Cyber crimes seem to be going down at last. With a recorded 17% drop last month, the Cyber Threat Intelligence Report from NCC Group tracked 651 incidents in January, compared with 696 in January 2025. When you read at first, it looks like progress.
But the situation is more complicated than that. In the report’s executive summary, NCC Group recorded 741 ransomware listings in the month before excluding suspected scam operations, which accounted for 12% of claimed attacks. Those suspected scams were removed from the final statistics.
Matt Hull, VP of Cyber Intelligence and Response at NCC Group, said: “While ransomware attacks were lower than December, activity closely mirrors January 2025, when 696 incidents were recorded. Given the scale and disruption of 2025, this pattern could be an early signal that 2026 may follow a similar path. Organisations should not mistake the month-on-month drop for a decline in risk.”
The company also reported that Industrials accounted for 32% of ransomware attacks in January 2026. North America was victim to 54% of global activity, followed by Europe with 22%. Qilin was responsible for 17% of attacks in the month, making it the most active group.
Are Criminals Changing Their Tactics?
The data shows activity went down in January, but the methods used by attackers are evolving. The report explains that messaging platforms are increasingly used as entry points to phishing, malware delivery and account takeover.
Hull said: “The ransomware landscape is not getting any easier. Threat actors are constantly evolving, leveraging every tool and tactic to exploit vulnerabilities and maximise impact. Messaging platforms and the rise of AI add further complexity and widen attack surfaces. This creates more ways for attackers to target individuals and organisations. It’s never been more important for organisations to remain vigilant and strengthen their security posture to stay ahead of these evolving threats.”
More from News
- How Are UK Shopping Habits Changing In 2026?
- What Is The Tech Industry Doing To Ensure Responsible AI Training?
- Tech Leaders Reveal Their Biggest Data Centre Concerns In 2026
- Why Are Trusted British High Street Brands Vanishing?
- Is Stripe Buying PayPal?
- Trump Imposes 10% Global Tariff After Supreme Court Ruling – What Does This Mean For SMEs Operating Internationally?
- Chelsea FC Hop Onboard The AI Train: How Big Brands Are Partnering With AI Companies
- Agentic Commerce Is Making Unwanted Purchases For Shoppers: Have AI Agents Gone Too Far?
The report also describes how platforms such as WhatsApp, Telegram, Discord and Signal are being misused. Attackers use malicious QR codes, fake group invites and device linking tactics to gain access to accounts. In 2025, WhatsApp removed over 6.8 million accounts linked to global scam networks.
Mobile devices are also under attack, because the Group reports a 29% increase in Android device attacks during 2025. Many of these used messaging deliveries to distribute malware and steal credentials. The use of personal devices at work makes exposure worse, especially where security controls are weaker.
These tactics mean criminals are not necessarily going away. It just seems like they are finding different ways to reach victims, often through trusted communication tools instead of traditional email.
Overall, the data indicates that lower monthly totals do not mean criminals are retreating. Activity levels in January are similar to those of the previous year. Attackers are experimenting with messaging apps, mobile malware and AI assisted social engineering. At the same time, the way incidents are counted leaves room for blind spots.
Businesses need to treat the fall in reported cases carefully and not take it as a sign to relax. The methods are changing, and the numbers aren’t showing us all that’s happening elsewhere. Its important to stay alert and manage risks.
