Cybercrime and Fraud in the UK Explained
Cybercrime and fraud are among the fastest-growing and most pervasive forms of criminal activity in the United Kingdom. From online scams targeting individual consumers to sophisticated attacks on major corporations and government institutions, digital crime now accounts for a significant proportion of all offences committed in the UK. The scale and complexity of cybercrime and fraud present major challenges for law enforcement, regulators and the wider criminal justice system.
This guide explains how cybercrime and fraud are defined, what types of offences are most common, who is responsible for investigation and enforcement, how the UK’s legal and regulatory framework addresses these threats and what individuals and businesses can do to protect themselves.
What is cybercrime?
Cybercrime refers to criminal activity that is committed using computers, digital networks or the internet. It can be divided into two broad categories: cyber-dependent crimes, which can only be committed using digital technology — such as hacking, malware attacks, distributed denial-of-service (DDoS) attacks and ransomware — and cyber-enabled crimes, which are traditional offences that have been scaled up or transformed by the use of technology, such as online fraud, identity theft, online harassment, child sexual exploitation and the distribution of illegal content.
The UK’s primary legislation covering cybercrime is the Computer Misuse Act 1990 (CMA), which criminalises unauthorised access to computer systems (hacking), unauthorised access with intent to commit further offences, and unauthorised acts that impair the operation of computers or data. The CMA has been amended several times since its original enactment to address evolving threats, including the introduction of a specific offence for acts causing serious damage to human welfare, the environment, the economy or national security. However, critics and law enforcement agencies have argued that the CMA is outdated and does not adequately address the full range of modern cyber threats.
The scale of cybercrime in the UK is enormous. The Crime Survey for England and Wales estimates that there are millions of cyber-related offences each year, though many go unreported. Action Fraud, the national reporting centre for fraud and cybercrime, receives hundreds of thousands of reports annually. The true economic cost of cybercrime to UK businesses and individuals is difficult to quantify but is estimated by the government and industry bodies to run into billions of pounds per year.
What is fraud and how does it differ from cybercrime?
Fraud is a criminal offence involving dishonesty for personal gain or to cause loss to another person. The Fraud Act 2006 defines three main types of fraud: fraud by false representation (making a dishonest statement to gain a benefit or cause a loss), fraud by failing to disclose information (dishonestly failing to share information where there is a legal duty to do so), and fraud by abuse of position (dishonestly misusing a position of trust or responsibility). Fraud also includes offences such as making or supplying articles for use in fraud and obtaining services dishonestly.
While fraud can be committed without technology — for example, through forged documents, confidence tricks or embezzlement — the vast majority of fraud in the modern UK is digitally enabled. Online shopping fraud, banking fraud, investment fraud, romance fraud, advance fee fraud, impersonation scams and phishing attacks all exploit digital channels to reach victims at scale. The National Fraud Intelligence Bureau (NFIB), operated by the City of London Police, analyses reports received by Action Fraud and identifies patterns, networks and opportunities for law enforcement intervention.
Fraud is now the single most commonly experienced crime in England and Wales, according to the Crime Survey, yet it receives a fraction of the law enforcement resources devoted to other crime types. This imbalance has been the subject of sustained criticism from parliamentary committees, victim advocacy groups and the fraud investigation community, leading to the government’s Fraud Strategy published in 2023, which set out plans for a more coordinated and resourced response.
Who investigates cybercrime and fraud?
The investigation of cybercrime and fraud in the UK involves multiple agencies. The National Crime Agency (NCA) leads the national response to serious and organised cybercrime, working with international partners to disrupt criminal networks, take down infrastructure and pursue the highest-harm offenders. The NCA’s National Cyber Crime Unit (NCCU) has specialist capabilities for investigating the most complex cyber-dependent crimes, including ransomware attacks, dark web marketplaces and state-sponsored cyber threats.
The City of London Police is the national lead force for fraud and operates the National Fraud Intelligence Bureau (NFIB), which processes reports from Action Fraud and disseminates intelligence to local police forces for investigation. Regional Organised Crime Units (ROCUs) provide specialist investigative capacity for complex fraud and cybercrime cases that cross police force boundaries. Individual police forces investigate local cases of cybercrime and fraud, though many forces have limited specialist capacity in these areas.
The Serious Fraud Office (SFO) investigates and prosecutes the most serious and complex cases of fraud, bribery and corruption, typically involving large corporations, financial institutions or cases with an international dimension. HMRC investigates tax fraud and evasion. The Financial Conduct Authority (FCA) has powers to investigate and prosecute financial fraud, including insider dealing, market manipulation and unauthorised financial services activity. The Information Commissioner’s Office (ICO) investigates breaches of data protection law that may be linked to cybercrime.
What types of cybercrime and fraud are most common in the UK?
The most commonly reported types of fraud in the UK include online shopping and auction fraud (where goods are paid for but never delivered, or counterfeit products are supplied), banking and credit card fraud (including unauthorised transactions, account takeovers and card-not-present fraud), advance fee fraud (where victims are persuaded to make upfront payments for goods, services or financial rewards that do not materialise), romance fraud (where victims are manipulated through online relationships into sending money to offenders), investment fraud (including cryptocurrency scams and Ponzi schemes) and impersonation fraud (where offenders pose as banks, government agencies or trusted companies to extract personal or financial information).
Ransomware has emerged as one of the most damaging forms of cybercrime, in which criminal groups encrypt victims’ data or systems and demand payment — typically in cryptocurrency — in exchange for the decryption key. UK organisations including the NHS, local councils, law firms, schools and businesses of all sizes have been targeted by ransomware attacks. The disruption caused can be severe, with organisations unable to access their systems for days or weeks, leading to cancelled appointments, lost data, operational shutdowns and significant financial costs.
Business email compromise (BEC), in which offenders impersonate senior executives or trusted suppliers to trick employees into making fraudulent payments or sharing sensitive information, is another significant threat, particularly for larger organisations. Phishing — the use of deceptive emails, text messages or websites to trick individuals into revealing passwords, bank details or other personal information — remains the most common vector for cyber-enabled fraud and is the entry point for many more serious cyber attacks.
What is the UK’s cyber security framework?
The UK’s approach to cyber security is coordinated by the National Cyber Security Centre (NCSC), part of GCHQ, which provides guidance, threat intelligence and incident response support to government, businesses and the public. The NCSC publishes regular threat assessments, offers practical advice on cyber hygiene and operates the Cyber Essentials certification scheme, which provides a baseline standard of cyber security for organisations.
The government’s National Cyber Strategy, updated regularly, sets out the UK’s approach to building cyber resilience, deterring hostile activity, developing the UK’s cyber security industry and ensuring that the UK is a safe place to live and work online. The strategy emphasises the importance of partnership between government, law enforcement, the private sector and international allies in addressing cyber threats.
The Online Safety Act 2023 introduced new obligations for technology companies to protect users from harmful content and illegal activity online, including fraud and scams. Under the Act, platforms are required to take proactive steps to prevent fraudulent content from appearing on their services, and Ofcom — the designated regulator under the Act — has the power to impose significant fines on platforms that fail to comply. This represents a significant shift towards placing responsibility on technology companies for the safety of their users, though the effectiveness of the new framework will depend on how robustly it is enforced.
What are the international and state-sponsored cyber threats facing the UK?
The UK faces significant cyber threats from state-sponsored actors as well as criminal groups. The NCSC’s Annual Review regularly identifies hostile activity from nation states — including Russia, China, Iran and North Korea — targeting UK government systems, critical national infrastructure, defence and intelligence, academic institutions and commercial enterprises. State-sponsored cyber operations range from espionage and intellectual property theft to pre-positioning for potential disruptive or destructive attacks on infrastructure such as energy networks, water systems, telecommunications and financial services.
The UK’s response to state-sponsored cyber threats involves coordination between GCHQ, the NCSC, the intelligence agencies (MI5 and MI6), the Ministry of Defence and the NCA. The UK has attributed several major cyber incidents to state actors, including the NotPetya attack attributed to Russia’s GRU and various Chinese cyber espionage campaigns targeting government departments and technology companies. The government has used diplomatic tools, sanctions and public attribution to deter and respond to hostile cyber activity, though the effectiveness of these measures in changing state behaviour is debated.
Critical national infrastructure operators are subject to the Network and Information Systems Regulations 2018 (NIS Regulations), which require them to implement appropriate security measures, report significant incidents to the relevant regulatory authority and cooperate with government agencies on threat management. The government has proposed strengthening these requirements through a Cyber Security and Resilience Bill, which would expand the scope of the regulations and increase enforcement powers.
How are emerging technologies changing the cybercrime landscape?
The rapid development of new technologies is continuously reshaping the cybercrime landscape. Artificial intelligence is being used by both attackers and defenders — criminals are using AI to generate more convincing phishing emails, create deepfake audio and video for impersonation fraud and automate the discovery of vulnerabilities in software, while security professionals use AI for threat detection, anomaly identification and incident response.
The growth of the Internet of Things (IoT) — connected devices including smart home systems, industrial sensors, medical devices and vehicles — has created a vastly expanded attack surface for cyber criminals. Many IoT devices have weak security features, making them vulnerable to exploitation for surveillance, data theft or incorporation into botnets used for DDoS attacks. The Product Security and Telecommunications Infrastructure Act 2022 introduced minimum security requirements for consumer connectable products sold in the UK, including bans on default passwords and requirements for vulnerability disclosure policies.
Cryptocurrency and decentralised finance (DeFi) platforms have created new opportunities for financial crime, including money laundering, ransomware payments, Ponzi schemes and the sale of illegal goods and services on dark web marketplaces. The regulation of cryptocurrency is still developing in the UK, with the FCA responsible for anti-money laundering supervision of crypto-asset businesses. The government has announced plans for a broader regulatory framework for cryptocurrency, but legislation has not yet been enacted.
The advent of quantum computing poses a longer-term but potentially transformative threat to cyber security. Quantum computers, once sufficiently powerful, could break many of the encryption algorithms that currently protect digital communications, financial transactions and government secrets. The NCSC has published guidance on preparing for the transition to quantum-resistant cryptography, and the UK is investing in quantum-safe technologies through its National Quantum Strategy.
What can individuals and businesses do to protect themselves?
While law enforcement and regulation play essential roles, individuals and businesses are also responsible for protecting themselves against cybercrime and fraud. The NCSC recommends basic cyber hygiene measures including using strong, unique passwords for all accounts, enabling multi-factor authentication wherever possible, keeping software and devices up to date with security patches, being cautious about clicking links or opening attachments in unsolicited emails and messages, and backing up important data regularly.
Businesses are advised to implement the Cyber Essentials framework as a minimum standard of protection, conduct regular staff training on phishing and social engineering threats, maintain an incident response plan, ensure that their supply chain meets appropriate cyber security standards and consider cyber insurance to mitigate the financial impact of a successful attack. For organisations handling large volumes of personal data, compliance with the UK GDPR and the Data Protection Act 2018 — including requirements for breach notification and data protection impact assessments — is both a legal obligation and a practical component of cyber resilience.
Anyone who is a victim of cybercrime or fraud should report the offence to Action Fraud (the national reporting service) or, in an emergency, to the police via 999. Reports to Action Fraud are analysed by the NFIB and may be allocated to a police force for investigation. Banks and financial institutions have their own fraud teams and may be able to recover lost funds, particularly if the fraud is reported promptly. The Financial Ombudsman Service can consider complaints about how banks handle fraud cases if the customer is dissatisfied with the outcome.
Why do cybercrime and fraud matter?
Cybercrime and fraud represent one of the most significant threats to the UK’s economy, national security and the wellbeing of individuals. The financial losses are enormous — running into billions of pounds annually — but the human impact is also severe, with victims experiencing financial hardship, emotional distress, loss of trust and in some cases long-term psychological harm. The rapid evolution of technology, the global nature of criminal networks and the relative ease with which offenders can operate across borders make cybercrime and fraud uniquely challenging to prevent, detect and prosecute.
Addressing these challenges requires a coordinated response across government, law enforcement, regulators, the technology sector, the financial services industry and the public. Understanding how cybercrime and fraud work, who is responsible for tackling them and what protections are available is essential for anyone living and working in an increasingly digital society.