94% of IT decision-makers are confident their current disaster recovery plan covers scenarios involving agentic AI systems.

56% of IT decision-makers place a high priority on protecting SaaS data and disaster recovery when implementing AI solutions.

53.9% of consumers believe AI could increase the risk of online fraud

Brute force attempts decreased 22% year-over-year.

Within dark web "database" activity, stealer logs comprised 67.12% of advertised/shared datasets, combolists 16.47%, and leaked credentials 5.96%.

Credential-stealer infections were dominated by RedLine with 911,968 infections (50.80%), Lumma with 499,784 infections (27.84%), and Vidar with 236,778 infections (13.19%).

In 2025, nearly 30% of people who reported losing money to a scam said it started on social media

Reported losses for social media scams reached $2.1 billion in 2025. This is about eight times the 2020 figure.

Social media was the most costly fraud contact method last year in terms of aggregate reported losses for every age group under 80, and ranked second after phone calls for those 80 and over.

In 2025, people reported more money lost to scams that started on Facebook than on any other social media platform. WhatsApp and Instagram were a distant second and third.

In 2025 people reported far more money lost to scams on Facebook alone than they reported losing to text or email scams.

Ransomware attacks among businesses have declined compared with the previous two years (1% this year down from 3% in both 2024/2025 and 2023/2024)

There has been an increase in businesses reporting that the breach or attack led to loss of revenue or share value (2% in 2024/2025 to 5% in 2025/2026) and an increase in those reporting it resulted in reputational damage (1% in 2024/2025 to 3% in 2025/2026).

Adoption of more advanced controls like two-factor authentication (47% businesses and 38% charities), a virtual private network for staff connecting remotely (36% businesses and 17% charities) and user monitoring (30% businesses and 31% charities) remain lower than other measures.

A formal cyber security strategy was in place for almost six in ten medium businesses (57%), rising to seven in ten large businesses.

Around one in seven businesses (14%) and one in five charities (22%) said they held personal data that was not protected by techniques such as anonymisation or encryption, suggesting that the majority do protect personal data (77% of businesses and 69% of charities).

Around a third of businesses (30%) conducted a risk assessment covering cyber security, in line with last year (29%).

Cyber security was considered a high priority for senior management in around seven in ten businesses (72%) and six in ten charities (60%).

Seeking external information or guidance on cyber security was reported by 44% of businesses and 31% of charities.

The most commonly cited individual source of information remained external cyber security or IT consultants/providers (27% of businesses and 13% of charities).