Why Internet crime goes unpunished

Jan 10, 2012 | 4 mins
Cybercrime, Data and Information Security

Until we make the Internet secure, cyber criminals will continue to pull off high-value, low-risk offenses

For cyber criminals, the idiom “crime doesn’t pay” is laughable. Internet crime is worse than ever, and the reasons are clear: It’s highly lucrative and far less risky than, say, an old-fashioned bank heist. Until we take the necessary steps to increase the risk and lower the value of cyber crimes, we won’t be able to stop them.

To fully appreciate the risks and rewards of cyber crimes versus traditional crimes, consider the following statistics from the FBI: In 2010, bank robbers pulled off 5,628 heists and ran off with $43 million. (These numbers held steady in the first and second quarters of 2011.) The average robbery netted $7,643.


Further, the loot was recovered in 22 percent of cases. Often, the thieves wielded guns, so when caught, they faced long mandatory jail times. Injuries, death, and hostage situations occurred, though they constitute the minority of cases. I’m not an expert on how well U.S. bank robbers do as compared to non-U.S. counterparts, but let’s assume roughly the same stats apply.

Overall, physical bank robberies are high risk. Except in rare cases, you won’t strike it rich as a criminal, and you have a strong chance of getting caught and sentenced to jail.

Let’s compare that to Internet crime statistics. Per an FBI 2011 report, 300,000 people were victimized over the Internet to the tune of $1.1 billion. Although that averages out to only $3,666 per victim, the typical Internet hacker commits thousands to hundreds of thousands of these crimes and almost never gets caught. Those who get nabbed are unlikely to spend any time in jail, and when they do, they’ll probably serve, at most, a few years in a low-security facility.

In contrast, identity thieves almost never get caught. For instance, from 2003 to 2006 (the years for which I can find trend data), the FBI was able to arrest between only 1,200 and 1,600 identity thieves, and about a third of those cases resulted in convictions, much less jail time. To put this in further perspective, these crimes affected 8.3 million victims, nearly 4 percent of the entire U.S. adult population. This means that one identity thief was convicted for every 20,750 victims.

The conviction rate in 2010 was even worse. According to the FBI’s 2010 Internet Crime Report, from 303,809 complaints, 1,420 prepared criminal cases resulted in a mere six convictions. That’s one jailed cyber criminal for every 50,635 victims, and these are just the cases significant enough to be reported to the FBI.

To sum up: Rob a bank and face a one-in-four or one-in-five chance of doing hard time. Steal someone’s identity and your odds of being caught are almost infinitesimal. Consider, too, that identity theft comprises only 9.8 percent of all Internet crime, not including the likes of intellectual property theft. Factor in all Internet crime, and the numbers are likely to be far, far worse — which is saying a lot.

I don’t blame the FBI or any other law enforcement agency. Discovering and prosecuting cyber crimes is possibly harder than any other area of law enforcement. Rules-of-evidence requirements, as well as cross-national boundaries, make Internet crime especially difficult to track and prosecute.

As I’ve preached time and again in this blog, we can fight Internet crime by making the Internet significantly safer. We have the protocols and the tools to make it harder for online crime to exist. We just have to decide to deploy them.



Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.
