Summary
In the fourth quarter of 2025, the NCSC responded to 1,131 incident reports through its two distinct triage processes.
Of these, 90 incidents were triaged for specialist technical support due to their potential national significance. This is an 18% decrease from the 110 incidents of potential national significance in Q3 2025.
1,041 reports were handled through the NCSC’s general triage process. This is an 8% decrease compared to the 1,139 reports received in the previous quarter.
Direct financial loss reported during Q4 was lower than Q3, at $3.2 million. This is a 75% decrease compared to the previous quarter’s $12.4 million, noting that the losses recorded in Q3 were unusually high.
Individuals accounted for $2.9 million in direct financial loss, and organisations for approximately $300,000.
The bulk of incidents reported were for scams and fraud, which had the highest reported direct financial loss at $2.6 million; however, unauthorised access had a loss of approximately $440,000.
This quarterly report includes articles about why it's wise to keep business and personal online lives apart. Our case study describes the journey of a single business email address used for a personal website that ended up appearing in numerous publicly disclosed data breaches over a period of 16 years.
The second article details the risks of staff using equipment, software and services for work purposes without their organisation knowing about them.
The NCSC endeavours to provide the richest possible view of the data available. Where possible, our statistical categories include all incidents. However, due to the way information is collected and processed, for some categories it is not possible for us to include incidents triaged for specialist technical support.
Data highlights
The NCSC responded to 90 incidents with potential to cause national harm. This is an 18% decrease from 110 in Q3 2025.
1,041 incidents were handled through the NCSC’s general triage process in Q4, down 8% from Q3 2025.
Scams and fraud remained the most common incident category, as it has been since Q4 2024. Reporting numbers decreased slightly from 446 in Q3 to 432 in Q4.
$3.2 million in direct financial loss was reported in Q4 2025, a 75% decrease from the previous quarter’s $12.4 million.
If you are interested in more data, read our Data Landscape section. This provides a standardised set of results, graphs, and an analysis of the latest trends.
Data Landscape: a closer look at our numbers
Number of incidents
A total of 1,131 incidents were recorded by the NCSC in Q4.
Breakdown by incident category
Direct financial loss
During Q4 2025, 321 incidents reported to the NCSC included a direct financial loss, and 308 reports specified the loss amount.
Direct financial losses totalled $3.2 million in Q4 2025, decreasing by 75% compared to last quarter.
Incident severity
Of the total reports received:
- 4 were categorised as C3 - significant incidents
- 41 were categorised as C4 - moderate incidents
- 31 were categorised as C5 - routine incidents
- 887 were categorised as C6 - minor incidents
- Remaining incidents were not categorised.
There were no C2 – highly significant incidents, or C1 – national cyber emergencies, this quarter.
The distribution of incident severity categories is reflective of typical previous quarters. The majority of incidents were within the C4 to C6 range, and only a small number of significant (C3) incidents took place during the quarter.
Incidents by suspected actors
Where possible, the NCSC links incidents triaged for specialist support to a known actor or activity grouping. Of the 90 such incidents handled by the NCSC in Q4 2025:
- 23% were assessed to be likely linked to state-sponsored actors,
- 51% were assessed to be likely linked to cybercrime actors, and
- 26% did not have enough evidence to link the activity to a known malicious cyber actor.