Fewer Victims, More Fallout: What Australia’s 2025 Cybercrime Survey Really Shows

Imagine two neighbours in the same suburb. One runs a household budget, banks online, scrolls social media — and this year faces a slightly lower chance of being scammed, hacked, or harassed than last year. The other runs a small accounting firm from the spare room, and this year faces a much higher chance of legal headaches, staff turnover, and sleepless nights if a cyber incident hits. Both live under the same laws, use the same internet, and read the same headlines about falling cybercrime. Yet their experiences of risk are moving in opposite directions — and that split is not an accident. It's a signal of how digital protection is being rebuilt.

A small business owner reviewing cybersecurity alerts, illustrating how the cybercrime survey shifts risk toward SMBs

Australia’s newest cybercrime survey, published by the Australian Institute of Criminology, captured exactly this contradiction. Everyday Australians reported less cybercrime and fewer serious losses in 2025 than in 2024. At the same time, small and medium-sized business (SMB) owners reported sharply more legal trouble and staffing costs tied to cyber incidents. Understanding why both things can be true at once says a lot about how cybersecurity actually works in 2025 — and why "cybercrime is down" is not the same as "cyber risk is disappearing."

The consumer numbers look genuinely better

According to the AIC’s survey of 10,593 Australians, 45.1% reported being a victim of some form of cybercrime in 2025, down from 47.8% the year before. Most categories improved: online abuse and harassment eased from 27.1% to 24.6%, identity-related crimes from 22.1% to 20.4%, and financial account compromise from 17.7% to 15.8%. Financial damage, where it happened, tended to be modest — the large majority of victims lost less than AU$1,000. This builds on a longer-running pattern: the 2024 edition of the same survey had already shown victimisation stagnating at high levels with lagging safety habits, so a genuine year-on-year dip is a notable, if not yet conclusive, shift.

What makes the 2025 figures strange is that they arrived alongside a visible decline in personal cyber hygiene. Fewer people ran antivirus software or firewalls (down from 39.3% to 36.2%), fewer used spam filters, fewer used unique passwords across accounts, and fewer avoided clicking suspicious links. On paper, that combination shouldn’t work — less self-protection usually means more harm, not less.

Why doing less personally didn’t backfire

The explanation offered by industry security specialists is that protection has moved upstream, away from individual habits and into the infrastructure people use without thinking about it. "The bigger shift here is that a lot more of the protection now sits with the companies consumers use every day, not with the consumer personally," said Justin Allen, senior manager of security operations at Huntress, pointing to bank transaction monitoring, browser sandboxing, automatic patching, and industry frameworks like Australia’s Scam-Safe Accord as examples of safeguards enforced at scale rather than left to each user’s discipline. Brian Long, CEO of Adaptive Security, framed the same pattern as evidence that "protection is shifting upstream, into the platforms, telcos, and devices people already use every day".

This is a reasonable reading of the pattern, though it’s worth being careful about what the survey can and can’t prove. A year-over-year dip doesn’t establish a permanent trend, and the AIC data can’t isolate how much of the improvement comes from stronger institutional defences versus changes in what people report, how they’re asked, or how attackers are currently behaving. Multi-factor authentication, for instance — a second proof step layered on top of a password — is exactly the kind of control that platforms can now switch on by default, making account takeover harder even for someone who reuses passwords. When a bank or an operating system enforces that automatically, individual carelessness matters a little less than it used to. That doesn’t mean personal habits are obsolete; it means some of the load has been picked up elsewhere. Attackers, in turn, tend to redirect effort toward the weakest remaining link — which increasingly is a person being socially engineered rather than a system being technically breached.

Two categories bucked the improving trend entirely: fraud and scams rose from 9.7% to 11.1%, and ransomware climbed from 2.5% to 3.1%, echoing ransomware’s broader global resurgence. These are precisely the crime types that exploit human judgment rather than a technical flaw — a reminder that "upstream" defences have limits.

Where the bill actually lands

For SMB owners and managers, the story is less reassuring. One in four business owners or managers reported that cybercrime hurt their business in 2025, most commonly through operational disruption. But the sharper increases were in legal issues, up from 5.1% to 7.9%, and staffing costs, up from 5.9% to 10% — categories tied to consequence and accountability rather than the initial attack itself.

Part of the pressure comes from how incident response is now scrutinised after the fact. A landmark Federal Court case stemming from the 2022 Medibank breach found that internal post-incident reports could not automatically be shielded from disclosure as legal advice, since regulators and courts examine the real purpose behind how such reviews were commissioned and communicated. Layer that onto tightening reporting expectations — some ransomware incidents may trigger reporting duties, and privacy law reforms raise the potential penalties for mishandled data — and boards face rising incentive to demonstrate they acted diligently, even though the exact obligations vary by business size, sector, and incident. That scrutiny "rolls downhill into compliance work, reporting overhead, internal stress, and blame shifting," Allen noted, adding that some leaders now see the personal risk of running an SMB through a cyber incident as no longer worth it.

The same environment, different burdens

The table below sketches how responsibility for each stage of a cyber incident has redistributed — not eliminated, just relocated.

Stage Individual user Bank / platform / device SMB owner
Prevention Passwords, caution with links (habits declining) Automatic patching, MFA defaults, transaction monitoring, sandboxing Policy-setting, staff training, vendor security choices
Detection Notices unusual activity occasionally Fraud/anomaly monitoring at scale, real-time alerts Must monitor own systems and interpret alerts
Fallout handling Limited — mostly reversing a single transaction or account Refunds, account resets, built-in remediation tools Legal review, regulator contact, insurer notification, staffing decisions, reputational management

Read across the row, and the pattern is clear: platforms have absorbed much of the routine prevention and detection work that used to sit with individuals, but almost none of the fallout work has moved anywhere except onto the business itself.

What the numbers don’t settle

None of this means Australian cybercrime is solved, or that ordinary users can safely ignore basic precautions — the survey shows a decline in one year’s snapshot, not proof that the pattern will hold. It also doesn’t mean every SMB carries more risk than every consumer in every situation; the data speaks to aggregate trends, not individual cases. And the exact legal duties triggered by any specific breach — whether under privacy law, ransomware reporting rules, or sector-specific regulation — depend on details the survey doesn’t cover.

What the 2025 figures do suggest is a structural shift worth watching: as banks, device makers, and platforms get better at absorbing everyday attacks at scale, the residual risk doesn’t vanish — it concentrates wherever institutional-grade defences don’t reach and legal accountability does. Right now, that place is increasingly the small business owner’s desk, not the household inbox.

Sources

  1. Aussies Face Reduced Cybercrime Risk, as Pressure Shifts to SMBs
  2. Nearly half of Australians fall victim to cybercrime
  3. Privilege claims put to the test: Dominant purpose unmasked | Gilchrist Connell
Scroll to Top