ReportingUK Guidance7 min read · Updated June 2026

How to Report a Cyber Attack or Data Breach in the UK

Q: Can I find out who hacked me?

In most cases, no. Cybercriminals typically operate from other countries and use anonymising tools. The authorities may be able to identify criminal groups from patterns of reports over time. Focusing on securing your accounts and preventing future incidents is more productive than trying to identify the attacker.

If your account has been hacked, your personal data has been leaked, or you've been the victim of an online scam or fraud — reporting it matters. It protects you, helps your bank and the authorities take action, and helps prevent others from being targeted.

This guide tells you exactly who to report to, what to include, and what to expect.

Not sure if something has actually happened? Start with our Am I Being Hacked? guide first.

Key Reporting Contacts at a Glance

Most cybercrime and fraudactionfraud.police.uk / 0300 123 2040

Phishing email (any sender)report@phishing.gov.uk (forward the email)

Financial fraudBank fraud team — number on back of your card

Company data breachico.org.uk/make-a-complaint

HMRC phishingphishing@hmrc.gov.uk (forward the email)

Scam on social mediaPlatform in-app 'Report' function

Identity theftcifas.org.uk (protective registration)

Step 1 — Report to Action Fraud

Action Fraud is the UK's national reporting centre for fraud and cybercrime. It should be your first call for most online security incidents.

What Action Fraud handles

Email, social media, or bank account being hacked
Phishing scams (whether or not you clicked anything)
Financial fraud and online scams
Ransomware and malware attacks
Identity theft
Investment fraud and romance scams

How to report

Online: actionfraud.police.uk — available 24 hours a day, 7 days a week
Phone: 0300 123 2040 (Monday–Friday, 8am–8pm)

What to include in your report

When it happened (approximate date is fine)
How it happened (phishing email, phone call, link you clicked, etc.)
What personal or financial information was involved
Any phone numbers, email addresses, or website URLs associated with the incident
What financial loss was involved, if any

You'll receive a crime reference numberimmediately after reporting. Keep this — you may need it if you're claiming with your bank or insurance provider.

Your report goes to the National Fraud Intelligence Bureau (NFIB), which analyses reports to identify criminal networks and patterns. The NFIB passes cases meeting an evidence threshold to police for investigation. Not every individual report results in a direct prosecution, but every report contributes to the intelligence picture and helps disrupt criminal operations.

Step 2 — Contact Your Bank (If Financial Accounts Were Affected)

If your bank account, credit card, or a payment service such as PayPal has been accessed without your permission, contact your bank immediately.

Call the number on the back of your card, or log in to your bank's official app or website to find the fraud reporting number. Do not use any phone number found in a suspicious email or text message — it may be part of the fraud.

What your bank can do

Freeze your card or account to prevent further unauthorised transactions
Investigate and potentially refund fraudulent transactions
Issue a replacement card
Add extra monitoring to your account

Your legal rights

Under the UK Payment Services Regulations 2017, you are generally entitled to a refund for unauthorised card or account transactions — provided you report them promptly and you were not grossly negligent. Report as quickly as possible; delays can affect your claim.

If you transferred money to a scammer

Banks that have signed up to the Authorised Push Payment (APP) Fraud Voluntary Code may reimburse victims who were deceived into making bank transfers. Ask your bank about this if it applies to your situation.

If you paid by credit card and were defrauded

You may also have a Section 75 claim against your credit card provider for any purchase or service over £100. Contact your credit card provider directly to raise a Section 75 dispute.

Report a Phishing Email

Phishing emails can be reported even if you didn't click anything. Your report helps take down malicious websites before they catch anyone else.

Any sender (general)Forward to report@phishing.gov.uk — the NCSC analyses these to remove malicious sites

Claiming to be from HMRCForward to phishing@hmrc.gov.uk

Claiming to be from Royal MailForward to reportascam@royalmail.com

Claiming to be from your bankContact your bank directly and forward the email to their fraud team

Via your email clientUse the "Report phishing" or "Report spam" button in Gmail, Outlook, Apple Mail

You don't need to add a message — just forward the email.

If a Company's Data Breach Has Affected Your Personal Data

If a company has been breached and your personal data was involved, you have legal rights under UK data protection law.

Contact the company directly
Companies have a legal obligation under UK GDPR to notify affected individuals if a breach is likely to significantly impact their rights and freedoms. Ask: what data was affected, what steps are they taking, and what do you need to do to protect yourself?
Protect yourself immediately
Change your password for that service. Change it on any other service where you used the same password. Enable two-factor authentication on your email and key accounts. Monitor your bank statements.
If you're not satisfied, report to the ICO
The Information Commissioner's Office (ICO) is the UK's data protection regulator. Report at ico.org.uk/make-a-complaint or call 0303 123 1113. The ICO investigates whether organisations have complied with UK GDPR and can issue enforcement action and fines.

If You've Been the Victim of a Scam

Report to Action Fraud

This covers all types of fraud — romance scams, investment scams, impersonation fraud, and purchase scams. See Step 1 above for contact details.

Contact your bank immediately

If any money was transferred, ask about the APP Fraud Code refund process (see Step 2 above).

Report on the platform

Facebook, Instagram, or WhatsApp: use the in-app “Report” function on the account or message
WhatsApp scam messages: forward to 7726(SPAM) from your mobile number — goes to your mobile provider's fraud team
Email scams: forward to report@phishing.gov.uk

Consider CIFAS Protective Registration

If your identity may have been stolen, CIFAS (cifas.org.uk) adds a flag to your credit file, warning lenders to take extra care with any applications in your name. This costs around £25 for two years.

What Happens After You Report?

Action Fraud

You'll receive a crime reference number automatically. The NFIB reviews reports — investigations are intelligence-led. You'll receive email updates if action is taken. Not hearing back does not mean your report was ignored.

Your bank

Banks have legal timescales to respond to fraud disputes. Most acknowledge within 24–48 hours. If you're unhappy with your bank's response, you can escalate to the Financial Ombudsman Service (financial-ombudsman.org.uk).

The ICO

The ICO will acknowledge your complaint and advise whether it falls within their remit. ICO investigations take time — often months. The ICO's role is regulatory: they enforce compliance and can fine organisations, but they do not provide individual financial compensation to victims.

Not sure if something has happened?

If you're worried but not certain your accounts have been compromised, start here: Am I Being Hacked? Signs and What to Do →

Don't wait for the next incident.

Your free Cyber Nova AI plan walks you through every step that reduces your risk — passwords, two-factor authentication, secure browsing, device protection. NCSC-aligned. Plain English. Free.

Get my free protection plan

Frequently asked questions

Do I have to report a cyber attack?

As a home user, you're not legally required to report a cyber attack. However, it is strongly recommended — particularly if financial fraud is involved, because reporting is often a condition for accessing bank refund rights. Your report also helps the authorities identify criminal patterns and protect others.

Will the police investigate my case?

For most individual cyber incidents, the police response is intelligence-led and collective. Your report joins a pattern of evidence used to identify and disrupt criminal networks. Direct personal investigations are more likely when there is significant financial loss, clear local suspects, or an organised crime connection.

How do I report a phishing email?

Forward it to report@phishing.gov.uk — the NCSC's Suspicious Email Reporting Service. You don't need to add any message. If you also clicked a link in the email, change your passwords for any accounts you entered and run a malware scan on your device.

What if the breach happened months ago and I only just found out?

Report it anyway. Action Fraud, the ICO, and your bank can all act on historical reports. While delays can affect some bank fraud refund claims, it is always worth reporting — you may still be entitled to a refund, and your report contributes to the intelligence picture.

Can I find out who hacked me?

In most cases, no — not directly. Cybercriminals typically operate from other countries and use anonymising tools. The authorities may be able to identify criminal groups from patterns of reports over time, but tracing an individual attack to a specific person is extremely difficult. Focusing on securing your accounts and preventing future incidents is more productive.

Get properly protected — free

Cyber Nova AI gives you a personalised cybersecurity plan based on NCSC guidance. Free to start. No technical knowledge needed.

Start my free security plan