Imagine…the worst-case scenario has occurred. You have walked into the office, switched on a computer, and you see a message on the screen: “Your files are encrypted…pay $$$ in bitcoin within 5 days to receive a decryption code or lose your files forever!”
Cybercrime happens. Scenarios like the one above, and others that involve large sums of money being stolen or IT networks being wrecked, are common. But what happens after the crime has occurred? How is cybercrime investigated?
Who Do You Report a Cybercrime To?
Cybercrime covers a wide spectrum of crimes that are enabled using technology. But if you find yourself a victim of a cybercrime, where and to whom do you turn?
In the UK, reporting a cybercrime can be done via:
National Crime Agency (NCA)[1]
The NCA works on general crime as well as critical cybercrime incidents. Because cybercrime is often a global phenomenon, the NCA often collaborates with other international organisations, including the EU’s Europol and the U.S. FBI cybercrime division.[2] [3]
ActionFraud (National Fraud and Cybercrime Reporting Centre)
The NCA works alongside ActionFraud, which handles the public reporting of cybercrimes.[4] Both businesses and individuals can use the ActionFraud online service or phone hotline to report cybercrimes. The online form takes you through wizard-like screens that ask for the details of the cyber-attack.
ActionFraud covers Wales and England. At the time of writing, people living in Scotland report a cyber-attack to Police Scotland, online or by calling 101.[5]
For those in Northern Ireland, the Police Service of Northern Ireland handles cybercrime reports.[6]
How Is Cybercrime Investigated?
Investigating a cybercrime incident requires specialist knowledge. The investigation itself also depends on the type of cyber-incident: is it a Distributed Denial of Service (DDoS) attack, a hacked database, a phishing campaign, a business scam, identity theft, and so on?
The investigation can be handled by a public entity such as the NCA in the UK and/or privately, by the company itself or by a specialist firm that deals with cybercrime investigations.
The investigation of a cybercrime involves:
- Assessment phase: Looking at the details of the cyber-attack. The assessment is used to guide the next stages, the initial investigation and the gathering of key evidence.
- Who, what, where: What happened, what type of crime, who was affected, what resources were impacted, where can evidence be gathered? This initial stage is about setting out the crime scene to prepare for a deeper analysis.
- Evidence gathering exercises: This involves collecting any items that may contain information pertaining to the cybercrime. This could be mobile devices, laptops, gaming consoles, event logs, databases, messages, emails, and so on. Digital evidence can also be obtained from Communication Service Providers. The Association of Chief Police Officers published a guide in 2012, “ACPO Good Practice Guide for Digital Evidence”, with guidance on how to collect cyber-enabled attack evidence.[7]
- Honeypots: Sometimes, depending on the type of cybercrime, the investigator may set up a “honeypot”. This is a ‘victim’, which may be a piece of specialist software, that can entice a cybercriminal into performing a cyber-attack.
- Secure devices: Some devices may need to be secured for further investigation. Subpoenas may need to be obtained to do this.
- Digital forensics: A specialist cybercrime investigator will look at all of the data gathered and may use specialist tools to look into the mechanism of the cybercrime. If the crime is part of a larger cyber-attack, such as the international WannaCry ransomware attack, this may involve multinational bodies that work together to analyse the cybercrime data.
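The evidence gathering and digital forensics steps above rely on being able to show that a collected item has not changed since it was collected. The following is an added example, not taken from the original article or from the ACPO guide: it records a SHA-256 hash and basic who/what/where details for each item and later re-checks them. The manifest layout, the analyst ID, the host name and the sample file contents are all constructed for illustration.

```python
import hashlib, os, tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large disk images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def record_item(manifest, path, collected_by, source):
    """Append a custody entry (who, what, where, when) for one collected item."""
    entry = {
        "item": os.path.basename(path),
        "sha256": sha256_file(path),
        "size": os.path.getsize(path),
        "collected_by": collected_by,   # hypothetical analyst ID
        "source": source,               # hypothetical host the item came from
        "collected_utc": datetime.now(timezone.utc).isoformat(),
    }
    manifest.append(entry)
    return entry

def verify(manifest, evidence_dir):
    """Return the items that are missing or no longer match their recorded hash."""
    changed = []
    for entry in manifest:
        path = os.path.join(evidence_dir, entry["item"])
        if not os.path.isfile(path) or sha256_file(path) != entry["sha256"]:
            changed.append(entry["item"])
    return changed

def demo():
    """Collect two constructed items, verify them, then simulate a later edit."""
    samples = {  # constructed sample evidence, not real data
        "ransom-note.txt": b"Your files are encrypted...\n",
        "auth.log": b"Jan 10 09:14:02 ws-finance-03 sshd[411]: Failed password for admin\n",
    }
    with tempfile.TemporaryDirectory() as evidence_dir:
        manifest = []
        for name, data in samples.items():
            path = os.path.join(evidence_dir, name)
            with open(path, "wb") as f:
                f.write(data)
            record_item(manifest, path, "analyst-01", "ws-finance-03")
        before = verify(manifest, evidence_dir)
        with open(os.path.join(evidence_dir, "auth.log"), "ab") as f:
            f.write(b"line added after collection\n")
        return before, verify(manifest, evidence_dir)

if __name__ == "__main__":
    print(demo())
```

In practice the manifest itself would be stored separately from the evidence and protected against modification, so that a changed hash can be trusted as a sign of a changed item.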
What is the Punishment for Cybercrime?
If a cybercrime investigation is able to gather enough evidence to prosecute an individual or group of cybercriminals, then justice can be served.
Analysis by ‘The Register’ of UK cybercrime convictions between 2007 and 2018 shows the conviction rate was 90% if the perpetrator(s) were brought to court. The research also found that 16% were given custodial sentences and 45% suspended sentences.
Source: The Register[8]
Some examples of punishments issued for cyber-attacks include:
National Lottery Cyber-Attack
A cyber-attack that affected the UK’s National Lottery back in 2016 resulted in jail terms for the cybercriminals behind the attack. The breach resulted in the potential exposure of around 10 million lottery customers. The two cybercriminals behind the attack only ended up stealing £13 but received jail sentences of 8 months and 5 months, respectively.[9]
Alphabay, Darknet Marketplace
The moderator of the darknet marketplace, Alphabay, was imprisoned for 20 years. The site was a playground for cybercriminals and their tools. Europol found listings for over 100,000 stolen and fake ID documents, malware and hacking tools, amongst other contraband.[10]
TalkTalk
The young man behind the TalkTalk hack back in 2015 was jailed for 4 years. As well as carrying out the cyber-attack against TalkTalk, he was also found guilty of selling stolen personal data and extortion.
Many cybercriminals may not end up doing prison time; the type of crime and its impact determine the sentence. The current sentencing for fraud in the UK depends on the financial harm and victim impact suffered. The UK’s Sentencing Council[11] sets out the sentencing limits for fraud, the maximum sentence for “Conspiracy to defraud and supplying items for fraudulent use” being 10 years. However, the 2014 “Serious Crime Bill: Computer Misuse Act” can increase sentencing depending on the seriousness of the attack. In doing so, life sentences can be issued to those who attack, for example, critical infrastructure such as the National Grid, the legislation stating:
“The maximum sentence on indictment is 14 years, unless the offence caused or created a significant risk of serious damage to human welfare or national security, as defined in Section 3 (a) and (b), in which case a person guilty of the offence is liable to imprisonment for life.”[12]
On a final note: In the U.S. the FBI have a regular ‘wall of shame’ showing the most wanted for cybercrimes in the USA: https://www.fbi.gov/investigate/cyber/most-wanted – you might want to check out this motley crew as you never know if you might come across one of them over in the UK.
[1] National Crime Agency: https://www.nationalcrimeagency.gov.uk
[2] Europol: https://www.europol.europa.eu/
[3] FBI: https://www.fbi.gov/investigate/cyber
[4] ActionFraud: https://www.actionfraud.police.uk
[5] Police Scotland: https://www.scotland.police.uk/keep-safe/keep-secure-online/cybercrime
[6] Police Service of Northern Ireland: https://www.psni.police.uk/crime/cyber-crime/
[7] ACPO Good Practice Guide: http://library.college.police.uk/docs/acpo/digital-evidence-2012.pdf
[8] The Register: https://www.theregister.co.uk/2019/05/29/computer_misuse_act_prosecutions_analysis/
[9] NCA: https://nationalcrimeagency.gov.uk/news/cyber-criminal-jailed-over-national-lottery-hack
[10] Europol news: https://www.europol.europa.eu/newsroom/news/massive-blow-to-criminal-dark-web-activities-after-globally-coordinated-operation
[11] Sentencing Council: https://www.sentencingcouncil.org.uk/offences/magistrates-court/item/fraud/
[12] CPS: Computer Misuse Act: https://www.cps.gov.uk/legal-guidance/computer-misuse-act