Skip to main content

Accessibility controls

Contrast
Main content area

Cybercrime - prosecution guidance

Updated: 26 September 2019, 31 January 2024, 3 July 2024, 5 July 2024, 15 July 2024|Legal Guidance, Cyber / online crime

Introduction

This guidance provides a summary of the main types of cybercrime offending and highlights where further guidance is available. This guidance explains:

  • The definition of cybercrime
  • Cyber-dependent crimes and the legislation which should be considered when reviewing and charging a cyber-dependent case;
  • Cyber-enabled crimes and the legislation which should be considered when reviewing and charging a cyber-enabled case, and
  • Practical and operational points to consider when prosecuting a cybercrime case.

Definitions

Cybercrime is an umbrella term used to describe two closely linked, but distinct ranges of criminal activity. The Government's National Cyber Security Strategy defines these as:

  • Cyber-dependent crimes - crimes that can be committed only through the use of Information and Communications Technology (‘ICT’) devices, where the devices are both the tool for committing the crime, and the target of the crime (e.g. developing and propagating malware for financial gain, hacking to steal, damage, distort or destroy data and/or network or activity).
  • Cyber-enabled crimes - traditional crimes which can be increased in scale or reach by the use of computers, computer networks or other forms of ICT (such as cyber-enabled fraud and data theft).

Cyber-Dependent Crimes

Cyber-dependent crimes fall broadly into two main categories:

  • Illicit intrusions into computer networks, such as hacking; and
  • the disruption or downgrading of computer functionality and network space, such as malware and Denial of Service (DOS) or Distributed Denial of Service (DDOS) attacks.

Cyber-dependent crimes are committed for many different reasons by individuals, groups and even sovereign states. For example:

  • Highly skilled individuals or groups who can code and disseminate software to attack computer networks and systems, either to commit crime or facilitate others to do so;
  • Individuals or groups with high skill levels but low criminal intent, for example protest hacktivists;
  • Individuals or groups with low skill levels but the ability to use cyber tools developed by others;
  • Organised criminal groups;
  • Cyber-terrorists who intend to cause maximum disruption and impact;
  • Other states and state sponsored groups launching cyber-attacks with the aim of collecting information on or compromising UK government, defence, economic and industrial assets; and
  • Insiders or employees with privileged access to computers and networks.

The majority of cyber criminals have relatively low skills levels, but their attacks are increasingly enabled by the growing online criminal marketplace, which provides easy access to sophisticated and bespoke tools and expertise, allowing these less skilled cybercriminals to exploit a wide range of vulnerabilities.

Hacking

Hacking is a form of intrusion targeted at computers, including mobile phones and personal tablet devices. It is the unauthorised use of, or access into, computers or networks by exploiting identified security vulnerabilities. Hacking can be used to:

  • gather personal data or information of use to criminals;
  • deface websites; or
  • launch DoS or DDoS attacks.

Cybercriminals may use a number of methods to hack into a computer system or network. In many cases, the offender may be motivated by personal profit or financial gain. Consideration should be given to the impacts associated with the primary offending behaviour as well as any subsequent offending. For larger organisations, the financial losses may be very significant, or may have severe impacts on infrastructure, which also need to be taken into account.

Disruption of Computer Functionality

Malware (malicious software) spreads between computers and interferes with computer operations. Malware may be destructive, for example, deleting files or causing system crashes, but may also be used to steal personal data. Prosecutors need to be aware that some programmes have a dual use. They have a legitimate function but can also be used for criminal purposes. Types of malware include:

  • Viruses are one of the most well-known types of malware. They can cause mild computer dysfunction, but can also have more severe effects in terms of damaging or deleting hardware, software or file They are self-replicating programs, which spread within and between computers. They require a host (such as a file) in a computer to act as a carrier, but they cannot infect a computer without human action to run or open the infected file.
  • Worms are also self-replicating programs, but they can spread autonomously, within and between computers, without requiring a host or any human action. The impact of worms can therefore be more severe than viruses, causing destruction across whole networks. Worms can also be used to drop Trojans onto the network system.
  • Trojans are malicious computer programs that present themselves as useful, routine, or interesting in order to persuade a victim to install it. This malware can perform functions, such as stealing data, without the user's knowledge and may trick users by undertaking a routine task while actually undertaking hidden, unauthorised action.
  • Spyware is software that invades users' privacy by gathering sensitive or personal information from infected systems and monitoring the websites visited. This information may then be transmitted to third partie Spyware can sometimes be hidden within adware (free and sometimes unwanted software that requires you to watch advertisements in order to use it). One example of spyware is key-logging software which captures and forwards keystrokes made on a computer, enabling collection of sensitive data such as passwords or bank account details.
  • Ransomware is software that can hold your data hostage, for example, a trojan may copy the contents of the ‘My Documents’ folder into a password- protected file and delete the original file. It will then send a message demanding payment in exchange for access to the folder.

Malware may be distributed by spam - unsolicited or junk email that is not targeted but typically sent in bulk to millions of recipients around the world.

A botnet is a term for a number of internet-connected computers under the control of a botnet controller. Usually the computers that make up a botnet have been infected with code that enables the botnet controller to undertake illegal activity through multiple devices.

A DoS attack is an attempt to make a machine or network resource unavailable to its intended users, to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet.

DDoS is where the attack source is more than one, and often thousands of, unique IP addresses. A common method is to flood an internet server with so many requests that they are unable to respond quickly enough. This can overload servers causing them to freeze or crash, making websites and web-based services unavailable to users.

Relevant Offences and Legislation

Computer Misuse Act 1990 (‘CMA1990’) is the main UK legislation relating to offences or attacks against computer systems such as hacking or denial of service.

The CMA 1990 deliberately does not define what is meant by a 'computer', to allow for technological development. In DPP v McKeown and, DPP v Jones [1997] 2 Cr App R 155 HL, Lord Hoffman defined computer as 'a device for storing, processing and retrieving information'; this means that a mobile smartphone or personal tablet device could also be defined as a computer in the same way as a traditional 'desk-top' computer or 'PC'.

There is jurisdiction to prosecute all CMA 1990 offences if there is "at least one significant link with the domestic jurisdiction" (England and Wales) in the circumstances of the case.

Offences under the CMA 1990:

  • Section 1 CMA 1990 – causing a computer to perform a function with intent to secure unauthorised access to computer material. This offence involves 'access without right' and is often the precursor to more serious offending. There has to be knowledge on the part of the offender that the access is unauthorised; mere recklessness is not sufficient. There also must have been an intention to access a program or data held in a computer. Note the offence is committed irrespective of whether access is obtained.
  • Section 2 CMA 1990 - unauthorised access with intent to commit or facilitate commission of further offence
  • Section 3 CMA 1990 - unauthorised acts with intent to impair the operation of a computer. The offence is committed if the person behaves recklessly as to whether the act will impair, prevent access to or hinder the operations of a computer. Section 3 should be considered in cases involving DDoS.
  • Section 3ZA - unauthorised acts causing, or creating risk of, serious damage, for example, to human welfare, the environment, economy or national security. This section is aimed at those who seek to attack the critical national infrastructure.
  • Section 3A CMA 1990 - making, supplying or obtaining articles for use in offences contrary to sections 1,3 or 3ZA CMA 1990. Section 3A CMA 1990 deals with those who make or supply malware.

There is jurisdiction to prosecute all CMA 1990 offences if there is "at least one significant link with the domestic jurisdiction" (England and Wales) in the circumstances of the case. Further guidance can be found in the prosecution guidance on the Computer Misuse Act 1990.

Under section 3(1) of the Investigatory Powers Act 2016 (‘IPA 2016’), which came into force on 27 June 2018, it is an offence to intentionally intercept a communication (in the UK and without lawful authority) in the course of its transmission by means of a public or private telecommunication system or a public postal service. Such offences are triable either way and any prosecution requires the DPP's consent.

A similar offence, now omitted under Schedule 10, paragraph 45 of the IPA 2016, existed under section 1 of the Regulation of Investigatory Powers Act 2000 (‘RIPA’) and continues to apply to offences committed before 27 June 2018.

Offences under sections 170 to 173 of the Data Protection Act 2018 (‘DPA 2018’) may be committed alongside cyber-dependant crimes. These include:

  • Knowingly or recklessly obtaining or disclosing personal data without the consent;
  • Procuring the disclosure of any personal data to another person without consent or after retaining personal data without the consent of that person
  • Selling personal data disclosed or retained without consent.

Further guidance can be found in the prosecution guidance on the DPA.

Cyber-Enabled Crimes

These are crimes which do not depend on computers or networks but have been transformed in scale or form by the use of the internet and communications technology. They fall into the following categories:

  • Economic related cybercrime, including:
    • Fraud
    • Intellectual property crime - piracy, counterfeiting and forgery
  • Online marketplaces for illegal items
  • Malicious and offensive communications, including:
  • Communications sent via social media or other electronic means
  • Cyber bullying/trolling
  • Virtual mobbing
  • Offences that specifically target individuals, including cyber-enabled violence against women and girls (‘VAWG’):
    • Disclosing private sexual images without consent
    • Cyber stalking and harassment
    • Coercion and control
  • Child sexual offences and indecent images of children, including:
    • Child sexual abuse
    • Online grooming
    • Prohibited and indecent images of children
  • Extreme pornography, obscene publications and prohibited images

Economic Related Cybercrime

Economic related cybercrimes include unauthorised access, sabotage or use of computer systems with the intention to cause financial gain to the perpetrator or financial loss to the victim. It may involve computer fraud or forgery, hacking to steal personal or valuable data for commercial gain or the distribution of viruses.

Victims may not report these crimes if, for example, they feel that the issue is trivial or do not actually recognise that what has happened to them is in fact a crime. Additionally, where individuals have had their bank account details accessed or hacked, either the bank or the individual or both may not report the crime if the individual is reimbursed by their bank. Similarly, some businesses may not report for the same reasons, or for fear of reputational damage, or may choose to deal with such issues internally.

Fraud

Cyber-enabled fraud is possibly the most common of all cybercrime offences. The internet allows offenders to hide their identities behind websites and email addresses, providing a forum in which they never have to meet a victim in person to commit the crime. Some offenders may also be part of a wider criminal gang who may also never meet each other, with members based anywhere in the world.

Online fraud can be committed in a number of ways. For example:

  • Electronic financial frauds, for example, online banking frauds and internet enabled card-not-present (CNP) fraud. Internet-enabled CNP fraud involves transactions conducted remotely, over the internet, where neither cardholder nor card is present. Related to this are e-commerce frauds, which refer more generally to fraudulent financial transactions related to retail sales carried out online. Both businesses and customers may be victims.
  • Fraudulent sales through online auction or retail sites or through fake websites, which may offer goods or services that are not provided. Alternatively buyers may be led to purchase a counterfeit product (when led to believe it was an original). This may also include other retail misrepresentations, such as online ticketing fraud
  • Mass-marketing frauds and consumer scams, including but not limited to:
    • Phishing: these scams are a particular kind of mass-marketing fraud - they refer specifically to the use of fraudulent emails disguised as legitimate emails that ask or fish for personal or corporate information from users, for example, passwords or bank account details. Phishing attempts can be sent out en masse to a range of potential targets;
    • Pharming, which occurs when a user is directed to a fake website, sometimes from phishing emails, to input their personal details; and
    • Online romance (or social networking/dating website) frauds. Individuals may be contacted via social networking or dating sites and persuaded to part with personal information or money following a lengthy online relationship.

Cyber criminals may seek to obtain personal and financial data for fraudulent purposes. Valuable forms of data may include:

  • personal information (names, bank details, and National Insurance numbers);
  • company accounts;
  • client databases; and
  • intellectual property (for example, new company products or innovations).

Action Fraud is the UK's national reporting centre for fraud and cybercrime and more details about specific types of cyber fraud is available from Action Fraud.

Relevant Offences and Legislation

Offences under the Fraud Act 2006 are applicable to a wide range of cyber-frauds by focussing on the underlying dishonesty and deception. The nature of the offending will dictate the appropriate charges, and prosecutors may also consider offences under the Theft Act 1968, Theft Act 1978, CMA 1990, Forgery and Counterfeiting Act 1981, and Proceeds of Crime Act 2002 (‘POCA 2002’).

Note that if an offender accesses data, reads it and then uses the information for his/her own purposes, then this is not an offence contrary to the Theft Act. Confidential information per se does not come within the definition of property in section 4 of the Theft Act 1968 and cannot be stolen (Oxford v Moss 68 Cr App R183 DC). It is likely however that this would constitute an offence under section 1(1) CMA 1990. Also, if it was done with the intent to commit or facilitate the commission of further offences, it would constitute an offence contrary to section 2(1) CMA1990.

Where there are a number of suspects allegedly involved in an online fraud, a statutory conspiracy under section 1 of the Criminal Law Act 1977, or common law conspiracy to defraud may be appropriate. Prosecutors should consider the Attorney General's Guidelines on the Use of the common law offence of Conspiracy to Defraud before making a charging decision. Where several people have the same access to a computer, one way to seek to prove the involvement of suspects will be to follow the payment trail as payments will often be required to be sent to a designated account, and may be attributed to an individual.

The acts of setting up a false social networking accounts or aliases could also amount to criminal offences under the Fraud Act 2006 if there was a financial gain, as under section 8 possession or making or supplying articles for use in frauds includes any program or data held in electronic form. For further guidance see the prosecution guidance on the Fraud Act 2006.

Intellectual Property Crime (Piracy, Counterfeiting and Forgery)

Intellectual property is defined as a right by an owner, of a copyright, design, patent or trademark. Intellectual property crime can cover a wide range of activities, such as the unauthorised use of another's intellectual property, through the manufacture, use, sale/import of the property without prior permission.

Most intellectual property crime falls under the umbrella of counterfeiting goods, where trademarks are wilfully infringed (see below) and breaches of copyrights, which are usually termed as piracy, and the development of technology to enable such offences to be committed.

Piracy is the unauthorised copying of an original recording for profit. Pirated products will often have different packaging to the genuine product and may often take the form of newly created compilations.

The internet may be used to distribute, share or make available pirated music, films, games or other items in the following ways:

  • Use of legitimate file sharing technologies to share copies of music and films e without permission of the intellectual property right holder;
  • Posting protected content on a webpage without permission, for example, uploading a copy of a new cinema release;
  • Streaming live sports matches, or concerts, out to audiences directly over the internet, without permission; and
  • Putting protected content, like a video game, into a cyber- locker, or online storage system, and providing the details on how to access the content on the internet, or a specific group of people.

Counterfeiting is when money or currency is forged but may also relate to goods if they are not manufactured or produced by the designated manufacturer or producer given on the label or flagged by the trademark symbol. The internet may be used as a way of counterfeiting goods, and physical copies of pirated media through:

  • offering items, either billed as genuine, or clearly fake, for sale through online shops and auction sites, or on social networking sites;
  • Setting up and running sophisticated websites, for example which purport to be genuine retail outlets; and
  • Using easily available technology to set up websites offering fake goods, either billed as genuine, or clearly fake.

Forgery involves making a false object or document with the intention to induce somebody to accept it as genuine and thereby act to his own or another's prejudice. Computers (including computer files), mobile phones, social networking and internet sites can all be used in the creation and transmission of forged or falsified instruments or documents. Moreover, the documents or instruments created can also be used for further offending.

Relevant Offences and Legislation

Cyber piracy of music/films/e-books and other items is copyright infringement and is an offence under the Copyright Designs and Patents Act 1988. Counterfeiting goods is a trade mark infringement and is an offence under the Trade Marks Act 1994.

Consideration should also be given to the Counterfeiting and Forgery Act 1981, Video Recordings Act 2010, the Registered Designs Act 1949.

As well the predicate intellectual property offences governed by the relevant legislation, general statutory offences under the Fraud Act 2006 and money laundering offences under Part 7 of POCA 2002 should also be considered.

For instance, if an individual offers a fake item for sale online, which they falsely represent to be a genuine article, prosecution under the Forgery and Counterfeiting Act 1981 should be considered, alongside offences under the Fraud Act 2006 and POCA 2002.

In instances where an individual offers fake identity documents online, prosecution should also be considered under the Identity Documents Act 2010, where the document is one prescribed under section 7.

For further guidance see the prosecution guidance Forgery and Counterfeiting.

Online Marketplaces for Illegal Items

Online marketplaces are used by criminals to not just to trade cyber skills, tools and techniques, but to trade and sell other illegal items, such as stolen credit card details, drugs and firearms. These marketplaces are often 'hidden' online, and facilitated by individuals coordinating the trading of these goods.

Where more than one individual is collectively running such a website, a charge of conspiracy against those doing so, under section 1(1) of the Criminal Law Act 1977, may be considered.

However, when considering a case involving the trading of illegal goods online, it is advisable to consider charges against individuals 'selling', or facilitating the selling of objects online, as distinct from those who are 'buying'. Each case must be considered on its merits, but in many instances, there may not be sufficient evidence to demonstrate a large conspiracy between multiple users of one marketplace, where a number of seemingly distinct transactions have been made.

If an individual is selling or facilitating the trading of illegal goods online, consideration should be given to charges of encouraging or assisting an offence, under section 46 of the Serious Crime Act 2007. It can be charged where the defendant does an act capable of encouraging or assisting the commission of one or more of a number of offences, believing one or more will be committed.

Where individuals are suspected of purchasing illegal goods online, consideration should be given to charges of attempting to commit an offence, such as one under the Fraud Act 2006, Misuse of Drugs Act 1971, or Firearms Act 1968, where it can be proved the suspect has gone beyond the preparatory stage of doing so. A charge of conspiracy under section 1(1) of the Criminal Law Act 1977, or the common law offence of conspiracy to defraud, may also be appropriate.

Dark Web

The dark web comprises of internet sites and content that are, intentionally hidden and inaccessible through standard web browsers. The dark web is used to facilitate criminal activity across a wide range of threats and can be used by criminals to create so-called “safe spaces” for conspiring to commit offences, such as child sexual exploitation or the sale and purchase of illegal items (such as drugs or firearms).

Malicious and Offensive Communications

Every day millions of communications are sent via the internet and online platforms such as social media and photo sharing sites. Some individuals use these online forums to send abusive, threatening, indecent, offensive and false messages that could be capable of committing a criminal offence.

Electronic Communications

When considering whether an offence might be committed by electronic communication, including via social media, prosecutors should make an initial assessment of the content of the communications and the conduct in question to distinguish between those which:

  1. are a credible threat (violence to the person or damage to property);
  2. specifically target an individual or individuals and which may constitute harassment or stalking, controlling or coercive behaviour, disclosing private sexual images without consent, an offence under the Sexual Offences Act 2003, blackmail or another offence;
  3. are breaches of court orders or a statutory provision; and
  4. are grossly offensive, indecent, obscene or false.

Relevant Offences and Legislation

Before the commencement on 30 January 2024 of the communications offences in Part 10 of the Online Safety Act 2023 (‘OSA 2023’), specific communications offences available to prosecutors were

the summary offences under section 127 of the Communications Act 2003(‘CA 2003’)

the either-way offences under section 1 of the Malicious Communications Act 1988 (‘MCA 198’) [which became either-way offences from 13 April 2015, under section 2 Criminal Justice and Courts Act 2015]; and

the either-way offence of ‘revenge pornography’ under section 33 of the Criminal Justice and Courts Act 2015 (‘CJA 2015’)

For communications offences committed prior to 30 January 2024, the offences in section 127 CA 2003 (subject to the extended summary time limit in section 127(5) CA 2003), and section 1 MCA 1988 continue to remain available.

For communications offences committed on or after 30 January 2024, the OSA 2023 has repealed:

The either-way offence of sending a threatening communication under section 1(1)(a)(ii) MCA 1988;

The offences of sending false messages under section 127 of the Communications Act 2003 and s.1 of the Malicious Communications Act 1988; and

The either-way offence of Revenge Pornography under s.33 of the Criminal Justice and Courts Act 2015.

Part 10 of the OSA 2023, in force from 30 January 2024, has introduced a series of new communications offences, including:

  • A false communications offence under Section 179 OSA 2023
  • A threatening communications offence under Section 181 OSA 2023
  • An offence of sending/showing flashing images electronically (also known as epilepsy trolling) under Section 183 OSA 2023
  • An offence of sending photographs or film of genitals (also known as cyber-flashing) under a newSection 66A of the Sexual Offences Act 2003 [as inserted by Section 187 OSA 2023]
  • An offence of encouraging or assisting serious self-harm, under Section 184 OSA 2023
  • Offences of sharing or threatening to share intimate photographs or film, under a new Section 66B(1)-(4) and Section 66C of the Sexual Offences Act 2003 [as inserted by Section 188 OSA 2023]

Prosecutors should be careful to apply the provisions which were in force at the date an offence was committed.

Cyber-Bullying/Trolling

Cyber bullying is bullying that takes place using communications technology, such as social media, but also text messages, apps, chats, emails and other forms of communication. Depending on the nature of the bullying, it may also constitute criminal activity and prosecutors should apply the principles outlined in the prosecution guidance on communications Offences when considering allegations of this nature. For example, cyber bullying might involve harassment, threatening behaviour, sending false information about someone, impersonation, cyber stalking or grossly offensive messages.

It is important to remember that evidence of bullying online may be indicative of bullying and possible further offences offline too.

Virtual Mobbing

Virtual mobbing occurs when a number of individuals use social media or messaging to make comments about another individual, usually because they are opposed to that person's opinions. As above, the principles outlined in the prosecution guidance on communications sent by social media should be applied. In cases where certain individuals encourage others to send such messages, prosecutors should consider offences of encouraging or assisting crime under sections 44-46 under the Serious Crime Act 2007.

False accounts

Setting up a false social networking accounts or aliases could amount to criminal offences under the Fraud Act 2006 if there was a financial gain. Under section 8 possession or making or supplying articles for use in frauds includes any program or data held in electronic form. Some social networking sites may disable false accounts when they became aware of them.

Offences that specifically target Individuals (including Cyber-Enabled VAWG)

Developments in technology have also created a new landscape for controlling, sexually-motivated or other forms of interpersonal relationship offending. Disclosing private sexual images without consent, cyber stalking and harassment, and coercive and controlling behaviour crimes are predominately but not exclusively perpetrated against women and girls, with online activity being used to humiliate, control and threaten as well plan and orchestrate acts of violence.

Such crimes are often part of a wider pattern of behaviour and incidents should be viewed within this wider context which can encapsulate both online and offline activity, including physical abuse. All VAWG related charging decisions should consider the context of the crime including the potential use of social media to exert power and control. For example, in cases of 'honour' based violence and forced marriage, threats to post personal information on social media can be used to bring shame on victims in order to silence and coerce.

Offences under the CMA 1990, such as unauthorised access to computer material with the intent to commit further offences or to impair the operation of a computer, are also often part of a wider pattern of coercive and controlling offending or stalking and harassment. For example, a stalking victim may have their bank or social media accounts compromised or private intimate photographs copied from their computer hard drive, leading to a range of harm from theft and defamation to a physical attack.

As with online romance fraud, offenders may use online dating sites or social media to facilitate offending under the Sexual Offences Act 2003, by arranging to meet a victim with a view to committing rape or other sexual offences. See the prosecution guidance on Rape and Sexual Offences for further information.

Disclosing private sexual images without consent ('revenge pornography')

Having been repealed by the OSA 2023, the offence under section 33 CJCA 2015 remains available for offences committed on or after 13 April 2015 and prior to the date of commencement of Part 10 OSA 2023 on 30 January 2024. Initially limited to offences of ‘disclosing’, the offence was extended from 29 June 2021 to include ‘threatening’ to disclose private photos/film.

Section 33 of the Criminal Justice and Courts Act 2015 provides for an offence of disclosing (or threatening to disclose) private sexual photographs or films without the consent of an individual who appears in them and with intent to cause that individual distress.

The legislation specifies the offence as "photographs or films which show a person engaged in sexual activity or depicted in a sexual way where part or all of their genitals or pubic area is exposed, and where what is shown would not usually be seen in public".

The offence is known colloquially as "revenge pornography", which is a broad term that usually refers to the actions of an ex-partner, who uploads a sexually intimate photograph or a video where a person is engaged in a sexual activity on to the internet, or shares by text or email, with the intent of causing the victim humiliation or embarrassment as revenge for the breakup of their relationship. For further information, see the Communications Offences prosecution guidance.

Cyberstalking and online harassment

Generally, cyberstalking is described as a threatening behaviour or unwanted advances directed at another, using forms of online communications. Cyberstalking and harassment are often combined with other forms of 'traditional' stalking, such as being followed or, receiving unsolicited phone calls or letters, as well as 'traditional' forms of harassment. Examples of cyberstalking may include:

  • threatening or obscene emails or text messages;
  • spamming (where the offender sends the victim multiple junk emails);
  • live chat harassment or flaming (a form of online verbal abuse);
  • leaving improper messages on online forums or message boards;
  • trolling or cyber bullying;
  • sending electronic viruses;
  • sending unsolicited email; and
  • cyber identity theft.

In such cases the gathering of data from electronic storage devices and social networking sites will be vital for case building. For further guidance, see the prosecution guidance on Stalking and Harassment and Social Media.

Coercion and Control

The Serious Crime Act 2015 introduced a domestic abuse offence to capture coercive and controlling behaviour in intimate and familial relationships. This offence closed a gap in the law around patterns of coercive and controlling behaviour in an on-going relationship between intimate partners or family members. The pattern of behaviour and access to resources that the victim has must be considered when contemplating this offence. The use of the internet, social media, spyware and software to track and monitor the whereabouts of a victim and control their contact with others must be taken into account. For further guidance see the prosecution guidance Controlling or Coercive Behaviour in an Intimate or Family Relationship, Domestic Abuse andStalking and Harassment.

Child Sexual Offences and Indecent Images of Children

The rapid growth of cyberspace has given perpetrators of child sexual abuse, and those who create and disseminate indecent images, a range of new tools to facilitate their offending. These crimes can be perpetrated through various social media, such as chat rooms, social networking sites, gaming devices that connect to the internet, as well as through direct email addresses or mobile numbers belonging to victims.

Child Sexual Abuse

Cyberspace has the potential to allow offenders to target hundreds of children at a time and once initial contact with a child is made, the children may be subjected to threats and intimidation. The online abuse can be an end in itself without any contact offences taking place. However, contact offences may occur through arranging to meet up with the child, or persuading them to engage in sexual activity whilst they are filmed or photographed. Further offending may also occur through the dissemination of these films or photographs.

Offenders for example may use various control elements as a tool to stop a victim reporting the sexual abuse (the control might take the form of threatening to publish photographs or recordings of them, including images of the victim being naked or being abused).

Charges under the Sexual Offences Act 2003, Sexual Offences Act 1956 and Indecency with Children Act 1960 may all be considered. Note that section 69 of the Serious Crime Act 2015 created the offence of possessing a paedophile manual or any item that contains advice or guidance about abusing children sexually. This offence captures material giving advice on how to entrap or groom a child, commit other child abuse offences and escape capture. For further guidance, see the prosecution guidance on Child Sexual Abuse and Rape and Sexual Offences.

Online grooming

Predatory individuals may access internet sites that children and young people visit in order to search for potential victims by location or interest. Children and young people may often reveal personal information online, such as where they live or go to school, or their family name, which is used by groomers to manipulate behaviours and build relationships with their victims. Information may be published through a number of different online platforms which are accessible to others, including social networking sites, multi-player gaming portals and other web-based forums.

Section 36 of the Criminal Justice and Courts Act 2015 amends section 15 of the Sexual Offences Act 2003 (the offence of meeting a child following sexual grooming etc.) so that the number of initial occasions on which the defendant must meet or communicate with the child in question in order to commit the offence is reduced from two to one.

Following any initial communication or meeting, the defendant must intentionally meet, arrange to meet or travel with the intention of meeting the child, or the child must travel with the intention of meeting the defendant; and the defendant must intend to do something to or in respect of the child during or after any meeting which would, if done in England and Wales, amount to an offence under Part 1 of the Sexual Offences Act 2003.

Section 36 came into force on 13 April 2015. The offence can only be committed as amended (i.e. by proof of a single initial communication or meeting) if that communication or meeting took place on or after 13 April 2015.

For further guidance, see the prosecution guidance on Child Sexual Abuse.

Indecent Images of Children (IIOC)

The use of cyberspace and the variety of digital tools available has further facilitated the taking, making, showing and distribution of indecent images of children. Advances in digital programs, technological solutions and enhanced computer graphics have also made it easier to create 'pseudo-photographs' of children.

It is an offence for a person to take, make, distribute or advertise indecent images of children. The main offences for consideration when dealing with this type of offending fall within:

  • Section 1 of the Protection of Children Act 1978 (‘PCA’)
  • Section 160 of the Criminal Justice Act 1988 (‘CJA’)

These are either way offences, but offences under the PCA are likely to be the appropriate charges in the majority of cases, as the charge of 'making' under section 1(1)(a) has been developed to cover activities such as opening attachments to emails and downloading or simply viewing images on the internet (as a copy of the image will automatically be created on the device in question's hard drive). By contrast, the same conduct often cannot lead to a possession charge contrary section160 of the CJA.

The decision of whether to charge 'making' under section 1(1)(a) of the PCA, or 'possessing' contrary to section 160 of the CJA will often depend how the images came to be located on a device and how accessible they are.

Section 1 of the PCA has a maximum sentence of 10 years' imprisonment. Section 160 of the CJA carries a maximum sentence of 5 years' imprisonment.

For further guidance on this and cases involving non-photographic images, such as computer generated images (CGI's), cartoons, manga images and drawings, see the prosecution guidance on Indecent and Prohibited Images of Children.

Extreme Pornography and Obscene Publications

Whilst the creation of extreme pornography, obscene publications and prohibited images are offences in their own right, cyber-enabled dissemination, usually on a large scale, may also be occurring and should be considered by prosecutors. Dissemination can be via various avenues such as chat rooms, social networking sites, gaming devices that connect to the internet, as well as through a direct email address or mobile number.

Extreme Pornography

When considering what may be classified as extreme pornography, it should be borne in mind that all extreme pornography is obscene as defined by the Obscene Publications Act 1959; however, not all obscene material is extreme.

The offence of possessing extreme pornographic images, under section 63 of the Criminal Justice and Immigration Act 2008, requires the consent of the DPP to institute proceedings and should be sought at the earliest opportunity. Consent cannot be implied by the fact that the CPS is conducting proceedings.

Obscene Publications

The Obscene Publications Act 1959 (‘OPA’) was amended to deal with electrically stored data or the transmission of that data. Transmitting comments to another person in the context of an internet relay chat is publication, even if there is just one recipient and one likely reader of the article. If the publication is obscene, prosecution under the OPA can be considered. For further guidance, prosecutors should refer to the prosecution guidance Obscene Publications.

Casework Handling

Digital Evidence Gathering

Computer systems and their components can provide valuable evidence. The hardware and software together with items stored on the computer itself, such as documents, photos, image files, photographs, emails and attachments, databases, financial information, internet browsing history, chat logs, event logs etc. can all be used as potential sources of evidence.

Games consoles connected to the internet may also provide a source of electronic evidence. Some devices will contain on-board or removable flash storage which allows the user to not only play games, but to also visit websites and store videos, photos, messages etc.

Many mobile phones have multimedia functionality, allowing internet access and access to email, in addition to sending text messages and photographs. Different phones will have varying capabilities and often require specialist equipment to capture the information effectively whilst retaining the integrity of the evidence. Portable media players (such as tablets or music players) may also be used to store and play digital media.

Digital evidence and communications data can also be obtained directly from Communication Service Providers (‘CSPs’) as well as from computers and digital storage devices. Investigators have the power to serve orders on CSPs that oblige them to disclose communications data. Many CSPs are based in the US and may be obtained through Mutual Legal Assistance (‘MLA’, see below).

Verifying the origin and use of some digital evidence can be challenging as it may have been created using complex codes and data, but this should not be seen as a barrier to presenting digital evidence in court. It is important to stress that digital evidence is no different to other evidence, however it is worth noting that:

  • digital evidence can be easily altered by a user and may sometimes be hard to detect;
  • some digital evidence may need to be interpreted by a specialist;
  • some evidence may be altered or destroyed through normal use (for example, saving a document alters its properties); and
  • the nature and source of digital evidence is constantly evolving as the technology advance

It is important that evidence is handled in an appropriate way from the moment it is identified.

See also to the ACPO (now NPCC) Good Practice Guide for Computer-Based Electronic Evidence.

When presenting communications data in court, careful consideration must be given to the way in which it will be presented to the jury and make it as simple to understand as possible.

Disclosure Management

A complex cybercrime case is likely to have voluminous electronic data, including communications data and other computer downloads, GPS data, memory or cloud storage, banking evidence and digital tachographs. The disclosure of unused electronic data must be carried out in accordance with the Criminal Procedure and Investigations Act 1996 (CPIA). The normal rules of disclosure apply to material in electronic form and prosecutors are responsible for serving evidence as is appropriate to prove the case for the prosecution, in accordance with the Criminal Procedure Rules. Bulk electronic material should not be served wholesale without consideration of this overriding principle.

For further information, see guidance on Disclosure - Guidelines on Communications Evidence and Disclosure - A guide to "reasonable lines of enquiry" and communications evidence.

Jurisdiction

Where jurisdiction is challenged, the courts look at where the site is hosted, its intended audience, the material posted, the nationality of the webmaster and where the information was created and downloaded, applying the 'substantial measure' principle set out in R v Smith (Wallace Duncan) (no.4) (2004) 2 Cr App R 17, which states:

"The English Courts … seek … to apply the English criminal law where a substantial measure of the activities constituting the crime take place in England, and restricts its application in such circumstances solely to cases where it can seriously be argued on a reasonable view that these activities should on the basis of international comity not be dealt with by another country."

R v Sheppard and Whittle (2010) EWCA Crim 65, Sheppard posted racially inflammatory material to a website, registered in his name and operated by him, but based in California. Once the material reached the server in California, it was posted online and made available on the internet to all those visiting the website, including people in the jurisdiction of England and Wales. The court came to the conclusion that jurisdiction was governed by the substantial measure principle enunciated by the court in R v Smith (supra). Everything in the case related to England and Wales except for the server being in California.

International Enquiries

MLA is a method of cooperation between states for obtaining assistance in the investigation or prosecution of criminal offences. MLA is generally used for obtaining material that cannot be obtained on a police cooperation basis, particularly enquiries that require coercive means. Requests are made by a formal international Letter of Request (LOR), usually on the basis of a bilateral treaty or multilateral convention. In cases where the requirement of information may be for only traffic or communications data (rather than content), then an LOR is unlikely to be required; some information could be sought directly from the CSP. For further guidance, see the prosecution guidance on International Enquiries.

Note that when the relevant provisions are commenced, the Crime (Overseas Production Order) Act 2019 will provide an alternative approach to obtaining material from CSPs overseas.

Joint Investigation Teams

Complex cybercrime investigations often span several jurisdictions. Investigators and prosecutors need to be able to co-ordinate their approach and respond quickly to developments and opportunities to disrupt or prevent illegal activity, obtain evidence and make arrests. Consideration should be given as to whether a Joint Investigation Team (‘JIT’) is appropriate.

A JIT is a team set up between two or more countries, under judicial supervision, for the purpose of investigating specific serious cross-border crime and with a limited duration. The legal basis of a JIT is under Article 13 of the EU Convention on Mutual Legal Assistance in Criminal Matters 2000, Article 20 of the Second Additional Protocol to Council of Europe Convention on Mutual Assistance in Criminal Matters 1959, the UN Convention against Illicit Traffic in Narcotic Drugs and Psychotropic Substances 1988, UN Convention against Transnational Organised Crime 2000, or the UN Convention against Corruption 2003.

There are a number of advantages in considering a JIT for a complex case. For example, it allows JIT members to:

  • share information directly / request investigative measures without the need for MLA;
    • be present at house searches, interviews, etc;
    • co-ordinate efforts on the spot;
    • informally exchange specialised knowledge;
  • build mutual trust between practitioners from different jurisdictions working together and deciding on investigative and prosecution strategies; and
  • enable Eurojust and Europol to be involved with direct support and assistance.

Eurojust can assist when considering the creation of a JIT, or when dealing with jurisdictional and logistical issues where offending occurs in more than one country. It provides a neutral venue for meetings where prosecutors and investigators from two or more Member States can review such cases and agree future actions. Early consultation with the UK desk at Eurojust when dealing with transnational crime is recommended, particularly if the offending occurs in three or more EU Member States.

The aim of a JIT is to encourage and modernise co-operation between judicial and law enforcement agencies in EU Member States.

Further assistance

The Global Prosecutors E-Crime Network (‘GPEN’) was launched in 2008 with the aim of assisting countries to establish a safe and secure online environment, by ensuring prosecutors have the tools to deal effectively with cybercrime. Under the umbrella of the International Association of Prosecutors (‘IAP’) each organisational member nominates at least one prosecutor to be registered as the GPEN national contact point. The GPEN network provides a:

  • database of nominated e-crime prosecutors from around the world;
  • forum for the exchange of expertise, queries and advice;
  • collection of e-crime prosecution resource material, for example; national legislation and prosecution guidance;
  • virtual Global E-Crime Prosecutors' College, a database of e-crime training courses and presentations; and
  • global community of e-crime prosecutors sharing expertise and experience.

GPEN was the initiative of the CPS and since its inception the CPS has promoted GPEN both nationally and internationally, has contributed training material to the GPEN library and has assisted in capacity building in a number of countries. To access GPEN please contact IJOCD Policy.

Annex A: Cybercrime types and related Cyber-Dependent Offences

Hacking
OffencesGuidance
  • Section 1 of the Criminal Law Act 1977
  • Sections 1-3ZA CMA
  • Section 1 IPA 2016
  • Sections 44-46 Serious Crime Act 2007
  • Part 7 POCA 2002
  • Section 170 of the DPA
  • Computer Misuse Act 1990
  • Covert Law Enforcement Manual
  • Proceeds of Crime
  • Fraud
Manufacture and/or distribution of virus software, Trojans, malware and Worms
OffencesGuidance
  • Sections 1 - 3ZA CMA
  • Section 7 Fraud Act 2006
  • Sections 44-46 Serious Crime Act 2007
  • Section 6 Fraud Act 2006
  • Section 7 Fraud Act 2006
  • Part 7 POCA 2002
  • Computer Misuse Act
  • Proceeds of Crime
  • Fraud
Manufacture and use of Spyware
OffencesGuidance
  • Sections 1 - 3ZA CMA
  • Sections 6 - 7 Fraud Act 2006
  • Section 45 Serious Crime Act 2007
  • Sections 44-46 Serious Crime Act 2007
  • Part 7 POCA 2002
  • Section 170 DPA
  • Computer Misuse Act
  • Proceeds of Crime
  • Fraud

 

Annex B: Cybercrime types and related Cyber-Enabled Offences

Fraudulent sales through online auction/retail sites; Scams and mass-marketing frauds; Phishing scams
OffencesGuidance
  • Section 2-3 of CMA 1990
  • Sections 1–2 Fraud Act 2006
  • Section 6 Fraud Act 2006
  • Theft Act 1968 and Theft Act 1978
  • Section 1 Criminal Law Act 1977
  • Part 7 POCA 2002
  • Forgery and Counterfeiting Act 1981
  • Section 170 DPA 2018
Online Romances / Persuasive Tactics with Intent to Deceive / Defraud
OffencesGuidance
  • Sections 1–2 Fraud Act 2006
  • Fraud
Intellectual Property
OffencesGuidance
  • Sections 107, 198, 296ZB and 297 Copyright Designs and Patents Act 1988
  • Section 92 Trade Marks Act 1994
  • Sections 9-14 Video Recordings Act 2010
  • Fraud Act 2006
  • Part 7 POCA 2002
  • Video Recording Act 2010
  • Not available
Forgery and Counterfeiting
OffencesGuidance
  • Sections 1-5 Forgery and Counterfeiting Act 1981
  • Sections 4-6 Identity Document Act 2010
  • Forgery and Counterfeiting
Selling Illegal Goods Online
OffencesGuidance
  • Section 1 Criminal Law Act 1977
  • Section 46 Serious Crime Act 2007
  • Not available
Purchasing Illegal Goods Online
OffencesGuidance
  • Section 1 Criminal Law Act 1971
  • Predicate offences, under, for example, the Fraud Act 2006, Misuse of Drugs Act 1971, or the Firearms Act 1968
  • Fraud
  • Drug Offences
  • Firearms
Malicious Communications
OffencesGuidance
  • Section 1 Malicious Communications Act 1988 (NB repealed in part by OSA 2023)
  • Section 127 Communications Act 2003 (NB repealed in part by OSA 2023 from 30/01/2024)
  • Section 179 OSA 2023 (available from 30/01/2024)
  • Section 181 OSA 2023 (available from 30/01/2024)
  • Communications Offences
Cyber Bullying/Trolling
OffencesGuidance
  • Sections 125-127 Communications Act 2003 (NB s.127 repealed in part by OSA 2023 from 20/01/2024)
  • Section 183 OSA 2023 (available from 30/01/2024)
  • Section 184 OSA 2023 (available from 30/01/2024)
  • Sections 2-5 Protection from Harassment Act 1997
  • Sections 44-46 Serious Crime Act 2007
  • Communications Offences
  • Stalking and Harassment
Disclosing Private Sexual Images without Consent
OffencesGuidance
  • Sections 33-35 and Schedule 8 of the Criminal Justice and Courts Act 2015 (NB repealed by OSA 2023 with effect from 30/01/2024)
  • Section 66B(1)-(4) and Section 66C Sexual Offences Act 2023 (available from 30/01/2024)
  • Sections 2-5 Protection from Harassment Act 1997
  • Section 1 PCA 1978 (where the image was taken before the subject was 18)
  • Section 1 CMA 1990 (where the images have been obtained through computer hacking)
  • Section 21 Theft Act 1968
  • Communications Offences
  • Stalking and Harassment
Cyber-Stalking and Online Harassment
OffencesGuidance
  • Sections 2-5 Protection from Harassment Act 1997
  • Sections 125-127 Communications Act 2003 (NB s.127 repealed in part by OSA 2023 from 30/01/2024)
  • Section 1 Malicious Communications Act 1988 (NB repealed in part by OSA 2023 from 30/01/2024)
  • Section 179 OSA 2023 (available from 30/01/2024)
  • Section 181 OSA 2023 (available from 30/01/2024)
  • Stalking and Harassment
  • Communications Offences
Coercion and Control
OffencesGuidance
  • Section 76 Serious Crime Act 2015
  • Sections 2-5 Protection from Harassment Act 1997
  • Sections 125-127 Communications Act 2003 (NB s.127 repealed in part by OSA 2023 from 30/01/2024)
  • Section 1 Malicious Communications Act 1988 (NB s/127 repealed in part by OSA 2023 from 30/01/2024)
  • Sections 33-35 and Schedule 8 of the Criminal Justice and Courts Act 2015
  • Stalking and Harassment
  • Communications Offences
  • Domestic Abuse
Child Sexual Offences and Indecent Images of Children (IIOC)
OffencesGuidance
  • Sections 12, 14 and 15 Sexual Offences Act 2003
  • Section 66B(1)-(4) and Section 66C of the Sexual Offences Act 2003 (available frim 30/01/2024)
  • Child Sexual Abuse
  • Communications Offences
Prohibited and Indecent Images of Children; Sexual Offences
OffencesGuidance
  • Sections 1- 7 PCA 1978
  • Section 160 Criminal Justice Act 1988
  • Section 62 (for non-photographic images) Coroners and Justice Act 2009
  • Indecent Images of Children (IIOC)
  • Child Sexual Abuse
  • Prohibited Images of Children
Extreme Pornography
OffencesGuidance
  • Section 63 Criminal Justice and Immigration Act 2008
  • Not available
Obscene Pornography
OffencesGuidance
  • Section 2 Obscene Publications Act 1959
  • Obscene Publications

Annex C: Abbreviations and Glossary

This glossary has been created in order to assist juries in Cyber-crime cases. It has provided basic definitions of Cyber terms that may come up throughout the course of the trial.

The definitions included have been obtained from a variety of sources including the NCSC 2021 Glossary, the NCSC 2020 Glossary and the NCA Glossary.

Account (or user) Identifier

A Username is a special name given to a person to uniquely identify them on a computer network. Also called account names, login IDs, or user IDs, usernames are given to a person by the network administrator or they are selected by the user.

Address

An Internet address or Internet Protocol (IP) address is a unique computer (host) location on the Internet.

A Web page address is the defining directory path to the file on a particular server. A Web page address is also called a Uniform Resource Locator (URL).

An e-mail address is the location of an e-mail user.

Algorithm

An algorithm is a procedure used for solving a problem or performing a computation. Algorithms act as an exact list of instructions that conduct specified actions step by step in either hardware-based or software-based routines. Algorithms are widely used throughout all areas of IT.

Anonymisation

Anonymisation is the process of turning personal data into anonymous information so that an individual is not (or is no longer) identifiable.

Antivirus

Software that is designed to detect, stop and remove viruses and other kinds of malicious software.

App

Short for Application, typically refers to a software program for a smartphone or tablet.

Application

An application, also referred to as an application program or application software, is a computer software package that performs a specific function directly for an end user or, in some cases, for another application. An application can be self-contained or a group of programs.

Archive file

An archive is a collection of data moved to a repository for long-term retention, to be kept separate for compliance reasons or for moving off primary storage media.

Artefacts (and artifacts)

Artifacts are residual traces left behind by the actions of attackers or malicious actors within a computer system or network. These artifacts can include log files, event records, system logs, network traffic captures, timestamps, registry entries, and more.

AI (Artificial Intelligence)

Artificial intelligence is the simulation of human intelligence processes by machines, especially computer systems. Specific applications of AI include expert systems, natural language processing, speech recognition and machine vision.

Bandwidth

Bandwidth specifically refers to the capacity at which a network can transmit data. For example, if the bandwidth of a network is 40 Mbps, it implies that the network cannot transmit data faster than 40 Mbps in any given case.

Basic subscriber information (bsi)

Basic Subscriber Information means: (A) Name, (B) address, (C) local and long distance telephone connection records or records of session times and durations, (D) length of service, including start date, and types of services utilized, (E) telephone or instrument number or other subscriber number or identity, including any assigned Internet protocol address, and (F) means and source of payment for such service, including any credit card or bank account number.

Bitcoin (BTC)

Bitcoin is a digital currency which operates free of any central control or the oversight of banks or governments. Instead, it relies on peer-to-peer software and cryptography. A public ledger records all bitcoin transactions and copies are held on servers around the world.

Bot/s

“Bot” is short for robot. Criminals distribute malicious software (malware), this can turn your computer into a bot (also known as a zombie). When this occurs, your computer can perform automated tasks over the Internet, without your knowledge. Criminals typically use bots to infect large numbers of computers. These computers then form a network, or a botnet. Botnets will also be used to send spam emails, spread viruses, attack computers, servers, and commit other crimes and fraud.

Botnet

A network of infected devices, connected to the Internet, used to commit coordinated cyber attacks without their owner’s knowledge.

Bring your own device (BYOD)

An organisation’s strategy or policy that allows employees to use their own personal device for work purposes.

Browser

A software application which presents information and services from the web.

Brute force attack

The act of attempting to crack passwords in order to gain access to a computer system by testing them against every possible arrangement of upper case and lower case letters, numbers, punctuation marks and other characters. Also known as an “exhaustive key search” - essentially it consists of systematically checking all possible keys or passwords until the correct one is found.

Bruteforcing (Brute Force Attack)

Using a computational power to automatically enter a huge number of combination of values, usually in order to discover passwords and gain access.

Byte

A byte is a unit of data that is eight binary digits long. A byte is the unit most computers use to represent a character such as a letter, number or typographic symbol. Each byte can hold a string of bits that need to be used in a larger unit for application purposes.

Cache

A cache is hardware or software that is used to store something, usually data, temporarily in a computing environment. It is a small amount of faster, more expensive memory used to improve the performance of recently or frequently accessed data.

Checkout

Checkout is the point in the shopping process where consumers finalize their purchases and pay a business for certain products or services. As the world market for ecommerce continues to grow, this term has become increasingly associated with digital payments, typically made via a dedicated, secure webpage.

Cloud

Cloud computing is the use of various services over the internet, such as software development platforms, servers, storage, and software, often referred to as the cloud. It relies on sharing computer resources rather than having local servers or personal devices to handle applications.

Cloud Backup (or Managed Backup Service or Backup-as-a-Service)

Cloud backup is a service in which the data and applications on a business's servers are backed up and stored on a remote server. Businesses opt to back up to the cloud to keep files and data readily available in the event of a system failure, outage or natural disaster.

Cloud computing

Cloud computing is the delivery of computing services, including servers, storage, databases, networking, software, analytics, and intelligence over the internet (“the cloud”) to offer faster innovation, flexible resources, and economies of scale. You typically pay only for cloud services you use, helping you lower your operating costs, run your infrastructure more efficiently, and scale as your business needs change.

Cloud Storage Service (or File Hosting Service, Online File Storage Provider or Cyberlocker)

Cloud Storage is a mode of computer data storage in which digital data is stored on servers in off-site locations. The servers are maintained by a third-party provider who is responsible for hosting, managing, and securing data stored on its infrastructure.

Coding

Coding is used to write computer programmes or software. Highly-skilled coders are able to write sophisticated programmes (using 'scripts') to facilitate unauthorised access to networks or data.

Computer network

A computer network is a group of interconnected nodes or computing devices that exchange data and resources with each other. A network connection between these devices can be established using cable or wireless media.

Cookies

A cookie is a small piece of data sent from a website and stored in the user’s browser while the user browses that site. The cookie is sent back to the server to tell them what the user was previously browsing. Cookies store information for the site to use during the user’s current and possibly subsequent visits. Cookie information also provides targeted pop-up advertising.

Credentials

A user’s authentication information used to verify identity – typically one, or more, of passwords, taken, certificate.

Cryptocurrency (aka virtual currency)

A cryptocurrency is a digital currency, which is an alternative form of payment created using encryption algorithms. The use of encryption technologies means that cryptocurrencies function both as a currency and as a virtual accounting system. To use cryptocurrencies, you need a cryptocurrency wallet.

Cryptolocker

Specific ransomware software sending emails with attachments infected with the virus, once activated the malware infected the system offering to decrypt data for payment.

Crypto Wars

Crypto Wars is an unofficial name for attempts by the governments of the United States and allied governments to limit public and foreign nations' access to strong crypto to resist decryption by national intelligence agencies.

Cyber warfare

Offensive Cyber attacks between two nations.

Darknet/Darkweb

The dark web, also referred to as the darknet, is an encrypted portion of the internet that is not indexed by search engines and requires specific configuration or authorization to access.

Database

A database is an organized collection of structured information, or data, typically stored electronically in a computer system.

DDOS/Distributed Denial of Services

An assault on a network flooding it with so many bogus data requests that regular traffic is slowed or completely interrupted. The flood of incoming messages to the target system by thousands of separate computers (usually part of a botnet) essentially force a network to shut down, thereby denying service to the system to legitimate users. DDoS attacks have been used by extortionists who threaten a site with offline removal unless a ransom is paid.

Deep fake

Deepfakes are synthetic media that have been digitally manipulated to replace one person's likeness, either through imagery or over voice, convincingly with that of another.

Deleted files

A file that has been logically, but not necessarily physically, erased from the operating system, perhaps to eliminate potentially incriminating evidence. Deleting files does not always necessarily eliminate the possibility of recovering all or part of the original data.

Domain name

A domain name is an internet resource that is universally understood by web servers and online organisation. It provides all pertinent destination information and is used to access an organisation’s web-based service. In general, a domain name represents an IP resource. The top level domain (TLD) is the part of a URL which follows the dot, e.g. ‘com, net’.

Dox service/doxxed/doxxing

The word “doxing” (also spelled "doxxing") is derived from the term “dropping dox,” or “documents.” Doxing is a form of cyberbullying that uses sensitive or secret information, statements, or records for the harassment, exposure, financial harm, or other exploitation of targeted individuals.

Dynamic IP address

A dynamic IP address is an IP address that an ISP lets you use temporarily. If a dynamic address is not in use, it can be automatically assigned to a different device.

Encrypt/encryption

A mathematical function that protects information by making it unreadable by everyone except those with the key to decode it.

End user device (EUD)

Collective term to describe modern smartphones, laptops and tablets that connect to an organisation’s network.

End-to-end Encryption (E2EE)

End-to-end encryption (E2EE) is a method of secure communication that prevents third parties from accessing data while it's transferred from one end system or device to another. In E2EE, the data is encrypted on the sender's system or device, and only the intended recipient can decrypt it.

Exploit

May refer to software or data that takes advantage of a vulnerability in a system to cause unintended consequences.

Exploit kits

An exploit kit is a tool used for automatically managing and deploying exploits against a target computer. Exploit kits allow attackers to deliver malware without having advanced knowledge of the exploits being used.

Firewall

A software programme or feature built into hardware, sitting between a user’s computer or private network and net. A firewall filters incoming and outbound traffic, and therefore keeps computers secure from intruders.

Forum

A web application for holding discussions and posting user generated content. Forums are commonly referred to as web forums, message boards, discussion boards, groups, forums, bulletin boards, or simply forums. The terms “forum” and “board” may refer to the entire community or to a specific sub-forum dealing with a specific topic.

GB – Gigabyte

A gigabyte (GB) is a unit of data storage capacity that is roughly equivalent to 1 billion bytes.

Hack

Hacking in cyber security refers to the misuse of devices like computers, smartphones, tablets, and networks to cause damage to or corrupt systems, gather information on users, steal data and documents, or disrupt data-related activity.

Hack forums

A hack forum is an online forum providing stolen personal data used to facilitate criminal activity.

Hacker

An individual skilled with computer systems and software, who pushes the limits of software or hardware. Some hackers originate good ideas and share their thoughts to make computing more efficient (white hats). However, some intentionally use their expertise for malicious ends, (black hats).

Hacking

Hacking is the act of compromising digital devices and networks by gaining unauthorized access to an account or computer system.

Hacktivism

Hacktivism is the act of hacking, or breaking into a computer system, for politically or socially motivated purposes.

Hard drive/hard disk

A hard disk drive (HDD) is an internal or external computer component that stores data, such as the operating system, applications, and user files. HDDs are “non-volatile” storage devices, meaning they retain stored data even when power isn't being supplied.

Hash value

Hash values can be thought of as fingerprints for files. The contents of a file are processed through a cryptographic algorithm, and a unique numerical value – the hash value - is produced that identifies the contents of the file.

Host

A computer acting as a server for other computers on a network. It can be a Web server, an e-mail server, or an FTP server, etc. For example, a Web host provides the content of Web pages to the computers that access it.

Hosting

A host is a computer or other device that communicates with other hosts on a network. Also known as network hosts, hosts include clients and servers that send or receive data, services and applications.

Html – Hypertext Markup Language

The language used to create documents on the World Wide Web. HTML defines the structure and layout of a Web document/page by using a variety of tags and attributes. Hundreds of tags are used to format and layout the information in a Web page. Tags are also used to specify hypertext links. These allow Web developers to direct users to other Web pages with only a click of the mouse on either an image or word(s).

Http – Hypertext Transfer Protocol

The protocol used to transfer data over the World Wide Web. This is why all web site addresses begin with “http://”. Whenever you type a URL into your browser and hit Enter, your computer sends an HTTP request to the appropriate Web server. The Web server, which is designed to handle HTTP requests, then sends you to the requested HTML page.

Https – Hypertext Transfer Protocol Secure

The same as HTTP but uses a secure socket layer (SSL) for security purposes. Examples of sites using HTTPS include banking and investment websites, e-commerce websites, and most websites requiring a log in. Websites using the standard HTTP protocol transmit and receive data in an unsecured manner. Therefore, it is possible for someone to eavesdrop on the data being transferred between the user and the Web server. While this is unlikely, it is a possibility that someone may be capturing your credit card number or other personal information you enter on a website. Therefore, secure websites use the HTTPS protocol to encrypt the data being sent back and forth with SSL encryption. If someone were to capture the data being transferred via HTTPS, it would be unrecognizable. You can tell if a website is secure by viewing the URL in the address field of your Web browser. If the Web address starts with https://, you are accessing a secure website. Most browsers will also display a lock icon along the edge of the window to indicate the site you are visiting is secure. You can click the lock icon to view the secure certificate that authenticates the website.

Hyperlink

This refers to data the reader can follow directly either by clicking or hovering. It is usually underlined and coloured. When you move your mouse over a hyperlink or live link, the mouse arrow will turn into a pointing finger, which indicates you can click the link.

Instant messaging

Instant messaging, or “IMing,” as frequent users call it, has become a popular way to communicate over the net. Two people with the same IM client software can type messages back and forth in a private online chat session. IM software allows users to build a list of friends, or “buddies” and show other users online. Once seeing who is online, the user may open up chat sessions with as many other people as they wish. Instant messaging can be a far more effective way to communicate - rather than sending multiple e-mails back and forth.

Internet of things (IoT)

Refers to the ability of everyday objects (rather than computers and devices) to connect to the Internet. Examples include kettles, fridges and televisions.

IP address – Internet Protocol Address

An Internet Protocol (IP) address is a numerical address that is assigned to any computer, printer, switch, router or device that is part of a TCP/IP based network. It is the core component on which networking architecture is built – no network exists without it. It uniquely identifies every node in the network. An IP address is logical and can change; the numerals are divided into two parts which specify which network the address belongs to and the pinpoint of the exact location.

IRC – internet relay chat

A form of real-time Internet chat (text chat system). Its main purpose is to facilitate group communication in discussion forums called channels. However, it also allows one-to-one communication and data transfers via private message. It is essentially a virtual meeting place where people from all over the world can meet and talk about a variety of interests, ideas and issues. Participants can take part in group discussions on one of the many thousands of IRC channels, or just talk in private wherever they may be in the world.

ISP – internet service provider

An ISP provides services for accessing, using, or participating in the internet.

Keyloggers

Keyloggers, or keystroke loggers, are tools that record what a person types on a device. While there are legitimate and legal uses for keyloggers, many uses for keyloggers are malicious. In a keylogger attack, the keylogger software records every keystroke on the victim's device and sends it to the attacker.

Keylogging

Keystroke logging (keylogging or keyloggers); the action of tracking (or logging) the keys struck on a keyboard, typically conducted in a covert manner so the person using the keyboard is unaware their actions are being monitored. Criminals use this to obtain information including passwords and banking data for fraudulent purposes.

Kilobyte (KB)

A kilobyte is a collection of about 1,000 bytes. In the metric system, kilo is 1,000, and in some cases a kilobyte is defined as 1,000 bytes. This definition is commonly used by storage medium companies and to measure data transfer speeds.

Login

A login is a set of credentials used to access an area requiring proper authorization. Logins grant access to and control of computers, networks, and bulletin boards, and online accounts and other services or devices.

Logs

A log file is a computer-generated data file that contains information about usage patterns, activities, and operations within an operating system, application, server or another device.

Malware

“MALicious softWARE”. This is an umbrella term covering a variety of malicious codes including viruses, Trojan horses, spyware and worms. It covers code created deliberately to have destructive or unwanted effects on a computer.

Media access control (mac) address

In computer networking, a Media Access Control address (MAC address) is a unique identifier.

Megabyte (MB)

A megabyte is a collection of about 1,000,000 bytes, which is around 1,000 kilobytes.

Metadata

Metadata describes how, when and by whom a particular set of data was collected, and how the data is formatted. Metadata is created when files are created and when edited. This information can contain revisions, comments, template information, file properties and summary information.

Netflow data

NetFlow is a network protocol developed by Cisco for collecting IP traffic information and monitoring network flow. By analyzing NetFlow data, you can get a picture of network traffic flow and volume.

Network

A system of devices connected through either cable or wireless signals, that are able to communicate with each other and share resources. It also allows computers to collaborate, transfer data and access shared information – such as files, emails and printers – from one device to another.

Password

A protected/private string of letters, numbers, and/or special characters used to authenticate an identity or to authorize access to data.

Pharming

An attack redirecting a website’s traffic to another, bogus site. It is a type of social engineering attack in which a fraudulent website is used to trick a user into giving out their sensitive personal information, such as their banking or e-mail account details. Pharming attacks are normally used to steal login credentials for online banking sites and massive multiplayer online role playing games (MMORPGs). They can also be used to steal any type of sensitive personal or financial information, such as names, addresses, birthdays, social security numbers etc.

Phishing

The act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an e-communication. Communications purporting to be from popular social web sites, auction sites, financial institutions, online payment processors or IT administrators are commonly used to lure the unsuspecting public. Phishing emails may contain links to websites infected with malware. Phishing is typically carried out by e-mail spoofing or instant messaging, and often directs users to enter details at a fake website where the look and feel are almost identical to the legitimate one.

Private key

A cryptographic key that is used with an asymmetric (public key) cryptographic algorithm. For digital signatures, the private key is uniquely associated with the owner and is not made public. The private key is used to compute a digital signature that may be verified by the corresponding public key.

Proxy server

A proxy server verifies and forwards incoming client requests to other servers for further communication. A proxy server is located between the two, such as a web browser and a web server. The proxy server’s most important role is providing security.

RAM

RAM is a common computing acronym that stands for random-access memory. RAM is your computer or laptop's short-term memory. It's where the data is stored that your computer processor needs to run your applications and open your files.

Ransomware

A cyber-extortion scheme in which thieves use malware to encrypt data on an individual’s computer. Payment is demanded from the victim before they will un-encrypt the data. They may also take control of a computer and demand payment to return control. For businesses, the presence of ransomware on company databases can result in huge financial losses.

RAT – remote administration tool

A RAT or remote administration tool, is software that gives a person full control of a tech device, remotely. The RAT gives the user access to your system, just as if they had physical access to your device. With this access, the person can access your files, use your camera, and even turn on/off your device.

Resolution

Resolution indicates the number of pixels that are displayed per inch for an image (or pixels per centimeter). Most computer monitors display at resolutions of 72 pixels per inch or 96 pixels per inch.

Router

A network device which sends data packets from one network to another based on the destination address. May also be called a gateway.

Scripts

A sequence of instructions, ranging from a simple list of operating system commands to full-blown programming language statements, which can be executed automatically by an interpreter.

Search engine

A search engine is a software program that helps people find the information they are looking for online using keywords or phrases. Search engines are able to return results quickly, even with millions of websites online, by scanning the Internet continuously and indexing every page they find.

Server

A large data storage device. A server is a system responding to requests across a computer network to provide, or help to provide, a network service.

Service provider (SP)

A provider of basic services or value-added services for operation of a network; generally refers to public carriers and other commercial enterprises.

Smishing

Phishing via SMS: mass text messages sent to users asking for sensitive information (e.g. bank details) or encouraging them to visit a fake website.

Spear-phishing

A more targeted form of phishing, where the email is designed to look like it's from a person the recipient knows and/or trusts.

Spoofing

A spoofing attack is a situation in which a person or program successfully masquerades as another by falsifying data and then gaining an illegitimate advantage. An example from the science of encryption is the man-in-the-middle attack – where an attacker spoofs Alice into believing the attacker is Bob, and spoofs Bob into believing the attacker is Alice, thus gaining access to all messages in both directions without the trouble of any cryptoanalytic effort.

Spyware

A computer software installed on a personal computer to intercept or take partial control over the user’s interaction with the computer, without the user’s informed consent.

Static IP address

A static IP address is simply an address that doesn't change. Once your device is assigned a static IP address, that number typically stays the same until the device is decommissioned or your network architecture changes. Static IP addresses generally are used by servers or other important equipment.

Stresser

An IP stresser is a tool designed to test a network or server for robustness. The administrator may run a stress test in order to determine whether the existing resources (bandwidth, CPU, etc.) are sufficient to handle additional load.

Swatting

Swatting is a criminal harassment act of deceiving an emergency service into sending a police or emergency service response team to another person's address.

Terabyte (TB)

A terabyte (TB) is a unit of digital data that is equal to about 1 trillion bytes.

TOR

TOR, short for the Onion Routing project, is an open-source privacy network that enables anonymous web browsing. The worldwide Tor computer network uses secure, encrypted protocols to ensure that users' online privacy is protected. Tor users' digital data and communications are shielded using a layered approach that resembles the nested layers of an onion.

Trojan

A type of program or message appearing benign but concealing a malicious payload. Many of the attachments on virus-bearing e-mail messages carry Trojans. It is a computer program that hides or disguises another program usually designed to harm the system on which it runs e.g. a number of games apps for phones and tablets conceal spyware or adware, which then run in the background after the app is installed.

Trojan Horse

A Trojan Horse is a type of malware that disguises itself as legitimate code or software. Once inside the network, attackers are able to carry out any action that a legitimate user could perform, such as exporting files, modifying data, deleting files or otherwise altering the contents of the device.

Two-factor authentication (2FA)

The use of two different components to verify a user's claimed identity. Also known as multi-factor authentication.

URL – uniform resource locator

The address of a website, or part of a website. Typically this can be seen on every internet page. For example, http://www.google.co.uk/ is the URL for Google.

Virtual private network (VPN)

VPN is “tunnelled” through a wide area network (WAN) such as the Internet. This means the network does not have to be located in one physical location like a local area network (LAN). However, by using encryption and other security measures, a VPN can scramble all the data sent through the wide area network, so the network is “virtually” private. Businesses often use VPNs to communicate across multiple locations. For example, a large company having offices in several cities may need to send data to the different locations via the net. To secure the information, the company may set up a VPN with an encrypted connection. (Similar to having a secure intranet over the net). On a smaller scale, individual users may have a VPN account with their company, allowing them to connect to their office computer from their home or another location.

Virus

A computer virus is a program that spreads by first infecting files or the system areas of a computer or network router's hard drive and then making copies of itself. Some viruses are harmless, others may damage data files, and some may destroy files.

Vishing

The criminal practice of using social engineering and Voice over IP (VoIP) to gain access to private personal and financial information from the public for the purpose of financial reward.

Voice over IP - VOIP

Voice over Internet Protocol (VoIP), is a technology that allows you to make voice calls using a broadband Internet connection instead of a regular (or analog) phone line.

Web hosting

The method of storing and launching a website content through a server, a necessary service to the WWW. This hosting server delivers website data to the net for computers worldwide to access the Web 24/7. The hosting services range from a personal server on a private computer, to shared hosting, dedicated hosting, re-seller and many more types of hosting.

Whitelisting

Authorising approved applications for use within organisations in order to protect systems from potentially harmful applications.

Worm

A worm is a type of malware or malicious software that can replicate rapidly and spread across devices within a network. As it spreads, a worm consumes bandwidth, overloading infected systems and making them unreliable or unavailable. Worms can also change and delete files or introduce other malware.

Zero-day

A zero-day vulnerability is one not yet experienced by the public or security companies. As such, it has not been patched or corrected, and security software will not be able to protect computers. Zero-day vulnerabilities are considered very valuable to both cyber criminals and security companies, and an underground market exists that facilitates the trade in 0-days.

Zombie

A zombie is a computer connected to a network that has been compromised by a hacker, a virus or a Trojan. It can be used remotely for malicious tasks. Most owners of zombie computers do not realize that their system is being used in this way.

Further reading

Scroll to top