Reporting a cyber incident: who should you tell?

Ever wondered which organisations you should report a cyber incident to? Should you call the police?

If you need advice right now because you’re in the middle of an incident, and don’t know who to call, stop reading this and go to the NCSC website. They have a list of companies that will help you with response and recovery.

Should we call the police?

If, for instance, you are experiencing a ransomware attack, call the local police. Ask to be put through to the local cyber crimes unit. If need be, they’ll escalate to the regional units, who may have more specific information about that kind of ransomware, but they’ll certainly be able to advise you on how to proceed. They’ll help you preserve evidence, and then help you deal with the problem. If you have found someone to help you with response and recovery, the cyber crimes unit will work with them.

You might think your experience is not worth reporting to the police. However, your information, when added to information from other victims, might help them find or disrupt the attackers.

Who does what?

As for so many things: it depends. Who will take charge will vary depending on the scale and nature of the incident. Organisations that might be involved include:

  • law enforcement:
    • your local police force
    • the appropriate regional organised crime unit (one of the 10 ROCU)
    • and the National Crime Agency (NCA)
  • the National Cyber Security Centre (NCSC)
  • the Information Commissioner’s Office (ICO), to whom you may need to report any breach of personal data
  • central government, including the Cabinet Office, who would call a COBR (Cabinet Office Briefing Room) meeting with ministers, in the case of a national cyber emergency
  • and, as mentioned above, there are many private sector specialist organisations who would be able to help with response and recovery.

The Cyber Incident Signposting Service

GOV.UK has a Cyber Incident Signposting Service (CISS), provided by the NCSC. This steps you through how to report an incident and to whom, depending on your answers to a suite of questions.

Note, though, that if there has been a breach of personal data, you’ll need to report it separately to the ICO, and there is a self-assessment tool on their website to help guide you.

CISS starts by asking whether you are reporting as an individual or as a business (because the responses will vary), followed by questions about the incident, such as:

  • where the incident happened
  • whether money was stolen or if the attacker asked for money
  • whether a computer system or network was damaged
  • whether critical national infrastructure was damaged
  • who you’ve notified

and so on, to advise you on who you should notify.

It’s not mandatory to report a cyber incident to NCSC, but they may be able to help you minimise harm caused, and the information will be useful to them as they work to support other UK organisations.

Who responds to a cyber incident?

In the UK, there is a model of cyber incident severity, which is applied across all sectors. The table below shows which of the organisations listed above is likely to lead the response to a cyber incident.

National cyber emergencyHighly significantSignificantSubstantialModerateLocal
National securityA
Essential servicesABC
Central governmentABCD
UK populationAB
UK economyAB
Local governmentBCD
Large organisationBCD
Medium organisationBCD
Small organisationBD
Response led byCOBR, NCSCNCSC, NCANCSCNCSC or NCA or ROCUROCU or local policeLocal police
Who responds to a cyber incident?
ASustained disruption leading to economic/social consequences or loss of life
BSerious impact
CPoses a considerable risk
DIndications of cyber activity
Scale of cyber attack

Scams, fraud, and phishing

There are other organisations that can help, and/or to whom you can report cyber incidents, depending on the kind of incident you are experiencing.

Scams or Fraud

If you think you’ve been a victim of a scam or fraud contact:

  • the Police (on 101 if it’s not an emergency)
  • your bank (on 159, or call the number on the back of your bank card)
  • Action Fraud: you can report fraud online Action Fraud
  • Victim Support or the Samaritans, if you are upset, frightened, or feel you need some support.

If the scammer is imitating a real person or company, let that person or company know about it too.

Phishing emails or messages

Phishing emails should be reported to This will go to the National Cyber Security Centre, who will investigate.

Suspicious text messages can be forwarded to 7726, which is free, and will alert your service provider so they can investigate.

HMRC-specific phishing emails, texts and phone calls can be reported to Take screenshots of texts or other messages for forwarding to this address.

Misleading or scam adverts

Scam adverts on social media should be reported to the company you saw it on (e.g. Facebook). You can also report them to the Advertising Standards Authority (ASA), who will take your report of other online scam adverts.

If the scam involves cryptocurrency, insurance, your investments or your pension, you can report it to the Financial Conduct Authority.

Cyberbullying, online blackmail and hacking

The National Bullying Helpline is available Monday to Friday and their website has lots of advice about all kinds of bullying, including online.

And of course, we are here to help. If you’d like to discuss how you would handle a cyber security incident before you are in the middle of a crisis, do give us a call on 0113 733 6230.