How Bad is Cybercrime – A Crime Statistics Approach
Published 8th April 2025
Cyber Security

When we want to know how bad crime is, in traditional crime statistics methods, we state the number of reported crimes per 100,000 people. For example, in the October to December 2024 period in South Africa, the murder rate was 11.1 murders per 100,000 people.

We often read, hear, or watch stories about how bad cybercrime is. So much of the data out there is provided by the vendors of various cybersecurity tools or services, and while much of the data provided is useful, it must be treated with a certain degree of critical thinking. Most of these reports have an inherent bias, which has the ultimate aim of justifying why purchasing tools or services that the authors of these reports provide, is necessary. Again, depending on the author of the report, data will be presented through a certain lens which is often biased towards the ultimate purpose of the report. What is clear through all these vendor reports, is that the cybercrime situation is bad, throughout the world. But this data may not represent the true objective picture of the overall problem.

So how would we objectively determine the size and scope of the cybercrime problem? We could make use of official government crime statistics. But here is where the problem comes in, do we actually have reliable and accurate statistics in this regard. In South Africa the current cybercrime offences are defined by the Cybercrimes Act 19 of 2020, which replaced the cybercrime offences defined in the Electronic Communications and Transactions Act 25 of 2002. I have investigated many cybercrimes under both statutes and have registered case dockets with the South African Police Service. Even though clear statutory cybercrimes were committed, many of these cases ended up being registered on the South African Police Service Crime Administration System as other crimes such as fraud, theft or extortion. This creates a problem that from a crime statistics point of view that the data is not accurate.

In research that I conducted, I requested the South African Police Service to provide crime statistics for offences committed in terms of the Electronic Communications and Transactions Act 25 of 2002, and this data was simply not forthcoming. I also tried to get data from the National Prosecuting Authority about the number of prosecutions initiated in terms of the Electronic Communications and Transactions Act 25 of 2002, and this was also not forthcoming. Even in official crime statistics released by the South African Police Service, cybercrime has not been specifically dealt with a specific crime category. Unfortunately, that means that official statistics on cybercrime, at least in South Africa, are lacking. Hopefully this will change with the new Cybercrimes Act as Section 54(3)(b)(i) states that the Minister of Police must report to Parliament at the end of each financial year that number of cybercrime offences defined in the Cybercrime Act to the South African Police Service.

But does that mean that scientifically we cannot determine what the probable cybercrime rate is. Lets address this question by using the offence of cyber fraud which is defined under Section 8 Cybercrimes Act 19 of 2020. Using Section 8(1)(a), one way cyber fraud is committed is when a person who unlawful and with intention to defraud make a misrepresentation by means of data or a computer program which causes actual or potential prejudice to a person. Now what is key to understand here is that there does not have to be actual harm done to the victim, merely the potential that harm could be done if the victim had acted on the misrepresentation.

In the last three years, I have spoken at various public events in South Africa where I have asked the audience at each a very specific question. Who has been a victim of a cybercrime. In almost every instance a small percentage of the audience will raise their hands. But then I ask another question. Who has received a phishing email, or instant message, and without fail every single hand in the audience is raised. It does not matter if they fell for them or not, the fact that they received them meant that there was the potential for them to have fallen for it. When one considers that phishing is clearly a contravention of Section 8(1)(a), then objectively the crime rate is 100% or expressed in traditional crime statistic format a crime rate of 100,000 out of 100,000.

I am planning to conduct a formal academic study on this phenomenon later this year using full research rigour, to either confirm or refute my hypothesis, which is simply this. As cybercrime is currently defined in South Africa, it has a close to 100 percent crime rate. So, when someone asks how bad cybercrime is, think about this. I think it is the most prevalent and prominent crime in modern society, with a close to 100 percent victim rate.ea dictumst.