Why Isn’t Cybercrime Worse?

Bank robbers have a clear motivation for their crimes: money. It’s there for the taking; all you have to do is get to it. But there are a lot of inherent risks involved with robbing banks, and, as a new study shows, not a great deal of return. And yet people keep robbing banks. In cybercrime, the motivation is the same, the rewards are huge and the risk of being caught is far lower. So the question is, why isn’t cybercrime worse?

Bank robbers have a clear motivation for their crimes: money. It’s there for the taking; all you have to do is get to it. But there are a lot of inherent risks involved with robbing banks, and, as a new study shows, not a great deal of return. And yet people keep robbing banks. In cybercrime, the motivation is the same, the rewards are huge and the risk of being caught is far lower. So the question is, why isn’t cybercrime worse?

If you look at the relative difficulty of the crime, it’s unclear why anyone bothers to rob banks at all anymore. The security countermeasures deployed by banks today make life extremely difficult for the would-be bandit. Mantraps, motion sensors, time locks, silent alarms, custom-designed safes and armed guards present the attacker with a daunting set of obstacles. Getting to the money is not easy, and if you’re able to do that, it turns out that the haul from your misdeed is likely to be rather disappointing. A study published in a statistical journal this month shows that bank robbers in the U.K. pulled in the equivalent of about $19,800 per job. 

“A single bank raid, even a successful one, is not going to keep our would-be robber in a life of luxury. It is not going to keep him long in a life of any kind. Given that the average UK wage for those in full-time employment is around £26 000, it will give him a modest lifestyle for no more than 6 months,” the authors of the study, Barry Reilly, Neil Rickman and Robert Witt, wrote in their analysis in the journal Significance

So the returns on a bank robbery are relatively low, while the obstacles and potential for getting caught are relatively high. This likely helps explain why there are a small number of robberies and attempted robberies each year–just 106 in 2007 of the 10,500 bank branches in the U.K., as the authors note. It just doesn’t make economic sense to rob a bank.

“The interesting question, at least to me, is why anyone is a bank robber. Why do people do things that, by any rational economic analysis, are irrational?” Bruce Schneier wrote in a blog post on the study.

“The answer is that people are terrible at figuring this sort of stuff out. They’re terrible at estimating the probability that any of their endeavors will succeed, and they’re terrible at estimating what their reward will be if they do succeed.”

Cybercrime, on the other hand, offers the aspiring criminal the ideal combination of low risk and potentially very high reward. Reliable numbers of the amount of money lost to cybercrime each year are notoriously difficult to produce, thanks to the low rate of reporting and other factors, but global estimates are in the tens of billions of dollars. So the rewards for online criminals are potentially enormous, making it an attractive crime from an economic perspective. That takes care of motive.

For the budding cybercriminal, the next step is to develop the means to commit the crime. This used to be a difficult task. When attack tools, malware and vulnerability data were passed around among a small group in the hacking underground, regular citizens had no good way of accessing them. If you didn’t know someone, you likely were out of luck. Now, however, a few minutes of Googling is all that’s needed to find whatever tools you’re looking for. You can buy remote-access Trojans, rootkits, exploit kits, custom malware, botnets and whatever else your little black heart desires. Many of these tools are point-and-click and require little in the way of technical knowledge to use. 

All that leaves is opportunity, and if motive and means are easy to find, opportunity is hitting you square in the face. A bank robber needs to scout locations, look for escape routes and have a backup plan in case things go south. A cybercriminal simply needs to decide who to attack first. Take phishing as an online analog to bank robbery. Attackers can rent botnets cheaply to send the phishing emails, register dozens of domains for a few dollars and buy templates for their fake sites. The only decision is which bank to go after first.

The one missing piece here is the risk of being caught. For cybercriminals, this risk is vanishingly small. When a botnet operator, large-scale carded or successful phisher is caught, it’s major news. These successes for law enforcement are rare relative to the volume of cybercrime.

So, given the ease of getting into the game, the low risk of detection and the huge upside in terms of financial return, why isn’t cybercrime worse?

One answer is likely that people in general are good and don’t resort to crime if they have other options. Another answer might be that some potential cybercriminals aren’t aware of how easy and profitable this kind of crime is. They just haven’t been exposed to information about it, don’t know that the tools are readily available and haven’t had the chance to get involved. There are likely lots of other answers out there, but it will be interesting to note as time goes on whether cybercrime rates continue to increase as tools and techniques become even more widespread or whether law enforcement will begin to turn the tide with stricter statutes and harsher penalties for the bad guys.

For now, at least, the smart money is on the criminals.

Suggested articles


  • Anonymous on

    So basically you are telling any potential criminals reading this article how easy it is.

  • Anonymous on

    We need some type of DNA footprint for cybercrime, like human DNA.

  • Anonymous on

    Well, if they read your blog or hear about it, I'm sure they do know now how easy it is!


  • AK on

    One more possible reason -for your question in the last paragraph- is that, at a certain stage of the cybercrime, the criminal will need to switch from cyberworld to the real physical world (usually this is one of the final stages, where the criminal get the actual benefit), especailly if the goal behind the crime is financial. At that stage, the cybercriminal is no longer "cyber", and he/she can be caught using traditional methods.

  • AB on

    People with the skills to be able to commit cybercrime are able to make a nice living and have something to lose. Many criminals have few skills, few options, and out of desperation commit petty crime. If you have the skills and the criminal mindset - there's always politics or wall street

  • Allan Friedman on

    Dennis - Interesting piece, but I think there are a few things you overlook. Large estimates of loss don't equal huge gains for most actors. This is true in much of crime: whether you count direct losses (a stolen camera doesn't net the replacement cost for the thief due to all kinds of friction) and indirect losses (harms to community from drug violence > value of local drug trade). Reports of convicted cybercriminals (an admitted sample bias, since thay got caught) reveal profits on the hundreds-of-thousands of dollars level, which is hardly lucrative for skilled security experts. 

    Second, you have to look at cybercrime in an evolutionary context, with defenders and attackers iteratively  playing and adapting. Much of the costs of current crime is borne by financial institutions, who treat fraud as a cost of business. If crime grew dramatically, the incentive to invest in a range of defenses would increase. 

    I'd be happy to chat more about the economics of cybercrime more offline--it's a fascinating and rapidly growing area of research.

  • Anonymous on

    If you grew up in a world where guns are common, but you have never really been exposed to computers, which do you think would seems simpler, robbing a bank or cybercrime?

    Its probably about demographics, some people don't have the opportunities required to consider cybercrime. You will probably also finr that the vast majority of cyber crime is petty, as you don't have to be very clever to get into that game. The limited size of the crime also helps not get caught. If you are too far down the list few resources will be spent trying to catch you.

  • Agarax on

    The answer is quite simple.  That hard part of computer crime is turning virtual loot into phsyical loot (you need to fence the comrpomised accounts, launder the money, ect).  Robbing a bank or a liquor store results in a large pile of cash that is easier to spend and harder to track.

  • Anonymous on

    One thing you can take to the bank:  Criminals of all sorts are lazy, both mentally and physically.  If you have to learn something to do it, you do something else.

  • Anonymous on

    cyber crime attracting teenagers towards it well there are many reason for it mainly they need a good lifestyle that everyone wants

    goverment should try to do something that they are not motivated to this wrong field

    only caughting them is not the solution

  • NordenNoob on

    I love "caughting"people.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.