The Australian Institute of Criminology has published its Cybercrime in Australia 2025 report, based on a nationally representative survey of 10,593 Australians. 45.5 percent of respondents were cybercrime victims in the 12 months prior to the survey. 63.9 percent had been victimised at some point in their lifetime.
The most common crime types: online abuse and harassment at 24.9 percent, at 21.5 percent, identity crime at 20.6 percent, and online fraud and scams at 11.1 percent.
What changed year on year
The headline victimisation rate held roughly steady from 2024. The more important story is in the mix.
Online fraud and scam victimisation rose from 9.7 to 11.1 percent. Pure victimisation rose from 2.5 to 3.2 percent, a 28 percent relative increase. Add ransomware-related data theft and extortion (where criminals steal data and threaten to publish it, sometimes without encrypting anything) and 5.8 percent of respondents received a ransom message on their device in the past year.
Financial account compromise went the other direction, dropping from 17.7 to 15.8 percent. Banks have been tightening controls, and that appears to be making a difference. But other forms of identity compromise (utility accounts, telecoms, health portals, government services) rose from 4.8 to 5.7 percent. Criminals are moving where the controls are weaker.
Who's getting hit hardest
SME owners, operators and managers were more likely than other employed Australians to be victimised across every crime category the survey measured. For malware specifically, 31.5 percent of SME respondents were victims in the past 12 months, compared to 20.4 percent of other workers.
One in four SME respondents said cybercrime had negatively impacted their business in the past year. The most commonly reported impacts:
- Operations disrupted: 28.7%
- Extra expenses incurred: 16.4%
- Business information lost: 15.9%
- Reputation or revenue damaged: 14.1%
- Staff impacts (people leaving or losing jobs): 10.0%, up from 5.9% in 2024
- Legal or regulatory issues: 7.9%, up from 5.1% in 2024
The staff and legal figures are worth watching. Staff impacts have nearly doubled year on year. Legal exposure is heading the same direction.
The reporting gap
Just over one in ten victims made an official report to police or ReportCyber. That figure has been broadly consistent across the AIC's Cybercrime in Australia series for several years.
The most common reasons for not reporting: victims didn't think the incident was serious enough, they were worried about shame or embarrassment, or they didn't know ReportCyber existed. That last one is notable. A government reporting portal has been operating for years and a meaningful share of victims still don't know it's an option.
Low reporting means incomplete national . It also means the actual scale of cybercrime is considerably larger than what shows up in law enforcement statistics.
Security behaviours are going the wrong way
The AIC survey tracks online safety strategy use alongside victimisation. For the second consecutive year, it fell. Fewer Australians are running antivirus software, using different passwords across accounts, or being careful with links from unknown senders. These aren't advanced controls. They're the basics, and adoption is declining.
The combination of declining security hygiene and rising ransomware victimisation points in one direction. Ransomware groups go where the math works: sensitive data, limited defences, high recovery cost. SMEs meet all three criteria more often than large enterprises, and the data reflects that.
What this means in practice
The remains the standard framework for baseline cyber defence in Australia, though the has recently announced plans to retire it. For SMEs without a dedicated security function, the three controls most directly relevant to ransomware are: patch applications, patch operating systems, and maintain regular offline backups. Application control adds another layer by preventing malicious software from executing even after a successful attempt.
The AIC data makes the direction clear. The threat environment isn't stabilising. It's shifting toward the paths of least resistance, and for too many Australian businesses, those paths run straight through their front door.



