Police recorded cyber-crime in Scotland
This chapter presents an estimate of how many cyber-crimes were recorded in Scotland during 2021-22.
The information provided below relates to cyber-crimes which have come to the attention of the police. It does not provide information on the characteristics of all cyber-crime committed in society, as not all of these crimes are reported to the police.
Defining cyber-crime is complex, with no agreed upon definition of the term. The main debate centres around the extent to which cyber technology needs to be involved for the crime to be termed ‘cyber-crime’. For the purposes of recorded crime (as defined in the Scottish Crime Recording Standard), a broad definition of cyber-crime is adopted that includes crimes in which cyber technology is in any way involved. This ranges from crimes where a digital system, infrastructure or Information and Communication Technology (ICT) device is the target as well as the principal or sole method of attack, known as ‘cyber-dependent’ crimes (such as the spreading of computer viruses), to ‘traditional’ crimes where the internet has been used as a means to commit the crime, known as ‘cyber-enabled’ crimes (such as online fraud or sexual crime). Throughout this chapter, both ‘cyber-dependent’ and ‘cyber-enabled’ crimes are referred to collectively as ‘cyber-crimes’.
The estimates provided in this chapter are based on a review of crime records, whereby a random sample of cases was drawn across Scotland for those types of crime that could in theory involve a cyber-element. The review considered which proportion, by crime type, actually were cyber-crimes in 2021-22.
As this analysis is based on a sample of police records (rather than all police records), it should be seen as providing a broad estimate of the volume and type of cyber-crime recorded in Scotland, rather than an exact count. The exception to this are crimes under the Computer Misuse Act 1990 (within the Damage and reckless behaviour crime group), where all crimes were reviewed due to the relatively low volume recorded.
Estimated volume of cyber-crimes
In 2021-22, an estimated 14,280 cyber-crimes were recorded by the police in Scotland. This is similar to the estimated 14,860 cyber-crimes recorded in 2020-21, but remains a large increase compared to the estimated 7,710 cyber-crimes recorded in 2019-20.
Part of the increase seen over the past two years may be due to the significant impact of the COVID-19 pandemic and government instructions to limit social contact. For example, in their ‘Crime in England and Wales: year ending December 2021’ release, the Office for National Statistics noted that an increase in fraud offences could reflect perpetrators taking advantage of behavioural changes during the pandemic, such as increased online shopping.
A procedural change to the recording of international crime made in April 2020 has also likely led to some additional cases, but relatively few when compared to the overall increase. This is discussed further in the previous Recorded Crime in Scotland bulletin.
We estimate that at least 5% of crimes recorded by the police in Scotland in 2021-22 were cyber-crimes. This includes an estimated 28% of Sexual crimes, 9% of Crimes of dishonesty, 3% of Non-sexual crimes of violence and less than 1% of Damage and reckless behaviour.
It is important to note that whilst the sample of crime records reviewed for this analysis was designed to capture the main types of crime that could involve a cyber-element, this may not have included every relevant type of crime. As such, these figures should be taken as estimates. Going forward statisticians will continue to keep the types of crime reviewed for this chapter under consideration, to ensure any additional types (beyond those discussed below) that may involve a cyber-element are included. For example, we widened the pool of crimes reviewed this year, to include some additional types such as stalking and those related to the proceeds of crime. We also re-visited the two previous years on the same basis, with revised estimated figures for recorded cyber-crime in 2019-20 and 2020-21 published in this bulletin.
Table A10 in the 'Supporting documents' Excel workbook provides estimates of the number of cyber-crimes split by crime type from 2019-20 to 2021-22.
Cyber-crimes within Non-sexual crimes of violence
This analysis looked specifically at crimes of (i) Threats and extortion (ii) those recorded under the Domestic Abuse (Scotland) Act 2018 and (iii) Stalking.
In 2021-22, an estimated 1,260 crimes of Threats and extortion were cyber-crimes, an increase of 73% from the estimated 730 recorded in 2020-21. In the latest year, 90% of recorded Threats and extortion were cyber-crimes. Most of these cases relate to ‘sextortion’, most commonly where the perpetrator threatens to reveal evidence of the victim’s online sexual activity unless they receive some form of monetary payment.
As part of the analysis we looked at the confirmed and suspected location of the perpetrators of cyber-crimes. This analysis was based on the information recorded at the point which the cases were reviewed. Amongst the cases we sampled, for Threats and extortion the location of perpetrators was unknown for around 6 out of 10 cyber-crimes (59%), and confirmed or suspected to be outside Scotland in a further third of cases (33%).
Table A12 in the 'Supporting documents' Excel workbook provides estimates of the location of perpetrators of cyber-crimes in 2021-22.
Crimes recorded under the Domestic Abuse (Scotland) Act 2018 and Stalking are course of conduct type offences. Within this research, any crime that occurred wholly online, or included a mix of in-person and online activity as part of the course of conduct, has been classified as a cyber-crime. In 2021-22, an estimated 200 crimes under the Domestic Abuse (Scotland) Act 2018 and 400 crimes of Stalking were cyber-crimes. This represented an estimated 11% of crimes recorded under the Domestic Abuse (Scotland) Act 2018 and around half (48%) of crimes of Stalking.
Cyber-crime within Sexual crimes
This analysis looked specifically at those types of sexual crimes that could have a cyber-element. For example, crimes of Communicating indecently, Cause to view sexual activity or images, Indecent photos of children, Disclosing or threatening to disclose intimate images and Voyeurism.
In 2021-22, an estimated 4,210 Sexual crimes (28%) recorded by the police were cyber-crimes, similar to the estimate of 4,630 in 2020-21. The estimated volume of Sexual crimes that were cyber-crimes has gradually increased over the longer term from 1,100 in 2013-14. Part of the increase after 2017-18 will likely relate to new crimes of Disclosing or threatening to disclose intimate images being recorded under the Abusive Behaviour and Sexual Harm (Scotland) Act 2016, which was implemented on 3 July 2017. However, the clear majority of this increase will be due to other factors.
The analysis also suggests an estimated 1,950 Sexual crimes recorded in 2021-22 were both cyber-crimes and had a victim under the age of 16.
We found that, for around half (48%) of the records examined perpetrators of Sexual crimes which were cyber-crimes were either confirmed or suspected to be located in Scotland. Whilst the location of a perpetrators was unknown in a further third (37%) of records.
Cyber-crime within Crimes of dishonesty
This analysis predominately covers the crimes of Fraud, as well as Money laundering and proceeds of crime.
Fraud includes a wide range of criminal activity such as bank card fraud, failure to pay for goods and services (either online or in person such as taxi fares and meals at restaurants), fraudulent sales, bogus workmen, phishing, banking scams etc.
In 2021-22, almost half (48%) or an estimated 8,010 recorded frauds were estimated to have been cyber-crimes. This is similar to the estimated 8,630 cyber frauds recorded in 2020-21, but has more than doubled from the estimated 3,450 recorded in 2019-20.
Whilst the number of frauds that were cyber-crimes has remained relatively stable over the past year, the number of estimated frauds that were not cyber-crimes has increased to 8,530 from 6,450 in 2020-21 (returning these to a similar level seen in 2019-20).
Table A11 in the 'Supporting documents' Excel workbook provides estimates of volumes and proportions of Cyber Fraud from 2018-19 to 2021-22.
We found that for half (48%) of the records we examined, the location of perpetrators of Fraud cyber-crimes was unknown. For a further third (35%) of records, perpetrators were either suspected or confirmed to be located outside of Scotland.
In 2021-22 an estimated 160 cases of Money laundering and proceeds of crime were cyber-crimes (representing around two-thirds, or 64%, of all recorded cases).
Cyber-crime within Damage and reckless behaviour
This analysis looked at crimes recorded under the Computer Misuse Act 1990 (causing damage). Because of the relatively low volumes of crimes recorded, each record was reviewed and accounted for 40 cyber-crimes.
There is a problem
Thanks for your feedback