How to report cybercrime in the UK

UK businesses are encouraged to contact Action Fraud if they are a victim of cybercrime, but they might also need to inform local authorities or regulators.


It is estimated that nearly a third of cyberattacks against UK businesses go unreported to the police. Law enforcement in the UK is keen to have businesses report more cybercrime to them to get a better picture of the online criminal landscape and dedicate the right resources to combatting cybercrime.

In an emergency, the National Crime Agency recommends always calling 999. Otherwise, the UK Crown Prosecution Service recommends that if you believe you have been a victim of cyber or online crime, you should report it to the police by calling 101 or report it via the national Action Fraud website.

Where to report cybercrime in the UK

The primary place to report cybercrime in the UK is Action Fraud, which is the UK's national fraud reporting service. Victims are given a crime reference number and their case is passed on to the National Fraud Intelligence Bureau (NFIB), which is run by the City of London's police service. However, Action Fraud is a reporting and analysis centre only, and local police forces will deal with the incident if it is referred to them.

While its public phone line has regular opening hours of Monday to Friday, 8am to 8pm, Action Fraud says that any business suffering a live cyberattack should call 0300 123 2040 immediately, as this service is available 24 hours a day, seven days a week.

Alternatively, organisations can report cybercrimes to Action Fraud via its online reporting tool, but this requires registration. Action Fraud may also share information about incidents with other bodies, potentially including local police forces and regulatory bodies.

If you wish to report a crime anonymously, you can provide information to CrimeStoppers, who will pass it on to the police.

Reporting insider cybercrime to police

Steven Richards, partner at UK legal firm Foot Anstey, has previously told CSO that many businesses prefer to deal with cybercrimes involving insiders through the civil courts, before or instead of referring them to the police, because they prioritise recovering whatever assets were stolen over sending the perpetrator to prison. If a company does wish to report a cybercrime involving an insider, it should likely phone the police on 101.

Where to whistleblow

If you wish to report an incident occurring within your company and the company doesn’t have its own internal whistleblowing service, you can contact the government-prescribed people and bodies relevant to your industry, for instance Ofcom in the media industry.

Reporting cybercrime to the NCSC

Though it isn’t obligatory, organisations may wish to report cybercrime to the National Cyber Security Centre (NCSC). While doing so doesn’t fulfil any reporting requirements for compliance purposes, the centre can provide technical advice and guidance and, in certain circumstances, deploy incident responders to provide technical support.

The NCSC also runs a Suspicious Email Reporting Service (SERS), to which users can submit suspected phishing emails for the centre to analyse. The NCSC claims that over 5,000 emails have been submitted to the service, resulting in over 80 malicious web campaigns being taken down.

The NCSC has previously made public statements that while it will “encourage” organisations to meet their requirements under GDPR and the NIS Directive, it will not share information reported to them with regulators without first seeking the consent of the organisation concerned. The NCSC says it may share details with law enforcement partners such as the National Crime Agency to “help identify investigation and mitigation opportunities.”

Reporting cybercrime to the ICO

As well as reporting to the police, organisations may be required to report cybercrimes to regulators for compliance purposes. Organisations should report to the ICO if the cybercrime in question involves data subject to the GDPR, PECR or the eIDAS Regulation, or falls under the NIS Directive where the organisation is a digital service provider and classed as an operator of essential services. The ICO has a different reporting form for each regulation under its purview on its incident reporting page.

Reporting cybercrime under the NIS Directive

While the ICO is the data protection regulator, organisations that are subject to the EU NIS Directive have to report cybercrime incidents to their own industry body, known as a Competent Authority.

Within the UK there are a multitude of Competent Authorities, including the Departments for Business, Energy & Industrial Strategy (BEIS), Transport (DfT), Health and Social Care (DHSC), and Environment, Food & Rural Affairs (DEFRA), as well as the ICO, Ofgem, Ofcom, HSE, the Civil Aviation Authority (CAA), the Bank of England, the Financial Conduct Authority, and others.

Different bodies have different reporting requirements. The ICO, for example, asks about the type of incident, whether you have identified the root cause, how it was discovered, whether it has been remediated, and the material impact on users.

Don’t report cybercrime to Interpol or Europol

Although Interpol and Europol may become involved if a cybercrime involves international actors, they do not take reports of cybercrime directly and will refer you to your local law enforcement, which will escalate the case as it sees fit.

Copyright © 2020 IDG Communications, Inc.