Summary
In the second quarter of 2025, the NCSC responded to 1,315 incident reports through its two distinct triage processes.
Of these, 56 incidents were triaged for specialist technical support due to their potential national significance. This is a moderate decrease from the 77 incidents of potential national significance in Q1, 2025.
1,259 reports were handled through the NCSC’s general triage process. This is a 3% decrease compared to the 1,292 reports received in the previous quarter.
Direct financial loss reported during Q2 was lower than Q1, at $5.7M. This is a 27% decrease compared to the previous quarter’s $7.8M.
Individuals accounted for $4.5M in direct financial loss, and organisations for $1.2M.
The bulk of incidents reported were for scams and fraud, however unauthorised access amounted to the most significant financial loss of $3.7M this quarter.
This quarterly report includes articles on two areas of focus. The first article details techniques used by cyber criminals to target IT helpdesks with the goal of obtaining access and information. The second article describes a recent incident the NCSC assisted with, and how good preparation helped to prevent a more serious situation from occurring.
The NCSC endeavours to provide the richest possible view of the data available. Where possible, our statistical categories include all incidents. However, due to the way information is collected and processed, for some categories it is not possible for us to include incidents triaged for specialist technical support.
Data highlights
The NCSC responded to 56 incidents with potential to cause national harm. This is a 27% decrease from 77 in Q1 2025.
1,259 incidents were handled through the NCSC’s general triage process in Q2, down 3% from Q1 2025.
Incident reports to the NCSC relating to malware increased by 83% from Q1 2025.
$5.7M in direct financial loss was reported in Q2, down 27% from the previous quarter. Incidents with reported loss of $10,000 and over made up $5.3M (94%) of reported loss, despite consisting of only 50 incidents.
If you are interested in more data, read our Data Landscape section. This provides a standardised set of results, graphs, and an analysis of the latest trends.
Data Landscape: a closer look at our numbers
Number of incidents
A total of 1,315 incidents were recorded by the NCSC in Q2.
Direct financial loss
There were 420 incidents in Q2 2025 that reported a direct financial loss, and 408 reports that specified the loss amount.
Direct financial losses totalled $5.7 million in Q2 2025, decreasing by 27% compared to the previous quarter.
Incident severity
Of the total reports received:
- 3 were categorised as C3 - significant incidents
- 13 were categorised as C4 - moderate incidents
- 51 were categorised as C5 - routine incidents
- 1,122 were categorised as C6 - minor incidents.
There were no C2 – highly significant incidents, or C1 – national cyber emergencies, this quarter.
The distribution of incident severity categories is reflective of typical previous quarters. The majority of incidents were within the C4 to C6 range, and only a small number of significant (C3) incidents took place during the quarter.
Incidents by suspected actors
Where possible, the NCSC links incidents triaged for specialist support to a known actor or activity grouping. Of the 56 such incidents handled by the NCSC in Q2 2025:
- 48% were assessed to be likely linked to state-sponsored actors,
- 32% were assessed to be likely linked to cybercrime actors, and
- 20% did not have enough evidence to link the activity to a known malicious cyber actor.