant to be recorded when the victim reports these instances together, even where they span years of interaction. However, in such circumstances, arguably the report represents multiple instances of victimisation. In contrast, where an individual is repeatedly targeted by hackers, generally one crime will be recorded for each device and/or account hacked. As such, repeat victims of Hacking will be more easily identified than repeat victims of Advance-fee fraud. As noted, where the SIV principle is not met, a crime related incident (CRI) will be recorded instead of a crime that counts . However, as noted above, CRIs are not passed to the police forces within whose jurisdiction the victim falls. At the same time, the new ‘repeat victim’ variable ( Table 3 ) is now automatically populated by the system and will therefore be highly skewed by these recording rules. As such, using crime records to study and develop operational responses to repeat victimisation, will be limited by the ways in which report data are collected and processed.

“No Victim – No Crime” principle

Section 3.5 of the NCRS elaborates further on the principle of “victim focused recording” and introduces the “No Victim – No Crime” principle. This principle stipulates that if no victim of crime can be immediately identified, “the matter must be recorded as a crime related incident until such time as the victim is located or comes forward to provide an account” (41, para. 3.5i). However, the “recording without victim confirmation” guidance provides two exceptions to the concept of ‘no victim - no crime’ i) the police believe recording to be appropriate and necessary ii) reports by parents, carers and Professional ‘Third’ Parties (doctors, nurses, social workers and teachers) where recording must occur regardless of whether the victim has given their permission for the reporting individual to speak to the police and irrespective of whether the victim subsequently confirms that a crime has been committed. Recording without victim confirmation is key to capturing the experiences vulnerable victims of F&CM. Without this principle, no crime would be recorded where vulnerable individuals are identified by third parties (e.g., family members, social services, Trading Standards, or the Citizens Advice), but do not believe themselves to be victims. As previous research has noted, this has been observed in relation to especially vulnerable fraud victims [ 48 ]. However, the recording system currently allows for a wide range of “proxy” reports e.g., where a police officer has taken the report at the station and has now entered the information through the AF online portal. As such, it is not possible for local forces to easily identify where recording took place “without victim confirmation” and utilise this as a vulnerability indicator.

Accuracy and reliability of records

This section examines whether AF data is collected accurately and reliably i.e., accuracy is maintained over time. Accuracy has two sides, one relates to the extent to which the data was collected in accordance with recording rules; the other concerns the extent to which the data collected produces accurate representations of reality, irrespective of these rules. In addition, it should be noted that sources of error related to the accuracy of crime recording affect not only AF data or the UK, but any data which constitutes PRC [ 49 , 50 ]. With respect to the first, the accuracy of F&CM crime records has doubtlessly improved since the introduction of AF, as a centralised recording system reduces error and increases consistency (see next section). Despite improvements however, Studies 1 and 2 still demonstrated issues of accuracy and reliability, including the presence of duplicate records, outliers and implausible values, recording error and missing values. The last two are considered in greater detail below.

Recording Error and ‘Other’ Fraud

A key source of uncertainty which will affect the accuracy and reliability of AF data is recording error. Despite the above-mentioned advantages of centralised recording, errors may result from both the quality of the information provided by victims directly, as well as the quality of the recording made by others on their behalf. For example, when a victim reports F&CM, the crime is categorised according to the NFIB crime codes, part of the HOCR. However, it is possible that some reports are mis-recorded, especially given the complexity of the recording rules. At the time of writing, there are 48 NFIB fraud categories relevant to individual and business victims, including the NFIB90 category of ‘Other’ fraud, plus eight unique computer misuse categories [ 51 ]. Given the large number of categories, it is unsurprising that this analysis revealed that the correct crime category was not always recorded. Mis-categorisation may be aggravated by recent concerns over the training and empathy levels of some AF call centre staff [ 52 , e.g.]. Furthermore, when a victim reports directly to AF via the online tool, there is an assumption that they understand and interpret the form as intended. However, unlike survey designs, the questionnaire used to collect AF data has not been subject to cognitive tests and developed accordingly to minimise response error.

Alongside the above, academic, or operational analysis of AF data requires that crime categories be grouped and merged to achieve statistical power, as many have too few cases. Results should also be relatable to previous literature and thus contribute to an evidence base to inform criminal justice policy and practice. However, there is little guidance to crime analysts within police forces or researchers working with AF data, on how best to aggregate and use NFIB categories in research. In the process of the above studies, a working typology including 9 fraud categories and 2 categories of CM [ 4 , 8 ] was developed as starting point ( Table 6 ). This typology is, to the extent that it was possible, compatible with existing typologies, particularly Levi & Burrows [ 18 ], Button, Lewis and Tapley [ 53 ], Wall [ 54 ] and Yar [ 55 ]. It also reflects the aggregation undertaken by the Office for National Statistics to produce official PRC statistics. At the same time, this typology is data-driven, as it was developed to maximise statistical power.

While the above exercise improved the usefulness of the data, a close analysis of crimes categorised as ‘NFIB90 - Other Fraud (Not covered elsewhere)’, was revealing in terms of the accuracy and reliability of the data. Overall, 15.40% of cases in Study 1 and 23.34% of cases in Study 2 were labelled as ‘NFIB90’ (14.82% and 23.50% respectively for individual reports only). This is a significant proportion of all crimes recorded, representing the second and first most commonly recorded categories in Studies 1 and 2 respectively. Furthermore, while this proportion tended to increase over the period cover in Study 1 ( Figure 2 ), it has remained consistently high over the period cover in Study 2 ( Figure 3 ).

An external file that holds a picture, illustration, etc.
Object name is ijpds-07-1721-g002.jpg

Proportion of NFIB90 crimes recorded in Study 1, per month

An external file that holds a picture, illustration, etc.
Object name is ijpds-07-1721-g003.jpg

Proportion of NFIB90 crimes recorded in Study 2, per month

Given the high levels of prevalence shown above, a closer look was taken at a sub-sample of individual NFIB90 reports in Study 1, to identify and examine any significant patterns. A sub-sample of 160 individual victims who reported 332 incidents between them, were selected for Thematic Analysis (TA). One important limitation of this analysis relates to the reliance on a relatively small sub-sample of incident descriptions (3% of n = 11,841). However, due to the access restrictions, the researcher had to manually verify that personal information was removed from each incident description, before they could be extracted for further analysis at the university and there was a limited time available for this task. At the same time, the use of a combination of random and purposive sampling was intended to maximise the utility of this sample. 9 Of the TA sub-sample, 33 crimes (approximately 10%) reported by 25 victims were classed as NFIB90 and the themes identified within these cases are represented in Figure 4 . While further research is necessary to better understand NFIB90, the results of this analysis are indicative.

An external file that holds a picture, illustration, etc.
Object name is ijpds-07-1721-g004.jpg

Tree diagram of ‘NFIB90’ records

The most significant theme to emerge was ‘Courier Fraud’ (36% of incidents coded). While this does not constitute an NFIB category, the AF website states that Courier fraud occurs when a fraudster contacts victims by telephone purporting to be a police officer or bank official [ 56 ]. The predominance of Courier Fraud suggests that adding a tag, if not a dedicated NFIB category to reflect this type of fraud, may contribute towards reducing the significance of the ‘catch-all’ NFIB90 category. While frequently changing NFIB categories would not be desirable in the interest of consistent crime reporting, a revamped recording system would ideally allow the flexibility to create and update crime tags, in order to monitor ongoing and emerging trends. Finally, several of the themes identified highlight that the volume of ‘NFIB90’ also includes mis-categorised cases. These include cases which, in line with HOCR, should have been categorised as ‘romance’, ‘online shopping’, ‘consumer’ and ‘credit card’ fraud. In addition, ‘telephone (tel) preference’ and ‘plane ticket’ themes might have been coded as advance fee and ticket fraud respectively. Finally, the cases coded under the theme of ‘phishing’ should not have been recorded as a crime.

Missing data

Missing data will have a considerable impact on academic research and operational analysis, as it can skew results directly or hinder bias and/or cross-sectional testing. As a rule of thumb, levels of missingness above 5% within a variable are a red flag, particularly if missingness is not random i.e., if significantly prominent among certain victim sub-groups. Furthermore, checking for this kind of bias requires high level of completion within demographic variables. Between Studies 1 and 2, the quality of AF data improved, as measured by the level of missingness within key variables in each sample ( Table 4 ). The proportion of missing values in the variables age, ethnicity, direct financial loss and the free-text description of the crime has decreased between the studies. In addition, as previously noted, several new ‘victim impact assessment’ variables are now shared with local forces. This assessment is given to individual victims on a voluntary basis, with only 25.74% of individual victims agreeing to take part, while 31.96% did not respond ( Table 4 ). This high level of missing data makes the interpretation of results uncertain.

*Victim Gender was not provided but in Sample 1 could be derived/coded based on other variables. Victim type was derived for sample 1 and directly available with sample 2.

**Lower Super Output Area (LSOA) is a geographical location derived based on victim postcode.

***derived based on the aggregation of several variables, but not directly comparable between Study 1 (which includes variables call, outcome and partner) and Study 2 (where it includes outcome and call).

In addition, among those who agreed to the assessment, the level of missing values within victim impact variables is also not encouraging ( Table 5 ). Alongside the levels of missing data, the lack of consistent coding of missing values also adds uncertainty to what can be known e.g., a missing value for direct financial loss may be indicative of no loss, or of a loss that is unknown at the time of reporting. Similarly, it is unclear how one should interpret missing values within the victim impact assessment variables in Table 5 . As such, the quality of AF data would be improved by ensuring that the recording system is designed to reduce levels of missingness. One way to do this is by making questions compulsory, while allowing individuals maximum choice e.g., a ‘Prefer not to say’ option for ethnicity or crime impact, rather than allowing blanks. In addition, clear rules need to be developed around when data should be coded as missing. For example, a “Yes/No/Not Known” triage question in relation to direct financial losses will help disambiguate whether a missing numeric value for direct financial loss indicates ‘no loss’ or ‘unknown loss’ at the time of recording.

Consistency of recording, coherence and comparability

This section considers whether AF data is capable of producing statistical insights that are internally consistent, consistent over time and comparable between regions and police force areas. The increase in the volumes of recorded fraud by approximately 70.5% between 2011 and 2013 [ 1 ] suggests an improvement in the consistency of recording across England and Wales with the introduction of AF. Additionally, the volumes of records in Study 1 (i.e., collected from local forces), matched those reported via official statistics. 10 With respect to internal consistency, the key source of uncertainty in relation to AF data is the previously mentioned recording error, aggravated by the multiple layers of interpretation (or hermeneutics) which records may be subjected to. Furthermore, coherence over time will be impacted by external events, as exemplified here by the analysis of the volume of reports over AF’s crisis in the summer of 2015 and the impact of COVID on fraud and CM recording. Finally, the comparability of fraud and CM recording figures across police force areas and regions could be improved by the development of a data catalogue to aid crime analysts and researchers in making the most of the data and thus generate insights relevant to policy and practice.

Multiple hermeneutics

The incident descriptions in the samples of Studies 1 and 2 captured the “voice” of several populations, a considerable source of uncertainty with respect to coherence and comparability, which adds to the complexity of working with this dataset. An AF record may be the result of the victim’s direct report via the website and therefore be written in the first person, in accordance their understanding of the reporting tool and the questions asked, representing one layer of interpretation. However, it may also be recorded by the call operator or a police officer, based on their interpretation of the victim’s report: two layers of interpretation. Furthermore, an operator may record a crime, based on the details taken by an officer, in turn based on their interpretation of the victim’s report: three layers of interpretation. Finally, the voice may be that of the AF operator, based on the account of a police officer, where the report was made by someone else, on behalf of the victim. In this situation, four layers of interpretation or hermeneutics are possible. These layers of interpretation constitute a considerable source of uncertainty with respect to the internal coherence of the data. While this is not so problematic with respect to the categorical and numeric variables collected by AF, it can affect the quality of the free-text description. In Study 1, for example, the average number of characters included in the incident description was 607, the median 492, but it varied from 5 to 2033 characters. However, the free text description of the incident is key to identifying new trends. As such, ensuring that it is a compulsory field, and that there is sufficient and accessible guidance on how to complete it is essential. Further, for reports taken by operators and police officers, it is reasonable to expect a minimum level of detail.

Impact of external events

The impact of external events on reporting is evident when the changes in the levels of reporting are considered against the backdrop of key events. In the case of Study 1, the volume of data collected by AF was deeply affected when Broadcasting Support Services (BSS), the not-for-profit organisation which then ran the AF call centre, suddenly went into administration in July 2015 after losing the tender contract for the continued provision of this service to IBM. This led to AF operating with a skeleton staff and is clearly reflected in the fall reports over that period, within the four Welsh police forces covered in Study 1, which then took a significant amount of time to recover ( Figure 5 ). Furthermore, while the period covered in Study 2 does not allow for a clear examination of the impact of the lockdown on volumes of F&CM recording, official statistics show that there was a +28% increase in reports of fraud and a +16% increase in CM reported via Action Fraud [ 1 ]. Throughout the pandemic, other data source such as the Telephone-Operated Crime Survey for England and Wales suggest that the increase in reporting is linked to an increase in the overall levels of F&CM being experienced by victims, as criminal took advantage of the COVID-19 crisis. In relation to Study 1 however, the drop in records relates to the availability of the AF service. As such, understanding the impact of external events on the data is essential context to the adequate interpretation of any insights produced using the AF dataset.

An external file that holds a picture, illustration, etc.
Object name is ijpds-07-1721-g005.jpg

Number of crimes recorded in Study 1, per month

Timeliness & accessibility

With respect to the timeliness and punctuality with which police forces and crime analysis have access to AF data, this has much improved between the two studies covered in this paper. At the time the data for Study 1 was collected, victim reports were shared with local forces on a monthly basis, which meant there was an inevitable delay between victim reports and a local Protect response, where available. Since then, this has improved considerably with victim information now shared with forces on a weekly basis. This has improved the timeliness of AF data with respect to the needs of Protect officers.

In addition, the accessibility of AF data to the wider research community has improved through the online publication of the NFIB Fraud and Cyber Crime Dashboard [ 6 ]. This interactive dashboard allows researchers to access several AF data variables and apply filters (e.g., by crime category, region, police force area), to explore the previous 12 months of AF records. Researchers have already been able to harvest this data through the portal and use it to make valuable contributions to the field [ 7 , 23 ]. At the same time, the variables made available are limited and the dashboard not optimised for data download. As such, researchers wishing to investigate aspects such as victim impact of repeat victimisation, might wish to explore alternative data access routes, including research collaborations and entering into Data Processing Agreements with NFIB at the national level, the Regional Organised Crime Units at regional level, and/or specific local police forces. 11

Closely linked to the above, users of AF data need access to sufficient supporting metadata and guidance about how the data was collected, to enable them to produce and present outputs in a clear, accessible, and impartial basis. Tables 4 and ​ and6 6 list the variables accessed for Studies 1 and 2, but this does not constitute the full spectrum of variables collected by AF. Furthermore, little information was available to describe variables and their classifications, when these were shared with the researcher in both Studies 1 and 2. The lack of a data catalogue is therefore a major limitation, which will hinder analysists and researchers ability to make the most of this dataset and producing insights relevant to research, policy and practice.


The above analysis has identified several challenges when using AF data in research and to inform victim-focused and intelligence-led responses. In particular, these data provide a better insight into reporting/recording, than crime patterns or victimisation risk. However, it has a huge potential with respect to identifying serious crimes, vulnerable and repeat victims, generating intelligence and monitoring whether CJS responses are adequate to meet victims’ needs. To achieve this, four key areas for improving the quality of AF data are detailed below.

Firstly, to improve the relevance of the outputs produced with AF data, the collection could be optimised to enable a ‘Protect’ response, e.g., improved impact and vulnerability indicators to identify and respond to victims’ support needs. In addition, to correct for the impact of the principal crime rule and improve intelligence, data on whether fraud was enabled by a CM offence could be provided to local forces. These improvements should not come at the detriment of collecting data to the ‘Pursue’ strand of the police response. However, there has long been a recognition that law enforcement will not be able to ‘arrest their way out’ of fraud and CM. As such, collecting the right data and sharing it with local forces, will allow CJS agencies and researchers to assess victim impact and vulnerability and to identify high incidence repeat victims. This will enable a victim response even where there are no leads for investigation and arrests to be pursued.

Secondly, the accuracy and reliability of the insights produced using AF data can be improved by ensuring that the levels of missing data are reduced, and data accuracy is monitored and tested. In particular, the categories of crime used should not over-rely on the catch-all ‘Other’ fraud category and improved training is necessary to reduce human error. At the same time, upstream data validation and harmonisation would encourage continuous improvement while maximising efficiency. Presently, there is limited information available to data users documenting whether and how AF data are validated, or the outcomes of any such validation. In line with previous research using PRC [ 57 , 58 , e.g.], extensive data cleaning was therefore required to make this data usable for analysis. The time and resource this involved would not be feasible for most crime analysts and could compromise the timeliness of statistical and/or operational outputs. However, with some level of data harmonization and validation introduced ‘upstream’, the potential of AF data may be fully realised. Drawing on administrative data quality literature [ 15 , 16 , 59 ], key accuracy validation checks for AF data are proposed, which could be conducted at regular intervals, before AF data is sent to the NFIB, or shared with local forces and other researchers ( Table 7 ).

Data harmonisation (e.g., the consistent coding of NA values) and data validation checks i.e., checks to monitor the quality of the data collected, would contribute towards ensuring AF data quality is continuously improved. For greater efficiency, such checks might be carried out ‘upstream’ from the data being shared with NFIB and onwards with local forces and other researchers. While non-exhaustive, the Table 7 draws on previous research to suggest a set of validation checks which would be relevant in relation to AF data.

Thirdly, the coherence and comparability of AF data can be improved through user research, recording audits and a vision which seeks to align operational and statistical quality. Were the recording tool to be re-developed in the future, user research should be undertaken to test the extent to which victims understand the online reporting tool, before it is deployed. This includes the data collected about the crime itself (e.g., the process of selecting the best-fitting crime category), but also the victim impact assessment variables. To make the most of AF data, the aim should be to, as far as possible, approximate operational data quality to statistical quality. In this respect, designing robust questionnaires has a long tradition in the social sciences and therefore the assistance of social scientists may prove valuable. From a technical perspective, user testing and human-centred design would be beneficial in future system development. Following this approach, accessibility and user satisfaction testing may be designed-into the tool itself, with metadata collected to continuously evaluate and improve the reporting tool – something which the current ‘static’ system does not permit. At the same time, regular audits of crime records and recording ‘in action’ will provide analysts and officers with the confidence they need that the data collected is accurate and reliable.

Finally, developing a data catalogue would enable frontline officers and researchers within academia and beyond, to harness the full potential of this dataset and produce insights needed for crime prevention, investigation, and meeting victims’ needs. Crime analysts and researchers need to be aware of the data quality issues noted throughout this paper and any future changes to data collection and processing which may impact the relevance, accuracy and reliability, or the consistency and comparability of analytical outputs produced using AF data. As such, this paper recommends the development of a data catalogue setting out the variables contained in AF data, their data classes (e.g., numeric, discrete categories, date, etc.), the range of acceptable values and any additional notes relevant to their use in producing research and operational insights (e.g., eligibility and/or recording rules). A mechanism to update the catalogue when changes to data collection and processing occur is also key.

A continued conversation within the research community and with data providers is needed to enable researchers to access and utilise the wealth of data collected in relation to cybercrime and fraud by police authorities. The analysis and recommendations made in this paper will help researchers be better prepared to develop adequate research designs that utilise fraud and computer misuse crime records to its full potential and better understand what data is available when applying for access to this dataset. The strengths and weaknesses of AF data must be fully understood, to realise its potential to help tackle substantive research areas and to aid police crime analysts working with AF data, as well as policy makers’ working towards improving the response to F&CM. This analysis will also aid frontline officers and crime analysts to make the most of this dataset, harnessing it to produce key insights for crime prevention and meeting victims’ needs. Finally, the insights presented here will be valuable to policy makers and practitioners involved in the development and design of crime recording systems in today’s data-driven world.


Some of the work presented here resulted from a Ph.D. studentship funded by the Economic and Social Research Council, in collaboration with the Southern Wales Regional Organised Crime Unit (known as ‘Tarian’, the Welsh word for ‘shield’). I would like to express my immense gratitude for the fantastic feedback received on earlier versions of this paper from colleagues, research partners, stakeholders and the anonymous reviewers.


1 The methodology of the Crime Survey for England and Wales (CSEW) was changed to account for COVID restrictions, and therefore the results of the replacement Telephone Crime Survey for England and Wales (TCSEW) are not directly comparable to previous years. As such, these are best estimates of the percentage change in number of incidents experienced by victims, between May 2020 to March 2021 TCSEW and year ending March 2019 CSEW, calculated by the Office for National Statistics, using comparable sub-sets of data [ 1 ].

2 As the National Lead Force for Fraud, City of London Police operate Action Fraud (AF), the only nationally run crime recording system, as well as the National Fraud Intelligence Bureau (NFIB). While AF collects data for the whole of the UK, City of London lead strategy primarily in England, Wales, and Northern Ireland (NI). Where frauds and cybercrimes are experienced by victims or committed in Scotland, they are usually reported and investigated by Police Scotland, although multiple authorities can have concurrent jurisdiction [ 5 ]. Furthermore, AF is not the only source of data on fraud in England, Wales, and NI. Other sources of police recorded crime on fraud include reports from the industry bodies UK Finance and Cifas. In addition, fraud is recorded by other bodies including Trading Standards and the Food Standards Agency. Finally, AF primarily records reports from individuals e.g., 91% of AF records between 1 Jan 2020 and 31 Dec 2020 came from individuals, according to the City of London’s online dashboard. While no comparable analysis was possible for Study 1, this figure is consistent with the data collected for Study 2 [ 6 ].

3 While the City of London police has clarified that AF will not be replaced [ 14 ], the service is currently being re-commissioned and, based on the author’s discussions with stakeholders, there is an interest in ensuring that data quality issues are addressed.

4 The calculations by the author are based on the number of offences recorded by AF and referred to NFIB, as proportion of the total number of crimes estimated in the [T]CSEW.

5 That said, interpreting these results is somewhat complicated given that even if a victim is not aware of AF, they may nonetheless call a local police station, at which point they would be referred to AF as the national reporting centre or an officer will record a crime with AF on the victims’ behalf. As such, never having heard of AF per se, should not represent a barrier to reporting F&CM to the police.

6 For an incident to be crimed it must be a ‘notifiable offence’, listed in the Notifiable Offence List (NOL) contained in the HOCR. Notifiable offences include all offences that could possibly be tried by jury plus a few additional closely related summary offences dealt with by magistrates and are listed in the Notifiable Offence List (NOL) contained in the HOCR.

7 This table was put together based on the data inspected by the author and discussions with stakeholders.

8 That said, it is still possible for an individual to report a fraud with losses that are subsequently refunded. As such, double counting of recorded crime may happen to some extent between the various sources feeding into the fraud recorded by the police. On the other hand, it is unclear which other organisation would be expected to report widely spread computer viruses, or how AF operators might decide which viruses are indeed sufficiently global in scale.

9 All reports made by victims who reported three or more incidents were purposively selected for TA (58 victims, 208 incidents). This was done because Study 1 focused on repeat victimisation. At the same time, a random selection of 22 repeat victims who reported two incidents (44 incidents), totalling 252 incidents reported by 80 repeat victims were also selected for TA. An equal number of reports from one-time victims (n = 80) were also randomly selected for TA to ensure a balanced sample of repeat and one-time victims.

10 A comparison with official statistics of crimes recorded by AF and referred to the NFIB was possible for the year ending September 2016. For this year, there was an exact match between the counts within the sample used in Study 1 and the official counts, as published by ONS, for Dyfed/Powys (n=1,525), Gwent (n=1,632) and South Wales (n=3,803). For North Wales the ONS published figure was n = 1,903 while the sampled figure was n=1,841 (a different of 3.3%). As the North Wales data was acquired separately (because it falls outside the jurisdiction of the Southern Wales ROCU), this may be due to an error in the processing of the data before it reached the author. However, this was considered a small error within the overall sample. On the whole therefore, the data on the ground reflects official counts.

11 In the context of the studies mentioned here, the data was accessed through a partnership with Southern Wales Regional Organised Crime Unit (ROCU).

Ethics statement

Ethical approval for the studies was provided by the Research Ethics and Governance Committee at HRC School of Law, Swansea University (Ref Correia 03/11/2016).

  • Norton Support
  • LifeLock Support
  • Norton Sign In
  • LifeLock Sign In
  • 2021 Norton Cyber Safety Insights Report

With the effects of the COVID-19 pandemic in the past year, learn how consumers were impacted by cybercrime and identity theft in the 2021 Norton™ Cyber Safety Insights Report, a yearly report surveying over 10,000 adults in 10 countries.

In this year’s report, discover:

  • The number of consumers impacted by cybercrime and identity theft in the past year
  • How the pandemic has influenced consumers online habits and safety
  • What consumers were doing to proactively protect their digital lives

2021 Norton Cyber Safety Insights Report Cybercrime Incidence and Impact

Paige Hanson

Chief of Cyber Safety Education, NortonLifeLock

  • Press Release
  • Cybercrime Incidence and Impact
  • Identity Theft Incidence and Impact
  • Consumers Are Taking Steps to Hide Their Online Footprint
  • Consumers Feel More Vulnerable to Cybercrime
  • How We Define Cybercrime
  • Methodology

Media Contacts

Contact the NortonLifeLock Public Relations Team

Back to Top

© 2019–2023 NortonLifeLock Inc. All rights reserved. NortonLifeLock, the NortonLifeLock Logo, the Checkmark Logo, Norton, LifeLock, and the LockMan Logo are trademarks or registered trademarks of NortonLifeLock Inc. or its affiliates in the United States and other countries.

Other names may be trademarks of their respective owners.

World map

  • Reference Manager
  • Simple TEXT file

People also looked at

Review article, phishing attacks: a recent comprehensive study and a new anatomy.

  • Cardiff School of Technologies, Cardiff Metropolitan University, Cardiff, United Kingdom

With the significant growth of internet usage, people increasingly share their personal information online. As a result, an enormous amount of personal information and financial transactions become vulnerable to cybercriminals. Phishing is an example of a highly effective form of cybercrime that enables criminals to deceive users and steal important data. Since the first reported phishing attack in 1990, it has been evolved into a more sophisticated attack vector. At present, phishing is considered one of the most frequent examples of fraud activity on the Internet. Phishing attacks can lead to severe losses for their victims including sensitive information, identity theft, companies, and government secrets. This article aims to evaluate these attacks by identifying the current state of phishing and reviewing existing phishing techniques. Studies have classified phishing attacks according to fundamental phishing mechanisms and countermeasures discarding the importance of the end-to-end lifecycle of phishing. This article proposes a new detailed anatomy of phishing which involves attack phases, attacker’s types, vulnerabilities, threats, targets, attack mediums, and attacking techniques. Moreover, the proposed anatomy will help readers understand the process lifecycle of a phishing attack which in turn will increase the awareness of these phishing attacks and the techniques being used; also, it helps in developing a holistic anti-phishing system. Furthermore, some precautionary countermeasures are investigated, and new strategies are suggested.


The digital world is rapidly expanding and evolving, and likewise, as are cybercriminals who have relied on the illegal use of digital assets—especially personal information—for inflicting damage to individuals. One of the most threatening crimes of all internet users is that of ‘identity theft’ ( Ramanathan and Wechsler, 2012 ) which is defined as impersonating the person’s identity to steal and use their personal information (i.e., bank details, social security number, or credit card numbers, etc.) by an attacker for the individuals’ own gain not just for stealing money but also for committing other crimes ( Arachchilage and Love, 2014 ). Cyber criminals have also developed their methods for stealing their information, but social-engineering-based attacks remain their favorite approach. One of the social engineering crimes that allow the attacker to perform identity theft is called a phishing attack. Phishing has been one of the biggest concerns as many internet users fall victim to it. It is a social engineering attack wherein a phisher attempts to lure the users to obtain their sensitive information by illegally utilizing a public or trustworthy organization in an automated pattern so that the internet user trusts the message, and reveals the victim’s sensitive information to the attacker ( Jakobsson and Myers, 2006 ). In phishing attacks, phishers use social engineering techniques to redirect users to malicious websites after receiving an email and following an embedded link ( Gupta et al., 2015 ). Alternatively, attackers could exploit other mediums to execute their attacks such as Voice over IP (VoIP), Short Message Service (SMS) and, Instant Messaging (IM) ( Gupta et al., 2015 ). Phishers have also turned from sending mass-email messages, which target unspecified victims, into more selective phishing by sending their emails to specific victims, a technique called “spear-phishing.”

Cybercriminals usually exploit users with a lack of digital/cyber ethics or who are poorly trained in addition to technical vulnerabilities to reach their goals. Susceptibility to phishing varies between individuals according to their attributes and awareness level, therefore, in most attacks, phishers exploit human nature for hacking, instead of utilising sophisticated technologies. Even though the weakness in the information security chain is attributed to humans more than the technology, there is a lack of understanding about which ring in this chain is first penetrated. Studies found that certain personal characteristics make some persons more receptive to various lures ( Iuga et al., 2016 ; Ovelgönne et al., 2017 ; Crane, 2019 ). For example, individuals who usually obey authorities more than others are more likely to fall victim to a Business Email Compromise (BEC) that is pretending to be from a financial institution and requests immediate action by seeing it as a legitimate email ( Barracuda, 2020 ). Greediness is another human weakness that could be used by an attacker, for example, emails that offering either great discounts, free gift cards, and others ( Workman, 2008 ).

Various channels are used by the attacker to lure the victim through a scam or through an indirect manner to deliver a payload for gaining sensitive and personal information from the victim ( Ollmann, 2004 ). However, phishing attacks have already led to damaging losses and could affect the victim not only through a financial context but could also have other serious consequences such as loss of reputation, or compromise of national security ( Ollmann, 2004 ; Herley and Florêncio, 2008 ). Cybercrime damages have been expected to cost the world $6 trillion annually by 2021, up from $3 trillion in 2015 according to Cybersecurity Ventures ( Morgan, 2019 ). Phishing attacks are the most common type of cybersecurity breaches as stated by the official statistics from the cybersecurity breaches survey 2020 in the United Kingdom ( GOV.UK, 2020 ). Although these attacks affect organizations and individuals alike, the loss for the organizations is significant, which includes the cost for recovery, the loss of reputation, fines from information laws/regulations, and reduced productivity ( Medvet et al., 2008 ).

Phishing is a field of study that merges social psychology, technical systems, security subjects, and politics. Phishing attacks are more prevalent: a recent study ( Proofpoint, 2020 ) found that nearly 90% of organizations faced targeted phishing attacks in 2019. From which 88% experienced spear-phishing attacks, 83% faced voice phishing (Vishing), 86% dealt with social media attacks, 84% reported SMS/text phishing (SMishing), and 81% reported malicious USB drops. The 2018 Proofpoint 1 annual report ( Proofpoint, 2019a ) has stated that phishing attacks jumped from 76% in 2017 to 83% in 2018, where all phishing types happened more frequently than in 2017. The number of phishing attacks identified in the second quarter of 2019 was notably higher than the number recorded in the previous three quarters. While in the first quarter of 2020, this number was higher than it was in the previous one according to a report from Anti-Phishing Working Group (APWG 2 ) ( APWG, 2018 ) which confirms that phishing attacks are on the rise. These findings have shown that phishing attacks have increased continuously in recent years and have become more sophisticated and have gained more attention from cyber researchers and developers to detect and mitigate their impact. This article aims to determine the severity of the phishing problem by providing detailed insights into the phishing phenomenon in terms of phishing definitions, current statistics, anatomy, and potential countermeasures.

The rest of the article is organized as follows. Phishing Definitions provides a number of phishing definitions as well as some real-world examples of phishing. The evolution and development of phishing attacks are discussed in Developing a Phishing Campaign . What Attributes Make Some People More Susceptible to Phishing Attacks Than Others explores the susceptibility to these attacks. The proposed phishing anatomy and types of phishing attacks are elaborated in Proposed Phishing Anatomy . In Countermeasures , various anti-phishing countermeasures are discussed. The conclusions of this study are drawn in Conclusion .

Phishing Definitions

Various definitions for the term “phishing” have been proposed and discussed by experts, researchers, and cybersecurity institutions. Although there is no established definition for the term “phishing” due to its continuous evolution, this term has been defined in numerous ways based on its use and context. The process of tricking the recipient to take the attacker’s desired action is considered the de facto definition of phishing attacks in general. Some definitions name websites as the only possible medium to conduct attacks. The study ( Merwe et al., 2005 , p. 1) defines phishing as “a fraudulent activity that involves the creation of a replica of an existing web page to fool a user into submitting personal, financial, or password data.” The above definition describes phishing as an attempt to scam the user into revealing sensitive information such as bank details and credit card numbers, by sending malicious links to the user that leads to the fake web establishment. Others name emails as the only attack vector. For instance, PishTank (2006) defines phishing as “a fraudulent attempt, usually made through email, to steal your personal information.” A description for phishing stated by ( Kirda and Kruegel, 2005 , p.1) defines phishing as “a form of online identity theft that aims to steal sensitive information such as online banking passwords and credit card information from users.” Some definitions highlight the usage of combined social and technical skills. For instance, APWG defines phishing as “a criminal mechanism employing both social engineering and technical subterfuge to steal consumers’ personal identity data and financial account credentials” ( APWG, 2018 , p. 1). Moreover, the definition from the United States Computer Emergency Readiness Team (US-CERT) states phishing as “a form of social engineering that uses email or malicious websites (among other channels) to solicit personal information from an individual or company by posing as a trustworthy organization or entity” ( CISA, 2018 ). A detailed definition has been presented in ( Jakobsson and Myers, 2006 , p. 1), which describes phishing as “a form of social engineering in which an attacker, also known as a phisher, attempts to fraudulently retrieve legitimate users’ confidential or sensitive credentials by mimicking electronic communications from a trustworthy or public organization in an automated fashion. Such communications are most frequently done through emails that direct users to fraudulent websites that in turn collect the credentials in question.”

In order to understand the anatomy of the phishing attack, there is a necessity for a clear and detailed definition that underpins previous existent definitions. Since a phishing attack constitutes a mix of technical and social engineering tactics, a new definition (i.e., Anatomy) has been proposed in this article, which describes the complete process of a phishing attack. This provides a better understanding for the readers as it covers phishing attacks in depth from a range of perspectives. Various angles and this might help beginner readers or researchers in this field. To this end, we define phishing as a socio-technical attack, in which the attacker targets specific valuables by exploiting an existing vulnerability to pass a specific threat via a selected medium into the victim’s system, utilizing social engineering tricks or some other techniques to convince the victim into taking a specific action that causes various types of damages.

Figure 1 depicts the general process flow for a phishing attack that contains four phases; these phases are elaborated in Proposed Phishing Anatomy . However, as shown in Figure 1 , in most attacks, the phishing process is initiated by gathering information about the target. Then the phisher decides which attack method is to be used in the attack as initial steps within the planning phase. The second phase is the preparation phase, in which the phisher starts to search for vulnerabilities through which he could trap the victim. The phisher conducts his attack in the third phase and waits for a response from the victim. In turn, the attacker could collect the spoils in the valuables acquisition phase, which is the last step in the phishing process. To elaborate the above phishing process using an example, an attacker may send a fraudulent email to an internet user pretending to be from the victim’s bank, requesting the user to confirm the bank account details, or else the account may be suspended. The user may think this email is legitimate since it uses the same graphic elements, trademarks, and colors of their legitimate bank. Submitted information will then be directly transmitted to the phisher who will use it for different malicious purposes such as money withdrawal, blackmailing, or committing further frauds.

FIGURE 1 . General phishing attack process.

Real-World Phishing Examples

Some real-world examples of phishing attacks are discussed in this section to present the complexity of some recent phishing attacks. Figure 2 shows the screenshot of a suspicious phishing email that passed a University’s spam filters and reached the recipient mailbox. As shown in Figure 2 , the phisher uses the sense of importance or urgency in the subject through the word ‘important,’ so that the email can trigger a psychological reaction in the user to prompt them into clicking the button “View message.” The email contains a suspicious embedded button, indeed, when hovering over this embedded button, it does not match with Uniform Resource Locator (URL) in the status bar. Another clue in this example is that the sender's address is questionable and not known to the receiver. Clicking on the fake attachment button will result in either installation of a virus or worm onto the computer or handing over the user’s credentials by redirecting the victim onto a fake login page.

FIGURE 2 . Screenshot of a real suspicious phishing email received by the authors’ institution in February 2019.

More recently, phishers take advantage of the Coronavirus pandemic (COVID-19) to fool their prey. Many Coronavirus-themed scam messages sent by attackers exploited people’s fear of contracting COVID-19 and urgency to look for information related to Coronavirus (e.g., some of these attacks are related to Personal Protective Equipment (PPE) such as facemasks), the WHO stated that COVID-19 has created an Infodemic which is favorable for phishers ( Hewage, 2020 ). Cybercriminals also lured people to open attachments claiming that it contains information about people with Coronavirus within the local area.

Figure 3 shows an example of a phishing e-mail where the attacker claimed to be the recipient’s neighbor sending a message in which they pretended to be dying from the virus and threatening to infect the victim unless a ransom was paid ( Ksepersky, 2020 ).

FIGURE 3 . Screenshot of a coronavirus related phishing email ( Ksepersky, 2020 ).

Another example is the phishing attack spotted by a security researcher at Akamai organization in January 2019. The attack attempted to use Google Translate to mask suspicious URLs, prefacing them with the legit-looking “ ” address to dupe users into logging in ( Rhett, 2019 ). That attack followed with Phishing scams asking for Netflix payment detail for example, or embedded in promoted tweets that redirect users to genuine-looking PayPal login pages. Although the tricky/bogus page was very well designed in the latter case, the lack of a Hypertext Transfer Protocol Secure (HTTPS) lock and misspellings in the URL were key red flags (or giveaways) that this was actually a phishing attempt ( Keck, 2018 ). Figure 4A shows a screenshot of a phishing email received by the Federal Trade Commission (FTC). The email promotes the user to update his payment method by clicking on a link, pretending that Netflix is having a problem with the user's billing information ( FTC, 2018 ).

FIGURE 4 . Screenshot of the (A) Netflix scam email and (B) fraudulent text message (Apple) ( Keck, 2018 ; Rhett, 2019 )

Figure 4B shows a text message as another example of phishing that is difficult to spot as a fake text message ( Pompon et al., 2018 ). The text message shown appears to come from Apple asking the customer to update the victim’s account. A sense of urgency is used in the message as a lure to motivate the user to respond.

Developing a Phishing Campaign

Today, phishing is considered one of the most pressing cybersecurity threats for all internet users, regardless of their technical understanding and how cautious they are. These attacks are getting more sophisticated by the day and can cause severe losses to the victims. Although the attacker’s first motivation is stealing money, stolen sensitive data can be used for other malicious purposes such as infiltrating sensitive infrastructures for espionage purposes. Therefore, phishers keep on developing their techniques over time with the development of electronic media. The following sub-sections discuss phishing evolution and the latest statistics.

Historical Overview

Cybersecurity has been a major concern since the beginning of APRANET, which is considered to be the first wide-area packet-switching network with distributed control and one of the first networks to implement the TCP/IP protocol suite. The term “Phishing” which was also called carding or brand spoofing, was coined for the first time in 1996 when the hackers created randomized credit card numbers using an algorithm to steal users' passwords from America Online (AOL) ( Whitman and Mattord, 2012 ; Cui et al., 2017 ). Then phishers used instant messages or emails to reach users by posing as AOL employees to convince users to reveal their passwords. Attackers believed that requesting customers to update their account would be an effective way to disclose their sensitive information, thereafter, phishers started to target larger financial companies. The author in ( Ollmann, 2004 ) believes that the “ph” in phishing comes from the terminology “Phreaks” which was coined by John Draper, who was also known as Captain Crunch, and was used by early Internet criminals when they phreak telephone systems. Where the “f” in ‘fishing’ replaced with “ph” in “Phishing” as they both have the same meaning by phishing the passwords and sensitive information from the sea of internet users. Over time, phishers developed various and more advanced types of scams for launching their attack. Sometimes, the purpose of the attack is not limited to stealing sensitive information, but it could involve injecting viruses or downloading the malicious program into a victim's computer. Phishers make use of a trusted source (for instance a bank helpdesk) to deceive victims so that they disclose their sensitive information ( Ollmann, 2004 ).

Phishing attacks are rapidly evolving, and spoofing methods are continuously changing as a response to new corresponding countermeasures. Hackers take advantage of new tool-kits and technologies to exploit systems’ vulnerabilities and also use social engineering techniques to fool unsuspecting users. Therefore, phishing attacks continue to be one of the most successful cybercrime attacks.

The Latest Statistics of Phishing Attacks

Phishing attacks are becoming more common and they are significantly increasing in both sophistication and frequency. Lately, phishing attacks have appeared in various forms. Different channels and threats are exploited and used by the attackers to trap more victims. These channels could be social networks or VoIP, which could carry various types of threats such as malicious attachments, embedded links within an email, instant messages, scam calls, or other types. Criminals know that social engineering-based methods are effective and profitable; therefore, they keep focusing on social engineering attacks, as it is their favorite weapon, instead of concentrating on sophisticated techniques and toolkits. Phishing attacks have reached unprecedented levels especially with emerging technologies such as mobile and social media ( Marforio et al., 2015 ). For instance, from 2017 to 2020, phishing attacks have increased from 72 to 86% among businesses in the United Kingdom in which a large proportion of the attacks are originated from social media ( GOV.UK, 2020 ).

The APWG Phishing Activity Trends Report analyzes and measures the evolution, proliferation, and propagation of phishing attacks reported to the APWG. Figure 5 shows the growth in phishing attacks from 2015 to 2020 by quarters based on APWG annual reports ( APWG, 2020 ). As demonstrated in Figure 5 , in the third quarter of 2019, the number of phishing attacks rose to 266,387, which is the highest level in three years since late 2016. This was up 46% from the 182,465 for the second quarter, and almost double the 138,328 seen in the fourth quarter of 2018. The number of unique phishing e-mails reported to APWG in the same quarter was 118,260. Furthermore, it was found that the number of brands targeted by phishing campaigns was 1,283.

FIGURE 5 . The growth in phishing attacks 2015–2020 by quarters based on data collected from APWG annual reports.

Cybercriminals are always taking advantage of disasters and hot events for their own gains. With the beginning of the COVID-19 crisis, a variety of themed phishing and malware attacks have been launched by phishers against workers, healthcare facilities, and even the general public. A report from Microsoft ( Microsoft, 2020 ) showed that cyber-attacks related to COVID-19 had spiked to an unprecedented level in March, most of these scams are fake COVID-19 websites according to security company RiskIQ ( RISKIQ, 2020 ). However, the total number of phishing attacks observed by APWG in the first quarter of 2020 was 165,772, up from the 162,155 observed in the fourth quarter of 2019. The number of these unique phishing reports submitted to APWG during the first quarter of 2020 was 139,685, up from 132,553 in the fourth quarter of 2019, 122,359 in the third quarter of 2019, and 112,163 in the second quarter of 2019 ( APWG, 2020 ).

A study ( KeepnetLABS, 2018 ) confirmed that more than 91% of system breaches are caused by attacks initiated by email. Although cybercriminals use email as the main medium for leveraging their attacks, many organizations faced a high volume of different social engineering attacks in 2019 such as Social Media Attacks, Smishing Attacks, Vishing Attacks, USB-based Attacks (for example by hiding and delivering malware to smartphones via USB phone chargers and distributing malware-laden free USBs) ( Proofpoint, 2020 ). However, info-security professionals reported a higher frequency of all types of social engineering attacks year-on-year according to a report presented by Proofpoint. Spear phishing increased to 64% in 2018 from 53% in 2017, Vishing and/or SMishing increased to 49% from 45%, and USB attacks increased to 4% from 3%. The positive side shown in this study is that 59% of suspicious emails reported by end-users were classified as potential phishing, indicating that employees are being more security-aware, diligent, and thoughtful about the emails they receive ( Proofpoint, 2019a ). In all its forms, phishing can be one of the easiest cyber attacks to fall for. With the increasing levels of different phishing types, a survey was conducted by Proofpoint to identify the strengths and weaknesses of particular regions in terms of specific fundamental cybersecurity concepts. In this study, several questions were asked of 7,000 end-users about the identification of multiple terms like phishing, ransomware, SMishing, and Vishing across seven countries; the US, United Kingdom, France, Germany, Italy, Australia, and Japan. The response was different from country to country, where respondents from the United Kingdom recorded the highest knowledge with the term phishing at 70% and the same with the term ransomware at 60%. In contrast, the results showed that the United Kingdom recorded only 18% for each Vishing and SMishing ( Proofpoint, 2019a ), as shown in Table 1 .

TABLE 1 . Percentage of respondents understanding multiple cybersecurity terms from different countries.

On the other hand, a report by Wombat security reflects responses from more than 6,000 working adults about receiving fraudulent solicitation across six countries; the US, United Kingdom, Germany, France, Italy, and Australia ( Ksepersky, 2020 ). Respondents from the United Kingdom stated that they were recipients of fraudulent solicitations through the following sources: email 62%, phone call 27%, text message 16%, mailed letter 8%, social media 10%, and 17% confirmed that they been the victim of identity theft ( Ksepersky, 2020 ). However, the consequences of responding to phishing are serious and costly. For instance, the United Kingdom losses from financial fraud across payment cards, remote banking, and cheques totaled £768.8 million in 2016 ( Financial Fraud Action UK, 2017 ). Indeed, the losses resulting from phishing attacks are not limited to financial losses that might exceed millions of pounds, but also loss of customers and reputation. According to the 2020 state of phish report ( Proofpoint, 2020 ), damages from successful phishing attacks can range from lost productivity to cash outlay. The cost can include; lost hours from employees, remediation time for info security teams’ costs due to incident response, damage to reputation, lost intellectual property, direct monetary losses, compliance fines, lost customers, legal fees, etc.

There are many targets for phishing including end-user, business, financial services (i.e., banks, credit card companies, and PayPal), retail (i.e., eBay, Amazon) and, Internet Service Providers (, 2018 ). Affected organizations detected by Kaspersky Labs globally in the first quarter of 2020 are demonstrated in Figure 6 . As shown in the figure, online stores were at the top of the targeted list (18.12%) followed by global Internet portals (16.44%) and social networks in third place (13.07%) ( Ksepersky, 2020 ). While the most impersonated brands overall for the first quarter of 2020 were Apple, Netflix, Yahoo, WhatsApp, PayPal, Chase, Facebook, Microsoft eBay, and Amazon ( Checkpoint, 2020 ).

FIGURE 6 . Distribution of organizations affected by phishing attacks detected by Kaspersky in quarter one of 2020.

Phishing attacks can take a variety of forms to target people and steal sensitive information from them. Current data shows that phishing attacks are still effective, which indicates that the available existing countermeasures are not enough to detect and prevent these attacks especially on smart devices. The social engineering element of the phishing attack has been effective in bypassing the existing defenses to date. Therefore, it is essential to understand what makes people fall victim to phishing attacks. What Attributes Make Some People More Susceptible to Phishing Attacks Than Others discusses the human attributes that are exploited by the phishers.

What Attributes Make Some People More Susceptible to Phishing Attacks Than Others

Why do most existing defenses against phishing not work? What personal and contextual attributes make them more susceptible to phishing attacks than other users? Different studies have discussed those two questions and examined the factors affecting susceptibility to a phishing attack and the reasons behind why people get phished. Human nature is considered one of the most affecting factors in the process of phishing. Everyone is susceptible to phishing attacks because phishers play on an individual’s specific psychological/emotional triggers as well as technical vulnerabilities ( KeepnetLABS, 2018 ; Crane, 2019 ). For instance, individuals are likely to click on a link within an email when they see authority cues ( Furnell, 2007 ). In 2017, a report by PhishMe (2017) found that curiosity and urgency were the most common triggers that encourage people to respond to the attack, later these triggers were replaced by entertainment, social media, and reward/recognition as the top emotional motivators. However, in the context of a phishing attack, the psychological triggers often surpass people’s conscious decisions. For instance, when people are working under stress, they tend to make decisions without thinking of the possible consequences and options ( Lininger and Vines, 2005 ). Moreover, everyday stress can damage areas of the brain that weakens the control of their emotions ( Keinan, 1987 ). Several studies have addressed the association between susceptibility to phishing and demographic variables (e.g., age and gender) as an attempt to identify the reasons behind phishing success at different population groups. Although everyone is susceptible to phishing, studies showed that different age groups are more susceptible to certain lures than others are. For example, participants with an age range between 18 and 25 are more susceptible to phishing than other age groups ( Williams et al., 2018 ). The reason that younger adults are more likely to fall for phishing, is that younger adults are more trusting when it comes to online communication, and are also more likely to click on unsolicited e-mails ( Getsafeonline, 2017 ). Moreover, older participants are less susceptible because they tend to be less impulsive ( Arnsten et al., 2012 ). While some studies confirmed that women are more susceptible than men to phishing as they click on links in phishing emails and enter information into phishing websites more often than men do. The study published by Getsafeonline (2017) identifies a lack of technical know-how and experience among women than men as the main reason for this. In contrast, a survey conducted by antivirus company Avast found that men are more susceptible to smartphone malware attacks than women ( Ong, 2014 ). These findings confirmed the results from the study ( Hadlington, 2017 ) that found men are more susceptible to mobile phishing attacks than women. The main reason behind this according to Hadlington (2017) is that men are more comfortable and trusting when using mobile online services. The relationships between demographic characteristics of individualls and their ability to correctly detect a phishing attack have been studied in ( Iuga et al., 2016 ). The study showed that participants with high Personal Computer (PC) usage tend to identify phishing efforts more accurately and faster than other participants. Another study ( Hadlington, 2017 ) showed that internet addiction, attentional, and motor impulsivity were significant positive predictors for risky cybersecurity behaviors while a positive attitude toward cybersecurity in business was negatively related to risky cybersecurity behaviors. On the other hand, the trustworthiness of people in some web sites/platforms is one of the holes that the scammers or crackers exploit especially when it based on visual appearance that could fool the user ( Hadlington, 2017 ). For example, fraudsters take advantage of people’s trust in a website by replacing a letter from the legitimate site with a number such as instead of . Another study ( Yeboah-Boateng and Amanor, 2014 ) demonstrates that although college students are unlikely to disclose personal information as a response to an email, nonetheless they could easily be tricked by other tactics, making them alarmingly susceptible to email phishing attacks. The reason for that is most college students do not have a basis in ICT especially in terms of security. Although security terms like viruses, online scams and worms are known by some end-users, these users could have no knowledge about Phishing, SMishing, and Vishing and others ( Lin et al., 2012 ). However, study ( Yeboah-Boateng and Amanor, 2014 ) shows that younger students are more susceptible than older students, and students who worked full-time were less likely to fall for phishing.

The study reported in ( Diaz et al., 2020 ) examines user click rates and demographics among undergraduates by sending phishing attacks to 1,350 randomly selected students. Students from various disciplines were involved in the test, from engineering and mathematics to arts and social sciences. The study observed that student susceptibility was affected by a range of factors such as phishing awareness, time spent on the computer, cyber training, age, academic year, and college affiliation. The most surprising finding is that those who have greater phishing knowledge are more susceptible to phishing scams. The authors consider two speculations for these unexpected findings. First, user’s awareness about phishing might have been increased with the continuous falling for phishing scams. Second, users who fell for the phish might have less knowledge about phishing than they claim. Other findings from this study agreed with findings from other studies that is, older students were more able to detect a phishing email, and engineering and IT majors had some of the lowest click rates as shown in Figure 7 , which shows that some academic disciplines are more susceptible to phishing than others ( Bailey et al., 2008 ).

FIGURE 7 . The number of clicks on phishing emails by students in the College of Arts, Humanities, and Social Sciences (AHSS), the College of Engineering and Information Technology (EIT), and the College of Natural and Mathematical Sciences (NMS) at the University of Maryland, Baltimore County (UMBC) ( Diaz et al., 2020 ).

Psychological studies have also illustrated that the user’s ability to avoid phishing attacks affected by different factors such as browser security indicators and user's awareness of phishing. The author in ( Dhamija et al., 2006 ) conducted an experimental study using 22 participants to test the user’s ability to recognize phishing websites. The study shows that 90% of these participants became victims of phishing websites and 23% of them ignored security indexes such as the status and address bar. In 2015, another study was conducted for the same purpose, where a number of fake web pages was shown to the participants ( Alsharnouby et al., 2015 ). The results of this study showed that participants detected only 53% of phishing websites successfully. The authors also observed that the time spent on looking at browser elements affected the ability to detect phishing. Lack of knowledge or awareness and carelessness are common causes for making people fall for a phishing trap. Most people have unknowingly opened a suspicious attachment or clicked a fake link that could lead to different levels of compromise. Therefore, focusing on training and preparing users for dealing with such attacks are essential elements to minimize the impact of phishing attacks.

Given the above discussion, susceptibility to phishing varies according to different factors such as age, gender, education level, internet, and PC addiction, etc. Although for each person, there is a trigger that can be exploited by phishers, even people with high experience may fall prey to phishing due to the attack sophistication that makes it difficult to be recognized. Therefore, it is inequitable that the user has always been blamed for falling for these attacks, developers must improve the anti-phishing systems in a way that makes the attack invisible. Understanding the susceptibility of individuals to phishing attacks will help in better developing prevention and detection techniques and solutions.

Proposed Phishing Anatomy

Phishing process overview.

Generally, most of the phishing attacks start with an email ( Jagatic et al., 2007 ). The phishing mail could be sent randomly to potential users or it can be targeted to a specific group or individuals. Many other vectors can also be used to initiate the attack such as phone calls, instant messaging, or physical letters. However, phishing process steps have been discussed by many researchers due to the importance of understanding these steps in developing an anti-phishing solution. The author in the study ( Rouse, 2013 ) divides the phishing attack process into five phases which are planning, setup, attack, collection, and cash. A study ( Jakobsson and Myers, 2006 ) discusses the phishing process in detail and explained it as step-by-step phases. These phases include preparation for the attack, sending a malicious program using the selected vector, obtaining the user’s reaction to the attack, tricking a user to disclose their confidential information which will be transmitted to the phisher, and finally obtaining the targeted money. While the study ( Abad, 2005 ) describes a phishing attack in three phases: the early phase which includes initializing attack, creating the phishing email, and sending a phishing email to the victim. The second phase includes receiving an email by the victim and disclosing their information (in the case of the respondent) and the final phase in which the defrauding is successful. However, all phishing scams include three primary phases, the phisher requests sensitive valuables from the target, and the target gives away these valuables to a phisher, and phisher misuses these valuables for malicious purposes. These phases can be classified furthermore into its sub-processes according to phishing trends. Thus, a new anatomy for phishing attacks has been proposed in this article, which expands and integrates previous definitions to cover the full life cycle of a phishing attack. The proposed new anatomy, which consists of 4 phases, is shown in Figure 8 . This new anatomy provides a reference structure to look at phishing attacks in more detail and also to understand potential countermeasures to prevent them. The explanations for each phase and its components are presented as follows:

FIGURE 8 . The proposed anatomy of phishing was built upon the proposed phishing definition in this article, which concluded from our understanding of a phishing attack.

Figure 8 depicts the proposed anatomy of the phishing attack process, phases, and components drawn upon the proposed definition in this article. The proposed phishing anatomy explains in detail each phase of phishing phases including attackers and target types, examples about the information that could be collected by the attacker about the victim, and examples about attack methods. The anatomy, as shown in the figure, illustrates a set of vulnerabilities that the attacker can exploit and the mediums used to conduct the attack. Possible threats are also listed, as well as the data collection method for a further explanation and some examples about target responding types and types of spoils that the attacker could gain and how they can use the stolen valuables. This anatomy elaborates on phishing attacks in depth which helps people to better understand the complete phishing process (i.e., end to end Phishing life cycle) and boost awareness among readers. It also provides insights into potential solutions for phishing attacks we should focus on. Instead of always placing the user or human in an accusation ring as the only reason behind phishing success, developers must be focusing on solutions to mitigate the initiation of the attack by preventing the bait from reaching the user. For instance, to reach the target’s system, the threat has to pass through many layers of technology or defenses exploiting one or more vulnerabilities such as web and software vulnerabilities.

Planning Phase

This is the first stage of the attack, where a phisher makes a decision about the targets and starts gathering information about them (individuals or company). Phishers gather information about the victims to lure them based on psychological vulnerability. This information can be anything like name, e-mail addresses for individuals, or the customers of that company. Victims could also be selected randomly, by sending mass mailings or targeted by harvesting their information from social media, or any other source. Targets for phishing could be any user with a bank account and has a computer on the Internet. Phishers target businesses such as financial services, retail sectors such as eBay and Amazon, and internet service providers such as MSN/Hotmail, and Yahoo ( Ollmann, 2004 ; Ramzan and Wuest, 2007 ). This phase also includes devising attack methods such as building fake websites (sometimes phishers get a scam page that is already designed or used, designing malware, constructing phishing emails. The attacker can be categorized based on the attack motivation. There are four types of attackers as mentioned in studies ( Vishwanath, 2005 ; Okin, 2009 ; EDUCBA, 2017 ; APWG, 2020 ):

▪ Script kiddies: the term script kiddies represents an attacker with no technical background or knowledge about writing sophisticated programs or developing phishing tools but instead they use scripts developed by others in their phishing attack. Although the term comes from children that use available phishing kits to crack game codes by spreading malware using virus toolkits, it does not relate precisely to the actual age of the phisher. Script kiddies can get access to website administration privileges and commit a “Web cracking” attack. Moreover, they can use hacking tools to compromise remote computers so-called “botnet,” the single compromised computer called a “zombie computer.” These attackers are not limited to just sit back and enjoy phishing, they could cause serious damage such as stealing information or uploading Trojans or viruses. In February 2000, an attack launched by Canadian teen Mike Calce resulted in $1.7 million US Dollars (USD) damages from Distributed Denial of Service (DDoS) attacks on CNN, eBay, Dell, Yahoo, and Amazon ( Leyden, 2001 ).

▪ Serious Crackers: also known as Black Hats. These attackers can execute sophisticated attacks and develop worms and Trojans for their attack. They hijack people's accounts maliciously and steal credit card information, destroy important files, or sell compromised credentials for personal gains.

▪ Organized crime: this is the most organized and effective type of attacker and they can incur significant damage to victims. These people hire serious crackers for conducting phishing attacks. Moreover, they can thoroughly trash the victim's identity, and committing devastated frauds as they have the skills, tools, and manpower. An organized cybercrime group is a team of expert hackers who share their skills to build complex attacks and to launch phishing campaigns against individuals and organizations. These groups offer their work as ‘crime as a service’ and they can be hired by terrorist groups, organizations, or individuals.

▪ Terrorists: due to our dependency on the internet for most activities, terrorist groups can easily conduct acts of terror remotely which could have an adverse impact. These types of attacks are dangerous since they are not in fear of any aftermath, for instance going to jail. Terrorists could use the internet to the maximum effect to create fear and violence as it requires limited funds, resources, and efforts compared to, for example, buying bombs and weapons in a traditional attack. Often, terrorists use spear phishing to launch their attacks for different purposes such as inflicting damage, cyber espionage, gathering information, locating individuals, and other vandalism purposes. Cyber espionage has been used extensively by cyber terrorists to steal sensitive information on national security, commercial information, and trade secrets which can be used for terrorist activities. These types of crimes may target governments or organizations, or individuals.

Attack Preparation

After making a decision about the targets and gathering information about them, phishers start to set up the attack by scanning for the vulnerabilities to exploit. The following are some examples of vulnerabilities exploited by phishers. For example, the attacker might exploit buffer overflow vulnerability to take control of target applications, create a DoS attack, or compromise computers. Moreover, “zero-day” software vulnerabilities, which refer to newly discovered vulnerabilities in software programs or operating systems could be exploited directly before it is fixed ( Kayne, 2019 ). Another example is browser vulnerabilities, adding new features and updates to the browser might introduce new vulnerabilities to the browser software ( Ollmann, 2004 ). In 2005, attackers exploited a cross-domain vulnerability in Internet Explorer (IE) ( Symantic, 2019 ). The cross-domain used to separate content from different sources in Microsoft IE. Attackers exploited a flaw in the cross-domain that enables them to execute programs on a user's computer after running IE. According to US-CERT, hackers are actively exploiting this vulnerability. To carry out a phishing attack, attackers need a medium so that they can reach their target. Therefore, apart from planning the attack to exploit potential vulnerabilities, attackers choose the medium that will be used to deliver the threat to the victim and carry out the attack. These mediums could be the internet (social network, websites, emails, cloud computing, e-banking, mobile systems) or VoIP (phone call), or text messages. For example, one of the actively used mediums is Cloud Computing (CC). The CC has become one of the more promising technologies and has popularly replaced conventional computing technologies. Despite the considerable advantages produced by CC, the adoption of CC faces several controversial obstacles including privacy and security issues ( CVEdetails, 2005 ). Due to the fact that different customers could share the same recourses in the cloud, virtualization vulnerabilities may be exploited by a possible malicious customer to perform security attacks on other customers’ applications and data ( Zissis and Lekkas, 2012 ). For example, in September 2014, secret photos of some celebrities suddenly moved through the internet in one of the more terrible data breaches. The investigation revealed that the iCloud accounts of the celebrities were breached ( Lehman and Vajpayee, 2011 ). According to Proofpoint, in 2017, attackers used Microsoft SharePoint to infect hundreds of campaigns with malware through messages.

Attack Conducting Phase

This phase involves using attack techniques to deliver the threat to the victim as well as the victim’s interaction with the attack in terms of responding or not. After the victim's response, the system may be compromised by the attacker to collect user's information using techniques such as injecting client-side script into webpages ( Johnson, 2016 ). Phishers can compromise hosts without any technical knowledge by purchasing access from hackers ( Abad, 2005 ). A threat is a possible danger that that might exploit a vulnerability to compromise people’s security and privacy or cause possible harm to a computer system for malicious purposes. Threats could be malware, botnet, eavesdropping, unsolicited emails, and viral links. Several Phishing techniques are discussed in sub- Types and Techniques of Phishing Attacks .

Valuables Acquisition Phase

In this stage, the phisher collects information or valuables from victims and uses it illegally for purchasing, funding money without the user’s knowledge, or selling these credentials in the black market. Attackers target a wide range of valuables from their victims that range from money to people’s lives. For example, attacks on online medical systems may lead to loss of life. Victim’s data can be collected by phishers manually or through automated techniques ( Jakobsson et al., 2007 ).

The data collection can be conducted either during or after the victim’s interaction with the attacker. However, to collect data manually simple techniques are used wherein victims interact directly with the phisher depending on relationships within social networks or other human deception techniques ( Ollmann, 2004 ). Whereas in automated data collection, several techniques can be used such as fake web forms that are used in web spoofing ( Dhamija et al., 2006 ). Additionally, the victim’s public data such as the user’s profile in social networks can be used to collect the victim’s background information that is required to initialize social engineering attacks ( Wenyin et al., 2005 ). In VoIP attacks or phone attack techniques such as recorded messages are used to harvest user's data ( Huber et al., 2009 ).

Types and Techniques of Phishing Attacks

Phishers conduct their attack either by using psychological manipulation of individuals into disclosing personal information (i.e., deceptive attack as a form of social engineering) or using technical methods. Phishers, however, usually prefer deceptive attacks by exploiting human psychology rather than technical methods. Figure 9 illustrates the types of phishing and techniques used by phishers to conduct a phishing attack. Each type and technique is explained in subsequent sections and subsections.

FIGURE 9 . Phishing attack types and techniques drawing upon existing phishing attacks.

Deceptive Phishing

Deceptive phishing is the most common type of phishing attack in which the attacker uses social engineering techniques to deceive victims. In this type of phishing, a phisher uses either social engineering tricks by making up scenarios (i.e., false account update, security upgrade), or technical methods (i.e., using legitimate trademarks, images, and logos) to lure the victim and convince them of the legitimacy of the forged email ( Jakobsson and Myers, 2006 ). By believing these scenarios, the user will fall prey and follow the given link, which leads to disclose his personal information to the phisher.

Deceptive phishing is performed through phishing emails; fake websites; phone phishing (Scam Call and IM); social media; and via many other mediums. The most common social phishing types are discussed below;

Phishing e-Mail

The most common threat derived by an attacker is deceiving people via email communications and this remains the most popular phishing type to date. A Phishing email or Spoofed email is a forged email sent from an untrusted source to thousands of victims randomly. These fake emails are claiming to be from a person or financial institution that the recipient trusts in order to convince recipients to take actions that lead them to disclose their sensitive information. A more organized phishing email that targets a particular group or individuals within the same organization is called spear phishing. In the above type, the attacker may gather information related to the victim such as name and address so that it appears to be credible emails from a trusted source ( Wang et al., 2008 ), and this is linked to the planning phase of the phishing anatomy proposed in this article. A more sophisticated form of spear phishing is called whaling, which targets high-rank people such as CEOs and CFOs. Some examples of spear-phishing attack victims in early 2016 are the phishing email that hacked the Clinton campaign chairman John Podesta’s Gmail account ( Parmar, 2012 ). Clone phishing is another type of email phishing, where the attacker clones a legitimate and previously delivered email by spoofing the email address and using information related to the recipient such as addresses from the legitimate email with replaced links or malicious attachments ( Krawchenko, 2016 ). The basic scenario for this attack is illustrated previously in Figure 4 and can be described in the following steps.

1. The phisher sets up a fraudulent email containing a link or an attachment (planning phase).

2. The phisher executes the attack by sending a phishing email to the potential victim using an appropriate medium (attack conducting phase).

3. The link (if clicked) directs the user to a fraudulent website, or to download malware in case of clicking the attachment (interaction phase).

4. The malicious website prompts users to provide confidential information or credentials, which are then collected by the attacker and used for fraudulent activities. (Valuables acquisition phase).

Often, the phisher does not use the credentials directly; instead, they resell the obtained credentials or information on a secondary market ( Jakobsson and Myers, 2006 ), for instance, script kiddies might sell the credentials on the dark web.

Spoofed Website

This is also called phishing websites, in which phishers forge a website that appears to be genuine and looks similar to the legitimate website. An unsuspicious user is redirected to this website after clicking a link embedded within an email or through an advertisement (clickjacking) or any other way. If the user continues to interact with the spoofed website, sensitive information will be disclosed and harvested by the phisher ( CSIOnsite, 2012 ).

Phone Phishing (Vishing and SMishing)

This type of phishing is conducted through phone calls or text messages, in which the attacker pretends to be someone the victim knows or any other trusted source the victim deals with. A user may receive a convincing security alert message from a bank convincing the victim to contact a given phone number with the aim to get the victim to share passwords or PIN numbers or any other Personally Identifiable Information (PII). The victim may be duped into clicking on an embedded link in the text message. The phisher then could take the credentials entered by the victim and use them to log in to the victims' instant messaging service to phish other people from the victim’s contact list. A phisher could also make use of Caller IDentification (CID) 3 spoofing to dupe the victim that the call is from a trusted source or by leveraging from an internet protocol private branch exchange (IP PBX) 4 tools which are open-source and software-based that support VoIP ( Aburrous et al., 2008 ). A new report from Fraud Watch International about phishing attack trends for 2019 anticipated an increase in SMishing where the text messages content is only viewable on a mobile device ( FraudWatchInternational, 2019 ).

Social Media Attack (Soshing, Social Media Phishing)

Social media is the new favorite medium for cybercriminals to conduct their phishing attacks. The threats of social media can be account hijacking, impersonation attacks, scams, and malware distributing. However, detecting and mitigating these threats requires a longer time than detecting traditional methods as social media exists outside of the network perimeter. For example, the nation-state threat actors conducted an extensive series of social media attacks on Microsoft in 2014. Multiple Twitter accounts were affected by these attacks and passwords and emails for dozens of Microsoft employees were revealed ( Ramzan, 2010 ). According to Kaspersky Lab’s, the number of phishing attempts to visit fraudulent social network pages in the first quarter of 2018 was more than 3.7 million attempts, of which 60% were fake Facebook pages ( Raggo, 2016 ).

The new report from predictive email defense company Vade Secure about phishers’ favorites for quarter 1 and quarter 2 of 2019, stated that Soshing primarily on Facebook and Instagram saw a 74.7% increase that is the highest quarter-over- quarter growth of any industry ( VadeSecure, 2021 ).

Technical Subterfuge

Technical subterfuge is the act of tricking individuals into disclosing their sensitive information through technical subterfuge by downloading malicious code into the victim's system. Technical subterfuge can be classified into the following types:

Malware-Based Phishing

As the name suggests, this is a type of phishing attack which is conducted by running malicious software on a user’s machine. The malware is downloaded to the victim’s machine, either by one of the social engineering tricks or technically by exploiting vulnerabilities in the security system (e.g., browser vulnerabilities) ( Jakobsson and Myers, 2006 ). Panda malware is one of the successful malware programs discovered by Fox-IT Company in 2016. This malware targets Windows Operating Systems (OS). It spreads through phishing campaigns and its main attack vectors include web injects, screenshots of user activity (up to 100 per mouse click), logging of keyboard input, Clipboard pastes (to grab passwords and paste them into form fields), and exploits to the Virtual Network Computing (VNC) desktop sharing system. In 2018, Panda malware expanded its targets to include cryptocurrency exchanges and social media sites ( F5Networks, 2018 ). There are many forms of Malware-based phishing attacks; some of them are discussed below:

Key Loggers and Screen Loggers

Loggers are the type of malware used by phishers and installed either through Trojan horse email attachments or through direct download to the user’s personal computer. This software monitors data and records user keystrokes and then sends it to the phisher. Phisher uses the key loggers to capture sensitive information related to victims, such as names, addresses, passwords, and other confidential data. Key loggers can also be used for non-phishing purposes such as to monitor a child's use of the internet. Key loggers can also be implemented in many other ways such as detecting URL changes and logs information as Browser Helper Object (BHO) that enables the attacker to take control of the features of all IE’s, monitoring keyboard and mouse input as a device driver and, monitoring users input and displays as a screen logger ( Jakobsson and Myers, 2006 ).

Viruses and Worms

A virus is a type of malware, which is a piece of code spreading in another application or program by making copies of itself in a self-automated manner ( Jakobsson and Myers, 2006 ; F5Networks, 2018 ). Worms are similar to viruses but they differ in the execution manner, as worms are executed by exploiting the operating systems vulnerability without the need to modify another program. Viruses transfer from one computer to another with the document that they are attached to, while worms transfer through the infected host file. Both viruses and worms can cause data and software damaging or Denial-of-Service (DoS) conditions ( F5Networks, 2018 ).

Spying software is a malicious code designed to track the websites visited by users in order to steal sensitive information and conduct a phishing attack. Spyware can be delivered through an email and, once it is installed on the computer, take control over the device and either change its settings or gather information such as passwords and credit card numbers or banking records which can be used for identity theft ( Jakobsson and Myers, 2006 ).

Adware is also known as advertising-supported software ( Jakobsson and Myers, 2006 ). Adware is a type of malware that shows the user an endless pop-up window with ads that could harm the performance of the device. Adware can be annoying but most of it is safe. Some of the adware could be used for malicious purposes such as tracking the internet sites the user visits or even recording the user's keystrokes ( cisco, 2018 ).

Ransomware is a type of malware that encrypts the user's data after they run an executable program on the device. In this type of attack, the decryption key is held until the user pays a ransom (cisco, 2018). Ransomware is responsible for tens of millions of dollars in extortion annually. Worse still, this is hard to detect with developing new variants, facilitating the evasion of many antivirus and intrusion detection systems ( Latto, 2020 ). Ransomware is usually delivered to the victim's device through phishing emails. According to a report ( PhishMe, 2016 ), 93% of all phishing emails contained encryption ransomware. Phishing, as a social engineering attack, convinces victims into executing actions without knowing about the malicious program.

A rootkit is a collection of programs, typically malicious, that enables access to a computer or computer network. These toolsets are used by intruders to hide their actions from system administrators by modifying the code of system calls and changing the functionality ( Belcic, 2020 ). The term “rootkit” has negative connotations through its association with malware, and it is used by the attacker to alert existing system tools to escape detection. These kits enable individuals with little or no knowledge to launch phishing exploits. It contains coding, mass emailing software (possibly with thousands of email addresses included), web development software, and graphic design tools. An example of rootkits is the Kernel kit. Kernel-Level Rootkits are created by replacing portions of the core operating system or adding new code via Loadable Kernel Modules in (Linux) or device drivers (in Windows) ( Jakobsson and Myers, 2006 ).

Session Hijackers

In this type, the attacker monitors the user’s activities by embedding malicious software within a browser component or via network sniffing. The monitoring aims to hijack the session, so that the attacker performs an unauthorized action with the hijacked session such as financial transferring, without the user's permission ( Jakobsson and Myers, 2006 ).

Web Trojans

Web Trojans are malicious programs that collect user’s credentials by popping up in a hidden way over the login screen ( Jakobsson and Myers, 2006 ). When the user enters the credentials, these programs capture and transmit the stolen credentials directly to the attacker ( Jakobsson et al., 2007 ).

Hosts File Poisoning

This is a way to trick a user into going to the phisher’s site by poisoning (changing) the host’s file. When the user types a particular website address in the URL bar, the web address will be translated into a numeric (IP) address before visiting the site. The attacker, to take the user to a fake website for phishing purposes, will modify this file (e.g., DNS cache). This type of phishing is hard to detect even by smart and perceptive users ( Ollmann, 2004 ).

System Reconfiguration Attack

In this format of the phishing attack, the phisher manipulates the settings on a user’s computer for malicious activities so that the information on this PC will be compromised. System reconfigurations can be changed using different methods such as reconfiguring the operating system and modifying the user’s Domain Name System (DNS) server address. The wireless evil twin is an example of a system reconfiguration attack in which all user’s traffic is monitored via a malicious wireless Access Point (AP) ( Jakobsson and Myers, 2006 ).

Data theft is an unauthorized accessing and stealing of confidential information for a business or individuals. Data theft can be performed by a phishing email that leads to the download of a malicious code to the user's computer which in turn steals confidential information stored in that computer directly ( Jakobsson and Myers, 2006 ). Stolen information such as passwords, social security numbers, credit card information, sensitive emails, and other personal data could be used directly by a phisher or indirectly by selling it for different purposes.

Domain Name System Based Phishing (Pharming)

Any form of phishing that interferes with the domain name system so that the user will be redirected to the malicious website by polluting the user's DNS cache with wrong information is called DNS-based phishing. Although the host’s file is not a part of the DNS, the host’s file poisoning is another form of DNS based phishing. On the other hand, by compromising the DNS server, the genuine IP addresses will be modified which results in taking the user unwillingly to a fake location. The user can fall prey to pharming even when clicking on a legitimate link because the website’s domain name system (DNS) could be hijacked by cybercriminals ( Jakobsson and Myers, 2006 ).

Content Injection Phishing

Content-Injection Phishing refers to inserting false content into a legitimate site. This malicious content could misdirect the user into fake websites, leading users into disclosing their sensitive information to the hacker or it can lead to downloading malware into the user's device ( Jakobsson and Myers, 2006 ). The malicious content could be injected into a legitimate site in three primary ways:

1. Hacker exploits a security vulnerability and compromises a web server.

2. Hacker exploits a Cross-Site Scripting (XSS) vulnerability that is a programming flaw that enables attackers to insert client-side scripts into web pages, which will be viewed by the visitors to the targeted site.

3. Hacker exploits Structured Query Language (SQL) injection vulnerability, which allows hackers to steal information from the website’s database by executing database commands on a remote server.

Man-In-The-Middle Phishing

The Man In The Middle attack (MITM) is a form of phishing, in which the phishers insert communications between two parties (i.e. the user and the legitimate website) and tries to obtain the information from both parties by intercepting the victim’s communications ( Ollmann, 2004 ). Such that the message is going to the attacker instead of going directly to the legitimate recipients. For a MITM, the attacker records the information and misuse it later. The MITM attack conducts by redirecting the user to a malicious server through several techniques such as Address Resolution Protocol (ARP) poisoning, DNS spoofing, Trojan key loggers, and URL Obfuscation ( Jakobsson and Myers, 2006 ).

Search Engine Phishing

In this phishing technique, the phisher creates malicious websites with attractive offers and use Search Engine Optimization (SEO) tactics to have them indexed legitimately such that it appears to the user when searching for products or services. This is also known as black hat SEO ( Jakobsson and Myers, 2006 ).

URL and HTML Obfuscation Attacks

In most of the phishing attacks, phishers aim to convince a user to click on a given link that connects the victim to a malicious phishing server instead of the destination server. This is the most popular technique used by today's phishers. This type of attack is performed by obfuscating the real link (URL) that the user intends to connect (an attempt from the attacker to make their web address look like the legitimate one). Bad Domain Names and Host Name Obfuscation are common methods used by attackers to fake an address ( Ollmann, 2004 ).


A range of solutions are being discussed and proposed by the researchers to overcome the problems of phishing, but still, there is no single solution that can be trusted or capable of mitigating these attacks ( Hong, 2012 ; Boddy, 2018 ; Chanti and Chithralekha, 2020 ). The proposed phishing countermeasures in the literature can be categorized into three major defense strategies. The first line of defense is human-based solutions by educating end-users to recognize phishing and avoid taking the bait. The second line of defense is technical solutions that involve preventing the attack at early stages such as at the vulnerability level to prevent the threat from materializing at the user's device, which means decreasing the human exposure, and detecting the attack once it is launched through the network level or at the end-user device. This also includes applying specific techniques to track down the source of the attack (for example these could include identification of new domains registered that are closely matched with well-known domain names). The third line of defense is the use of law enforcement as a deterrent control. These approaches can be combined to create much stronger anti-phishing solutions. The above solutions are discussed in detail below.

Human Education (Improving User Awareness About Phishing)

Human education is by far an effective countermeasure to avoid and prevent phishing attacks. Awareness and human training are the first defense approach in the proposed methodology for fighting against phishing even though it does not assume complete protection ( Hong, 2012 ). End-user education reduces user's susceptibility to phishing attacks and compliments other technical solutions. According to the analysis carried out in ( Bailey et al., 2008 ), 95% of phishing attacks are caused due to human errors; nonetheless, existing phishing detection training is not enough for combating current sophisticated attacks. In the study presented by Khonji et al. (2013) , security experts contradict the effectiveness and usability of user education. Furthermore, some security experts claim that user education is not effective as security is not the main goal for users and users do not have a motivation to educate themselves about phishing ( Scaife et al., 2016 ), while others confirm that user education could be effective if designed properly ( Evers, 2006 ; Whitman and Mattord, 2012 ). Moreover, user training has been mentioned by many researchers as an effective way to protect users when they are using online services ( Dodge et al., 2007 ; Salem et al., 2010 ; Chanti and Chithralekha, 2020 ). To detect and avoid phishing emails, a combined training approach was proposed by authors in the study ( Salem et al., 2010 ). The proposed solution uses a combination of tools and human learning, wherein a security awareness program is introduced to the user as a first step. The second step is using an intelligent system that detects the attacks at the email level. After that, the emails are classified by a fuzzy logic-based expert system. The main critic of this method is that the study chooses only limited characteristics of the emails as distinguishing features ( Kumaraguru et al., 2010 ; CybintCyberSolutions, 2018 ). Moreover, the majority of phishing training programs focus on how to recognize and avoid phishing emails and websites while other threatening phishing types receive less attention such as voice phishing and malware or adware phishing. The authors in ( Salem et al., 2010 ) found that the most used solutions in educating people are not useful if they ignore the notifications/warnings about fake websites. Training users should involve three major directions: the first one is awareness training through holding seminars or online courses for both employees within organizations or individuals. The second one is using mock phishing attacks to attack people to test users’ vulnerability and allow them to assess their own knowledge about phishing. However, only 38% of global organizations claim they are prepared to handle a sophisticated cyber-attack ( Kumaraguru et al., 2010 ). Wombat Security’s State of the Phish™ Report 2018 showed that approximately two-fifths of American companies use computer-based online awareness training and simulated phishing attacks as educating tools on a monthly basis, while just 15% of United Kingdom firms do so ( CybintCyberSolutions, 2018 ). The third direction is educating people by developing games to teach people about phishing. The game developer should take into consideration different aspects before designing the game such as audience age and gender, because people's susceptibility to phishing is varying. Authors in the study ( Sheng et al., 2007 ) developed a game to train users so that they can identify phishing attacks called Anti-Phishing Phil that teaches about phishing web pages, and then tests users about the efficiency and effectiveness of the game. The results from the study showed that the game participants improve their ability to identify phishing by 61% indicating that interactive games might turn out to be a joyful way of educating people. Although, user’s education and training can be very effective to mitigate security threats, phishing is becoming more complex and cybercriminals can fool even the security experts by creating convincing spear phishing emails via social media. Therefore, individual users and employees must have at least basic knowledge about dealing with suspicious emails and report it to IT staff and specific authorities. In addition, phishers change their strategies continuously, which makes it harder for organizations, especially small/medium enterprises to afford the cost of their employee education. With millions of people logging on to their social media accounts every day, social media phishing is phishers' favorite medium to deceive their victims. For example, phishers are taking advantage of the pervasiveness of Facebook to set up creative phishing attacks utilizing the Facebook Login feature that enables the phisher to compromise all the user's accounts with the same credentials (VadeSecure). Some countermeasures are taken by Social networks to reduce suspicious activities on social media such as Two-Factor authentication for logging in, that is required by Facebook, and machine-learning techniques used by Snapchat to detect and prevent suspicious links sent within the app ( Corrata, 2018 ). However, countermeasures to control Soshing and phone phishing attacks might include:

• Install anti-virus, anti-spam software as a first action and keep it up to date to detect and prevent any unauthorized access.

• Educate yourself about recent information on phishing, the latest trends, and countermeasures.

• Never click on hyperlinks attached to a suspicious email, post, tweet, direct message.

• Never trust social media, do not give any sensitive information over the phone or non-trusted account. Do not accept friend requests from people you do not know.

• Use a unique password for each account.

Training and educating users is an effective anti-phishing countermeasure and has already shown promising initial results. The main downside of this solution is that it demands high costs ( Dodge et al., 2007 ). Moreover, this solution requires basic knowledge in computer security among trained users.

Technical Solutions

The proposed technical solutions for detecting and blocking phishing attacks can be divided into two major approaches: non-content based solutions and content-based solutions ( Le et al., 2006 ; Bin et al., 2010 ; Boddy, 2018 ). Both approaches are briefly described in this section. Non-content based methods include blacklists and whitelists that classify the fake emails or webpages based on the information that is not part of the email or the webpage such as URL and domain name features ( Dodge et al., 2007 ; Ma et al., 2009 ; Bin et al., 2010 ; Salem et al., 2010 ). Stopping the phishing sites using blacklist and whitelist approaches, wherein a list of known URLs and sites is maintained, the website under scrutiny is checked against such a list in order to be classified as a phishing or legitimate site. The downside of this approach is that it will not identify all phishing websites. Because once a phishing site is taken down, the phisher can easily register a new domain ( Miyamoto et al., 2009 ). Content-based methods classify the page or the email relying on the information within its content such as texts, images, and also HTML, java scripts, and Cascading Style Sheets (CSS) codes ( Zhang et al., 2007 ; Maurer and Herzner, 2012 ). Content-based solutions involve Machine Learning (ML), heuristics, visual similarity, and image processing methods ( Miyamoto et al., 2009 ; Chanti and Chithralekha, 2020 ). and finally, multifaceted methods, which apply a combination of the previous approaches to detect and prevent phishing attacks ( Afroz and Greenstadt, 2009 ). For email filtering, ML techniques are commonly used for example in 2007, the first email phishing filter was developed by authors in ( Fette et al., 2007 ). This technique uses a set of features such as URLs that use different domain names. Spam filtering techniques ( Cormack et al., 2011 ) and statistical classifiers ( Bergholz et al., 2010 ) are also used to identify a phishing email. Authentication and verification technologies are also used in spam email filtering as an alternative to heuristics methods. For example, the Sender Policy Framework (SPF) verifies whether a sender is valid when accepting mail from a remote mail server or email client ( Deshmukh and raddha Popat, 2017 ).

The technical solutions for Anti-phishing are available at different levels of the delivery chain such as mail servers and clients, Internet Service Providers (ISPs), and web browser tools. Drawing from the proposed anatomy for phishing attacks in Proposed Phishing Anatomy , authors categorize technical solutions into the following approaches:

1. Techniques to detect the attack after it has been launched. Such as by scanning the web to find fake websites. For example, content-based phishing detection approaches are heavily deployed on the Internet. The features from the website elements such as Image, URL, and text content are analyzed using Rule-based approaches and Machine Learning that examine the presence of special characters (@), IP addresses instead of the domain name, prefix/suffix, HTTPS in domain part and other features ( Jeeva and Rajsingh, 2016 ). Fuzzy Logic (FL) has also been used as an anti-phishing model to help classify websites into legitimate or ‘phishy’ as this model deals with intervals rather than specific numeric values ( Aburrous et al., 2008 ).

2. Techniques to prevent the attack from reaching the user's system. Phishing prevention is an important step to defend against phishing by blocking a user from seeing and dealing with the attack. In email phishing, anti-spam software tools can block suspicious emails. Phishers usually send a genuine look-alike email that dupes the user to open an attachment or click on a link. Some of these emails pass the spam filter because phishers use misspelled words. Therefore, techniques that detect fake emails by checking the spelling and grammar correction are increasingly used, so that it can prevent the email from reaching the user's mailbox. Authors in the study ( Fette et al., 2007 ) have developed a new classification algorithm based on the Random Forest algorithm after exploring email phishing utilizing the C4.5 decision tree generator algorithm. The developed method is called "Phishing Identification by Learning on Features of Email Received" (PILFER), which can classify phishing email depending on various features such as IP based URLs, the number of links in the HTML part(s) of an email, the number of domains, the number of dots, nonmatching URLs, and availability of JavaScripts. The developed method showed high accuracy in detecting phishing emails ( Afroz and Greenstadt, 2009 ).

3. Corrective techniques that can take down the compromised website, by requesting the website's Internet Service Provider (ISP) to shut down the fake website in order to prevent more users from falling victims to phishing ( Moore and Clayton, 2007 ; Chanti and Chithralekha, 2020 ). ISPs are responsible for taking down fake websites. Removing the compromised and illegal websites is a complex process; many entities are involved in this process from private companies, self-regulatory bodies, government agencies, volunteer organizations, law enforcement, and service providers. Usually, illegal websites are taken down by Takedown Orders, which are issued by courts or in some jurisdictions by law enforcement. On the other hand, these can be voluntarily taken down by the providers themselves as a result of issued takedown notices ( Moore and Clayton, 2007 ; Hutchings et al., 2016 ). According to PHISHLABS ( PhishLabs, 2019 ) report, taking down phishing sites is helpful but it is not completely effective as these sites can still be alive for days stealing customers' credentials before detecting the attack.

4. Warning tools or security indicators that embedded into the web browser to inform the user after detecting the attack. For example, eBay Toolbar and Account Guard ( eBay Toolbar and Account Guard, 2009 ) protect customer’s eBay and PayPal passwords respectively by alerting the users about the authenticity of the sites that users try to type the password in. Numerous anti-phishing solutions rely mainly on warnings that are displayed on the security toolbar. In addition, some toolbars block suspicious sites to warn about it such as McAfee and Netscape. A study presented in ( Robichaux and Ganger, 2006 ) conducted a test to evaluate the performance of eight anti-phishing solutions, including Microsoft Internet Explorer 7, EarthLink, eBay, McAfee, GeoTrust, Google using Firefox, Netscape, and Netcraft. These tools are warning and blocking tools that allow legitimate sites while block and warn about known phishing sites. The study also found that Internet Explorer and Netcraft Toolbar showed the most effective results than other anti-phishing tools. However, security toolbars are still failing to avoid people falling victim to phishing despite these toolbars improving internet security in general ( Abu-Nimeh and Nair, 2008 ).

5. Authentication ( Moore and Clayton, 2007 ) and authorization ( Hutchings et al., 2016 ) techniques that provide protection from phishing by verifying the identity of the legitimate person. This prevents phishers from accessing a protected resource and conducting their attack. There are three types of authentication; single-factor authentication requires only username and password. The second type is two-factor authentication that requires additional information in addition to the username and password such as an OTP (One-Time Password) which is sent to the user’s email id or phone. The third type is multi-factor authentication using more than one form of identity (i.e., a combination of something you know, something you are, and something you have). Some widely used methods in the authorization process are API authorization and OAuth 2.0 that allow the previously generated API to access the system.

However, the progressive increase in phishing attacks shows that previous methods do not provide the required protection against most existing phishing attacks. Because no single solution or technology could prevent all phishing attacks. An effective anti-phishing solution should be based on a combination of technical solutions and increased user awareness ( Boddy, 2018 ).

Solutions Provided by Legislations as a Deterrent Control

A cyber-attack is considered a crime when an individual intentionally accesses personal information on a computer without permission, even if the individual does not steal information or damage the system ( Mince-Didier, 2020 ). Since the sole objective of almost all phishing attacks is to obtain sensitive information by knowingly intending to commit identity theft, and while there are currently no federal laws in the United States aimed specifically at phishing, therefore, phishing crimes are usually covered under identity theft laws. Phishing is considered a crime even if the victim does not actually fall for the phishing scam, the punishments depend on circumstances and usually include jail, fines, restitution, probation ( Nathan, 2020 ). Phishing attacks are causing different levels of damages to the victims such as financial and reputational losses. Therefore, law enforcement authorities should track down these attacks in order to punish the criminal as with real-world crimes. As a complement to technical solutions and human education, the support provided by applicable laws and regulations can play a vital role as a deterrent control. Increasingly authorities around the world have created several regulations in order to mitigate the increase of phishing attacks and their impact. The first anti-phishing laws were enacted by the United States, where the FTC in the US added the phishing attacks to the computer crime list in January 2004. A year later, the ‘‘Anti-Phishing Act’’ was introduced in the US Congress in March 2005 ( Mohammad et al., 2014 ). Meanwhile, in the United Kingdom, the law legislation is gradually conforming to address phishing and other forms of cyber-crime. In 2006, the United Kingdom government improved the Computer Misuse Act 1990 intending to bring it up to date with developments in computer crime and to increase penalties for breach enacted penalties of up to 10 years ( eBay Toolbar and Account Guard, 2009 ; PhishLabs, 2019 ). In this regard, a student in the United Kingdom who made hundreds of thousands of pounds blackmailing pornography website users was jailed in April 2019 for six years and five months. According to the National Crime Agency (NCA), this attacker was the most prolific cybercriminal to be sentenced in the United Kingdom ( Casciani, 2019 ). Moreover, the organizations bear part of the responsibility in protecting personal information as stated in the Data Protection Act 2018 and EU General Data Protection Regulation (GDPR). Phishing websites also can be taken down through Law enforcement agencies' conduct. In the United Kingdom, websites can be taken down by the National Crime Agency (NCA), which includes the National Cyber Crime Unit, and by the City of London Police, which includes the Police Intellectual Property Crime Unit (PIPCU) and the National Fraud Intelligence Bureau (NFIB) ( Hutchings et al., 2016 ).

However, anti-phishing law enforcement is still facing numerous challenges and limitations. Firstly, after perpetrating the phishing attack, the phisher can vanish in cyberspace making it difficult to prove the guilt attributed to the offender and to recover the damages caused by the attack, limiting the effectiveness of the law enforcement role. Secondly, even if the attacker’s identity is disclosed in the case of international attackers, it will be difficult to bring this attacker to justice because of the differences in countries' legislations (e.g., exchange treaties). Also, the attack could be conducted within a short time span, for instance, the average lifetime for a phishing web site is about 54 h as stated by the APWG, therefore, there must be a quick response from the government and the authorities to detect, control and identify the perpetrators of the attack ( Ollmann, 2004 ).

Phishing attacks remain one of the major threats to individuals and organizations to date. As highlighted in the article, this is mainly driven by human involvement in the phishing cycle. Often phishers exploit human vulnerabilities in addition to favoring technological conditions (i.e., technical vulnerabilities). It has been identified that age, gender, internet addiction, user stress, and many other attributes affect the susceptibility to phishing between people. In addition to traditional phishing channels (e.g., email and web), new types of phishing mediums such as voice and SMS phishing are on the increase. Furthermore, the use of social media-based phishing has increased in use in parallel with the growth of social media. Concomitantly, phishing has developed beyond obtaining sensitive information and financial crimes to cyber terrorism, hacktivism, damaging reputations, espionage, and nation-state attacks. Research has been conducted to identify the motivations and techniques and countermeasures to these new crimes, however, there is no single solution for the phishing problem due to the heterogeneous nature of the attack vector. This article has investigated problems presented by phishing and proposed a new anatomy, which describes the complete life cycle of phishing attacks. This anatomy provides a wider outlook for phishing attacks and provides an accurate definition covering end-to-end exclusion and realization of the attack.

Although human education is the most effective defense for phishing, it is difficult to remove the threat completely due to the sophistication of the attacks and social engineering elements. Although, continual security awareness training is the key to avoid phishing attacks and to reduce its impact, developing efficient anti-phishing techniques that prevent users from being exposed to the attack is an essential step in mitigating these attacks. To this end, this article discussed the importance of developing anti-phishing techniques that detect/block the attack. Furthermore, the importance of techniques to determine the source of the attack could provide a stronger anti-phishing solution as discussed in this article.

Furthermore, this article identified the importance of law enforcement as a deterrent mechanism. Further investigations and research are necessary as discussed below.

1. Further research is necessary to study and investigate susceptibility to phishing among users, which would assist in designing stronger and self-learning anti-phishing security systems.

2. Research on social media-based phishing, Voice Phishing, and SMS Phishing is sparse and these emerging threats are predicted to be significantly increased over the next years.

3. Laws and legislations that apply for phishing are still at their infant stage, in fact, there are no specific phishing laws in many countries. Most of the phishing attacks are covered under traditional criminal laws such as identity theft and computer crimes. Therefore, drafting of specific laws for phishing is an important step in mitigating these attacks in a time where these crimes are becoming more common.

4. Determining the source of the attack before the end of the phishing lifecycle and enforcing law legislation on the offender could help in restricting phishing attacks drastically and would benefit from further research.

It can be observed that the mediums used for phishing attacks have changed from traditional emails to social media-based phishing. There is a clear lag between sophisticated phishing attacks and existing countermeasures. The emerging countermeasures should be multidimensional to tackle both human and technical elements of the attack. This article provides valuable information about current phishing attacks and countermeasures whilst the proposed anatomy provides a clear taxonomy to understand the complete life cycle of phishing.

Author Contributions

This work is by our PhD student ZA supported by her Supervisory Team.

Conflict of Interest

The authors declare that the research was conducted in the absence of any commercial or financial relationships that could be construed as a potential conflict of interest.

AOL America Online

APWG Anti Phishing Working Group Advanced

APRANET Advanced Research Projects Agency Network.

ARP address resolution protocol.

BHO Browser Helper Object

BEC business email compromise

COVID-19 Coronavirus disease 2019

CSS cascading style sheets

DDoS distributed denial of service

DNS Domain Name System

DoS Denial of Service

FTC Federal Trade Commission

FL Fuzzy Logic

HTTPS Hypertext Transfer Protocol Secure

IE Internet Explorer

ICT Information and Communications Technology

IM Instant Message

IT Information Technology

IP Internet Protocol

MITM Man-in-the-Middle

NCA National Crime Agency

NFIB National Fraud Intelligence Bureau

PIPCU Police Intellectual Property Crime Unit

OS Operating Systems

PBX Private Branch Exchange

SMishing Text Message Phishing

SPF Sender Policy Framework

SMTP Simple Mail Transfer Protocol

SMS Short Message Service

Soshing Social Media Phishing

SQL structured query language

URL Uniform Resource Locator

UK United Kingdom

US United States

USB Universal Serial Bus

US-CERT United States Computer Emergency Readiness Team.

Vishing Voice Phishing

VNC Virtual Network Computing

VoIP Voice over Internet Protocol

XSS Cross-Site Scripting

1 Proofpoint is “a leading cybersecurity company that protects organizations’ greatest assets and biggest risks: their people. With an integrated suite of cloud-based solutions”( Proofpoint, 2019b ).

2 APWG Is “the international coalition unifying the global response to cybercrime across industry, government and law-enforcement sectors and NGO communities” ( APWG, 2020 ).

3 CalleR ID is “a telephone facility that displays a caller’s phone number on the recipient's phone device before the call is answered” ( Techpedia, 2021 ).

4 An IPPBX is “a telephone switching system within an enterprise that switches calls between VoIP users on local lines while allowing all users to share a certain number of external phone lines” ( Margaret, 2008 ).

Abad, C. (2005). The economy of phishing: a survey of the operations of the phishing market. First Monday 10, 1–11. doi:10.5210/fm.v10i9.1272

CrossRef Full Text | Google Scholar

Abu-Nimeh, S., and Nair, S. (2008). “Bypassing security toolbars and phishing filters via dns poisoning,” in IEEE GLOBECOM 2008–2008 IEEE global telecommunications conference , New Orleans, LA , November 30–December 2, 2008 ( IEEE) , 1–6. doi:10.1109/GLOCOM.2008.ECP.386

Aburrous, M., Hossain, M. A., Thabatah, F., and Dahal, K. (2008). “Intelligent phishing website detection system using fuzzy techniques,” in 2008 3rd international conference on information and communication technologies: from theory to applications (New York, NY: IEEE , 1–6. doi:10.1109/ICTTA.2008.4530019

Afroz, S., and Greenstadt, R. (2009). “Phishzoo: an automated web phishing detection approach based on profiling and fuzzy matching,” in Proceeding 5th IEEE international conference semantic computing (ICSC) , 1–11.

Google Scholar

Alsharnouby, M., Alaca, F., and Chiasson, S. (2015). Why phishing still works: user strategies for combating phishing attacks. Int. J. Human-Computer Stud. 82, 69–82. doi:10.1016/j.ijhcs.2015.05.005

APWG (2018). Phishing activity trends report 3rd quarter 2018 . US. 1–11.

APWG (2020). APWG phishing attack trends reports. 2020 anti-phishing work. Group, Inc Available at: (Accessed September 20, 2020).

Arachchilage, N. A. G., and Love, S. (2014). Security awareness of computer users: a phishing threat avoidance perspective. Comput. Hum. Behav. 38, 304–312. doi:10.1016/j.chb.2014.05.046

Arnsten, B. A., Mazure, C. M., and April, R. S. (2012). Everyday stress can shut down the brain’s chief command center. Sci. Am. 306, 1–6. Available at: (Accessed October 15, 2019).

Bailey, J. L., Mitchell, R. B., and Jensen, B. k. (2008). “Analysis of student vulnerabilities to phishing,” in 14th americas conference on information systems, AMCIS 2008 , 75–84. Available at: .

Barracuda (2020). Business email compromise (BEC). Available at: (Accessed November 15, 2020).

Belcic, I. (2020). Rootkits defined: what they do, how they work, and how to remove them. Available at: (Accessed November 7, 2020).

Bergholz, A., De Beer, J., Glahn, S., Moens, M.-F., Paaß, G., and Strobel, S. (2010). New filtering approaches for phishing email. JCS 18, 7–35. doi:10.3233/JCS-2010-0371

Bin, S., Qiaoyan, W., and Xiaoying, L. (2010). “A DNS based anti-phishing approach.” in 2010 second international conference on networks security, wireless communications and trusted computing , Wuhan, China , April 24–25, 2010 . ( IEEE ), 262–265. doi:10.1109/NSWCTC.2010.196

Boddy, M. (2018). Phishing 2.0: the new evolution in cybercrime. Comput. Fraud Secur. 2018, 8–10. doi:10.1016/S1361-3723(18)30108-8

Casciani, D. (2019). Zain Qaiser: student jailed for blackmailing porn users worldwide. Available at: (Accessed April 9, 2019).

Chanti, S., and Chithralekha, T. (2020). Classification of anti-phishing solutions. SN Comput. Sci. 1, 11. doi:10.1007/s42979-019-0011-2

Checkpoint (2020). Check point research’s Q1 2020 brand phishing report. Available at: (Accessed August 6, 2020).

cisco (2018). What is the difference: viruses, worms, Trojans, and bots? Available at: (Accessed January 20, 2020).

CISA (2018). What is phishing. Available at: (Accessed June 10, 2019).

Cormack, G. V., Smucker, M. D., and Clarke, C. L. A. (2011). Efficient and effective spam filtering and re-ranking for large web datasets. Inf. Retrieval 14, 441–465. doi:10.1007/s10791-011-9162-z

Corrata (2018). The rising threat of social media phishing attacks. Available at: (Accessed October 29, 2019).

Crane, C. (2019). The dirty dozen: the 12 most costly phishing attack examples. Available at:∼:text=At some level%2C everyone is susceptible to phishing,outright trick you into performing a particular task (Accessed August 2, 2020).

CSI Onsite (2012). Phishing. Available at: (Accessed May 8, 2019).

Cui, Q., Jourdan, G.-V., Bochmann, G. V., Couturier, R., and Onut, I.-V. (2017). Tracking phishing attacks over time. Proc. 26th Int. Conf. World Wide Web - WWW ’17 , Republic and Canton of Geneva, Switzerland: International World Wide Web Conferences Steering Committee . 667–676. doi:10.1145/3038912.3052654

CVEdetails (2005). Vulnerability in microsoft internet explorer. Available at: (Accessed August 20, 2019).

Cybint Cyber Solutions (2018). 13 alarming cyber security facts and stats. Available at: (Accessed July 20, 2019).

Deshmukh, M., and raddha Popat, S. (2017). Different techniques for detection of phishing attack. Int. J. Eng. Sci. Comput. 7, 10201–10204. Available at: .

Dhamija, R., Tygar, J. D., and Hearst, M. (2006). “Why phishing works,” in Proceedings of the SIGCHI conference on human factors in computing systems - CHI ’06 , Montréal Québec, Canada , (New York, NY: ACM Press ), 581. doi:10.1145/1124772.1124861

Diaz, A., Sherman, A. T., and Joshi, A. (2020). Phishing in an academic community: a study of user susceptibility and behavior. Cryptologia 44, 53–67. doi:10.1080/01611194.2019.1623343

Dodge, R. C., Carver, C., and Ferguson, A. J. (2007). Phishing for user security awareness. Comput. Security 26, 73–80. doi:10.1016/j.cose.2006.10.009

eBay Toolbar and Account Guard (2009). Available at: (Accessed August 7, 2020).

EDUCBA (2017). Hackers vs crackers: easy to understand exclusive difference. Available at: (Accessed July 17, 2019).

Evers, J. (2006). Security expert: user education is pointless. Available at: (Accessed June 25, 2019).

F5Networks (2018). Panda malware broadens targets to cryptocurrency exchanges and social media. Available at: (Accessed April 23, 2019).

Fette, I., Sadeh, N., and Tomasic, A. (2007). “Learning to detect phishing emails,” in Proceedings of the 16th international conference on world wide web - WWW ’07 , Banff Alberta, Canada , (New York, NY: ACM Press) , 649–656. doi:10.1145/1242572.1242660

Financial Fraud Action UK (2017). Fraud the facts 2017: the definitive overview of payment industry fraud. London. Available at: .

Fraud Watch International (2019). Phishing attack trends for 2019. Available at: (Accessed October 29, 2019).

FTC (2018). Netflix scam email. Available at: (Accessed May 8, 2019).

Furnell, S. (2007). An assessment of website password practices). Comput. Secur. 26, 445–451. doi:10.1016/j.cose.2007.09.001

Getsafeonline (2017). Caught on the net. Available at: (Accessed August 1, 2020).

GOV.UK (2020). Cyber security breaches survey 2020. Available at: (Accessed August 6, 2020).

Gupta, P., Srinivasan, B., Balasubramaniyan, V., and Ahamad, M. (2015). “Phoneypot: data-driven understanding of telephony threats,” in Proceedings 2015 network and distributed system security symposium , (Reston, VA: Internet Society ), 8–11. doi:10.14722/ndss.2015.23176

Hadlington, L. (2017). Human factors in cybersecurity; examining the link between internet addiction, impulsivity, attitudes towards cybersecurity, and risky cybersecurity behaviours. Heliyon 3, e00346-18. doi:10.1016/j.heliyon.2017.e00346

Herley, C., and Florêncio, D. (2008). “A profitless endeavor,” in New security paradigms workshop (NSPW ’08) , New Hampshire, United States , October 25–28, 2021 , 1–12. doi:10.1145/1595676.1595686

Hewage, C. (2020). Coronavirus pandemic has unleashed a wave of cyber attacks – here’s how to protect yourself. Conversat . Available at: (Accessed November 16, 2020).

Hong, J. (2012). The state of phishing attacks. Commun. ACM 55, 74–81. doi:10.1145/2063176.2063197

Huber, M., Kowalski, S., Nohlberg, M., and Tjoa, S. (2009). “Towards automating social engineering using social networking sites,” in 2009 international conference on computational science and engineering , Vancouver, BC , August 29–31, 2009 ( IEEE , 117–124. doi:10.1109/CSE.2009.205

Hutchings, A., Clayton, R., and Anderson, R. (2016). “Taking down websites to prevent crime,” in 2016 APWG symposium on electronic crime research (eCrime) ( IEEE ), 1–10. doi:10.1109/ECRIME.2016.7487947

Iuga, C., Nurse, J. R. C., and Erola, A. (2016). Baiting the hook: factors impacting susceptibility to phishing attacks. Hum. Cent. Comput. Inf. Sci. 6, 8. doi:10.1186/s13673-016-0065-2

Jagatic, T. N., Johnson, N. A., Jakobsson, M., and Menczer, F. (2007). Social phishing. Commun. ACM 50, 94–100. doi:10.1145/1290958.1290968

Jakobsson, M., and Myers, S. (2006). Phishing and countermeasures: understanding the increasing problems of electronic identity theft . New Jersey: John Wiley and Sons .

Jakobsson, M., Tsow, A., Shah, A., Blevis, E., and Lim, Y. K. (2007). “What instills trust? A qualitative study of phishing,” in Lecture notes in computer science (including subseries lecture notes in artificial intelligence and lecture notes in bioinformatics) , (Berlin, Heidelberg: Springer ), 356–361. doi:10.1007/978-3-540-77366-5_32

Jeeva, S. C., and Rajsingh, E. B. (2016). Intelligent phishing url detection using association rule mining. Hum. Cent. Comput. Inf. Sci. 6, 10. doi:10.1186/s13673-016-0064-3

Johnson, A. (2016). Almost 600 accounts breached in “celebgate” nude photo hack, FBI says. Available at: (Accessed: February 17, 2020).

Kayne, R. (2019). What are script kiddies? Wisegeek. Available at: V V February 19, 2020).

Keck, C. (2018). FTC warns of sketchy Netflix phishing scam asking for payment details. Available at: (Accessed April 23, 2019).

Keepnet LABS (2018). Statistical analysis of 126,000 phishing simulations carried out in 128 companies around the world. USA, France. Available at: .

Keinan, G. (1987). Decision making under stress: scanning of alternatives under controllable and uncontrollable threats. J. Personal. Soc. Psychol. 52, 639–644. doi:10.1037/0022-3514.52.3.639

Khonji, M., Iraqi, Y., and Jones, A. (2013). Phishing detection: a literature survey. IEEE Commun. Surv. Tutorials 15, 2091–2121. doi:10.1109/SURV.2013.032213.00009

Kirda, E., and Kruegel, C. (2005). Protecting users against phishing attacks with AntiPhish. Proc. - Int. Comput. Softw. Appl. Conf. 1, 517–524. doi:10.1109/COMPSAC.2005.126

Krawchenko, K. (2016). The phishing email that hacked the account of John Podesta. CBSNEWS Available at: (Accessed April 13, 2019).

Ksepersky (2020). Spam and phishing in Q1 2020. Available at: (Accessed July 27, 2020).

Kumaraguru, P., Sheng, S., Acquisti, A., Cranor, L. F., and Hong, J. (2010). Teaching Johnny not to fall for phish. ACM Trans. Internet Technol. 10, 1–31. doi:10.1145/1754393.1754396

Latto, N. (2020). What is adware and how can you prevent it? Avast. Available at: (Accessed May 8, 2020).

Le, D., Fu, X., and Hogrefe, D. (2006). A review of mobility support paradigms for the internet. IEEE Commun. Surv. Tutorials 8, 38–51. doi:10.1109/COMST.2006.323441

Lehman, T. J., and Vajpayee, S. (2011). “We’ve looked at clouds from both sides now,” in 2011 annual SRII global conference , San Jose, CA , March 20–April 2, 2011 , ( IEEE , 342–348. doi:10.1109/SRII.2011.46

Leyden, J. (2001). Virus toolkits are s’kiddie menace. Regist . Available at: (Accessed June 15, 2019).

Lin, J., Sadeh, N., Amini, S., Lindqvist, J., Hong, J. I., and Zhang, J. (2012). “Expectation and purpose,” in Proceedings of the 2012 ACM conference on ubiquitous computing - UbiComp ’12 (New York, New York, USA: ACM Press ), 1625. doi:10.1145/2370216.2370290

Lininger, R., and Vines, D. R. (2005). Phishing: cutting the identity theft line. Print book . Indiana: Wiley Publishing, Inc .

Ma, J., Saul, L. K., Savage, S., and Voelker, G. M. (2009). “Identifying suspicious URLs.” in Proceedings of the 26th annual international conference on machine learning - ICML ’09 (New York, NY: ACM Press ), 1–8. doi:10.1145/1553374.1553462

Marforio, C., Masti, R. J., Soriente, C., Kostiainen, K., and Capkun, S. (2015). Personalized security indicators to detect application phishing attacks in mobile platforms. Available at: .

Margaret, R. I. P. (2008). PBX (private branch exchange). Available at: (Accessed June 19, 2019).

Maurer, M.-E., and Herzner, D. (2012). Using visual website similarity for phishing detection and reporting. 1625–1630. doi:10.1145/2212776.2223683

Medvet, E., Kirda, E., and Kruegel, C. (2008). “Visual-similarity-based phishing detection,” in Proceedings of the 4th international conference on Security and privacy in communication netowrks - SecureComm ’08 (New York, NY: ACM Press ), 1. doi:10.1145/1460877.1460905

Merwe, A. v. d., Marianne, L., and Marek, D. (2005). “Characteristics and responsibilities involved in a Phishing attack, in WISICT ’05: proceedings of the 4th international symposium on information and communication technologies . Trinity College Dublin , 249–254.

Microsoft (2020). Exploiting a crisis: how cybercriminals behaved during the outbreak. Available at: (Accessed August 1, 2020).

Mince-Didier, A. (2020). Hacking a computer or computer network. Available at: (Accessed August 7, 2020).

Miyamoto, D., Hazeyama, H., and Kadobayashi, Y. (2009). “An evaluation of machine learning-based methods for detection of phishing sites,” in international conference on neural information processing ICONIP 2008: advances in neuro-information processing lecture notes in computer science . Editors M. Köppen, N. Kasabov, and G. Coghill (Berlin, Heidelberg: Springer Berlin Heidelberg ), 539–546. doi:10.1007/978-3-642-02490-0_66

Mohammad, R. M., Thabtah, F., and McCluskey, L. (2014). Predicting phishing websites based on self-structuring neural network. Neural Comput. Applic 25, 443–458. doi:10.1007/s00521-013-1490-z

Moore, T., and Clayton, R. (2007). “Examining the impact of website take-down on phishing,” in Proceedings of the anti-phishing working groups 2nd annual eCrime researchers summit on - eCrime ’07 (New York, NY: ACM Press ), 1–13. doi:10.1145/1299015.1299016

Morgan, S. (2019). 2019 official annual cybercrime report. USA, UK, Canada. Available at: .

Nathan, G. (2020). What is phishing? + laws, charges & statute of limitations. Available at: (Accessed August 7, 2020).

Okin, S. (2009). From script kiddies to organised cybercrime. Available at: (Accessed August 12, 2019).

Ollmann, G. (2004). The phishing guide understanding & preventing phishing attacks abstract. USA. Available at: .

Ong, S. (2014). Avast survey shows men more susceptible to mobile malware. Available at: (Accessed November 5, 2020).

Ovelgönne, M., Dumitraş, T., Prakash, B. A., Subrahmanian, V. S., and Wang, B. (2017). Understanding the relationship between human behavior and susceptibility to cyber attacks. ACM Trans. Intell. Syst. Technol. 8, 1–25. doi:10.1080/00207284.1985.11491413

Parmar, B. (2012). Protecting against spear-phishing. Computer Fraud Security , 2012, 8–11. doi:10.1016/S1361-3723(12)70007-6

Phish Labs (2019). 2019 phishing trends and intelligence report the growing social engineering threat. Available at: PTI Report/2019 Phishing Trends and Intelligence Report.pdf .

PhishMe (2016). Q1 2016 malware review. Available at: WWW.PHISHME.COM .

PhishMe (2017). Human phishing defense enterprise phishing resiliency and defense report 2017 analysis of susceptibility, resiliency and defense against simulated and real phishing attacks. Available at: .

PishTank (2006). What is phishing. Available at: (Accessed June 19, 2019).

Pompon, A. R., Walkowski, D., and Boddy, S. (2018). Phishing and Fraud Report attacks peak during the holidays. US .

Proofpoint (2019a). State of the phish 2019 report. Sport Mark. Q. 14, 4. doi:10.1038/

Proofpoint (2019b). What is Proofpoint. Available at: (Accessed September 25, 2019).

Proofpoint (2020). 2020 state of the phish. Available at: .

Raggo, M. (2016). Anatomy of a social media attack. Available at: (Accessed March 14, 2019).

Ramanathan, V., and Wechsler, H. (2012). PhishGILLNET-phishing detection methodology using probabilistic latent semantic analysis, AdaBoost, and co-training. EURASIP J. Info. Secur. 2012, 1–22. doi:10.1186/1687-417X-2012-1

Ramzan, Z. (2010). “Phishing attacks and countermeasures,” in Handbook of Information and communication security (Berlin, Heidelberg: Springer Berlin Heidelberg ), 433–448. doi:10.1007/978-3-642-04117-4_23

Ramzan, Z., and Wuest, C. (2007). “Phishing Attacks: analyzing trends in 2006,” in Fourth conference on email and anti-Spam (Mountain View , ( California, United States ).

Rhett, J. (2019). Don’t fall for this new Google translate phishing attack. Available at: (Accessed April 23, 2019). doi:10.5040/9781350073272

RISKIQ (2020). Investigate | COVID-19 cybercrime weekly update. Available at: (Accessed August 1, 2020).

Robichaux, P., and Ganger, D. L. (2006). Gone phishing: evaluating anti-phishing tools for windows. Available at: .

Rouse, M. (2013). Phishing defintion. Available at: (Accessed April 10, 2019).

Salem, O., Hossain, A., and Kamala, M. (2010). “Awareness program and AI based tool to reduce risk of phishing attacks,” in 2010 10th IEEE international conference on computer and information technology (IEEE) , Bradford, United Kingdom , June 29–July 1, 2010, 2001 ( IEEE ), 1418–1423. doi:10.1109/CIT.2010.254

Scaife, N., Carter, H., Traynor, P., and Butler, K. R. B. (2016). “Crypto lock (and drop it): stopping ransomware attacks on user data,” in 2016 IEEE 36th international conference on distributed computing systems (ICDCS) ( IEEE , 303–312. doi:10.1109/ICDCS.2016.46

Sheng, S., Magnien, B., Kumaraguru, P., Acquisti, A., Cranor, L. F., Hong, J., et al. (2007). “Anti-Phishing Phil: the design and evaluation of a game that teaches people not to fall for phish,” in Proceedings of the 3rd symposium on usable privacy and security - SOUPS ’07 (New York, NY: ACM Press ), 88–99. doi:10.1145/1280680.1280692

Symantic, (2019). Internet security threat report volume 24|February 2019 . USA.

Techpedia (2021). Caller ID. Available at: (Accessed June 19, 2019).

VadeSecure (2021). Phishers favorites 2019. Available at: (Accessed October 29, 2019).

Vishwanath, A. (2005). “Spear phishing: the tip of the spear used by cyber terrorists,” in deconstruction machines (United States: University of Minnesota Press ), 469–484. doi:10.4018/978-1-5225-0156-5.ch023

Wang, X., Zhang, R., Yang, X., Jiang, X., and Wijesekera, D. (2008). “Voice pharming attack and the trust of VoIP,” in Proceedings of the 4th international conference on security and privacy in communication networks, SecureComm’08 , 1–11. doi:10.1145/1460877.1460908

Wenyin, L., Huang, G., Xiaoyue, L., Min, Z., and Deng, X. (2005). “Detection of phishing webpages based on visual similarity,” in 14th international world wide web conference, WWW2005 , Chiba, Japan , May 10–14, 2005 , 1060–1061. doi:10.1145/1062745.1062868

Whitman, M. E., and Mattord, H. J. (2012). Principles of information security. Course Technol. 1–617. doi:10.1016/B978-0-12-381972-7.00002-6

Williams, E. J., Hinds, J., and Joinson, A. N. (2018). Exploring susceptibility to phishing in the workplace. Int. J. Human-Computer Stud. 120, 1–13. doi:10.1016/j.ijhcs.2018.06.004 (2018). Wombat security user risk report. USA. Available at: .

Workman, M. (2008). Wisecrackers: a theory-grounded investigation of phishing and pretext social engineering threats to information security. J. Am. Soc. Inf. Sci. 59 (4), 662–674. doi:10.1002/asi.20779

Yeboah-Boateng, E. O., and Amanor, P. M. (2014). Phishing , SMiShing & vishing: an assessment of threats against mobile devices. J. Emerg. Trends Comput. Inf. Sci. 5 (4), 297–307.

Zhang, Y., Hong, J. I., and Cranor, L. F. (2007). “Cantina,” in Proceedings of the 16th international conference on World Wide Web - WWW ’07 (New York, NY: ACM Press ), 639. doi:10.1145/1242572.1242659

Zissis, D., and Lekkas, D. (2012). Addressing cloud computing security issues. Future Generat. Comput. Syst. 28, 583–592. doi:10.1016/j.future.2010.12.006

Keywords: phishing anatomy, precautionary countermeasures, phishing targets, phishing attack mediums, phishing attacks, attack phases, phishing techniques

Citation: Alkhalil Z, Hewage C, Nawaf L and Khan I (2021) Phishing Attacks: A Recent Comprehensive Study and a New Anatomy. Front. Comput. Sci. 3:563060. doi: 10.3389/fcomp.2021.563060

Received: 17 May 2020; Accepted: 18 January 2021; Published: 09 March 2021.

Reviewed by:

Copyright © 2021 Alkhalil, Hewage, Nawaf and Khan. This is an open-access article distributed under the terms of the Creative Commons Attribution License (CC BY). The use, distribution or reproduction in other forums is permitted, provided the original author(s) and the copyright owner(s) are credited and that the original publication in this journal is cited, in accordance with accepted academic practice. No use, distribution or reproduction is permitted which does not comply with these terms.

*Correspondence: Chaminda Hewage, [email protected]

This article is part of the Research Topic

2021 Editor's Pick: Computer Science

U.S. flag

An official website of the United States government

Here’s how you know

Official websites use .gov A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS A lock ( Lock A locked padlock ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Small Business Cybersecurity Corner

Small business cybersecurity case study series.

Ransomware, phishing, and ATM skimming are just a few very common and very damaging cybersecurity threats that Small Businesses need to watch out for. The following Case Studies were created by the National Cyber Security Alliance , with a grant from NIST, and should prove useful in stimulating ongoing learning for all business owners and their employees.

  • Case 1: A Business Trip to South America Goes South Topic: ATM Skimming and Bank Fraud
  • Case 2: A Construction Company Gets Hammered by a Keylogger Topic: Keylogging, Malware and Bank Fraud
  • Case 3: Stolen Hospital Laptop Causes Heartburn Topic: Encryption and Business Security Standards
  • Case 4: Hotel CEO Finds Unwanted Guests in Email Account Topic: Social Engineering and Phishing
  • Case 5: A Dark Web of Issues for a Small Government Contractor Topic: Data Breach

Portal login

ASD Cyber Threat Report 2022-2023

This rating relates to the complexity of the advice and information provided on the page.

cyber crime case study report

Content written for


  • ASD's Cyber Threat Report 2022-2023 7.67MB .pdf
  • Fact Sheets - Businesses & Organisations - 2022-2023 190KB .pdf
  • Fact sheets - Critical Infrastructure - 2022-2023 172KB .pdf
  • Fact Sheets - Individuals - 2022-2023 173KB .pdf

I am pleased to present the Annual Cyber Threat Report 2022–23 developed by the Australian Signals Directorate (ASD).

As the Defence Strategic Review made clear, in the post-Second World War period Australia was protected by its geography and the limited ability of other nations in the region to project combat power. In the current strategic era, Australia’s geographic advantages have been eroded as more countries have enhanced their ability to project combat power across greater ranges, including through the rapid development of cyber capabilities. 

Australia’s region, the Indo-Pacific, is also now seeing growing competition on multiple levels – economic, military, strategic and diplomatic – framed by competing values and narratives. 

In this context, Australian governments, critical infrastructure, businesses and households continue to be the target of malicious cyber actors. This report illustrates that both state and non-state actors continue to show the intent and capability to compromise Australia’s networks. It also highlights the added complexity posed by emerging technologies such as artificial intelligence.

The report demonstrates the persistent threat that state cyber capabilities pose to Australia. This threat extends beyond cyber espionage campaigns to disruptive activities against Australia’s essential services. The report also confirms that the borderless and multi-billion dollar cybercrime industry continues to cause significant harm to Australia, with Australians remaining an attractive target for cybercriminal syndicates around the world.

Through case studies, the report demonstrates the persistence and tenacity of these cyber actors. It shows that these adversaries constantly test vulnerabilities in Australia’s cyber ecosystem and employ a range of techniques to evade Australia’s cyber defences.

The threat environment characterised in this report underscores the importance of ASD’s work in defending Australia’s security and prosperity. It also reinforces the significance of the Australian Government’s investment in ASD’s cyber and intelligence capabilities under Project REDSPICE (Resilience, Effects, Defence, Space, Intelligence, Cyber, Enablers).

It is clear we must maintain an enduring focus on cyber security in Australia. The Australian Government is committed to leading our nation’s efforts to bolster our cyber resilience. 

We also know that the best cyber defences are founded on genuine partnerships between and across the public and private sectors. The development of this report, which draws on insights from across the Commonwealth Government, our international partners, Australian industry and the community, is a testament to this collaboration.

This report presents a clear picture of the cyber threat landscape we face and is a vital part of Australia’s collective efforts to enhance our cyber resilience.

The Hon Richard Marles, MP Deputy Prime Minister and Minister for Defence

Richard Marles - Defence Minister standing in front of the Australian Flag

About ASD’s ACSC

ASD’s Australian Cyber Security Centre (ACSC) is the Australian Government’s technical authority on cyber security. The ACSC brings together capabilities to improve Australia’s national cyber resilience and its services include:

  • the Australian Cyber Security Hotline, which is contactable 24 hours a day, 7 days a week, via 1300 CYBER1 (1300 292 371)
  • publishing alerts, technical advice, advisories and notifications on significant cyber security threats
  • cyber threat monitoring and intelligence sharing with partners, including through the Cyber Threat Intelligence Sharing (CTIS) platform
  • helping Australian entities respond to cyber security incidents
  • exercises and uplift activities to enhance the cyber security resilience of Australian entities
  • supporting collaboration between over 110,000 Australian organisations and individuals on cyber security issues through ASD’s Cyber Security Partnership Program.

The most effective cyber security is collaborative and partnerships are key to this work. ASD thanks all of the organisations that contributed to this report. This includes Australian local, state, territory and federal government agencies, and industry partners.

Executive summary

Malicious cyber activity continued to pose a risk to Australia’s security and prosperity in the FY 2022-23. A range of malicious cyber actors showed the intent and capability needed to compromise vital systems, and Australian networks were regularly targeted by both opportunistic and more deliberate malicious cyber activity.

ASD responded to over 1,100 cyber security incidents from Australian entities. Separately, nearly 94,000 reports were made to law enforcement through ReportCyber – around one every 6 minutes.

ASD identified a number of key cyber security trends in FY 2022–23:

State actors focused on critical infrastructure – data theft and disruption of business.

Globally, government and critical infrastructure networks were targeted by state cyber actors as part of ongoing information-gathering campaigns or disruption activities. The AUKUS partnership, with its focus on nuclear submarines and other advanced military capabilities, is likely a target for state actors looking to steal intellectual property for their own military programs. Cyber operations are increasingly the preferred vector for state actors to conduct espionage and foreign interference.

In 2022–23, ASD joined international partners to call out Russia’s Federal Security Service’s use of ‘Snake’ malware for cyber espionage, and also highlighted activity associated with a People’s Republic of China state-sponsored cyber actor that used ‘living-off-the-land’ techniques to compromise critical infrastructure organisations.

Australian critical infrastructure was targeted via increasingly interconnected systems .

Operational technology connected to the internet and into corporate networks has provided opportunities for malicious cyber actors to attack these systems. In 2022–23, ASD responded to 143 cyber security incidents related to critical infrastructure.

Cybercriminals continued to adapt tactics to extract maximum payment from victims. 

Cybercriminals constantly evolved their operations against Australian organisations, fuelled by a global industry of access brokers and extortionists. ASD responded to 127 extortion-related incidents: 118 of these incidents involved ransomware or other forms of restriction to systems, files or accounts. Business email compromise remained a key vector to conduct cybercrime. Ransomware also remained a highly destructive cybercrime type, as did hacktivists’ denial-of-service attacks, impacting organisations’ business operations.

Data breaches impacted many Australians .

Significant data breaches resulted in millions of Australians having their information stolen and leaked on the dark web.

One in 5 critical vulnerabilities was exploited within 48 hours.

This was despite patching or mitigation advice being available. Malicious cyber actors used these critical flaws to cause significant incidents and compromise networks, aided by inadequate patching.

Cyber security is increasingly challenged by complex ICT supply chains and advances in fields such as artificial intelligence. To boost cyber security, Australia must consider not only technical controls such as ASD’s Essential Eight, but also growing a positive cyber-secure culture across business and the community. This includes prioritising secure-by-design and secure-by-default products during both development (vendors) and procurement (customers).

ASD’s first year of REDSPICE increased cyber threat intelligence sharing, the uplift of critical infrastructure, and an enhanced 24/7 national incident response capability.

Genuine partnerships across both the public and private sectors have remained essential to Australia’s cyber resilience; and ASD’s Cyber Security Partnership Program has grown to include over 110,000 organisations and individuals.

Year in review

What asd saw.

Average cost of cybercrime per report, up 14 per cent

  • small business: $46,000
  • medium business: $97,200
  • large business: $71,600.

Nearly 94,000 cybercrime reports, up 23 per cent

  • on average a report every 6 minutes
  • an increase from 1 report every 7 minutes.

Answered over 33,000 calls to the Australian Cyber Security Hotline, up 32 per cent

  • on average 90 calls per day
  • an increase from 69 calls per day.

Top 3 cybercrime types for individuals

  • identity fraud
  • online banking fraud
  • online shopping fraud.

Top 3 cybercrime types for business

  • email compromise
  • business email compromise (BEC) fraud
  • online banking fraud.

Publicly reported common vulnerabilities and exposures (CVEs) increased 20 per cent.

What ASD did

  • Responded to over 1,100 cyber security incidents , similar to last year.
  • 10 per cent of all incidents responded to included  ransomware , similar to last year.
  • Notified 158 entities of ransomware activity on their networks, compared to 148 last year, roughly a  7 per cent increase.
  • Australian Protective Domain Name System blocked over 67 million malicious domain requests, up 176 per cent.
  • Domain Takedown Service  blocked over 127,000 attacks against Australian servers, up 336 per cent.
  • Cyber Threat Intelligence Sharing partners  grew by 688 per cent  to over 250 partners.
  • issued 103 High-priority Operational Taskings, up 110 per cent
  • distributed around 4,900 reports to approximately 1,360 organisations, up 16 per cent and 32 per cent respectively.
  • 3 CI-UPs completed covering 6 CI assets
  • 3 CI-UPs in progress
  • 20 CI-UP Info Packs sent
  • 5 CI-UP workshops held.
  • Notified 7 critical infrastructure entities of suspicious cyber activity , up from 5 last year.
  • Published or updated 34 PROTECT  and Information Security Manual (ISM)   guidance publications .
  • Published 64 alerts, advisories, incident and insight reports  on and the Partnership Portal.
  • Individual Partners up 24 per cent
  • Business Partners up 37 per cent
  • Network Partners up 29 per cent.
  • Led 20 cyber security exercises  involving over 75 organisations  to strengthen Australia’s cyber resilience.
  • Briefed board members and company directors covering 33 per cent of the ASX200.

Cyber security incidents

ASD is able to build a national cyber threat picture, in part due to the timely and rich reporting of cyber security incidents by members of the public and Australian business. This aggregation of cyber security incident data enables ASD to inform threat mitigation advice with the latest trends and threats posed by malicious cyber actors. Any degradation in the quantity or quality of information reported to ASD harms cyber security outcomes. Information reported to ASD is anonymised prior to it being communicated to the community.

ASD categorises each incident it responds to on a scale of Category 1 (C1), the most severe, to Category 6 (C6), the least severe. Incidents are categorised on severity of effect, extent of compromise, and significance of the organisation.

The number of C2 incidents rose from 2 in FY 2021–22 to 5 in FY 2022–23. This includes significant data breaches involving cybercriminals exfiltrating data from critical infrastructure for the purposes of financial gain.

Cyber security incidents are consistent with last financial year, with around 15 per cent of all incidents being categorised C3 or above. Of the C3 incidents, over 30 per cent related to organisations self-identifying as critical infrastructure, with transport (21 per cent), energy (17 per cent), and higher education and research (17 per cent) the most affected sectors.

The most common C3 incident type was compromised assets, network or infrastructure (23 per cent), followed by data breaches (19 per cent) and ransomware (14 per cent). Common activities leading to C3 incidents included exploitation of public–facing applications (20 per cent) and phishing (17 per cent).

Almost a quarter (24 per cent) of C3 incidents involved a tipper, where ASD notified the affected organisations of suspicious activity.

While reports of low-level malicious attacks are often categorised as unsuccessful, reports of unsuccessful activity are still indicative of continual targeting of Australian entities.

ASD responded to over 1,100 cyber security incidents, around the same as in the last financial year

Cyber security incidents by sector

Compared to 2021–22, the information media and telecommunications sector fell out of the top 5 reporting sectors.

Government sectors and regulated critical infrastructure have reporting obligations, which may explain the relatively high reporting rate for these sectors compared with others.

ASD categorises sectors following the Australian and New Zealand Standard Industrial Classification (ANZSIC) Divisions from the Australian Bureau of Statistics. The public safety and administration division encompasses several sectors including federal, state, territory and local governments, public order and safety services, and Defence.

Table 3 : The top 10 reporting sectors

Federal Government 30.7%, State and local government 12.9%, Professional, scientific and technical services 6.9%, and 7 more.

Chapter 1: Exploitation

  • Half of vulnerabilities were exploited within 2 weeks of a patch, or of mitigation advice being released, highlighting the risks entities take by not promptly patching.
  • Patching vulnerabilities in internet-facing services should occur within 2 weeks, or 48 hours if an exploit exists.
  • Vulnerable internet-facing devices and applications are convenient targets for malicious cyber actors. In addition to patching, unnecessary internet-facing services should be disabled.

Vulnerable and exposed

As Australians integrate more technology into their lives and businesses, the number of possible weak points or vectors for malicious cyber actors to exploit – known as the attack surface – grows. The larger the attack surface, the harder it is to defend. Malicious cyber actors often exploit security weaknesses found in ICT, known as common vulnerabilities and exposures (CVEs), to break into systems, steal data, or even take complete control over a system.

The number of published CVEs has been steadily on the rise. The US National Vulnerability Database published 19,379 CVEs in FY 2020–21, 24,266 CVEs in FY 2021–22, and 29,019 CVEs in FY 2022–23.

To identify the rates at which CVEs were exploited after a patch or mitigation was made available, ASD analysed 60 CVEs covering 1 July 2020 to 28 February 2023. The analysis found around 82 per cent of vulnerabilities had an attack vector of ‘network’ under the Common Vulnerability Scoring Scheme. This indicates that malicious actors prefer vulnerabilities that are remotely exploitable and are present on internet-facing or edge devices. Exploitation of these vulnerabilities allows malicious actors to pivot into internal networks. The analysis also found:

  • 1 in 5 vulnerabilities was exploited within 48 hours of a patch or mitigation advice being released
  • half of the vulnerabilities were exploited within 2 weeks of a patch or mitigation advice being released
  • 2 in 5 vulnerabilities were exploited more than one month after a patch or mitigation advice was released.

Despite more than 90 per cent of CVEs having a patch or mitigation advice available within 2 weeks of public disclosure, 50 per cent of the CVEs were still exploited more than 2 weeks after that patch or mitigation advice was published. This highlights the risk entities carry when not patching promptly. These risks are heightened when a proof-of-concept code is available and shared online, as malicious cyber actors can leverage this code for use in automated tools, lowering the barrier for exploitation.

ASD observed that Log4Shell (CVE-2021-44228) and ProxyLogon (CVE-2021-26855) were by far the most commonly exploited vulnerabilities throughout the analysis period, with these 2 vulnerabilities representing 29 per cent of all CVE-related incidents.

CVEs do not have an expiration date. In one instance, ASD observed that malicious cyber actors successfully exploited an unpatched 7-year-old CVE. Additionally, ASD still receives periodic reports of WannaCry malware – 6 years after its release – which is likely due to old, infected legacy machines being powered on and connected to networks. Incidents like this highlight the importance of patching as soon as possible, and also demonstrate the long tail of risks that unpatched and legacy systems can pose to entities.

Percentage of vulnerabilities by time to exploit

During 2022–23, ASD published many alerts warning Australians of vulnerabilities, such as the critical remote code execution vulnerability in Fortinet devices (CVE-2022-40684), and a high-severity vulnerability present in Microsoft Outlook for Windows (CVE-2023-23397). ASD also published a joint Five-Eyes advisory detailing the top 12 CVEs most frequently and routinely exploited by malicious cyber actors for the 2022 calendar year.

To help mitigate vulnerabilities, ASD recommends all entities patch, update or otherwise mitigate vulnerabilities in online services and internet-facing devices within 48 hours when vulnerabilities are assessed as critical by vendors or when working exploits exist. Otherwise, vulnerabilities should be patched, updated or otherwise mitigated within 2 weeks. Entities with limited cyber security expertise who are unable to patch rapidly should consider using a reputable cloud service provider or managed service provider that can help ensure timely patching.

ASD acknowledges not all entities may be able to immediately patch, update or apply mitigations for vulnerabilities due to high-availability business requirements or system limitations. In such cases, entities should consider compensating controls like disabling unnecessary internet-facing services, strengthening access controls, enforcing network separation, and closely monitoring systems for anomalous activity. Entities should ensure decision makers understand the level of risk they hold and the potential consequences should their systems or data be compromised as a result of a malicious actor exploiting unmitigated vulnerabilities.

Further patching advice can be found in ASD’s Assessing Vulnerabilities and Applying Patches guide.

Cyber hygiene

In addition to patching, effective cyber security hygiene is vital. At, ASD has published a range of easy-to-understand advice and guides tailored for individuals, small and medium business, enterprises, and critical infrastructure providers.

All Australians should:

  • enable multi-factor authentication (MFA) for online services where available
  • use long, unique passphrases for every account if MFA is not available, particularly for services like email and banking (password managers can assist with such activities)
  • turn on automatic updates for all software – do not ignore installation prompts
  • regularly back up important files and device configuration settings
  • be alert for phishing messages and scams
  • sign up for the ASD’s free Alert Service
  • report cybercrime to ReportCyber.

Australian organisations should also:

  • only use reputable cloud service providers and managed service providers that implement appropriate cyber security measures
  • regularly test cyber security detection, incident response, business continuity and disaster recovery plans
  • review the cyber security posture of remote workers, including their use of communication, collaboration and business productivity software
  • train staff on cyber security matters, in particular how to recognise scams and phishing attempts
  • implement relevant guidance from ASD’s Essential Eight Maturity Model, Strategies to Mitigate Cyber Security Incidents and Information Security Manual
  • join ASD’s Cyber Security Partnership Program
  • report cybercrime and cyber security incidents to ReportCyber.

Case study 1: Malicious cyber actors exploit devices 2 years after patch

On 24 May 2019, Fortinet, a US vendor that creates cyber security products, released a security advisory and accompanying patch for CVE-2018-13379, which was a severe vulnerability that required immediate patching.

On 2 April 2021, the US Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) published an advisory on the exploitation of Fortinet FortiOS vulnerabilities, which indicated advanced persistent threat (APT) groups were scanning devices for CVE-2018-13379 and likely to gain access to multiple government, commercial, and technology services networks.

On 3 April 2021, ASD released an alert reminding organisations that APT groups had been observed exploiting CVE-2018-13379. Later, in September 2021, ASD received a report of a successful exploitation of CVE-2018-13379 against an Australian entity. Despite being vulnerable for more than 2 years, the victim’s device had not been patched.

While it is difficult to ascertain how widely Fortinet devices are used globally, researchers identified around 50,000 targets that remained vulnerable 2 years after the patch was released. This number is so significant that it was added to CISA’s Top Routinely Exploited Vulnerabilities list.

The primary mitigation against these attacks is to patch vulnerabilities as soon as possible. If patching is not immediately possible, the entity should consider removing internet access from Fortinet devices until other mitigations can be implemented.

Case study 2: A network compromise at the Shire of Serpentine Jarrahdale

The rural Shire of Serpentine Jarrahdale, 45 kilometres from the Perth CBD, may seem an unlikely place for malicious cyber activity to unfold. But, in early 2023, the Shire experienced a network compromise. Shire ICT Manager Matthew Younger said the malicious cyber actor took advantage of a public-facing system. ‘We’re quite diligent with our patching, but unfortunately we missed an update to our remote work server,’ Mr Younger said.

Before taking immediate remediation action, the Shire’s ICT team held a conference call with ASD to discuss the best way to manage the compromise, and Mr Younger said ASD’s help was first-class. ‘We put a perimeter around the compromised server, checked for lateral movement, and gathered evidence to work out what happened. Everything we found led back to the importance of the Essential Eight.’

ASD also sent an incident responder to help the Shire’s ICT team capture virtual machine snapshots and log data. ASD handles incident data with strict confidentiality, and such data helps its analysts understand how cyber security incidents occur and produces intelligence to help build the national cyber threat picture and to prevent further attacks.

Mr Younger said that after the compromise, the Shire doubled-down on its efforts to implement ASD’s Essential Eight. ‘We enforced passphrases, we improved our information security policies, and we improved our user security training. We also validated our controls through penetration testing and phishing exercises.’

Mr Younger credits much of the Shire’s success to its agile leadership who, with limited resources, foster the right security culture to both respond to cyber threats and implement mitigations.


BIG-IP refers to a suite of products from cyber security vendor F5, which includes firewall and application delivery solutions. On 1 July 2020, F5 released a security advisory detailing a critical vulnerability in their BIG-IP Traffic Management User Interface (TMUI). Within 48 hours of patch release, security researchers discovered malicious cyber actors scanning for and exploiting unpatched devices.

Vulnerability Timeline

The Essential Eight

ASD’s Essential Eight are some of the most effective cyber security mitigation strategies, and includes:

cyber crime case study report

ASD uses its cyber threat intelligence to ensure its cyber security advice is contemporary and actionable. ASD’s advice is not formed in a silo. Feedback from partners across government and industry, such as how cyber security mitigations are implemented within organisations, is important. Feedback helps ASD update advice like the Essential Eight.

More information on the Essential Eight, including the Essential Eight Assessment Process Guide and Essential Eight Maturity Model Frequently Asked Questions , can be found at

Chapter 2: Critical infrastructure

  • During FY 2022–23, Australian critical infrastructure networks regularly experienced both targeted and opportunistic malicious cyber activity. Activity against these networks is likely to increase as networks grow in size and complexity.
  • Malicious cyber actors can steal or encrypt data, or gain insider knowledge for profit or competitive advantage. Some actors may attempt to degrade or disrupt services and these incidents can have cascading impacts.
  • Designing robust cyber security measures for operational technology environments is vital to protect the safety, availability, integrity and confidentiality of essential services. Secure-by-design and secure‑by-default products should be a priority.

Actors target critical infrastructure for many reasons

Critical infrastructure assets and networks are attractive targets for malicious cyber activity as these assets need to hold sensitive information, maintain essential services, and often have high levels of connectivity with other organisations and critical infrastructure sectors.

A cyber incident can result in a range of impacts to critical services. For instance, the disruption of an electricity grid could cause a region to lose power. Without power, a hospital may lose access to patient records and struggle to function, internet services may be down and affect communications and payment systems, or water supply could be impacted.

Globally, a broad range of malicious cyber actors, including state actors, cybercriminals and issue‑motivated groups, have demonstrated the intent and the capability to target critical infrastructure. Malicious cyber actors may target critical infrastructure for a range of reasons. For example, they may:

  • attempt to degrade or disrupt services, such as through denial-of-service (DoS) attacks, which can have a significant impact on service providers and their customers
  • steal or encrypt data or gain insider knowledge for profit or competitive advantage
  • preposition themselves on systems by installing malware, in anticipation of future disruptive or destructive cyber operations, potentially years in advance
  • covertly seek sensitive information through cyber espionage to advance strategic aims.

Critical infrastructure can be targeted by the mass scanning of networks for both old and new vulnerabilities. In February 2023, an Italian energy and water provider was affected by ransomware. While there was no indication the water or energy supply was affected, it reportedly took 4 days to restore systems like information databases. Italy’s National Cybersecurity Agency publicly noted the ransomware attack targeted older and unpatched software, exploiting a 2-year-old vulnerability.

Critical infrastructure is a target globally

During 2022–23, critical infrastructure networks around the world continued to be targeted, causing impacts on network operators and those relying on critical services. In the latter half of 2022, the French health system reportedly sustained a number of cyber incidents. One hospital fell victim to a ransomware incident, resulting in the cancellation of some surgical operations and forcing patients to be transferred to other hospitals. The hospital’s computer systems had to be shut down to isolate the attack.

Russia’s war on Ukraine has continued to demonstrate that critical infrastructure is viewed as a target for disruptive and destructive cyber operations during times of conflict. Malicious cyber actors have targeted and disrupted hospitals, airports, railways, telecommunication providers, energy utilities, and financial institutions across Europe. Destructive malware was also used against critical infrastructure in Ukraine.

In September 2022 and May 2023, ASD and its international partners published advisories highlighting that state actors were targeting multiple US critical infrastructure sectors, and strongly encouraged Australian entities to review their networks for signs of malicious activity. More details about these advisories is in the state actor chapter .

Australian critical infrastructure is impacted

Australian critical infrastructure networks regularly experienced both targeted and opportunistic malicious cyber activity. During 2022–23, ASD responded to 143 incidents reported by entities who self-identified as critical infrastructure, an increase from the 95 incidents reported in 2021–22. The vast majority of these incidents were low-level malicious attacks or isolated compromises.

The main cyber security incident types affecting Australian critical infrastructure were:

  • compromised account or credentials
  • compromised asset, network or infrastructure

These incident types accounted for approximately 57 per cent of the incidents affecting critical infrastructure for 2022–23. Other more prominent incident types were data breaches followed by malware infection.

ASD encourages critical infrastructure entities to report anomalous activity early and not wait until malicious activity reaches the threshold for a mandatory report. Reporting helps piece together a picture of the cyber threat landscape, and informs ASD’s cyber security alerts and advisories for the benefit of all Australian entities.

Critical infrastructure networks have a broad attack surface

The interconnected nature of critical infrastructure networks, and the third parties in their ICT supply chain, increases the attack surface for many entities. This includes remote access and management solutions, which are increasingly present in critical infrastructure networks.

Operational technology (OT) and connected systems, including corporate networks, will likely be of enduring interest to malicious cyber actors. OT can be targeted to access a corporate network and vice versa, potentially allowing malicious cyber actors to move laterally through systems to reach their target. Even when OT is not directly targeted, attacks on connected corporate networks can disrupt the operation of critical infrastructure providers.

Systems where software or hardware are not up to date with the latest security mitigations are vulnerable to exploitation, particularly when these systems are exposed to the internet. ICT supply chain and managed service providers are another avenue malicious cyber actors can exploit.

Explainer 1: Operational technology

OT makes up those systems that detect or cause a direct change to the physical environment through the monitoring or control of devices, processes, and events. OT is predominantly used to describe industrial control systems (ICS), which include supervisory control and data acquisition (SCADA) systems and distributed control systems (DCS).

Australian critical infrastructure providers often operate over large geographical areas and require interconnection between dispersed OT environments. Separately, remote access to OT environments from corporate IT environments and the internet has become standard operating procedure. Remote access allows engineers and technicians to remotely manage and configure the OT environment. However, this interconnection or remote access requires an internet connection, which creates additional cyber security risks to OT environments.

In April 2023, irrigation systems in Israel were reportedly disrupted when the ICS supporting the automated water controllers were compromised. Israel’s National Cyber Organisation was able to warn many farmers to disconnect their remote control option for the irrigation systems, so the disruption was minimal. Being able to disconnect from remote control also highlights the value of a manual override mechanism in some instances.

Next-generation OT is expected to contain built-in remote access and security features, which could address some of the issues related to remote access and internet exposure. ASD continues to advise entities to prioritise secure-by-design and secure-by-default products in procurements, and take a risk-based approach to managing risks associated with new technologies or providers. Good cyber security practices will be particularly important during a transition to new technologies.

At, ASD has published a range of cyber security guides for OT and ICS, and also principles and approaches to secure-by-design and default.

In focus: food and grocery sector

The food and grocery sector covers a broad supply chain including processing, packaging, importing, and distributing food and groceries. Food and grocery manufacturing is Australia’s largest manufacturing sector, comprising over 16,000 businesses and representing around 32 per cent of all manufacturing jobs. Food and grocery organisations are an attractive target for malicious cyber actors as this sector’s provision of essential supplies has little tolerance for disruption.

The sector’s complex supply chains and growing online sales mean food and grocery organisations have a large attack surface. The sector is increasingly reliant on smart technologies, industrial control systems, and internet-based automation systems. Additionally, many entities in this sector hold sensitive data that may be of value to malicious cyber actors, such as personal information or intellectual property.

Like other manufacturing entities, food and grocery organisations have increasingly adopted just-in-time inventory and delivery chains in pursuit of greater efficiency and reduced waste. This means the food and grocery sector is also vulnerable if a supplier is affected by a cyber incident that disrupts services.

Large entities in this sector may be targeted based on the view that they can be extorted for large sums of money. Smaller entities may be perceived as having lower cyber security maturity, and may be used to access more lucrative targets in their supply chain. Malicious cyber actors may seek to remain undetected on systems to establish a secure foothold and then move to other systems within a business to exfiltrate data or maintain a presence for future malicious activity.

A cyberattack against entities in this sector could have significant impacts for both the victim organisation and its customers. For example, a ransomware attack that locks systems could halt production and delivery, rendering a business unable to fulfil its orders. The second order impacts of this could be costly – including lost revenue, or lost confidence from business partners and customers alike.

Early detection of malicious activity is vital for mitigating cyber threats. It can take time to discover a compromised network or system, so robust and regular monitoring is essential. Likewise, practised incident response plans and playbooks should form part of broader corporate and cyber plans to aid remediation and minimise the impact of a compromise. Entities in this sector should seek secure-by-design and secure‑by-default products wherever possible to boost their cyber security posture.

A comprehensive list of resources for critical infrastructure is available at, including guidance for cyber incident response and business continuity plans.

Case study 3: Global food distributor held to ransom

In February 2023, Dole – one of the world’s largest producers and distributors of fruit and vegetables – was a victim of a ransomware incident, resulting in a shut down of its systems throughout North America. Other reported impacts included some product shortages, a limited impact on operations, and theft of company data – including some employee information. While Dole acted swiftly to minimise the impacts of the incident, it still reported USD $10.5 million in direct costs, and faced reputational damage.

Explainer 2: Effective separation

Separating network segments can help to isolate critical network elements from the internet or other less sensitive parts of a network. This strategy can make it significantly more difficult for malicious cyber actors to access an organisation’s most sensitive data, and can aid cyber threat detection.

In 2022–23, ASD observed that effective separation through network segmentation and firewall policies prevented malware from impacting an Australian critical infrastructure provider. Additionally, through effective separation an Australian critical infrastructure provider prevented the deployment of malware from a contractor’s USB drive onto their OT environment.

Network separation is more than just a logical or physical design decision: it should also consider where system administration and management services are placed. Often, the corporate IT network is separated from the OT environment, because the corporate IT network is usually seen as having a higher risk of compromise due to its internet connectivity and services like email and web browsing.

However, if a malicious cyber actor compromises the corporate IT network and gains greater access privileges, then the corporate IT firewall may no longer provide the desired level of protection for the OT environment. This similarly applies if the Active Directory (AD) Domain for the OT environment is inside an AD Forest administered from the corporate IT network.

Critical infrastructure operators should regularly assess the risk of insufficient separation of system administrative and management role assignments. For example, in scenarios where the virtualisation of OT infrastructure or components is managed by privileged accounts from a corporate domain, if the corporate environment was to become compromised then the OT environment would potentially be impacted and those necessary privileged IT accounts may not be accessible.

Case study 4: Horizon Power working with ASD

Western Australian energy provider Horizon Power distributes electricity across the largest geographical catchment of any Australian energy provider – around 2.3 million square kilometres, or roughly an area 4 times bigger than France. It operates a diverse range of OT and ICT infrastructure to manage around 8,300 kilometres of transmission lines and deliver power to more than 45,000 customers.

In early 2023, Horizon Power partnered with ASD to conduct a range of activities to help examine and test its cyber security posture and controls. Horizon Power’s security team worked side-by-side with ASD’s experts to help improve threat detection, security event triage and response; practice forensic artefact collection; and enhance security communication across the enterprise. The activities have helped to improve both the speed and the quality with which Horizon Power can respond to and manage cyber incidents, including sharing cyber threat intelligence with ASD.

Horizon Power Senior Technology Manager Jeff Campbell said engaging ASD was easy, there were clear objectives, and the network assessments were excellent. ‘Long past are the days of holding cards to our chest. Sharing information is really important across multiple industries and sectors. To improve security, you need to find out what you don’t know.’

Mr Campbell said having ASD onsite helped to test many assumptions about the company’s network security, like its segmentation practices and vulnerability management. 'The engagement highlighted the importance of getting visibility over systems, and also helped to demonstrate that effective cyber security is vital to helping mitigate business risks.'

Learn more about the open, collaborative partnership between Horizon Power and the Australian Signals Directorate that enabled Horizon Power to bolster its cyber security controls.

Building cyber resilience in critical infrastructure

Malicious cyber activity against Australian critical infrastructure is likely to increase as networks grow in size and complexity. Critical infrastructure organisations can do many things to reduce the attack surface, secure systems, and protect sensitive data to help ensure Australia’s essential services remain resilient. Such as:

  • Follow best practice cyber security, like ASD’s Essential Eight, or equivalent framework as required for a critical infrastructure risk-management program.
  • Thoroughly understand networks, map them, and maintain an asset registry to help manage devices on all networks, including OT. Consider the security capabilities available on devices as part of routine architecture and asset review, and the most secure approach to hard-coded passwords.
  • Scrutinise the organisation’s ICT supply chain vulnerabilities and risks.
  • Prioritise secure-by-design or secure-by-default products. Consider the security controls of any new software, hardware, or OT before it is purchased, and understand vendor support for future patches and ongoing security costs. Build cyber security costs into budgets for the entire lifecycle of the product, including the product’s replacement.
  • Understand what is necessary to keep critical services operating and protect these systems as a priority. Ensure OT and IT systems can be, or are, segmented to ensure the service is able to operate during a cyber incident.
  • Treat a cyber incident as a ‘when’ not ‘if’ scenario in risk and business continuity planning, and regularly practice cyber incident response plans.
  • Maintain open communication with ASD. ASD has a number of programs to support critical infrastructure, including cyber uplift activities and cyber threat intelligence sharing.
  • Follow ASD’s cyber security publications tailored for critical infrastructure entities available at

Explainer 3: The Trusted Information Sharing Network

The Department of Home Affairs’ Trusted Information Sharing Network (TISN) takes an all-hazards approach to help build security and resilience for organisations within the Australian critical infrastructure community. To rapidly and flexibly address current and future threats to Australia’s security, the TISN allows for all levels of government and industry to connect and collaborate.

Since launching the TISN platform in 2022, the network has been vital in amplifying key messages and information to members, facilitating sector group meetings and contributing to the weekly Community of Interest meetings to inform members of current data breaches, cyber threats, and technical advice available from ASD.

Explainer 4: Resilience in financial services

CPS 230 Operational Risk Management

Events of recent years have demonstrated the critical importance of financial institutions being able to manage and respond to operational risks, evident for example in the challenges of the COVID-19 pandemic, technology risks and natural disasters. Sound operational risk management is fundamental to financial safety and system stability.

To ensure that all APRA-regulated entities in Australia are well placed to manage operational risk and respond to business disruptions when they inevitably occur, on 17 July 2023, APRA released the new Prudential Standard CPS 230 Operational Risk Management (CPS 230).

CPS 230 encompasses operational risk controls and monitoring, business continuity planning and the management of third-party service providers. The aim of the standard is to:

  • strengthen operational risk management with new requirements to address weaknesses that have been identified in existing practices of APRA-regulated entities. This includes requirements to maintain and test internal controls to ensure they are effective in managing key operational risks
  • improve business continuity planning to ensure that APRA-regulated entities are ready to respond to severe business disruptions, and maintain critical operations such as payments, settlements, fund administration and claims processing. It is important that all APRA regulated entities are able to adapt processes and systems to continue to operate in the event of a disruption and set clear tolerances for the maximum level of disruption they are willing to accept for critical operations
  • enhance third-party risk management by extending requirements to cover all material service providers that APRA-regulated entities rely upon for critical operations or that expose them to material operational risk, rather than just those that have been outsourced.

The new standard also aims to ensure that APRA-regulated entities are well positioned to meet the challenges of rapid change in the industry and in technology more generally.

CPS 234 Information Security

As part of APRA’s Cyber Security Strategy, all regulated entities are required to engage an independent auditor to perform an assessment against CPS 234, APRA’s Information Security Prudential Standard. This is the largest assessment of its kind conducted by APRA.

By the end of 2023, more than 300 banks, insurers and superannuation trustees will have completed their assessment. Early insights, from the assessments completed so far, have identified a number of common weaknesses across the industry, including:

  • incomplete identification and classification for critical and sensitive information assets
  • limited assessment of third-party information security capability
  • inadequate definition and execution of control testing programs
  • incident response plans not regularly reviewed or tested
  • limited internal audit review of information security controls
  • inconsistent reporting of material incidents and control weaknesses to APRA in a timely manner.

A summary of these findings, along with guidance to address gaps, have been shared in a recent APRA Insight Article – Cyber Security Stocktake Exposes Gaps. Entities are encouraged to review the common weaknesses identified and incorporate relevant strategies and plans to address shortfalls in their own cyber security controls, governance policies and practices. APRA will continue to work with entities that do not sufficiently meet CPS 234 requirements, to lift the benchmark for cyber resilience across the financial services industry.

Chapter 3: State actors

  • State cyber actors will likely continue to target government and critical infrastructure, as well as connected systems and their supply chains as part of ongoing cyber espionage and information‑gathering campaigns. They do not just want state secrets; businesses also hold valuable and sensitive information.
  • Some state actors are willing to use cyber capabilities to destabilise and disrupt systems and infrastructure. They may preposition on networks of strategic value for future malicious activities.
  • Government and industry partnerships are vital in boosting national cyber security and resilience against cyberattacks by state actors.

Strategic context

The global and regional strategic environment continues to deteriorate, which is reflected in the observable activities of some state actors in cyberspace. In this context, these actors are increasingly using cyber operations as the preferred vector to build their geopolitical competitive edge, whether it is to support their economies or to underpin operations that challenge the sovereignty of others. In the Australian Security Intelligence Organisation’s Annual Report 2021–22, espionage and foreign interference was noted to have supplanted terrorism as Australia’s principal security concern.

Some states are willing to use cyber capabilities to destabilise or disrupt economic, political and social systems. Some also target critical infrastructure or networks of strategic value with the aim of coercion or prepositioning on a network for future disruptive activity.

State actors have an enduring interest in obtaining information to develop a detailed understanding of Australians and exploit this for their advantage. While government information is an attractive target for state actors seeking strategic insights into Australia’s national policy and decisions, many Australian businesses also hold sensitive and valuable data such as proprietary information, research, and personal information. Unlike cybercriminals who may post stolen data in public forums, state actors usually try to keep their activities covert – seeking to remain unnoticed, both when they are on an entity’s network and after a compromise.

State actors use various tools and techniques

In some cases, state actors may develop bespoke tools and techniques to fulfil their operational aims. In May 2023, ASD released a joint cyber security advisory with its international partners on the Snake implant – a cyber espionage tool designed and used by Russia’s Federal Security Service (FSB) for long-term intelligence collection on high-priority targets around the globe. Shortly after, Australia co-badged another joint cyber security advisory with international partners that outlined malicious cyber activity associated with a People’s Republic of China (PRC) state-sponsored cyber actor.

Case study 5: Advisory – People’s Republic of China state-sponsored cyber activity

[Go to advisory]

In May 2023, ASD joined international partners in highlighting a recently discovered cluster of activity associated with a PRC state-sponsored cyber actor, also known as Volt Typhoon. The campaign involved ‘living-off-the-land’ techniques – using built-in operating tools to help blend in with normal system and network activities. Private sector partners identified that this activity affected networks across US critical infrastructure sectors. However, the same techniques could be applied against critical infrastructure sectors worldwide, including in Australia.

ASD published the People’s Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection advisory on and hosted numerous events to brief its Network Partners. For help to implement the advisory – call 1300 CYBER1 ( 1300 292 371 ).

Even when state actors have access to more advanced capabilities, they can use common tools and techniques to avoid the discovery of their best capabilities. For example, state actors continue to use relatively well-known tactics, such as exploiting unpatched or misconfigured systems and spear phishing.

The threat of state actor cyber operations is very real

State actors will likely continue to target government and critical infrastructure, as well as connected systems and their supply chains, as part of ongoing cyber espionage and information-gathering campaigns. Significant disruptive and destructive activities could occur if there were a major deterioration in Australia’s geopolitical environment. It is clear that preventative cyber security measures – such as implementing cyber security essentials, information-sharing and national cyber cooperation – are by far the best ways to help secure Australian networks.

In focus: Russia’s war on Ukraine

Cyber operations have been used alongside more conventional military activities during Russia’s war on Ukraine. Both Russia and Ukraine have faced many cyberattacks that impacted their societies, with extensive targeting of government and critical infrastructure networks.

Cyberattacks that began before the invasion of Ukraine have continued into 2023. Between January 2022 and the first week of February 2023, the Computer Emergency Response Team-Europe (CERT-EU) identified and analysed 806 cyberattacks associated with Russia’s war on Ukraine.

There has been extensive cyber targeting of Ukrainian networks across many sectors, including finance, telecommunications, energy, media, military and government. Ukraine has faced ransomware, denial‑of‑service (DoS) attacks, and mass phishing campaigns against critical infrastructure, government departments, officials and private citizens.

Russia has also been subject to cyber operations. Russian authorities have reported some of its federal agencies’ websites, including its energy ministry, were compromised by unknown attackers in a supply chain attack. Cyberattacks against Russia have tended to target entities related to the government, military, banking, logistics, transport and energy sectors.

Cyberattacks in Europe associated with Russia’s war on Ukraine

Map highlighting most countries surrounding Ukraine

Figure 3 : Countries impacted by cyberattacks associated with Russia’s war on Ukraine

Cyber operations have enabled a borderless conflict

Cyber operations associated with Russia’s invasion have affected entities in multiple countries during the first year of the conflict, including the European Parliament, European governments, the Israeli Government, and hospitals in the Netherlands, Germany, Spain, the US, and the UK. Many of these countries have linked the attacks to pro-Russian groups. For example, pro-Russian hacktivists, KillNet, have claimed a number of attacks such as the February 2023 DoS attack on numerous German websites, including those for German airports, public administration bodies, financial sector organisations, and other private companies. Belarus also reported its railway network was disrupted by a cyberattack, allegedly as retaliation for its use in transporting Russian troops. In some cases, Australia–based operations of European organisations have been impacted.

Many cyber actors are involved in the conflict in offence and defence

The mix of state and non-state cyber actors participating in Russia’s war on Ukraine has added to an already complex cyberspace domain. While state actors were on the ‘cyber front’, particularly during the earlier stages of the conflict, there was significant activity by hacktivists from around the globe as the conflict progressed. Regardless of whether a malicious cyber actor was a state, state-sponsored, or a non-state actor acting of their own volition, the scale and frequency of malicious cyber activity during the conflict has challenged cyber defenders on all sides. For example, at least 8 variants of destructive malware were identified in the first 6 weeks of the conflict, including wiper malware designed to erase data or prevent computers from booting.

Both state and non-state cyber actors have been on the offensive and defensive. Ukraine’s networks have been resilient and have largely withstood sustained cyberattacks. Ukraine has said this resilience is due to robust defences developed following previous cyberattacks, as well as partnerships with private sector IT companies. For example, with the support of private companies, Ukrainian government data was migrated to cloud infrastructure, which assured continuity of government services. Private companies also rapidly released threat intelligence, like indicators of compromise, to assist cyber defenders to repel network attacks.

Threat intelligence that might impact Australian entities is obtained by ASD through international partners and shared through and ASD’s Cyber Security Partnership Program.

Cyber operations can cause disruption and destruction in conflict

While the conflict remains ongoing, there are many lessons Australia can learn from Russia’s war on Ukraine. The world is witnessing the destructive impact of cyber operations during conflict, or in the pursuit of a state’s national interests, and how a broad range of critical infrastructure can be disrupted as a result of malicious cyber activity. It also demonstrates the impact non-state participants can have in modern conflict. The conflict has exemplified how government and industry partnerships are critical to boosting national cyber security and resilience.

Case study 6: The CTIS community at work – KillNet

The Cyber Threat Intelligence Sharing (CTIS) platform, operated by ASD, was developed with industry, for Australian Government and industry partners to build a comprehensive national threat picture and empower entities to defend their networks. CTIS allows participating entities to share indicators of compromise (IOCs) bilaterally at machine speed. Participating entities can use these IOCs to identify and block activity on their own networks, and share IOCs observed on their own networks with other CTIS partners.

The number of partners using CTIS increased seven-fold over 2022–23:

  • in July 2022 there were 32 CTIS partners (18 consuming, 14 contributing)
  • in June 2023 there were 252 CTIS partners (165 consuming, 87 contributing)
  • by the end of FY 2022–23, CTIS shared 50,436 pieces of cyber threat intelligence
  • as of 2023, ASD is progressing a further 313 candidate organisations for on-boarding.

In March 2023, a CTIS partner shared almost 1,000 IP addresses relating to a distributed denial-of-service (DDoS) attack on an Australian organisation. The partner linked the DDoS attack to the malicious cyber actor KillNet, a well-known pro-Russian hacktivist group. Since Russia’s war on Ukraine began, KillNet’s focus had been primarily Europe; however, recent trends suggest a shift to countries abroad, including Australia and its critical infrastructure.

CTIS partner contributions help participants defend their networks, and inform ASD’s understanding of threat actors, their motives and their tactics, techniques, and procedures. This information also helps ASD to identify trends within and across sectors.

For more information on CTIS, visit and become a Network Partner. Existing Network Partners can register their interest in accessing CTIS by either clicking on the ‘Register your interest’ button via the ASD Partnership Portal, or by contacting [email protected] .

Chapter 4: Cybercrime

  • Profit-driven cybercriminals continually seek new ways to maximise payment and minimise their risk, including by changing their tactics and techniques to mask their actions and extract payment from victims.
  • Ransomware remains the most destructive cybercrime threat to Australians, but is not the only cybercrime. Business email compromise (BEC), data theft, and denial-of-service (DoS) continue to impose significant costs on all Australians.
  • Building a national culture of cyber literacy, practicing good cyber security hygiene, and remaining vigilant to cybercriminal activity – both at work and at home – will help make it harder for cybercriminals to do business.

Cybercrime is big business and causes harm

Cybercrime is a multibillion-dollar industry that threatens the wellbeing and security of every Australian. Cybercrime covers a range of illegal activities such as data theft or manipulation, extortion, and disruption or destruction of computer-dependant services. In 2022–23, cybercrime impacted millions of Australians, including individuals, businesses and governments. These crimes have caused harm and continue to impose significant costs on all Australians.

The Australian Institute of Criminology (AIC) found, in its Cybercrime in Australia 2023 report, that individual victims and small-to-medium businesses experience a range of harms from cybercrime that extend beyond financial costs, such as impacts to personal health and legal issues. Cybercrime remains significantly underreported in Australia. The AIC’s report revealed that two-thirds of survey respondents had been victims of cybercrime in their lifetimes.

ASD needs community assistance to understand the cyber threat landscape. Australians are encouraged to report cyber security incidents and cybercrime to ReportCyber . ReportCyber is the Australian Government’s online cybercrime reporting tool coordinated by ASD and developed as a national initiative with state and territory police. ReportCyber may link Australians to other Australian Government entities for further support.

Cybercrime in 2022–23

The number of extortion-related cyber security incidents ASD responded to increased by around 8 per cent compared to last financial year.

Over 90 per cent of these incidents involved ransomware or other forms of restriction to systems, files or accounts.

ASD responded to 79 cyber security incidents involving DoS and DDoS , which is more than double the 29 incidents reported to ASD last financial year.

Cybercrime types

Cybercrime in 2022-2023

Cybercrime reports by state and territory

Australia’s more populous states continue to report more cybercrime. Queensland and Victoria report disproportionately higher rates of cybercrime relative to their populations. However, the highest average reported losses were by victims in New South Wales (around $32,000 per cybercrime report where a financial loss occurred) and the Australian Capital Territory (around $29,000).

Cybercrime by state and territory

Figure 4: Breakdown of cybercrime reports by jurisdiction for FY 2022–23 Note: Approximately one per cent of reports come from anonymous reporters and other Australian territories. Data has been extracted from live datasets of cybercrime and cyber security reports reported to ASD. As such, the statistics and conclusions in this report are based on point-in-time analysis and assessment.

How criminals monetise access

Profit-driven cybercriminals continually seek new ways to maximise payment and minimise their risk, including by changing their tactics and techniques to mask their actions and extract payment from victims. Their targeting is largely opportunistic but can also be aimed at specific entities or individuals.

The professionalisation of the cybercrime industry means cybercriminals have been able to increase the scale and profitability of their activities. For example, initial access brokers sell their services and accesses to other malicious cyber actors who then use techniques, such as ransomware or data-theft extortion, to target victims. The accessibility of criminal marketplaces has also lowered the bar for entry into cybercrime, which has made cybercrime more accessible to a wide range of actors.

To gain initial access, cybercriminals may send multiple malicious links to a broad list of people (known as a phishing campaign), or scan for unpatched and misconfigured systems. Once they compromise a network, they may seek to move laterally through the network to gain access to higher-value systems, information or targets.

Cybercriminals may draw on a number of techniques to extract payment from victims, including employing multiple techniques at once – known as double or multiple extortion. While ransomware is a well-known technique, cybercriminals can monetise access to compromised data or systems in many different ways. They may scam a business out of money or goods, extort victims in return for decrypting data or non‑publication of data, on-sell compromised data or systems access for profit, or exploit compromised data or systems for future use.

Social engineering: how criminals get a foothold

Social engineering is a way in which cybercriminals can gain unauthorised access to systems or data by manipulating a person. They may do this by creating a sense of urgency or desire to help, or by impersonating a trusted source to convince a victim to click on a malicious link or file, or reveal sensitive information through other means – such as over the phone.

Phishing is one of the most common and effective techniques used by cybercriminals to gain unauthorised access to a computer system or network, and this activity may be indiscriminate or targeted. Once a victim engages with the malicious link or file, they may be prompted to provide personal details, or malware may run on their device to covertly retrieve this information. Cybercriminals may then use this information to steal money or goods, or leverage this information to access other accounts and systems of higher value.

Australians are becoming more aware of techniques dependent on social engineering, like phishing, but more can be done to build resilience:

  • think twice before clicking on links from unsolicited correspondence
  • verify the legitimacy of suspicious messages with the source via their official website or verified contact information, particularly if it is a request to transfer money or supply sensitive information. Visit the entity’s website directly, rather than via links in emails, SMS or other messaging services
  • report unusual activity as quickly as possible to ReportCyber and Scamwatch
  • educate staff on corporate-focused social engineering tactics and how to identify risk.

Explainer 5: Common cybercriminal techniques

Phishing is an attempt to trick recipients into clicking on malicious links or attachments to harvest sensitive information, like login details or bank account details, or to facilitate other malicious activity. Spear phishing is more targeted and tailored: cybercriminals may research victims using social media and the internet to craft convincing messages designed to lure specific victims.

Ransomware is a type of extortion that uses malware for data or system encryption. Cybercriminals encrypt data or a system and request payment in return for decryption keys. Ransomware-as-a-Service (RaaS) is a business model between ransomware operators and ransomware buyers known as ‘affiliates’. Affiliates pay a fee to RaaS operators to use their ransomware, which can enable affiliates with little technical knowledge to deploy ransomware attacks.

Data-theft extortion does not require data encryption, but cybercriminals will use extortion tactics such as threatening to expose sensitive data to extract payment. The added threat of reputational damage is intended to pressure a victim into complying with the malicious cyber actor’s demands.

Data theft and on-sale is when data is extracted for use by a cybercriminal for the purpose of on-selling the data (such as personal information, logins or passwords) for further criminal activity, including fraud and financial theft. Some malware known as an ‘infostealer’ can do this job for the cybercriminal.

Business email compromise (BEC) is a form of email fraud. Cybercriminals target organisations and try to scam them out of money or goods by attempting to trick employees into revealing important business information, often by impersonating trusted senders. BEC can also involve a cybercriminal gaining access to a business email address and then sending out spear phishing emails to clients and customers for information or payment.

Denial-of-service (DoS) is designed to disrupt or degrade online services, such as a website. Cybercriminals may direct a large volume of unwanted traffic to consume the victim network’s bandwidth, which limits or prevents legitimate users from accessing the website.

Ransomware is a destructive cybercrime

Ransomware remains the most destructive cybercrime threat in 2022–23 to Australian entities. ASD recorded 118 ransomware incidents – around 10 per cent of all cyber security incidents.

A quarter of the ransomware reports also involved confirmed data exfiltration, also known as ‘double extortion’, where the actor extorts the victim for both data decryption and the non-publication of data. Other ransomware actors claimed to have exfiltrated data, but it is difficult to validate these claims until data exfiltration is confirmed or the legitimacy of leaked data is confirmed.

Ransomware is deliberatively disruptive, and places pressure on victims by encrypting and denying access to files. A ransom, usually in the form of cryptocurrency, is then demanded to restore access. This can inhibit entities, particularly those that rely on computer systems to operate and undertake core business functions.

Customers may also be impacted if they rely on the goods or services from that entity, or if their data is impacted. For example, in January 2023, cybercriminals reportedly compromised the postal service in the UK, encrypting files and disrupting international shipments for weeks. In other instances, ransomware incidents have had cascading impacts, sparking panic buying, fuel shortages, and medical procedure cancellations.

ASD advises against paying ransoms. Payment following a cybercrime incident does not guarantee that the cybercriminals have not already exfiltrated data for on-sale and future extortion.

ASD’s incident management capabilities provide technical incident response advice and assistance to Australian organisations. Further information can be found in the How the ASD's ACSC Can Help During a Cyber Security Incident guide.

Case study 7: Ransomware in Australia

In late 2022, an Australian education institution was impacted by the Royal ransomware, which is likely associated with Russian-speaking cybercrime actors. Royal ransomware restricts access to corporate files and systems through encryption. Notably, it uses a technique called ‘callback phishing’, which tricks a victim into returning a phone call or opening an email attachment that persuades them to install malicious remote access software.

When the institution detected the ransomware, it shut down some of its IT systems to stop the spread, which resulted in limited service disruption. An investigation revealed that a limited amount of personal information of both students and staff was compromised. The institution notified affected individuals and reminded them to remain vigilant for suspicious emails or communication. The institution also advised all students and staff to reset their passwords and introduced an additional verification process for remote users.

An ICT manager from the institution said downtime from the incident was minimal due to an effective  business continuity plan and access to regular backups, which were unaffected by encryption. After the incident, the institution began moving toward more secure data storage methods.

The ICT manager said the incident highlighted how ubiquitous data is in an enterprise environment. ‘There were no crown jewels affected, so to speak. Important data was spread across the network. This incident taught us some lessons in relation to account management, and the regular review and archival of data’.

In January 2023, ASD published to the Royal Ransomware Profile , which describes its tactics, techniques and procedures and outlines mitigations. The ransomware profile was informed by cyber threat intelligence that the education institution shared with ASD.

Sectors impacted by ransomware-related cyber security incidents

The professional, scientific and technical services sector reported ransomware-related cyber security incidents most frequently to ReportCyber in 2022–23, followed by the retail trade sector, then the manufacturing sector. These 3 sectors accounted for over 40 per cent of reported ransomware-related cyber security incidents.

Professional, scientific and technical services 17.4%, Retail trade 16.3%, Manufacturing 9.8% and 2 more

Table 5: Top 5 sectors reporting ransomware-related incidents in FY 2022–23 (ReportCyber data)

Entities should consider how a ransomware incident could impact their business and their customers. To help prevent a ransomware attack, it is important to secure devices by turning on multi-factor authentication (MFA), implementing access controls, performing and testing frequent backups, regularly updating devices, and disabling Microsoft Office macros. It is also equally important to practice incident response plans to minimise the impact in the event of a successful ransomware incident.

Business email compromise is lucrative

BEC is an effective and lucrative technique that exploits trust in business processes and relationships for financial gain. Cybercriminals can compromise the genuine email account of a trusted sender, or impersonate a trusted sender, to solicit sensitive information, money or goods from businesses partners, customers or employees.

For example, a cybercriminal may gain access to the email account of a business and send an invoice with new bank account details to a customer of that business. The customer pays the invoice using the fraudulent bank account details provided by the cybercriminal, which is often thousands of dollars. A compromised business may only detect BEC once a customer has paid cybercriminals.

In 2022–23, the total self-reported BEC losses to ReportCyber was almost $80 million. There were over 2,000 reports made to law enforcement through ReportCyber of BEC that led to a financial loss. On average, the financial loss from each BEC incident was over $39,000.

Before replying to requests seeking money or personal information, look out for changes such as a new point-of-contact, email address or bank details. Simple things like calling an existing contact or the trusted sender to verify a request for money or change of payment details can help to prevent BEC.

Explainer 6: Business email compromise advice

Organisations should implement clear policies and procedures for workers to verify and validate requests for payment and sensitive information. Additionally:

  • Register additional domain names to prevent typo-squatting – cybercriminals may create misleading domain names based on common typographic errors of a website, hoping its customers do not notice. Further information on Domain Name System Security for Domain Owners is available at
  • Set up email authentication protocols business domains – this helps prevent email spoofing attacks so that cybercriminals cannot wear a ‘digital mask’ pretending to be legitimate.

ASD has published the Preventing Business Email Compromise guide to help Australian organisations understand and prevent BEC.

Case study 8: Scams in Australia

In April 2023, the Australian Competition and Consumer Commission (ACCC) released its Targeting Scams report . The report, which compiles data reported to the ACCC’s Scamwatch, ReportCyber, the Australian Financial Crimes Exchange, IDCARE and other government agencies, provides insight into the scams that impacted Australians in 2022. The report also outlines some of the activities by government, law enforcement, the private sector and community to disrupt and prevent scams.

The Targeting Scams report revealed Australians lost over $3 billion to scams in 2022. This is an 80 per cent increase on total losses recorded in 2021.

Investment scams were the highest loss category ($1.5 billion), followed by remote access scams ($229 million) and payment redirection scams ($224 million).

The most reported contact method used by scammers was text message; however, scam phone calls accounted for the highest reported losses. The second highest reported losses were from social media scams.

Older Australians lost more money to scams than other age groups with those aged 65 and over losing $120.7 million, an increase of 47.4 per cent from 2021. First Nations Australians, Australians with disability, and Australians from culturally and linguistically diverse communities each experienced increased losses to scams when compared with data from 2021.

On 1 July 2023, the Government launched the National Anti-Scam Centre. The Anti-Scam Centre will expand on the work of the ACCC’s Scamwatch service and bring together experts from government agencies, the private sector, law enforcement, and consumer groups to make Australia a harder target for scammers.

Hacktivists are using cyberattacks to further their causes

Hacktivism is used to describe a person or group who uses malicious cyber activity to further social or political causes, rather than for financial gain.

These malicious cyber actors, which include issue-motivated groups, are typically less capable, less organised, and less resourced than other types of malicious cyber actors. That said, even rudimentary disruptive activity – such as website defacement, hijacking of official social media accounts, leaking information, or DoS – can cause significant harm, reputational damage, and operational impacts to targeted entities.

Like cybercriminals, hacktivists may leverage malicious tools and services online to gain new capabilities and improve their ability to degrade or disrupt services for their cause.

Case study 9: Australian critical infrastructure targeted by issue-motivated DDoS

In March 2023, ASD became aware of reports of issue-motivated groups (hacktivists) targeting Australian organisations. Open source reporting linked the targeting of over 70 organisations to religiously motivated hacktivists.

The malicious activity commenced on 18 March with the defacement of, and/or DDoS against, the websites and other internet-facing services of small-to-medium businesses. This progressed to DDoS activity targeting the websites of Australian critical infrastructure entities, with multiple hacktivist groups announcing support for the campaign and publishing ‘target lists’ across a variety of platforms.

ASD received several incident reports from organisations experiencing hacktivist activity, including critical infrastructure providers. However, there was no impact on critical infrastructure operations, as only public-facing websites were affected. ASD provided advice and support to organisations, including by identifying IP addresses related to the attacks. ASD also shared indicators of compromise with its Network Partners.

In addition to ASD support, critical infrastructure providers worked closely with commercial incident-response providers and their in-house incident-response teams. One critical infrastructure provider identified through open source research that a second DDoS attack was being planned against their servers.

To prevent this attack, administrators enabled geo-blocking – where traffic from specific geolocations known to be used by the malicious cyber actor were blocked – to limit malicious traffic. This simple tactic helped the organisation avoid a second attack. As a result, the organisation did not suffer from any additional downtime.

ASD urges organisations to report all incidents – even those with minimal impact on operations – to enhance national situational awareness, especially of coordinated malicious activity. Your report to ASD could help prevent or defend against an attack on other Australian networks.

Denial-of-service operations are designed to disrupt

DoS attacks disrupt or degrade online services such as websites and email, and are another tactic used by cybercriminals and hacktivists. This technique causes access or service disruption to the victim, sometimes to pressure them into payment or to highlight a cause.

In these attacks, an online service is overwhelmed by so many illegitimate requests that it loses capacity to serve real users. DoS can also be achieved by hijacking an online service to redirect legitimate users to other services controlled by malicious cyber actors. In some instances, DDoS attacks can use huge numbers of ‘zombie’ computers or bots (hijacked by malware), to direct large volumes of unwanted network traffic to a web service.

ASD recorded 79 DoS and DDoS cyber security incidents in 2022–23, with service availability partly or wholly denied for the victim in 62 of those incidents. The remainder of the incidents had no impact on the victim. Entities who maintained situational awareness of DoS threats and proactively implemented mitigations were reportedly less impacted by subsequent DoS.

Although entities cannot avoid being targeted, they can implement measures to prepare for and reduce the impact of a DoS attack. This includes using DDoS protection services and exercising incident response and business continuity plans.

Defence against cybercrime

Both individuals and organisations can take simple steps to help build their cyber security. Many of these steps can often prevent initial access by cybercriminals.

  • enable multi-factor authentication (MFA) for online services when available
  • use long unique passphrases for every account if MFA is not available, particularly for services like email and banking (password managers can assist with such activities)
  • sign up for ASD’s free Alert Service
  • review the cyber security posture of remote workers including their use of communication, collaboration and business productivity software
  • implement relevant guidance from ASD’s Essential Eight Maturity Model , Strategies to Mitigate Cyber Security Incidents and Information Security Manual

ASD has published a range of guides at to support Australians and Australian organisations in building their cyber resilience, including how to defend against ransomware attacks, and how to detect socially engineered messages, phishing emails and texts.

Chapter 5: Cyber enabled data breaches

  • During FY 2022–23, ASD received an increase in data breach reports as millions of Australians had their information compromised through significant data breaches.
  • Malicious cyber actors stole data by using valid account credentials or by exploiting internet-facing applications.
  • Sensitive data should be deleted or de-identified when it is no longer needed or required. Organisational policies and processes should consider how to protect gathered and generated data.

Data ubiquity

Data is valuable to malicious cyber actors as data and data flows underpin almost every modern technology and digital service. During 2022–23, millions of Australians had their private information compromised through significant data breaches, and some Australians were exposed to multiple breaches.

A data breach occurs when information is shared with, or is accessed by, an unauthorised person or third party. Isolation and remediation of the breach could cost millions of dollars. The complete recovery cost is hard to quantify, but could include losses due to productivity, legal action and reputational damage. An entity’s customers or staff could experience harm from a data breach if their private information is used by criminals for cyber or other fraud or scams, including identity theft. Protecting data, particularly sensitive personal information, is vital for the safety of the community, the prosperity of business, and the nation’s security.

Explainer 7: Vital data

Organisations should consider what data is vital to their operations, and individuals should consider what data might affect their privacy.

Data can take many forms such as personal information. Personal information includes a broad range of information, or an opinion, that could identify an individual. It can encompass things such as an individual’s name, date of birth, drivers licence or passport details, phone number, home address, health records, credit information, mobile device location history, and voiceprint and facial recognition details.

Other forms of data could include sensitive financial information, corporate emails, intellectual property and research, or strategic business plans. Information associated with network telemetry and endpoint security information, or machine learning models, also generate potentially useful information which can be exploited by malicious cyber actors.

Data breach incidents in Australia

During 2022–23, many data breaches reported to ASD involved cybercriminals stealing customer personal information from organisations to support extortion activities. Organisations should be aware that a data breach could be a precursor to the destruction or encryption of data.

Of the cyber security incidents recorded by ASD during 2022–23, 150 were data breaches, making up around 13 per cent of all incidents. Compared to 2021–22, this is up from 81 data breaches or 7 per cent of all incidents. Data breaches were the third most common incident type in 2022–23, behind compromised infrastructure (15.2 per cent) and compromised credentials (18.8 per cent).

Phishing, a tactic whereby a user is induced to open a malicious email attachment or to visit a compromised website, was commonly used to steal credentials. Malicious cyber actors also obtained credentials from unrelated cyberattacks and breaches. ASD’s incident data showed an extensive network compromise almost always occurred when a malicious cyber actor successfully accessed privileged accounts.

In 2022–23, ASD responded to a number of data breaches that involved common characteristics and intrusion chains. Broadly, these incidents demonstrated either:

  • opportunistic intrusions involving a malicious actor exploiting a single internet-facing application or service which contained data. Actors typically used a ‘smash and grab’ technique to steal data directly from this single initial access vector
  • complex intrusions involving a malicious actor demonstrating a wider variety of techniques after initial access as they escalated privileges, and moved laterally seeking data to exploit. These intrusions resulted in more extensive network compromise. Generally, incidents where malicious actors successfully compromised privileged accounts also resulted in more complex intrusions and extensive incidents.

Diving deeper into data breaches

ASD conducted a detailed analysis of data breach incidents between 1 November 2021 and 30 October 2022. Analysis revealed the average amount of data reported to have been exfiltrated during a breach was around 120 gigabytes, with the highest reported amount being around 870 gigabytes. Table 6 outlines the top information types exposed during a breach.

Contact information 32%, Identity information 18%, Financial details 14%, commercial sensitive 10% and 4 more.

Table 6: Types of information stolen in data breaches Note: some incidents included the breach of multiple types of information.

Different types of information may carry different risks. For example, health information is likely to be more sensitive than contact information and will require greater protection. Table 6 indicates contact information was breached most frequently, likely because this type of data is widely collected and has increased exposure.

During the same analysis period, 41 per cent of data breaches involved malicious cyber actors exploiting valid accounts and credentials to access cloud services, local systems, or entire networks. Malicious cyber actors commonly used brute-force attacks to take advantage of simple and re-used passwords to access accounts, or used phishing to obtain credentials.

Around 34 per cent of data breaches involved exploitation of internet-facing applications. Common vulnerabilities and exposures (CVEs) were often exploited, and so was human misconfiguration of devices like unsecured application programming interfaces, or common bugs and flaws in software; for example, insecure direct object references.

To help Australian organisations, the ASD has published the  Preventing Web Application Access Control Abuse advisory.

Vulnerability anatomy

Figure 5 : Anatomy of a data breach

To steal data from an organisation, malicious cyber actors will commonly exploit online services and internet-facing devices, or penetrate a network’s perimeter using stolen or easily guessed credentials. Once inside a network, malicious actors will often attempt to escalate their privileges, move laterally across a network to find data to steal and/or other systems to exploit, and then attempt to exfiltrate data back through the network perimeter.

Stolen data for nefarious use

Different malicious cyber actors have differing motivations for stealing data. For example, cybercriminals may use stolen data, particularly personal information, as a basis for identity theft or to conduct phishing campaigns for financial gain. State actors are also interested in personal information, among other data types, although this is more likely for espionage purposes rather than financial gain. Irrespective of motivation, the impacts of data breaches on victims are actor agnostic – Australians can be exposed to harm and organisations can experience losses.

Data stolen by cybercriminals typically ends up on the dark web marketplaces where it can be shared, bought, and sold by other malicious cyber actors. For example, stolen credentials may end up with initial access brokers who specialise in dealing stolen usernames and passwords. Malicious cyber actors can also piece together seemingly innocuous information like an email address, a date of birth, or a phone number to target someone for spear phishing, fraud, or to leverage that person to gain other privileged accesses and information.

Once exposed, some data can be used in perpetuity for future crime, particularly in cases of identity theft, blackmail, or extortion. A victim’s real name and home address can be difficult to change, unlike stolen credentials which are easily updated.

ASD has also received reports of cyber security incidents in which threat actors claimed to have exfiltrated data; however, subsequent investigations have not identified evidence of exfiltration. While a threat actor’s assertion of data exfiltration may be an attempt to elevate urgency or pressure affected entities, it remains important to thoroughly investigate evidence to support or counter the claim.

Case study 10: Operation GUARDIAN

On 28 September 2022, the Australian Federal Police’s Joint Policing Cybercrime Coordination Centre (JPC3) commenced Operation GUARDIAN to coordinate efforts to protect those at higher risk of financial fraud and identity theft as a result of the Optus data breach.

Since the Optus incident, Operation GUARDIAN has expanded to include the Medibank, MyDeal, Latitude, and the Go-Anywhere data breaches. Some breaches have resulted in the exposure of personal information and sensitive data of Australians.

The purpose of Operation GUARDIAN is to monitor, disrupt and prosecute any person misusing personal information exposed as a result of data breaches. It aims to deter criminals from using data for malicious purposes and to educate the public.

Operation GUARDIAN works with the public and private sectors to search the internet and known criminal online sites to identify exposed personal information and those who are attempting to buy or sell it.

Case study 11: Awareness and impact of data breaches in the Australian community

According to the Office of the Australian Information Commissioner’s Australian Community Attitudes to Privacy Survey (ACAPS) 2023 , three-quarters (74 per cent) of Australians believe that data breaches are one of the biggest privacy risks they face today, and a quarter (27 per cent) said it is the single biggest risk to privacy in 2023.

Almost half (47 per cent) of Australians said they had been told by an organisation that their information was involved in a data breach in the prior year, and a similar proportion (51 per cent) know someone who was affected by a breach.

Three-quarters (76 per cent) of those whose data was involved in a breach said they experienced harm as a result. More than half (52 per cent) reported an increase in scams or spam texts or emails. There were 3 in 10 (29 per cent) who said they had to replace key identity documents, such as drivers licences or passports. Around 1 in 10 experienced significant issues such as emotional or psychological harm (12 per cent), financial or credit fraud (11 per cent) or identity theft (10 per cent).

Nearly half (47 per cent) of Australians said they would close their account or stop using a product or service provided by an organisation that experienced a data breach. However, most Australians are willing to remain with a breached organisation provided that organisation promptly takes action, such as quickly putting steps in place to prevent customers experiencing further harm from the breach (62 per cent) and making improvements to their security practices (61 per cent). Only 12 per cent of Australians said there is nothing an organisation could do that would influence them to stay after a data breach.

There are a range of ways organisations can protect personal information. A quarter (26 per cent) of Australians believe the most important step is for organisations to collect only the information necessary to provide the product or service. Australians view the second most important thing organisations can do is take proactive steps to protect the information they hold (24 per cent).

The OAIC commissioned Lonergan Research to undertake ACAPS 2023. The survey was conducted in March 2023 with a nationally representative sample of 1,916 unique respondents aged 18 and older. To read the full report visit .

Mitigating data breaches

Implementing ASD’s Essential Eight, and the Open Web Application Security Project (OWASP) Top Ten Proactive Controls will help protect data by minimising the risks to systems and networks, online services and internet-facing devices. At least fortnightly, organisations should use an automated method to scan for security vulnerabilities and apply timely patches or mitigations to minimise risks. Other effective controls to help mitigate data breaches include:

  • deploy multi-factor authentication (MFA) to mitigate stolen credential abuse
  • enforce strong passphrase policy to secure accounts
  • block internet-facing services that are not authorised to be internet-facing
  • immediately decommission unnecessary systems and services
  • configure server applications to run as a separate account with the minimum privileges to mitigate account abuse
  • mandate user training to recognise phishing or social engineering attempts.

Encryption can further protect data that is stored or in transit between systems. For example, sensitive data about former customers that must be legally retained should be encrypted and stored offline, inaccessible to the internet. Data communicated between database servers and web servers, especially over the internet, are susceptible to compromise and should be encrypted. Further guidance about how organisations can protect data is contained within ASD’s Information Security Manual .

The most cyber resilient organisations have a well-thought-out and exercised cyber incident response plan that includes a data breach response plan or playbook. A robust plan will help organisations respond to a data breach, rapidly notify relevant organisations and individuals to minimise the risk of harm, restore business operations, comply with relevant obligations, and reduce the costs and potential reputational damage that may result from a breach.

Organisations should include a strategy for communicating with customers in their cyber incident response plan, and consider how to protect customers from, and assist with, the consequences of a breach. For example, organisations can inform their customers whether or not hyperlinks will be used in their communications after a breach – or at all – to help them avoid falling prey to phishing attempts.

ASD has published guidance on, like the Guidelines for Database Systems to help organisations enhance database security.

Chapter 6: Cyber resilience

  • Cyber resilience is helping to ensure an entity is resistant to cyber threats. For enterprise, this includes organisation-wide cyber risk management and consideration of third-party risks, such as vendors, service providers, and new technologies.
  • Artificial intelligence (AI) has great benefits to organisations but also poses security challenges; a risk-based approach to using AI within ICT environments as per other services is recommended.
  • Invest in prevention, response and recovery to reduce the impact of a compromise and build the resilience of Australian systems.
  • Practice good cyber hygiene at work and at home. Enable multi-factor authentication (MFA), use unique passphrases, enable automatic updates, regularly back up important data, and report suspicious cyber activity.
  • Cooperation on a national scale is one of Australia’s greatest advantages against malicious cyber activities. Keep up to date at, and engage with ASD’s Cyber Security Partnership Program to help build the nation’s collective cyber resilience.

Digital supply chains increase the attack surface

Most entities have some component of their ICT outsourced to a third party, such as hardware supply, web and data hosting, and software-as-a-service or other enterprise resource planning tools.

According to the Australian Bureau of Statistics’ Characteristics of Australian Business data, during 2021–22, around 85 per cent of Australian businesses used ICT, and 59 per cent used cloud technology. These measures have been trending up year-on-year.

During 2022–23, ASD published a number of alerts warning Australians about vulnerabilities relating to products commonly found in ICT supply chains, like Citrix Gateway and Application Delivery Controller devices. During March 2023, ASD published an alert describing a supply chain compromise affecting multiple versions of the 3CX DesktopApp – a popular voice-over-IP application.

While an entity can outsource ICT functions to access specialist skills, increase efficiency, and lower costs, it must still manage and be accountable for cyber security risk. ICT supply chain expansion can increase the attack surface, particularly as there may be varying levels of cyber security maturity among both customers and suppliers.

A malicious cyber actor can compromise numerous victims at scale by targeting a single upstream or third‑party supplier. An ICT supply chain attack comprises 2 attacks: an initial attack on a supplier, and a subsequent attack on its customers. For example, a managed service provider (MSP) might have privileged network access to hundreds of customers or hold huge amounts of sensitive data. After compromising an MSP, a malicious cyber actor could then exploit the MSP’s privileged network accesses, or steal sensitive data to extort its customers directly. This highlights that, while an entity might have leading-edge cyber defences, its security posture will only be as strong as its weakest link, which may be in its ICT supply chain.

To conduct an ICT supply chain attack, malicious cyber actors will commonly abuse misconfigurations in devices and the trust between supplier services and customer networks, conduct phishing attacks, and exploit common vulnerabilities and exposures (CVEs). Figure 6 outlines some of the common adversary goals and techniques associated with ICT supply chain attacks.

Defeating ICT supply chain threats requires effort from both customers and suppliers. The most effective measures combine both business and technical controls conducted at the earliest stage of ICT procurement or development. While a downstream customer may have no influence over their supplier’s security posture, they can improve their own cyber security to help mitigate risks. Suppliers should prioritise the secure-by-design and secure-by-default principles to improve their own product security and therefore their customers’ security.

Customers should clearly state cyber security expectations upfront as part of any contract, such as requiring that a supplier meet particular cyber security standards. Entities should appraise their suppliers of their risk tolerances, and might want to ask how the supplier will demonstrate good security practices, justify their product’s accesses and privileges, and guarantee genuine product delivery. Entities should also consider whether their supplier may be subject to foreign control or interference.

Insecure ICT

Figure 6 : ICT supply chain threats

Australian organisations face many cyber threats, including from the ICT supply chain. Malicious cyber actors who target upstream suppliers, such as by compromising a cloud host, may be able to impact downstream customers by exploiting the trust between that supplier and its customers. An attacker could then conduct data theft and extortion activities, or other attacks like denial-of-service. An organisation’s cyber security posture is only as strong as its weakest link, which could be an entity in its ICT supply chain.

Mitigating ICT supply chain threats

Organisations can boost their ICT supply chain defences in many ways, including by implementing ASD’s Essential Eight. The most effective technical controls to mitigate risks combine both mitigation and detection techniques, and are supported by a positive organisation-wide cyber secure culture. Some controls for both customers and suppliers include:

  • deploy MFA to mitigate stolen credential abuse
  • regularly scan for vulnerabilities and update software to minimise risks from vulnerabilities
  • segment networks and enforce account management to isolate critical systems
  • correctly configure software to minimise security risks
  • use network and endpoint detection systems to identify malicious traffic and files
  • monitor logon and network logs to detect unusual activity

To help Australian organisations, ASD has published guidance, available at such as Identifying Cyber Supply Chain Risks , Cyber Supply Chain Risk Management , Guidelines for Procurement and Outsourcing , and Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and Default .

Secure-by-design and secure-by-default products

Secure-by-design products are those where the security of the customer is a core business goal, not just a technical feature, and start with that goal in mind before development. Secure-by-default products require little to no configuration changes out of the box to ensure security features are enabled.

Together, these approaches move much of the burden of staying secure to the manufacturers, which reduces the chances that customers will fall victim to security incidents resulting from misconfigurations, insufficiently fast patching, or many other common issues at the user end.

Entities are encouraged to prioritise secure-by-design and secure-by-default products in procurement processes, and collaborate with industry peers and manufacturers to help improve upcoming security initiatives in products. Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and Default , offers further advice to software manufacturers and customers.

Artificial intelligence cyber security challenges

In early 2023, AI tools were among the fastest growing consumer applications globally. Broadly, AI is a collection of methods and tools that enable machines to perform tasks that would ordinarily require human intelligence. AI tools are increasingly being used to augment human activities like sorting large data sets, automating routine tasks, and assisting visual design work.

Machine learning (ML) is a sub-discipline of AI encompassing models that use feedback mechanisms to update model behaviour. ML models are typically used to make classifications and predictions, and to uncover patterns or insights in large data sets that may be impossible for a human to spot.

Over the last 3 years, the practical applications for AI have expanded, the costs have come down, and AI tools are more accessible than ever. Australians already interact frequently with AI, as AI drives internet searching, shopping recommendations, satellite navigation, and can aid complex activities like logistics management, medical diagnosis, and cyber security. AI tools can be used to provide human-like customer responses for help desks or call centres, and can help predict upcoming maintenance for industrial equipment.

While AI has benefited the economy and society, it has also created new challenges and data security risks. As AI becomes increasingly integrated into business environments and ICT infrastructures, additional and potentially unforeseen risks could be introduced. And, like any tool, AI can be misused either inadvertently or deliberately.

In 2022, a medical research collaboration for a pharmaceutical company trained an AI model using ML techniques to catalogue thousands of molecules for therapeutic use while discarding toxic molecules. While the researchers were able to catalogue many beneficial molecules, the researchers also wanted to know how AI could be misused. So they changed the AI model to find toxic rather than safe molecules. Using open source data, their AI model generated over 40,000 potentially lethal molecules in less than 6 hours.

Security researchers have also shown how data sets used for ML can be attacked and ‘poisoned’ with anomalous data to produce misleading outputs. In 2016, Microsoft abruptly ended testing of a chatbot after a subset of its users deliberately provided data containing misinformation and abusive material, resulting in offensive text being produced by the chatbot.

Malicious cyber actors could also use AI tools to augment their activities. For example, a cybercriminal may be able to produce low effort, high quality material for phishing attacks. AI could also be used to create fraudulent deepfake content like voice and video clips, or to create malware. Security researchers have demonstrated with existing technologies that malicious actors could use AI to help orchestrate cyber intrusions.

AI tools may also challenge the protection of sensitive information. For example, AI tools that produce or summarise text may not guarantee data privacy if it is fed sensitive or proprietary information. Additionally, using sensitive information for AI models and ML may contravene privacy laws, policies, or rules in some instances.

As online adversaries can use AI tools, so too can system defenders. AI can sort through large volumes of logs or telemetry data to look for malicious behaviour, identify malware, detect and block exploitation attempts, or derive intelligence insights. AI can also help triage information and automate security tasks, so humans can focus on other problems.

Entities wanting to adopt AI tools should treat them with the same care as any other ICT service, use a risk-based approach to procurement, and consider:

  • if the AI tool is secure-by-design and secure-by-default, including its ICT supply chain
  • if there are inaccuracies in the AI tool’s model or bias in its algorithms
  • how the AI tool will be protected from misuse and interference (including foreign)
  • how the AI tool will affect the entity’s privacy and data protection obligations
  • how the AI tool will support, rather than outsource, human decision-making
  • who is accountable for oversight or if something goes wrong with the AI tool.

Explainer 8: Ethical AI at ASD

In early 2023, ASD published the Ethical AI in ASD statement, which outlines ASD’s framework of ethical principles governing AI usage. This includes:

  • lawful and appropriate use of AI consistent with the legislation, policies, processes and frameworks that govern ASD’s functions and protect the privacy of Australian citizens
  • enabling human decision-making, allowing our workforce and customers to make informed decisions based on AI system outputs, and to maintain trust in AI systems
  • reliable and secure AI, ensuring that technologies continue to meet their intended purpose and remain protected from external interference
  • accurate and fair AI mitigating against unintended bias
  • accountable, transparent and explainable AI allowing human oversight and control, with clear accountabilities enacted for all stages of the AI development lifecycle, facilitating appropriate and proportionate operations.

Ensuring remote work cyber security

Many organisations rapidly adopted new remote work solutions to support business continuity as a result of the COVID-19 pandemic. The number of Australian companies advertising remote work post-pandemic continues to grow, and it is clear that remote work will be an ongoing feature of many organisations and an expectation of many employees.

Some hastily implemented remote working solutions may not have fully considered cyber security implications. For example, bring-your-own-device policies are popular with organisations, but could introduce additional information management risks to corporate networks if not appropriately managed.

During 2022–23, ASD recorded extensive corporate network breaches that stemmed from employees conducting work from compromised personal devices. In 2022, US company LastPass suffered a data breach due to credentials being stolen via keylogger malware installed on the home computer of one of its employees.

Remote work often relies on employees using their own devices like home computers and internet routers, which usually have limited security features and less secure default settings when compared to enterprise products used in corporate environments. Internal corporate networks could be exposed to the internet directly via a remote employee’s home router, if that home router is misconfigured. Adding to the risks, employees may not regularly update their personal devices or use anti malware software, may access dubious websites or use illegal software, or may have failed to change the default credentials of their devices.

Malicious cyber actors are known to compromise common small-home-office products and internet-of-things devices to steal sensitive information, target corporate networks, or to enslave them into botnets for distributed-denial-of-service (DDoS) attacks.

Organisations should consider how cyber security mitigations for remote solutions are implemented, maintained, and audited. Organisations should also verify that policies are in place to ensure staff know how to securely use systems, and to ensure compliance with legal obligations like the protection of sensitive data.

ASD has published a number of guides at including G uidelines for Enterprise Mobility , Remote Working and Secure Mobilit y and Risk Management of Enterprise Mobility (including Bring Your Own Device) .

Explainer 9: Working from home and cybercrime

The Australian Institute of Criminology’s Cybercrime in Australia 2023 report examined whether working from home was a risk factor for cybercrime victimisation. Small-to-medium business owners who transitioned to working from home due to public health measures associated with the COVID-19 pandemic were 1.4 times as likely to be a victim of identity crime and misuse, 1.2 times as likely to be a victim of malware attacks and 1.3 times as likely to be a victim of fraud and scams.

There are various reasons that moving to remote working may have increased the likelihood of cybercrime victims. For a business working remotely, home internet connections may be less secure, devices may no longer be protected by corporate security controls or routine maintenance, and there may be a tendency to store or share sensitive work information on unsecure personal devices.

Cyber security through partnerships

The speed with which cyber threats spread and evolve means that no single entity can effectively defend against all threats in isolation. Cooperation on a national scale is one of Australia’s greatest advantages against malicious cyber activity.

It is vital cyber security incidents are reported to ASD to help build a national cyber threat intelligence picture, which better supports Australian organisations and individuals through informed guidance and mitigation advice. There are many other ways in which Australian organisations can engage with ASD.

ASD’s Cyber Security Partnership Program enables Australian entities to engage with ASD and fellow partners, drawing on collective understanding, experience, skills and capability to lift cyber resilience across the Australian economy. ASD’s Cyber Security Partnership Program is delivered through ASD’s state offices located around Australia.

An ASD Network Partnership is available to organisations with responsibility for the security of a network or networks (either their own or on behalf of customers) as well as academic, research and not-for-profit institutions with an active interest and expertise in cyber security. An ASD Business Partnership is available to those with a valid Australian Business Number. Individuals and families can sign up to the ASD Home Partner Program.

By strengthening our ties with agencies like ASD and broader cyber security partners within the transport and logistics sector, the Toll Group is proud to contribute to building resilient supply chain capability in Australia and around the world. ASD’s partnership, training, and participation in industry forums have been of tremendous value in promoting strong cyber security practices and cooperation across government and critical services, which our teams continue to benefit from. – Toll Group

The National Exercise Program (NEP) helps critical infrastructure and government organisations validate and strengthen Australia’s nationwide cyber security arrangements. The program uses exercises and other readiness activities that target strategic decision-making, operational and technical capabilities, strategic engagement and communications.

The Critical Infrastructure Uplift Program (CI-UP) assists Australian critical infrastructure organisations to improve their resilience against cyberattacks, with a focus on critical infrastructure assets and operational technology environments. As an intelligence-driven program, CI-UP focuses on improving the cyber security of critical infrastructure in a range of areas, including:

  • enhancing visibility of malicious cyber activity and awareness of vulnerabilities
  • enhancing the ability to contain and respond to an incident
  • furthering culture and cyber maturity.

The Cyber Threat Intelligence Sharing Platform (CTIS) shares indicators-of-compromise in real‑time, within a growing community of Australian government and industry partners. CTIS also supports community partners to share their threat intelligence. Co-designed with industry, CTIS alerts security operations centre analysts to threats targeting Australian organisations.

AARNet has been engaged with the CTIS project from its inception and has seen firsthand the value of industry and government partnerships for threat intelligence sharing. By sharing information, the breadth and depth of our visibility of unwanted cyber attention is much greater. – AARnet

The Australian Protective Domain Name System (AUPDNS) is an opt-in security service available to all federal, state and territory government entities to protect infrastructure from known malicious activity. Information from AUPDNS directly assists ASD’s mission to build a national cyber threat picture, which in turn is shared with ASD partners, including individuals, businesses, academia, not-for-profits, and government entities.

The Cyber Hygiene Improvement Programs (CHIPs) track and monitor the cyber security posture of the internet-facing assets of entities at all levels of government. CHIPs also conducts High-priority Operational Tasking (HOT) CHIPs scans when potential cyber threats emerge, such as newly disclosed vulnerabilities. CHIPs builds visibility of security vulnerabilities across governments and provides notifications to system owners.

Program Highlights

Figure 7: ASD’s program highlights

Through ASD’s Cyber Security Partnership Program, Australian organisations can draw on the collective understanding, experience and capability of the community to lift Australia’s cyber resilience. ASD Network Partners bring their insights and technical expertise to the community to collaborate on shared threats and opportunities.

Explainer 10: Incident response to stay ahead of adversaries

There is an actor behind every cyber security incident, and each actor will have different intent and capability. For example, state actors are usually focused on long-term goals in opposition to Australia’s national interests, whereas cybercriminals are generally focused on short-term financial gain. Additionally, the techniques different actors use will vary due to their risk appetites for being detected. For example, cybercriminal actions are often ‘loud and public’, as opposed to state actors whose intent is to usually remain undetected for long periods.

Customising the incident response method ensures the best outcome for impacted organisations. For example, during a cyber security incident, ASD can provide immediate incident response advice and assistance to support impacted Australian organisations. ASD can also work closely with commercial incident response partners in support of an incident.

If the incident is likely the result of a state actor, ASD may offer a more detailed approach such as a comprehensive digital forensic technical investigation to ensure comprehensive remediation.

Public communications on an incident may also differ. An immediate public statement may be required in some incidents. However, there is a need to balance public statements with remediation efforts – particularly when a state actor may be involved. If a state actor is responsible, a public statement could cause the actor to ‘lay low’, impacting a defender’s ability to detect the actor – including tradecraft or accesses that may help them to remain on an organisation’s network.

ASD’s tailored approach to incident response is consistent with industry best-practice, and highlights the importance of public–private partnerships to stay ahead of Australia’s cyber adversaries.

ASD’s ACSC Incident Response

ASD’s incident management capabilities provide tailored incident response advice and guidance to Australians impacted by a cyber security incident. ASD is not a law enforcement agency or regulator; however we work closely with these agencies if needed.

Report a cybercrime or cyber security incident

Report at or call the 24/7 Australian Cyber Security Hotline on 1300 CYBER1 ( 1300 292 371 ).

Cybercrime reports are automatically referred directly to the relevant state or territory law enforcement agency.

Cyber security incidents

All cyber security incidents should be reported to ReportCyber. An incident does not have to be a confirmed compromise to be reported and could include:

  • denial-of-service (DoS)
  • scanning and reconnaissance
  • unauthorised access to network or device
  • data exposure, theft or leak
  • malicious code/malware
  • phishing/spear phishing
  • any other irregular cyber activity that causes concern.

For ASD to help you effectively, we may request:

  • indicators of compromise
  • memory dumps
  • disk information
  • network traffic captures.

How ASD can help

ASD will provide you with immediate advice and assistance such as:

  • tailored information on how to contain and remediate an incident
  • advisory products to assist you with your incident response
  • linking you with other Australian Government entities that may further support your response such as the Australian Federal Police, or Department of Home Affairs through the National Cyber Security Coordinator and the Cyber Security Response Coordination Unit
  • we may also link you to other government partners like IDCare, ScamWatch, or the e-Safety Commissioner.

How your reporting matters

ASD uses information from your report to build our understanding of the cyber threat environment. This understanding assists with the development of new and updated advice, capabilities, techniques and products to better prevent and respond to evolving cyber threats. Some of these products include:

  • advisories published on ASD’s Partnership Portal
  • alerts published on
  • quarterly Trends and Insights reports
  • the ASD's Cyber Threat Report.

Your confidentiality is paramount

ASD does not share any information provided by you without your express consent. Only information about the incident is captured when you report.

Ways ASD supports Australians

Figure 8: ASD’s support to Australians

During 2022–23, ASD monitored cyber threats across the globe 24 hours a day, 365 days a year, to alert Australians to cyber threats, provide advice, and assist with incident response. ASD’s ACSC is a hub for private and public sector collaboration and information-sharing on cyber security, to prevent and combat threats and minimise harm to Australians.

ASD’s advice and assistance is for the whole economy, including critical infrastructure and systems of national significance, federal, state and local governments, small and medium businesses, academia, not-for-profit organisations and the Australian community.

Cyber resilience for all Australians

The average Australian household has well over a dozen internet-connected devices and this number is growing. The explosion of remote and hybrid work has also seen corporate networks extend into Australian homes. While growing digitisation and virtualisation of services may have improved consumer convenience and boosted business productivity over the last 3 years, it has also increased the cyber risks for Australians.

Every Australian should practice basic cyber security hygiene to help protect themselves from online threats. The most effective cyber defences are also some of the easiest to use and fastest to setup. The top things Australians can do are:

At, ASD has published a range of simple how-to guides for all Australians, including children and seniors, that explain how individuals and families can improve their home cyber security.

Australians are encouraged to report cyber security incidents and cybercrime to ReportCyber , or by calling the Australian Cyber Security Hotline on 1300 CYBER1 ( 1300 292 371 ). The hotline is available 24 hours a day, 7 days a week.

Act Now, Stay Secure

ASD provides tailored cyber security guidance to protect Australia against evolving cyber threats. The Act Now, Stay Secure cyber security awareness-raising campaign identified key cyber threats to individuals and small-to-medium businesses, and highlighted ASD advice and tools to help improve the audience’s cyber security posture. Over 2022–23, the campaign:

  • reached a potential audience of more than 490,000 Australians and achieved over 11,500 engagements, such as likes, shares, and comments through social media
  • was amplified by 170 stakeholders across government, industry, non-profit sectors, and peak body associations, who shared campaign content to their channels
  • attracted over 30,000 visitors to the website, resulting in nearly 73,000 page views of campaign content and cyber security guidance
  • bolstered content delivered at 15 tailored events by ASD state offices.

Monthly cyber security themes were developed to promote planned or new ASD guidance, tools and products to enhance the cyber posture of Australian individuals and small-to-medium businesses. The themes for 2022–23 were:

2022 themes

REDSPICE is the most significant single investment in ASD’s history and will equip ASD to ensure that Australia is best prepared to respond to the strategic environment. Commencing on 1 July 2022, ASD scaled existing services and introduced new intelligence and cyber capabilities to enhance Australia’s cyber defences.

To help achieve this, in FY 2022–23, ASD opened new facilities in Brisbane and Melbourne, and received over 26,000 job applications across Canberra, Melbourne, Brisbane and Perth. ASD also:

  • undertook innovative first-of-type ‘cyber hunt’ activities on the most critical government and critical infrastructure networks
  • engaged over 175 new customers onto the Cyber Threat Intelligence Sharing platform to improve machine-speed cyber threat intelligence sharing across government and industry
  • deployed over 25,000 new host-based sensors to customer networks to build increased visibility of emerging threats to Australia’s most critical systems
  • established a secure design and architecture team to provide advice to major government information and communications technology projects
  • expanded ASD’s national incident response footprint and 24/7 defence operations capability, including additional upgrades for the Australian Cyber Security Hotline (1300 CYBER 1) and ReportCyber, and a new incident response team in Melbourne
  • improved the resilience of critical infrastructure through a number of uplift activities to increase cyber security maturity across Australian industry.


About the contributors

ASD manages or uses a number of unique datasets to produce tailored advice and assistance for Australian organisations and individuals. Not all cybercrimes lead to cyber security incidents, and the statistics in this report are from 2 distinct datasets: cybercrimes reported to law enforcement through ReportCyber, and cyber security incidents responded to by ASD. Data has been extracted from live datasets of cybercrime and cyber security reports reported to ASD. As such, the statistics and conclusions in this report are based on point-in-time analysis and assessment.

Cybercrime and cyber security incidents reported to ASD may not reflect all cyber threats and trends in Australia’s cyber security environment.

ASD encourages the reporting of cyber security incidents and cybercrimes to inform ASD advice and assistance to vulnerable entities, and enhance situational awareness of the national cyber threat environment.

Defining cybercrimes

In Australia, the term ‘cybercrime’ is used to describe both:

  • Cyber dependent crimes, such as computer intrusions and DoS attacks, directed at computers or other ICTs.
  • Cyber enabled crimes, such as online fraud, identity theft and the distribution of child exploitation material, which can increase in their scale and/or reach through the use of computers or other forms of ICTs.

The ASD glossary provides definitions for terms used in this report and other ASD publications and can be viewed at: .

Thanks for your feedback!

  • Managed IT Support
  • Cloud Solutions
  • Microsoft 365 Services
  • Backup & Disaster Recovery
  • Digital Transformation Services
  • Infrastructure as a Service (IaaS)
  • Business Telecoms Solutions
  • Hardware Services
  • IT Engineering Services
  • IT Project Implementation Services
  • IT Project Design
  • Outsourced IT Support
  • IT Project Management Services
  • IT Management Services
  • IT Consulting Services
  • IT Strategy
  • Pay-As-You-Go IT Support

Tom on the phone

  • Cloud Backup
  • Cloud Consulting
  • Cloud Disaster Recovery
  • Cloud Infrastructure Services
  • Cloud Networking
  • Cloud Storage for Business
  • Microsoft Learning Portal
  • Office 365 Training
  • Microsoft 365 Licences
  • Microsoft 365 Implementation
  • Microsoft Copilot For Office 365
  • Sharepoint Implementation
  • Windows Virtual Desktop

office 365 productivity hacks

Do more with Office 365 productivity hacks

  • Disaster Recovery as a Service (DRaaS)
  • Disaster Recovery Planning
  • Telecoms Disaster Recovery
  • Digital Transformation Consulting
  • Digital Transformation Strategy
  • Financial Digital Transformation
  • Public Sector Digital Transformation
  • Retail Digital Transformation
  • Server Storage
  • Hardware as a Service (HaaS)
  • IT Procurement Services
  • Managed Print Services

The Latest 2024 Cyber Crime Statistics (updated March 2024)

cyber crime case study report

Headline Cyber Crime Statistics

  • Nearly 1 billion emails were exposed in a single year, affecting 1 in 5 internet users.
  • Data breaches cost businesses an average of $4.35 million in 2022.
  • Around 236.1 million ransomware attacks occurred globally in the first half of 2022.
  • 1 in 2 American internet users had their accounts breached in 2021.
  • 39% of UK businesses reported suffering a cyber attack in 2022.
  • Around 1 in 10 US organisations have no insurance against cyber attacks.
  • 53.35 million US citizens were affected by cyber crime in the first half of 2022.
  • Cyber crime cost UK businesses an average of £4200 in 2022.
  • In 2020, malware attacks increased by 358% compared to 2019.
  • The most common cyber threat facing businesses and individuals is phishing.

Cyber Crime Overview

Cyber attacks globally increased by 125% in 2021 compared to 2020, and increasing volumes of cyber attacks continued to threaten businesses and individuals in 2022.

What Is The Most Common Type of Cyber Crime?

Phishing remains the most common form of cyber crime.

In 2021, 323,972 internet users reported falling victim to phishing attacks. This means half of the users who suffered a data breach fell for a phishing attack. During the height of the pandemic, phishing incidents rose by 220%.

2021 saw nearly 1 billion emails exposed, affecting 1 in 5 internet users. This may partly explain the continued prevalence of phishing attacks.

How much does phishing cost victims?

Despite its prevalence, phishing had the lowest loss to victims. Individuals lose an average of $136 in phishing attacks. This is well below the average data breach cost of $12,124.

Visit our phishing statistics page for the latest information on global phishing trends.

Ransomware – A Growing Threat

Ransomware attacks continue to pose a serious threat to individuals and organisations, with more advanced attack methods forcing payouts from victims. Around 236.1 million ransomware attacks were reported worldwide in the first half of 2022.

For more information, visit our ransomware statistics page.

The Cost of Cyber Crime

It is clear that the rate and cost of data breaches are increasing. Since 2001, the victim count has increased from 6 victims per hour to 97, a 1517% increase over 20 years.

The average cost of data breaches per hour worldwide has also increased. In 2001, the average cost per hour to individuals was $2054. Since then, the hourly loss rate has increased, standing in 2021 at $787,671.

The increasing threat to organisations globally means more are taking cyber security seriously. 73% of SMBs agree that cyber security concerns now need action, with 78% saying they will increase investment in cyber security in the next 12 months.

A concerning statistic is that 67% of SMBs feel that they do not have the in-house skills to deal with data breaches. However, this issue is mitigated as increasing numbers of SMBs are working with Managed Service Providers for cyber security; 89% as of 2022, up from 74% in 2020.

We work with many industries in which compliance and regulation are major factors, and provide IT Support for law firms and financial services companies among others. We know it has never been more important to take cyber security seriously.

What is the costliest type of cyber crime?

In 2022, investment fraud was the most costly form of cyber crime, with an average of $70,811 lost per victim.

How much does cyber crime cost businesses?

In 2022, data breaches cost businesses an average of $4.35 million – up from $4.24 million in 2021.

How did the pandemic affect cyber security?

The pandemic affected cyber security as businesses were forced to rapidly move to remote work environments. Cyber criminals took advantage of network misalignments and security gaps as these transitions happened. In 2020, malware attacks increased 358% compared to 2019.

Covid-19 clearly impacted the number of hourly victims. 2019 cyber crime statistics show the hourly number of victims was 53. In 2020, the first full year of the pandemic, the hourly number of victims jumped to 90, an increase of 69%.

the main threats to cyber security for business

Global Cyber Crime Statistics

What country has the strongest cyber security.

Poland has the strongest cyber security, according to the National Cyber Security Index.

The NCSI measures a country’s ability to prevent cyber threats and manage cyber incidents. As of December 2023, the 5 countries with the highest scores on the NCSI are:

  • Poland (90.83)
  • Estonia (85.83)
  • Ukraine (80.83)
  • Latvia (79.17)
  • United Kingdom (75.00)

Where are organisations most at risk of cyber crime?

In 2021, Asian organisations suffered the most attacks worldwide. The percentage of attacks against organisations by continent in 2021 is as follows:

  • Europe (24%)
  • North America (23%)
  • Middle East and Africa (14%)
  • Latin America (13%)

2021 saw an average of $787,671 lost every hour due to data breaches.

  • The UK had the highest number of cyber crime victims per million internet users at 4783 in 2022 – up 40% over 2020 figures.
  • The country with the next highest number of victims per million internet users in 2022 was the USA, with 1494, a 13% decrease over 2020.
  • 1 in 2 North American internet users had their accounts breached in 2021.
  • The Netherlands has seen the greatest rise in victims – 50% more than in 2020.
  • Greece has seen the largest decrease in victims – down 75% over 2020.
  • In 2021, there were an average of 97 data breach victims every hour worldwide.
  • Between May 2020-2021, cyber crime in the Asia-Pacific region increased by 168%. Japan experienced a 40% increase in cyber attacks in May 2021 compared to previous months that year.
  • China (4852% amounting to 14,157,775 breached accounts)
  • Japan (1423% amounting to 1,246,373 breached accounts)
  • South Korea (1007% amounting to 1,669,124 breached accounts)
  • Sri Lanka (-99% amounting to 1,440,432 fewer breached accounts)
  • Myanmar (-82% amounting to 17,887 fewer breached accounts)
  • Iraq (-78% amounting to 16,113 fewer breached accounts)
  • There was a 70% increase in accounts breached in Q3 2022 compared to Q2.
  • 108.9 million accounts were breached between July-September in 2022. This equates to 14 accounts being leaked every second.
  • 76% of respondents in a 2022 case study covering the US, Canada, UK, Australia and New Zealand say their organisation has suffered at least 1 cyber attack this year. This is a large increase over the 55% figure in 2020. From the same study, only 30% have cyber insurance, with 69% fearful that a successful cyber attack could put their SMB out of business entirely.
  • In Asia, the main attack type experienced was server access, with 20% of observed attacks. This was ahead of ransomware (11%) and data theft (10%).
  • In Europe, ransomware was the main attack type, accounting for 26% of attacks in the continent. Server access attacks (12%) and data theft (10%) were the next most common attack types.
  • In North America, the main attack type was also ransomware, with 30% of attacks. This was ahead of business email compromise (12%) and server access attacks (9%).
  • In the Middle East and Africa, the main attack type observed was server access, making up 18% of attacks. Server access attacks were also seen in 18% of attacks, followed by misconfiguration (14%).
  • In Latin America, the main attack type was ransomware, making up 29% of attacks. This was ahead of business email compromise and credential harvesting (both seen in 21% of attacks).
  • eCommerce fraud is expected to cost the retail sector $48 billion globally in 2023.
  • Online payment fraud is predicted to cost businesses $343 billion between 2023-2027.

cyber security in manufacturing

UK Cyber Crime Statistics

How many businesses suffer cyber attacks in the uk.

32% of UK businesses reported suffering a cyber attack or breach in 2023. For medium businesses, this rises to 59%. 69% of large businesses reported an attack.

How much does cyber crime cost the UK?

It is estimated that UK businesses lost around £736 million to cyber crime in 2021. Including consumers, as much as £2.5 billion may have been lost in 2021 to cyber criminals.

  • The average cost of a breach against medium and large UK businesses is £4960 as of December 2023.
  • 24% of UK charities reported suffering a cyber attack between 2022-2023.
  • The proportion of micro-businesses listing cyber security as a high priority has dropped to 68% in 2023 – down from 80% in 2022.
  • 5th on the NCSI, with a score of 75.00
  • 2nd on the Global Cyber Security Index
  • 11th on the E-Development Index
  • 10th on the Network Readiness Index
  • In 2022, 39% of UK businesses have experienced a cyber attack, the same as in 2021. However, this has dropped since 2020 (46%).
  • 31% of businesses that suffer an attack estimate they are attacked at least once a week.
  • Cyber crime cost UK businesses an average of £4200 in 2021. For just medium and large businesses, this number rises to £19,400.
  • The most common cyber threat facing UK businesses in 2022 is phishing (83% of identified attacks).
  • 82% of boards or senior management in UK businesses see cyber security as a high priority. This is an increase from 77% in 2021.
  • In addition, just 19% of businesses implement extra training sessions after a cyber attack.
  • 13% of UK businesses assess the risks posed by their immediate suppliers.
  • Less than a fifth (19%) of UK businesses have a formal incident response plan.
  • 39% of UK businesses have assigned roles should a cyber incident occur.
  • Just 6% of UK businesses had Cyber Essentials certification in 2022, and 1% have Cyber Essentials Plus certification – this is largely due to low awareness of the schemes.
  • 45% of UK businesses have employees that use personal electronic devices for work purposes, or have Bring Your Own Device policies.
  • For small businesses, this rises to 20%.
  • For large businesses, this rises to 23%.
  • Large UK businesses are above the average at 57%.
  • However, ‘micro’ businesses are below the UK average at 20%.
  • In 2022, 43% of UK businesses were insured against cyber attacks – an increase over 2020 when only 32% were insured.
  • Those aged 25-44 are most likely to be targeted by phishing attempts.
  • Between March 2020 to March 2022, there was a 57% increase in retail and consumer fraud.
  • In 2022, 4.8% of fraud in the UK was related to Coronavirus. A common scam involved fraudsters sending targets a link to book their next Covid-19 booster jab, asking them to enter their card details to pay for the jab itself or an admin fee.
  • £11 million in client money was stolen from UK law firms by cyber criminals between 2016-2017.

US Cyber Crime Statistics

How many people in the us are affected by cyber crime.

An estimated 53.35 million US citizens were affected by cyber crime in the first half of 2022. Between July 2020 and June 2021, the US was the most targeted country for cyber attacks, accounting for 46% of attacks globally.

How much does the US lose to cyber crime?

US citizens lost $6.9 billion in 2021 to cyber-related crimes, including romance scams ($956 million), investment scams ($1.4 billion) and business email compromise ($2.39 billion).

For businesses, ransomware is a serious threat to security, with 60% of US organisations having their data encrypted in successful ransomware attacks. The cost to rectify these attacks cost an average of $1.08 million in 2021, a decrease of 49% from 2020 ($2.09 million).

Are US organisations protected against cyber threats?

Unfortunately, many US organisations are not adequately protected against cyber threats. Just 50% of US organisations have cyber insurance with full cover.

A further 28% have cyber insurance with exclusions or exceptions in the policy, meaning they may not be covered for certain attacks or under certain circumstances.

Most worryingly, this means around 1 in 10 US organisations (12%) have no coverage against cyber attacks, risking financial ruin should they suffer an attack.

  • The US IC3 department received reports from 24,299 victims of cyber crime. This amounted to more than $956 million lost.
  • 32% of the victims were over 60 – the largest proportion of victims in 2021.
  • 16% were aged between 50-59.
  • Just 2% were under 20.
  • Sextortion is another prevalent issue in the US. Cyber criminals threaten to release sensitive photos, videos or information involving sexual acts of the victim if their demands are not met.
  • The IC3 department received more than 18,000 complaints in 2021 relating to sextortion.
  • Victim losses amounted to more than $13.6 million.
  • Potential losses to cyber crime by individuals in the US in 2022 totalled more than $10.2 billion. This is significantly higher than in 2021 when individuals lost an estimated $6.9 billion. Considering there were 5% fewer complaints in the US in 2022 compared to 2021, this suggests that cyber crime costs more per victim than the previous year.

it centralisation image, abstract server stacks

Cyber Crime In Asia

Cyber crime in pakistan.

Cyber crime has become an increasingly severe problem in Pakistan in recent years.

Financial fraud is the most common type reported; in 2020, of 84,764 total complaints, 20,218 Pakistanis reported falling victim to financial fraud-related online crimes. This is ahead of hacking (7966), cyber harassment (6023) and cyber defamation (6004).

An increasing number of Pakistanis have experienced cyber crime through social media. Between 2018-2021, financial fraud through social media increased by 83%. Of 102,356 complaints received in 2021, 23% of cyber crimes used Facebook.

Cyber crime in India

Like many countries, India is suffering increasingly from cyber crime. The number of cyber-related crimes reported in 2018 was 208,456. In the first 2 months of 2022 alone, there were 212,485 reported cyber crimes, more than the entirety of 2018.

The figures rose more sharply through the pandemic, with reported crime jumping from 394,499 cases in 2019 to 1,158,208 in 2020 and 1,402,809 in 2021. Between Q1 and Q2 2022, cyber crime across India increased by 15.3%.

Additionally, there have been an increasing number of Indian websites hacked in recent years. In 2018, some 17,560 sites were hacked. In 2020, an additional 26,121 sites were hacked.

78% of Indian organisations experienced a ransomware attack in 2021, with 80% of those attacks resulting in the encryption of data. In comparison, the average percentage of attacks was 66%, with the average encryption rate at 65%.

What is the most common form of cyber crime in India?

The most common form of cyber crime in India is financial fraud. This accounted for 75% of cyber crime in India between 2020 and 2023, with a high point of over 77% of crimes committed during the period.

Cyber crime in Malaysia

79% of Malaysian organisations were targeted by ransomware in 2021, with 64% of attacks resulting in the encryption of data.

How common is cyber crime in Malaysia?

Cyber crime is becoming increasingly common in Malaysia. Over 20,000 cyber crimes were reported in 2021, amounting to RM560 million ($123 million) lost from victims.

Between 2017-2021, the total amount lost to cyber crime in Malaysia was estimated at RM2.23 billion ($490 million). From January to July 2022, there were 11,367 reported cases of cyber crime, with the rate of crime increasing 61% from 2016 to 2022.

Cyber crime in Nepal

Despite its small population, cyber crime is still an issue in Nepal.

For the fiscal year 2020-2021, there were 3906 recorded cases of cyber crime. In just the first 3 months of the current fiscal year (2021-2022), there have been 1547 reported cyber crime cases.

Nepal currently ranks 109th out of 160 countries on the National Cyber Security Index, and 94th on the Global Cyber Security Index. Nepal also ranks 140th on the ICT Development Index.

Cyber Crime In America

Cyber crime in canada.

Canada has experienced a marked increase in the rate of cyber crime in recent years. Between 2017 and 2021, reported cyber crime increased by 153%, from 27,829 cases in 2017 to 70,288 cases in 2021.

Coupled with this increase in cyber crime is an increasing worry amongst Canadians about the use of personal information online. A 2020 study revealed that 48% of internet users in Canada were ‘extremely worried’ about their data being used in identity theft.

How much do Canadian organisations lose to cyber crime?

Canadian organisations lost $1.5 billion in 2017 through cyber crime. In 2021, 85.7% suffered at least one cyber attack.

For comparison, 89.7% of organisations in the USA were attacked at least once in 2021; in the UK, this percentage drops to 71.1%.

Phishing and online fraud continue to plague Canada. In the first 6 months of the pandemic, 34% of Canadians received at least 1 phishing email. In addition, in 2021, Canadians lost $100 million to online fraud.

The most common form of online fraud involved romance, which accounted for $42.2 million lost by victims. Investment scams were also common.

Cyber Crime In Oceania

Cyber crime in australia.

Cyber crime continues to be an issue in Australia. Scams are one of the main concerns, with investment scams having cost Australians more than $48 million so far in 2022. In total, more than $72 million has been lost through scams in 2022. In addition, 1 in 4 Australians have fallen victim to identity fraud.

Australians are, on average, some of the wealthiest people in the world. A study of the median wealth per adult put Australians at the top of the rich list, with a median wealth of $273,900 – ahead of Belgium ($267,890) and New Zealand ($231,260). This perhaps partly explains why cyber criminals target Australian individuals and organisations.

In September 2022, a major data breach at telecommunications company Optus, affected around 2.1 million customers. 9.8 million individual records were stolen, including addresses, names, dates of birth and, in some cases, passport numbers. However, no bank details were compromised in the attack.

How often does cyber crime occur in Australia?

On average, there is a cyber attack every 10 minutes in Australia, with 43% of these attacks targeting SMEs. Education, healthcare and government are the most targeted areas.

From July 2021 to June 2022, cyber attacks in Australia increased by 81%. Network traffic only increased by 38% during the same period, highlighting the continuing prevalence of cyber crime in the country. Attacks targeting financial sites have risen more than 200% in 2022.

Cyber Crime In Africa

Cyber crime in nigeria.

In 2020, Nigeria was ranked 16th in the world for countries most affected by cyber crime. A recent development in Nigeria’s cyber threat landscape is hackers tempting employees of Nigerian organisations to act as insider threats.

Research revealed that hackers have started offering money in return for employees to divulge sensitive information on an organisation’s network. While the report did not say whether any staff had acted as insider threats, it’s clear that this is a growing area of concern.

In Q3 of 2022, Nigeria experienced a 1616% increase in data breaches, from 35,472 in Q2 to 608,765 in Q3.

However, the Nigerian government is continuing to fight against cyber crime. Since the start of 2022, Nigeria’s Economic and Financial Crimes Commission (EFCC) have convicted 2847 people in connection with cyber-related crimes.

Cyber crime in Zambia

Zambia ranks 58th out of 161 countries on the National Cyber Security Index and 73rd out of 194 countries on the Global Cyber Security Index.

As a developing country, access to technology is somewhat restricted – only 50% of Zambians own a personal computer. However, around 75% own smartphones, which makes scams via text a particular issue.

In 2021 alone, 10.7 million cyber crimes were reported to the Zambia Computer Incident Response Team (ZM-CIRT), which included mobile money reversal scams and social media hijacking.

The GDP per capita of Zambia is $4000. Between 2020 and Q2 2022, the Zambian finance sector suffered losses of over 150 million ZMK ($872,000). In the same period, SMS fraud cost Zambians over 1 million ZMK ($58,000).

Cyber Crime In Europe

Cyber crime in russia.

Russia experiences high levels of cyber crime. In Q1 of 2022 alone, there were 42.92 million data breaches.

While this decreased to 28.78 million breaches in Q2 of 2022, it is clear that cyber crime is a serious threat in Russia. There are an average of more than 249,000 cases of digital fraud annually. In a single day, over 8 billion phishing emails were sent from Russian addresses.

In Q3 of 2022, 22.3 million Russian internet users had their accounts breached, the highest of any country.

The 5 countries with the highest amount of breached accounts in Q3 of 2022 were Russia, France (13.8 million), Indonesia (13.2 million), the US (8.4 million) and Spain (3.9 million).

These countries accounted for more than half of the total breaches globally in Q3 2022. As of November 2022, for every 1000 internet users, 153 have had their accounts breached.

Cyber crime in Germany

A 2022 study suggested that 72.6% of German organisations had suffered at least one successful cyber attack in the preceding 12 months. In comparison, Columbian organisations suffered the worst, with 93.9% compromised by at least one successful attack.

74.3% of German organisations indicated that further cyber attacks in the next 12 months are more likely than not going to occur.

However, German hackers are contributing to the global phishing threat. In 2022, 5.19% of spam originated from Germany. The top 5 countries of origin for spam were Russia (29.82%), Mainland China (14%), the USA (10.71%), Germany (5.19%) and the Netherlands (3.70%).

zero trust

Cyber Crime Trends

The growing cost of cyber crime.

As attack methods become increasingly sophisticated, organisations globally have to invest in more advanced security measures, update training, and, especially in larger companies, hire dedicated cyber security staff.

When these companies are hacked, the costs of rectifying the breach and recovering from downtime can spiral into millions.

The average cost of a cyber breach in 2022 was $4.35 million. It’s predicted that cyber crime cost the global economy around $7 trillion in 2022, and this number is expected to rise to $10.5 trillion by 2025.

The average cost of a cyber breach in 2022 was $4.35 million.

Supply chain attacks

Supply chains are becoming increasingly interconnected and complex as technology improves.

However, this connection presents risks if businesses in the chain aren’t adequately protected. Security vulnerabilities in one business can expose partners they are connected with.

Cyber criminals are targeting these vulnerabilities, with up to 40% of cyber threats now occurring indirectly through the supply chain.

Research highlights that cyber security leaders are burnt out and in an ‘always on’ state as increased digital connections demand more of their time.

Cyber criminals are using this fatigue to their advantage. A study has revealed that just 23% of security leaders monitor their partners and vendors in real-time for cyber security risks. These organisations also limit third-party coverage to their immediate vendors and suppliers. This excludes their wider ecosystem of customers, business partners, investors and others.

Is awareness of cyber risk increasing?

Awareness of third-party risk is increasing. By 2025, it is estimated that 60% of organisations will use cyber security risk as a key factor when determining transactions and business engagements with third parties.

Supply chain attacks are seen by 60% of C-Suite executives as the most likely type of cyber threat that would affect their business.

Recent research also highlights C-Suite executives’ worry about vulnerabilities in the supply chain .

When 900 companies were asked what they thought were the most likely types of cyber attacks on their business, 60% responded with supply chain attacks. DDoS attacks were seen as equally likely, ahead of cyber espionage (59%) and APT (57%), but less than ransomware and data theft (66%).

Atlassian demonstrates the risks within the supply chain. Used by 83% of Fortune 500 companies, Atlassian products are hugely popular across the world, with 180,000 customers in more than 190 countries.

However, cyber criminals exposed a severe vulnerability in Atlassian Confluence in June 2022. As mentioned above, Atlassian products are used by some of the biggest organisations in the world; the consequences of data leaks could be crippling.

Research found that almost 200,000 companies depend on organisations that may have been affected by the vulnerability.

The risk of Internet of Things (IoT) devices

The IoT doesn’t require human interaction to function, making IoT devices excellent assets in business to automate tedious workflows and reduce the margin for error.

However, these devices are a prime target in cyber crimes. GPS trackers, ‘smart’ wearables and other IoT devices can hold valuable data but often don’t have robust security software.

This was discovered in the case of MiCODUS. The MiCODUS MV720 GPS tracker is a popular automotive tracking device, designed to help with vehicle fleet management. It is hardwired into vehicles, enabling anti-theft, fuel cut-off, geofencing and remote control capabilities.

MiCODUS products are used in 169 countries by the general public, government agencies, militaries, law enforcement and businesses. 6 severe vulnerabilities were found in the MV720.

Exploiting these vulnerabilities means attackers could track shipments, cut fuel to emergency vehicles or extort ransoms by disabling fleets.

The human element

The human element remains a critical vulnerability for both businesses and individuals. 82% of breaches against businesses involved a human element through issues like error and social engineering.

Phishing attacks are the most common form of cyber threat, and more damaging attacks are often dependent on the success of an initial malicious email. Encouraging people to follow a link to a spoof website and enter credentials or download malware gives hackers the tools needed to escalate attacks. From there, serious threats like ransomware can be delivered.

Cyber crime on social media

The growth of social media in recent years has given cyber criminals another avenue of attack. Meta, the parent company of Facebook, uncovered more than 400 malicious iOS and Android apps in 2022 that targeted mobile users to steal their Facebook login credentials.

43% of these apps were ‘photo editors’, including ones that allowed the user to turn themselves into a cartoon. A further 15% were ‘business utility’ apps, which claimed to be able to provide hidden features not found in official apps from reputable platforms.

By creating fake reviews, cyber criminals can artificially inflate the ranking of their apps and disguise poor reviews that highlight issues. Unsuspecting users then download the app, where they are then asked to log in using Facebook. The hacker can see any details entered.

How common is cyber crime on social media?

Cyber crime is very common on social media. In Q2 of 2022 alone, Facebook removed 8.2 million items of content that violated its policies on bullying and harassment. In Q1 of 2022, 9.5 million pieces of policy-violating content were removed, the highest-ever number removed by the platform.

Romance scams cost UK victims £14.6 million in a single month.

Cyber criminals will use social media to scope out individuals to target in crimes such as romance scams. This type of fraud involves the criminal establishing a ‘relationship’ with a target, before getting the unfortunate victim to send money, purportedly for plane tickets, an urgent operation or other ruses.

In the UK, romance scams cost victims £14.6 million in May 2021 alone. Half of romance scam victims in the UK in 2021 were women, with 39% men and the final 11%, not specifying their gender.

The Russia-Ukraine War

Russia’s invasion of Ukraine has had a massive impact on the cyber threat landscape. Since the start of the war, Russian-based phishing attacks against email addresses of European and US-based businesses have increased 8-fold.

Nearly 3.6 million Russian internet users have also experienced breaches in the first quarter of 2022, an 11% increase quarter-on-quarter.

What has the UK done to help Ukraine?

To help protect Ukrainian critical infrastructure against Russian attacks, the UK launched the ‘Ukraine Cyber Programme’ in 2022. The UK mobilised an initial £6.35 million package in response to increased Russian cyber activity immediately following the Ukraine invasion.

This programme provides incidence response to protect Ukraine Government entities against attacks, as well as DDoS protection so Ukrainian citizens can still access critical information and firewalls to block attacks.

Cyber Security Lock Screen Image

Notable Cyber Breaches

What happened in the 2021 jbs ransomware attack.

JBS is the largest meat processing company in the world. On May 30th 2021, cyber criminals breached the JBS network with ransomware, disrupting plants in the USA, Canada and Australia. All JBS-owned beef processing plants in the USA were temporarily inoperative.

Impacts included the US Department of Agriculture being temporarily unable to offer wholesale prices for beef and pork, and highlighted vulnerabilities in the meat processing supply chain.

On June 9th, JBS paid an $11 million ransom to the cyber criminals, preventing further disruption and the potential leaking of sensitive data. JBS stated that it spends over $200 million annually on IT and employs more than 850 IT professionals worldwide.

What happened in the 2021 Robinhood hack?

Robinhood is a USA-based stock trading app. On November 3rd 2021, data of 7 million users was stolen and held to ransom by cyber criminals.

The hackers accessed this data through social engineering, divulging employee login details to access the network without using brute force.

This led to 5 million users having their email addresses compromised, with a further 2 million having their full names exposed. 310 victims had more personal information stolen, including dates of birth and US zip codes.

The hackers demanded a ransom to prevent this data from being leaked. Robinhood refused, hiring a cyber security firm to investigate the breach.

How did the Uber breach happen?

It is likely that the September 2022 Uber breach was able to occur as a contractor had their personal device infected with malware. The hacker was then able to purchase the exposed credentials on the dark web.

The hacker used these credentials to repeatedly log in to the contractor’s Uber account, which triggered MFA approval requests. Repeated MFA requests caused ‘MFA fatigue’ where the contractor became fed up with receiving notifications. When the contractor eventually accepted a request, the hacker gained access to the account and escalated the attack.

Uber responded by identifying potentially compromised accounts, either blocking them or resetting their passwords. They also reset access to internal tools and locked down the codebase to prevent any new code changes.

No public-facing applications were accessed, meaning sensitive data such as customer credit card details and bank account information remained secure.

What happened in the 2022 National Health Service (NHS) cyber security breach? On 4th August, Advanced, a key supplier of digital NHS services like patient check-ins and NHS 111, suffered a ransomware attack from an unknown hacking group.

The attack took several services offline, including software used by medical professionals for patient check-ins, patient records and NHS 111. GP practices suffered as access to important patient information was blocked, and notifications could not be electronically sent between hospitals and GPs.

In-person visits had to be recorded manually, extending wait times and piling extra work onto an already thinly stretched NHS workforce.

From August 22nd, NHS 111 services started to return to normal. Advanced worked on its security vulnerabilities and is restoring impacted services in a new, secure environment.

How did Nvidia get breached?

On 23rd February, Nvidia, a major microchip producer suffered a data breach which saw source code fall into the hands of cyber criminals.

The hacking group Lapsu$ claimed responsibility for the attack, claiming it had stolen around 1TB of data. This included employee information, such as account passwords, and source code for graphics card drivers.

No ransomware was detected in the security breaches, with the crime group instead demanding Nvidia make their drivers open-source.

Nvidia responded by changing all staff members’ passwords, ensuring any leaked information would be useless. Lapsu$ also claimed that Nvidia launched a ransomware attack against them, encrypting the stolen data so it couldn’t be leaked.

What was WannaCry?

One of the most widespread cyber breaches in history, WannaCry was a global ransomware attack that affected more than 200,000 computers in over 150 countries.

WannaCry exploited a vulnerability in unpatched versions of the Windows operating system. This vulnerability was known as ‘EternalBlue’, and had allegedly been developed in the US by the National Security Agency. A hacking group known as ‘The Shadow Brokers’ exposed the issue before the attack happened.

Microsoft released a patch that removed EternalBlue. However, businesses and individuals across the world ignored the update, not realising the danger their computers were in.

As such, WannaCry was a devastating attack. The ransomware infected hundreds of thousands of computer systems across the globe. The attackers encrypted data on the affected machines, demanding the victims pay the attackers $300 in Bitcoin to avoid having their data deleted.

WannaCry is estimated to have caused over $4 billion in damages worldwide. In the UK, the NHS had to cancel 19,000 appointments, costing the health service around £92 million.

Costa Rica ransomware attack 2022

A national emergency was declared in Costa Rica in 2022 in the face of a series of ransomware attacks against critical institutions.

The first attacks ran from mid-April until the start of May, with 27 government bodies targeted. The digital tax service and the IT system for customs control were crippled. The attacks also impacted an estimated 800 servers and several terabytes of information in the finance ministry.

The encryption of key data and systems meant trade was affected, with losses from import and export businesses estimated somewhere between $38 million and $125 million per day. While a manual form of import was implemented after 10 days, the increased paperwork load still caused delays.

The second attack started on May 31st 2022. The main target this time was the Costa Rican Social Security Fund, which handles the country’s health service. An estimated 10,400 computers and more than half of the servers were impacted, with important healthcare systems going offline and forcing doctors to cancel appointments.

In the first week following the attack, around 34,677 appointments had to be rescheduled – 7% of all appointments that week across the country.

A ransomware group known as ‘Conti’ claimed responsibility for the first series of attacks, demanding a $10 million ransom to prevent the stolen information from being leaked. The second series of attacks were claimed by the HIVE ransomware group, which has some links to Conti.

Marquard & Bahls supply chain attack 2022

On January 29th 2022, 2 subsidiaries of German fuel trader Marquard & Bahls were hit with cyber attacks, forcing companies like Shell to re-route shipments.

Oiltanking and Mabanaft were both targeted by hackers, with their IT systems and supply chains impacted. The knock-on effects of these attacks were felt across Germany.

Aral, who operates the largest network of petrol stations in Germany (around 2300 stations), had to source oil from alternative sources after the attacks.

The companies produce 1.6 million litres of fuel oil and 2.1 million litres of fuel annually, and the disruption from these attacks has affected 233 stations in northern Germany. A spokesperson for the Federal Office for Information Security said the situation was ‘serious, but not grave’. Both affected companies said in a joint statement that they were working to resolve the issue as soon as possible.

siem services image

What is cyber crime?

Cyber crime is split into two categories:

Cyber-dependant crime: Crime that can only be committed through the use of technology, ‘where the devices are both the tool for committing the crime, and the target of the crime.’ Examples include malware that targets victims for financial gain and hacking to delete or damage data.

Cyber-enabled crime: ‘Traditional’ crime that has extended reach through the use of technology. Examples include cyber-enabled fraud and data theft.

How much does cyber crime cost the economy?

Cyber crime cost global economies around $787,671 per hour in 2021. Over the course of the year, this amounts to $6,899,997,960 lost worldwide to cyber criminals.

Why is cyber crime increasing?

Cyber crime against businesses in the UK had been decreasing pre-Covid (from 46% of UK businesses reporting suffering a cyber attack in 2017 to 32% in 2019). However, the changes in the workplace brought about by lockdowns through the pandemic caused cyber crime to spike again as 46% of UK businesses reported suffering a cyber attack in 2020.

Cyber crime against UK businesses has since slowly decreased – in 2021 and 2022, 39% of UK businesses reported suffering a cyber attack.

Cyber crime victim density in the UK increased 40% from 2020 to 2021, likely driven by using personal electronic devices for work and generally using the internet more during lockdowns.

Who does cyber crime affect?

Cyber crime affects everyone.

The least affected are typically those under 20, but students switching to studying online during the pandemic in 2020 contributed to a nearly 100% increase in victims under 20 (from around 10,000 to more than 20,000).

Numbers have dropped by 36% in 2021, but remain 56% above pre-Covid levels.

Pensioners (60+) are the group most vulnerable to crime online. 2020 saw a 55% increase in victims over the age of 60, and this trend has continued through 2021 to over 92,000 victims.

How often does cyber crime occur?

With an average of 97 cyber crime victims per hour, this means there is a victim of cyber crime every 37 seconds.

In addition, 2 internet users have had their data leaked every second in 2022. This is an improvement over 2021, where 6 users had their data leaked every second.

Which country has the most cyber crime?

The latest cyber crime statistics highlight that hackers target certain countries over others – in 2021, 71% of countries had below the global average breach density (16.5 leaked emails per 100 internet users).

The UK has the highest density of cyber crime victims per million internet users – 4783. This is followed by the USA with 1494.

Russia currently has over 3.5 million breached users – the highest in the world in 2022. This is followed by the USA with almost 2.5 million breached users.

What is hacking in cyber crime?

‘Hacking’ is the act of gaining unauthorised access to a computer or data.

How common is hacking?

There is no single data source for how many people get hacked. However, it is estimated that there is a victim of cyber crime every 37 seconds. In 2021, 1 in 5 internet users had their emails leaked online, which could lead to hackers being able to access their accounts or target the email in phishing attacks.

What is eavesdropping in cyber crime?

‘Eavesdropping’ enables hackers to view, intercept, modify or delete data sent between 2 devices. Eavesdropping can be passive, where the hacker ‘listens’ to data being transmitted but does not otherwise interfere.

Active eavesdropping happens when hackers intercept data packets on a network by pretending to be a genuine connection. ‘Man-in-the-middle’ attacks are the most common form of active eavesdropping. Hackers access networks through social engineering or malicious software, and can then steal, redirect or delete data sent between devices on that network.

What is fraud in cyber crime?

Online fraud is when criminals use technology to gain an advantage, usually financial, over a person or business. Fraud cost the UK £137 billion in 2021, the losses amounting to more than Jeff Bezos’ net worth.

What are the common types of cyber crime?

The most common forms of cyber crime include phishing, ransomware and personal data breaches.

Phishing remains the most common form of cyber attack, with around 3.4 billion spam emails sent daily. Phishing is often an ‘entry’ attack, where cyber criminals collect sensitive information (like login details or credit card numbers) that they can then use to launch further attacks.

For instance, phishing is the most common entry point for ransomware attacks. Hackers spam their targets until the victim follows the link. That link could contain ransomware or take them to a spoof website where the victim unwittingly enters their login details. The hackers can then use that information to get internal access to a network, escalate their attack and inject ransomware.

Deep Instinct, Surfshark, IBM, World Economic Forum, ConnectWise, Statista, Gartner, Bulletproof, Kaspersky, Atlassian, BitSight, Verizon, NCSI, UK government, Pakistan Federal Investigation Agency, CERT-IN, Statistics Canada, Cyber Edge, Savvy, Optus, Credit Suisse, Imperva, Deloitte, EFCC, Bloomberg UK, JBS, BBC, Uber, Nvidia, Bloomberg, ZDNet, CPS, NCSC, National Fraud Intelligence Bureau, Action Fraud, Crowe, Microsoft, Sophos, Business Today, Commercial Crime Investigation Department (Malaysia), Indian Cyber Crime Coordination Centre, Nepal Police Cyber Bureau, Meta, OSAC, ZM-CIRT, GCI, Reuters, IC3, Canadian Anti-Fraud Centre, Valimail, Cybersecurity Ventures, Juniper Research, F5 Labs, SRA, Future Crime Research Foundation

Download our free guide: Cyber Security Threats for Business in 2024

cyber crime case study report

Related insights

Browse more articles from our experts and discover how to make better use of IT in your business.

cyber crime statistics

The Latest Cyber Crime Statistics (updated March 2024)

Read the latest cyber crime statistics, updated for March 2024, and see how the threat landscape has changed in recent years. Read More

Ransomware statistics

The Latest Ransomware Statistics (updated March 2024)

Ransomware is an ever-present threat to cyber security worldwide. See how it has affected individuals and organisations with the latest ransomware statistics, updated for March 2024. Read More

Cloud computing statistics

The Latest Cloud Computing Statistics (updated March 2024)

Cloud computing has transformed both the business world and our personal lives. Find out how the cloud is evolving with the latest cloud computing statistics, updated for March 2024. Read More

AAG IT Support


  1. Latest Cyber Crime Cases In Malaysia : 2018 Cybercrime Statistics A

    cyber crime case study report

  2. Cyber Crimes in India Spiked Nearly Nine Times Since 2013, UP Topped

    cyber crime case study report

  3. A Look at 23 Key Cyber Crime Statistics Data From 2021 and 2022 (2022)

    cyber crime case study report

  4. (PDF) Brief Study of Cybercrime on an Internet

    cyber crime case study report

  5. ⇉Effects Of Cyber Crime On The Social Media Essay Essay Example

    cyber crime case study report

  6. (PDF) Cyber Crime: An Analytical Study of Cyber Crime Cases at the Most

    cyber crime case study report


  1. Cyber Crime


  1. Top 10 cyber crime stories of 2021

    Here are Computer Weekly's top 10 cyber crime stories of 2021: 1. Colonial Pipeline ransomware attack has grave consequences. Though it did not trouble the fuel supply at petrol stations in the ...

  2. PDF A Case Study of the Capital One Data Breach

    2. Technical assessment of the main regulations related to the case study; 3. Answer to the question: Why were the regulations insufficient to protect the data and what are the recommendations for an effective protection? 4. Recommendations for regulatory agencies, organizations, and entities. 3.1. Technical Criteria for Selection of the Case Study

  3. Cybercrime Investigation Case Studies: An Excerpt from Placing the

    Case in Point. FBI Anthrax Investigation (Arredondo, 2008) Doctor Bruce Ivins, a biodefense researcher at the US Army Medical Research Institute of Infectious Diseases, was suspected of mailing anthrax-contaminated letters causing 5 deaths and injury to dozens of more people.

  4. Unpacking Cyber Crime: In-depth Analysis and Case Studies

    Depicting Major Cyber Crime Case Studies. When regarding the multifaceted arena of cybercrimes, a few notorious examples have made all the difference in shaping both legislative processes and public perception. These archetypical scenarios paint a stark picture of the danger posed by cybercriminals and the significant, often devastating ...


    2022 3INTERNET CRIME REPORT INTRODUCTION Dear Reader, Today's cyber landscape has provided ample opportunities for criminals and adversaries to target U.S. networks, attack our critical infrastructure, hold our money and data for ransom, facilitate large-scale fraud schemes, and threaten our national security.

  6. PDF Target Cyber Attack: A Columbia University Case Study

    Executive Summary. In this case study, we examine the 2013 breach of American retailer Target, which led to the theft of personally identifiable information (PII) and credit card information belonging to over 70 million customers from Target's databases. This case study will first consider Target's vulnerabilities to an external attack in ...

  7. PDF 2020 Internet Crime Report

    Crimes of this type are just a small part of what the FBI combats through our criminal and cyber investigative work. Key to our cyber mission is the Internet Crime Complaint Center (IC3), which provides the public with a trustworthy source for information on cyber criminal activity, and a way for the public to report directly to us

  8. Cyberattack Paralyzes the Largest US Health Care Payment System

    The hacking shut down the nation's biggest health care payment system, causing financial chaos that affected a broad spectrum ranging from large hospitals to single-doctor practices.

  9. Cybercrime case studies

    Case studies about online grooming, online scams, ransomware, and malware and intimate image abuse. ... Jin and Bella contacted Victoria Police to report the crime. The majority of Jin and Bella's clients were unable to submit their tax returns on time. ... 2021, ACSC Annual Cyber Threat Report: 1 July 2020 to 30 June 2021. 22 Office of the ...

  10. Making the most of cybercrime and fraud crime report data: a case study

    Furthermore, compared to the pre-pandemic period, while the number of incidents of other crime decreased by 19%, fraud and computer misuse (F&CM) increased by 24% and 85% respectively [ 1 ]. 1 In addition, there was a 28% increase in reports of fraud and a 16% increase in CM reported via the UK's national reporting centre Action Fraud (AF ...

  11. 2021 Norton Cyber Safety Insights Report

    With the effects of the COVID-19 pandemic in the past year, learn how consumers were impacted by cybercrime and identity theft in the 2021 Norton™ Cyber Safety Insights Report, a yearly report surveying over 10,000 adults in 10 countries. In this year's report, discover: The number of consumers impacted by cybercrime and identity theft in ...

  12. Understanding cybercrime in 'real world' policing and law enforcement

    It is widely accepted that cybercrime is highly prevalent and increasing. A recent report suggests that Internet Service Providers (ISPs) record around 80 billion automated scans daily by online perpetrators with the aim of identifying targets for cybercrime (Lewis, 2018), and in the year ending September 2019, 1 million 'computer misuse' crimes were reportedly committed against households ...

  13. Phishing Attacks: A Recent Comprehensive Study and a New Anatomy

    With the significant growth of internet usage, people increasingly share their personal information online. As a result, an enormous amount of personal information and financial transactions become vulnerable to cybercriminals. Phishing is an example of a highly effective form of cybercrime that enables criminals to deceive users and steal important data. Since the first reported phishing ...

  14. Cyber Crime & Forensic Investigation: Case Study Analysis

    2.1) Aims & Objectives. Our aim is to implement a proper methodology by using the incremental approach for the. investigation. One of the main objectives of this forensic examination is to find ...

  15. Small Business Cybersecurity Case Study Series

    The following Case Studies were created by the National Cyber Security Alliance, with a grant from NIST, and should prove useful in stimulating ongoing learning for all business owners and their employees. Case 1: A Business Trip to South America Goes South Topic: ATM Skimming and Bank Fraud; Case 2: A Construction Company Gets Hammered by a ...

  16. ASD Cyber Threat Report 2022-2023

    Through case studies, the report demonstrates the persistence and tenacity of these cyber actors. It shows that these adversaries constantly test vulnerabilities in Australia's cyber ecosystem and employ a range of techniques to evade Australia's cyber defences. ... Case study 1: Malicious cyber actors exploit devices 2 years after patch ...

  17. The Latest 2024 Cyber Crime Statistics (updated March 2024)

    76% of respondents in a 2022 case study covering the US, Canada, UK, Australia and New Zealand say their organisation has suffered at least 1 cyber attack this year. This is a large increase over the 55% figure in 2020. ... The US IC3 department received reports from 24,299 victims of cyber crime. This amounted to more than $956 million lost.

  18. (PDF) India's domestic Cyber Security and CyberCrime: A Case Study of

    Manipur Cyber Crime Police Station able to be solved nearly 65 perce nt of the reported case. The The Officer- in -Charge also informs that 23 were arrested for cybercrime un der I T Act and I PC.


    did not report any case of cyber crime i.e., neither under the IT Act nor under IPC Sections during the year 2011. And 53 mega cities have reported 858 cases under IT Act and 200 cases