Police recorded cyber-crime in Scotland
This chapter presents an estimate of how many cyber-crimes were recorded in Scotland during 2022-23.
The information provided below relates to cyber-crimes which have come to the attention of the police. It does not provide information on the characteristics of all cyber-crime committed in society, as not all of these crimes are reported to the police.
Defining cyber-crime is complex, with no agreed upon definition of the term. The main debate centres around the extent to which cyber technology needs to be involved for the crime to be termed 'cyber-crime'. For the purposes of recorded crime (as defined in the Scottish Crime Recording Standard), a broad definition of cyber-crime is adopted that includes crimes in which cyber technology is in any way involved. This ranges from crimes where a digital system, infrastructure or Information and Communication Technology (ICT) device is the target as well as the principal or sole method of attack, known as 'cyber-dependent' crimes (such as the spreading of computer viruses), to 'traditional' crimes where the internet has been used as a means to commit the crime, known as 'cyber-enabled' crimes (such as online fraud or sexual crime). Throughout this chapter, both 'cyber-dependent' and 'cyber-enabled' crimes are referred to collectively as 'cyber-crimes'.
The estimates provided in this chapter are based on a review of crime records, whereby a random sample of cases was drawn across Scotland for those types of crime that could in theory involve a cyber-element. The review considered which proportion, by crime type, actually were cyber-crimes in 2022-23.
As this analysis is based on a sample of police records (rather than all police records), it should be seen as providing a broad estimate of the volume and type of cyber-crime recorded in Scotland, rather than an exact count. Following previous reviews of crime records, we have assumed that all crimes under the Computer Misuse Act 1990 (within the Damage and reckless behaviour crime group) were cyber-crimes.
Estimated volume of cyber-crimes
In 2022-23, an estimated 14,890 cyber-crimes were recorded by the police in Scotland. This is similar to the estimated volume recorded for both 2020-21 and 2021-22 (14,860 and 14,280 respectively), but remains significantly above the pre-pandemic year of 2019-20 (with 7,710 cyber-crimes). Part of the increase seen in reported cyber-crimes may be due to the significant impact of the COVID-19 pandemic and government instructions to limit social contact. However the lifting of restrictions has not been accompanied by a reduction in the estimated volume of police recorded cyber-crime in 2022-23.
A procedural change to the recording of international crime made in April 2020 has also likely led to some additional cases, but relatively few when compared to the overall increase. This is discussed further in the 2020-21 Recorded Crime in Scotland bulletin.
We estimate that at least 5% of crimes recorded by the police in Scotland in 2022-23 were cyber-crimes. This includes an estimated 26% of Sexual crimes, 8% of Crimes of dishonesty, 3% of Non-sexual crimes of violence and less than 1% of Damage and reckless behaviour.
It is important to note that whilst the sample of crime records reviewed for this analysis was designed to capture the main types of crime that could involve a cyber-element, this may not have included every relevant type of crime. As such, these figures should be taken as estimates. Going forward statisticians will continue to keep the types of crime reviewed for this chapter under consideration, to ensure any additional types (beyond those discussed below) that may involve a cyber-element are included.
Table A12 in the 'Supporting documents' Excel workbook provides estimates of the number of cyber-crimes split by crime type from 2019-20 to 2022-23.
Cyber-crimes within Non-sexual crimes of violence
This analysis looked specifically at crimes of (i) Threats and extortion (ii) those recorded under the Domestic Abuse (Scotland) Act 2018 and (iii) Stalking.
In 2022-23, an estimated 1,830 crimes of Threats and extortion were cyber-crimes, an increase of 45% from the estimated 1,260 recorded in 2021-22 and a five-fold increase from the estimated 290 recorded in 2019-20. In the latest year, 91% of recorded Threats and extortion were cyber-crimes. Most of these cases relate to 'sextortion', most commonly where the perpetrator threatens to reveal evidence of the victim's online sexual activity unless they receive some form of monetary payment.
As part of the analysis we looked at the confirmed and suspected location of the perpetrators of cyber-crimes. This analysis was based on the information recorded at the point which the cases were reviewed. Amongst the cases we sampled, for Threats and extortion the location of perpetrators was confirmed or suspected to be outside Scotland in almost two-thirds of cyber-crimes (64%) and unknown for a further 1 in 3 cyber-crimes (34%).
Table A14 in the 'Supporting documents' Excel workbook provides estimates of the location of perpetrators of cyber-crimes in 2022-23.
Crimes recorded under the Domestic Abuse (Scotland) Act 2018 and Stalking are course of conduct type offences. Within this research, any crime that occurred wholly online, or included a mix of in-person and online activity as part of the course of conduct, has been classified as a cyber-crime. In 2022-23, an estimated 290 crimes under the Domestic Abuse (Scotland) Act 2018 and 270 crimes of Stalking were cyber-crimes. This represented an estimated 16% of crimes recorded under the Domestic Abuse (Scotland) Act 2018 and a third (33%) of crimes of Stalking.
Cyber-crime within Sexual crimes
This analysis looked specifically at those types of sexual crimes that could have a cyber-element. For example, crimes of Communicating indecently, Cause to view sexual activity or images, Indecent photos of children, Disclosing or threatening to disclose intimate images and Voyeurism.
In 2022-23, an estimated 3,830 Sexual crimes (26%) recorded by the police were cyber-crimes, compared to 4,210 in 2021-22. The estimated volume of Sexual crimes that were cyber-crimes has gradually increased over the longer term from 1,100 in 2013-14. Part of the increase after 2017-18 will likely relate to new crimes of Disclosing or threatening to disclose intimate images being recorded under the Abusive Behaviour and Sexual Harm (Scotland) Act 2016, which was implemented on 3 July 2017. However, the clear majority of this increase will be due to other factors.
The analysis also suggests an estimated 2,060 Sexual crimes recorded in 2022-23 were both cyber-crimes and had a victim under the age of 18.
We found that, for around two-thirds (64%) of the records examined perpetrators of Sexual crimes which were cyber-crimes were either confirmed or suspected to be located in Scotland. The location of perpetrators was unknown in a further fifth (22%) of records.
Cyber-crime within Crimes of dishonesty
This analysis predominately covers the crimes of Fraud, as well as Proceeds of crime.
Fraud includes a wide range of criminal activity such as bank card fraud, failure to pay for goods and services (either online or in person such as taxi fares and meals at restaurants), fraudulent sales, bogus workmen, phishing, banking scams etc.
In 2022-23, around half (51%) or 8,520 recorded frauds were estimated to have been cyber-crimes. This is similar to the estimated 8,010 cyber frauds recorded in 2021-22, but has more than doubled from the estimated 3,450 recorded in 2019-20.
Table A13 in the 'Supporting documents' Excel workbook provides estimates of volumes and proportions of Cyber Fraud from 2018-19 to 2022-23.
We found that for just over a third (37%) of the records we examined, the location of perpetrators of Fraud cyber-crimes was unknown. A further third (32%) of records had perpetrators who were either suspected or confirmed to be located outside of Scotland and a third (31%) were suspected or confirmed to be located in Scotland.
In 2022-23 an estimated 120 cases of Proceeds of crime were cyber-crimes (representing around 7 out of 10, or 70%, of all recorded cases).
Cyber-crime within Damage and reckless behaviour
As a result of analysis undertaken in previous years and the nature of the crime recorded, we have assumed that all 30 crimes recorded under the Computer Misuse Act 1990 (causing damage) were cyber-crimes.
There is a problem
Thanks for your feedback