This module is a resource for lecturers

Cybercrime trends

Regional and international law enforcement agencies (e.g., Europol and INTERPOL), and regional organizations (e.g., the African Union and Organization of American States) publish information about cybercrime and cybersecurity trends. Cybercrime trends can also be identified from annual reports on and/or data analysed from various official crime measurement tools and victimization surveys: for example, the National Incident-Based Reporting System (e.g., the United States); General Social Survey (Canada); Crime Survey for England and Wales (England and Wales). These crime measurement tools and victimization surveys vary based on the types of cybercrime data collected and analysed, and the methods used in collecting and analysing data.

Did you know?

The African Union, the United States, and Symantec are part of the Global Forum for Cybersecurity Expertise (GFCE) Initiative, which published its first cybercrime and cybersecurity trends report in 2017.

Find out more.

Other agencies also publish reports on cybercrime and cybersecurity trends, for example, see Europol, Trends and Routes.

Cybersecurity businesses and other private organizations that focus on security, business risk and and/or threat analysis around the world publish cybercrime and/or cybersecurity trend reports based on historical cybersecurity incidents, and their types, frequency and impact. For example, in 2018, ransomware was identified as a cybercrime trend by TrendMicro (TrendMicro, 2018). With this form of cybercrime, computer systems are infected with malicious code ( malware) and the data within them are made unavailable and inaccessible to owners and/or legitimate users until a fee is paid to the cybercriminal. While ransomware attacks are not new, the number, frequency, intensity, and reach of these attacks has increased. Perpetrators of this type of cybercrime initially targeted individuals and requested small sums of money, then began to target businesses, companies, and organizations, and ultimately, others in the private and public sectors that provide critical services (e.g., hospitals). An example of the latter is the 2017 WannaCry ransomware attack that affected approximately 150 countries (Reuters, 2017), including more than 80 NHS [(National Health Service)] "organisations in England alone, resulting in almost 20,000 cancelled appointments, 600 GP surgeries having to return to pen and paper, and five hospitals simply diverting ambulances, unable to handle any more emergency cases" (Hern, 2017). Europol's 2017 Internet Organised Crime Threat Assessment also identified ransomware as a cybercrime trend.


The reliability of the data used to identify trends also varies by agency and organization. A conflict of interest may exist in the reporting on trends if companies sell cybersecurity products that could be used by the public to protect against the cybercrimes identified as trends.

With the advent of new technologies (e.g., Internet of things, drones, robots, self-driving cars), new cybercrime trends will be identified. What is more, as the 2017 Internet Organised Crime Threat Assessment by Europol revealed, law enforcement and security measures impact cybercrime and the tactics, tools and targets of cybercriminals. These measures, therefore, will also influence and impact future cybercrime trends.

Technical Challenges

There are several technical reasons that make fighting cybercrime difficult. The first is attribution (for further information, see Cybercrime Module 5 on Cybercrime Investigation). Any computer that is connected to the Internet can communicate with any other computer connected to the Internet. Normally, we can see a computer's public IP address (Cisco, 2016) when that computer connects to our computer. The IP address is a generally globally-unique number that lets us identify which country and Internet service provider the computer is connecting from. The problem is that there are many ways for an attacker to hide their IP address, or even pretend to be connecting from a different IP address. What is more, criminals can use a variety of tools to evade detection by law enforcement agencies and obscure access and hide darknet sites (for more information about these tools and the darknet, see Cybercrime Module 5 on Cybercrime Investigation).

The second technical issue deals with software. Computer programmes are software. The apps on your phone or tablet are software. The services you connect to on the Internet, like a website, is also software. Very often software has vulnerabilities (Securelist, 2018). A vulnerability could be a problem in a programme or a misconfiguration that allows an attacker to do something they should not be able to do (like downloading customer credit card information).

Software companies may not easily detect vulnerabilities, especially those involving large software projects that change often. Sometimes attackers find a vulnerability before the company that makes the software (i.e., a zero-day vulnerability; for more information, see Zetter, 2014). According to Bilge and Dumitras (2012), "while the vulnerability remains unknown, the software affected cannot be patched and anti-virus products cannot detect the attack through signature-based scanning" (p. 1). The company becomes aware of this type of vulnerability when it is exploited by cybercriminals to attack the confidentiality, integrity or availability of software, and users of the software.

In 2017, Equifax - a US credit reporting service - lost "sensitive personal data" on 143 million Americans because of a software vulnerability (Timberg, et al., 2017). This vulnerability was exploited for three months, until it was fixed. Vulnerabilities leading to data loss are relatively common, even for major organizations because it is difficult to properly create, configure and secure digital systems (these difficulties are explored in Cybercrime Module 9 on Cybersecurity and Cybercrime Prevention: Practical Applications and Measures).

Another technical challenge is virtualized information technology infrastructure (e.g., cloud). When an organization's infrastructure is moved into a cloud, it implies that

  • The company shifts part of the cybersecurity responsibility to the cloud provider (e.g., physical system security, data centre security);
  • When breaches happen, the company has to work with the cloud provider to investigate the incidents, which may further lead to technical and legal challenges (legal challenges of cloud data are explored in greater detail in Cybercrime Module 7 on International Cooperation against Cybercrime).

Legal Challenges

Cybercrime is a transnational crime and perpetrators and victims can be located anywhere in the world with an Internet connection. Because of this, cybercrime investigators often require access to and the sharing of data across borders. This can be accomplished if the data sought is retained by service providers and existing measures are in place that enable law enforcement agencies to access data. The main legal challenges to investigating cybercrime and prosecuting cybercriminals are: the different legal systems between countries; variations in national cybercrime laws; differences in the rules of evidence and criminal procedure (e.g., the process by which law enforcement authorities can access digital evidence; for example, with or without a legal order, such as a search warrant); variations in the scope and geographic applicability of regional and multilateral cybercrime treaties; and differences in approaches to data protection and respect for human rights. These legal challenges are explored in greater detail in Cybercrime Module 3 on Legal Frameworks and Human Rights and Cybercrime Module 10 on Privacy and Data Protection.

Ethical Challenges

Law enforcement agencies (discussed in Cybercrime Module 5 on Cybercrime Investigations) should legally and ethically investigate crime (and cybercrime) handle, analyse, and interpret evidence (see Cybercrime Module 6 on Practical Aspects of Cybercrime Investigations and Digital Forensics). Beyond law enforcement, ethical challenges arise in individuals, groups, companies, organizations, and governments' use of information and communication technology (ICT). For example, ethical conduct using ICT involves refraining from harming others, systems, and data, and respecting the rule of law and human rights (for more information on the importance of integrity and ethics, please see also the Module Series on Integrity and Ethics). The Cambridge Analytica revelations brought home the lesson that attention needed to be paid to ethical issues involving data collection and use on social media platforms. Specifically, the media revealed that the data firm Cambridge Analytica

paid to acquire Facebook users' personal information through an outside researcher, Aleksandr Kogan, who created a data-harvesting personality quiz app that told users (in fine print) that it was collecting the information for academic purposes - a claim Facebook did not verify and was not true. Although only 305,000 people participated in the quiz and consented to having their data harvested, their friends also had their profiles scraped, bringing the estimated number of those affected to 87 million (AMA, 2018).

The Cambridge Analytica incident revealed unethical behaviour on the part of those responsible for the copious amounts of data harvested on individuals and used in a manner unanticipated by users who agreed to provide (some) information and in unauthorized ways for those who never consented to have any of their information collected and used in the first place. Even if what Cambridge Analytica and others involved did is not considered illegal, their actions are unethical (for information about differences and relationship between ethics and law, please see Module 12 on Integrity, Ethics and Law of the Module Series on Integrity and Ethics).

Operational Challenges

One key operational challenge with cybercrime investigations is related to cooperation with other countries. International cooperation on cybercrime investigations require harmonized laws between cooperating countries (for additional information, please see Module 11 of the UNODC Teaching Module Series on Organized Crime).Tools such as mutual legal assistance treaties (i.e., agreements whereby parties agree to cooperate in investigations and prosecutions of offences criminalized under their national laws; Garcia & Doyle 2010; Maras, 2016) can be used to make formal requests for assistance from one country to another. However, requests for international support can take a long time, and may not produce usable results, such as preventing the crime or producing evidence for use in court. Operational challenges are explored in further detail in Cybercrime Module 7 on International Cooperation against Cybercrime. Operational challenges are also present due to the deficit in national capacity (especially from a developing country perspective) to deal with cybercrime (see Cybercrime Module 5 on Cybercrime Investigation, Cybercrime Module 7 on International Cooperation against Cybercrime, and Module 8 on Cybersecurity and Cybercrime Prevention: Strategies, Policies and Programmes).

Next: Cybercrime prevention
Back to top