I had looked into this for a previous research project. For what it’s worth, I don’t think there are any perfect sources, but my own BOTECs led me to believe the number people are usually after is $10B-$100B ~$30B-$300B:
FBI IC3 (2023): Headline figures that it receives $5-10B/yr of reported losses across the globe. If you assume this mostly only covers US victims (say 4X because the US is 25% of world GDP) and some go unreported (say 2X by dollar value), then you get something like $50B-$100B/yr globally
Anderson et al. (2019): Suggest maybe “6% of us [UK citizens] are victims of a scam with an average take of $200”. If in the UK there are 67M people that totals $800M. If the UK is 2.3% of world GDP that’s maybe ~$30B/yr globally. It seems plausible that mostly captures consumer, not business crime.
Chainalysis (2023): Estimate illegal crypto transactions amount to $5B-$20B/yr (it fluctuated a lot during the pandemic). If you assume maybe a ~third of cybercrime is done via crypto [as is the case for romance scams], then that gives you $15B-$60B/yr globally
I agree the eSentire >$3T number should be trusted very little. It doesn’t have any public methodology and got criticised soon after the original estimates came out in 2015 as part of companies trying to ‘one up’ each other:
In early 2015 Inga Beale, CEO at the British insurer Lloyd’s, claimed that cybercrime was costing businesses globally up to $400 billion a year. Several months later Juniper Research released a report which said cybercrime will cost businesses over $2 trillion by 2019. Microsoft CEO Satya Nadella stated $3 trillion of market value was destroyed in 2015 due to cybercrime….
The other ‘trillion dollar’ source that sometimes gets cited is McGuire (2018), who puts it at $1.5T. They do give a methodology of where this comes from, but...
$800B/yr is from illegal online markets, which is unclear to me where it comes from or if it should even be counted as ‘cybercrime’ in the way people normally mean
$500B/yr is corporate espionage—when, for reference, the NBR commission estimated that all US IP theft costs $225B – $600B/yr
$150B/yr is from stolen data, which comes from the author assuming {personal data is worth $200} * {600M records per year get stolen} -- when for reference the UN ODC (2010) put identity theft at $1B/yr
[New via JamieRV’s comment] The “2007 GAO report (GAO-07-705) cites a 2005 FBI survey putting the cost of computer crime in the US at $67bn.)” If you again multiply by 4X for US GDP and 2X for underreporting you get ~$540B/yr globally—although I’ve looked into this less