The recent publication of cybercrime statistics by the Bundeskriminalamt (BKA), the German Federal Criminal Office, raises almost as many questions as it answers. As with any official cybercrime statistics, perhaps they should be regarded as best endeavours in an imperfect world.
The BKA registered almost 50,000 cybercrime offences equating to a total loss of €39.4 million in 2014. Around 22,300 offences (45%) were classified as computer fraud, and almost 11,900 (24%) involved the hacking or interception of data. However, to what extent are the statistics a representation of the true state of cybercrime?
The cybercrime economy is by its very nature hidden and what becomes visible is only a fraction of the total. Unreported cybercrimes, as well as under-reporting in this area more generally, are a significant issue. The ‘black hole’ of unreported cybercrimes could be as high as 90%, according to a 2013 study completed by the German state of Lower Saxony.
Another study puts cybercrimes at 14.7 million totalling €3.4 billion per annum in Germany, compared to the 50,000 offences registered by the BKA totalling €39.4 million. According to this representative study published in February 2015 by the German Institute for Economic Research (DIW), 84% of cases (12.3 million) were attributable to phishing, identity fraud and malware attacks.
The statistics highlight the further problem of methodologies and definitions. How is cybercrime defined? Is it physical world deceptions transferred online? Brand new scams for which the internet is a prerequisite? ‘Electronic’ crimes, such as hacking, phishing and distributed denial of service (DDoS) attacks? Or maybe all of the above?
In addition, the BKA has changed the way it reports cybercrime figures. Up until 2013 the majority of federal states recorded offences which resulted in losses in Germany, irrespective of whether the criminal act occurred in the country.
The new figures from 2014 only include offences if there was concrete evidence of a crime taking place within Germany. The definition of cybercrime within the BKA figures is now also more narrowly focused on offences against the internet, data networks, IT systems or data within them, making year-to-year comparisons impossible.
Counting the costs of cybercrime is as difficult as counting the crimes. There are direct costs, for example money withdrawn from victims’ accounts in the case of phishing scams, plus the time and effort to reset credentials and re-issue cards for both banks and consumers.
There are also indirect costs of cybercrime to society at large. These include loss of trust in online banking, leading to lower take-up of digital services and a higher cost-to-serve through non-digital channels. They also include lost productivity and costs related to weakened competitiveness, higher insurance premiums, and prevention and detection measures such as antivirus and anti-spam.