Is cybercrime as big as its foes fear?

BIG numbers and online crime go together. One well-worn assertion is that cybercrime revenues exceed those from the global trade in illegal drugs. Another nice round number is the $1 trillion-worth of intellectual property that, one senator claimed earlier this year, cybercriminals snaffle annually.

It is hard to know what to make of these numbers. Online crooks, like their real-world brethren, do not file quarterly reports. In the absence of figures from the practitioners, experts tend to fall back on surveys of victims, often compiled by firms that sell security software. These have a whiff of self interest about them: they are the kind of studies that get press released but not peer reviewed.

A paper by two researchers at Microsoft, Dinei Florencio and Cormac Herley, shows why: because losses are unevenly distributed. Most people never have their bank accounts raided by cyber criminals, but an unfortunate few do, and lose a lot. This means that per capita losses, which the surveys calculate before extrapolating to a national figure, are dominated by a handful of big online heists. Errors in the reporting of such infrequent crimes have a huge effect on the headline figure. In a 1,000-person survey in America, for example, exaggerating the impact of a single crime by $50,000 would add $10 billion to the national figure.

Other data can be skewed this way too. But those who analyse it take precautions to protect their results. Few cybercrime surveys cite the methodology they used. Those that do expose their plumbing do not convince the Microsoft authors.

The few researchers who have observed cyber criminals in action are similarly sceptical about the industry’s estimates. In the latest instalment of a mammoth four-year exercise Chris Kanich of the University of California, San Diego, and colleagues tracked around 20 outfits that use spam to advertise illegal online pharmacies. First they secretly monitored the spammers’ payment systems. Then they obtained logs from one of the servers that power the illegal pharmaceutical sites. They even ordered (and—perhaps surprisingly—received) some of the non-prescription drugs on sale.

Their findings suggest that only two of the 20 or so operators bring in $1m or more per month. The criminals behind fake security software appear to reap similar rewards, say Brett Stone-Gross and colleagues at the University of California, Santa Barbara. Their study, due to be presented at next month’s eCrime 2011 conference in San Diego, puts the annual revenue of each criminal group at a few tens of millions of dollars. As with Mr Kanich’s study, it is not clear how much of this is profit.

Such hauls fall well short of extravagant claims from the security industry that some spammers make millions every day. Stefan Savage, Mr Kanich’s PhD supervisor, says that the security industry sometimes plays “fast and loose” with the numbers, because it has an interest in “telling people that the sky is falling”.

None of this means that the threat of cybercrime can be written off as pure invention, or that people should turn off their spam filters. But in the grand scheme of criminal threats, hacker kingpins do not appear to be on a par with Colombian drug lords—even if the security industry would wish it otherwise.