Recorded Crime in Scotland, 2023-24

Police recorded cyber-crime in Scotland

This chapter presents an estimate of how many cyber-crimes were recorded in Scotland during 2023-24.

The information provided below relates to cyber-crimes which have come to the attention of the police. It does not provide information on the characteristics of all cyber-crime committed in society, as not all of these crimes are reported to the police.

Background

Defining cyber-crime is complex, with no agreed upon definition of the term. The main debate centres around the extent to which cyber technology needs to be involved for the crime to be termed ‘cyber-crime’. For the purposes of recorded crime (as defined in the Scottish Crime Recording Standard), a broad definition of cyber-crime is adopted that includes crimes in which cyber technology is in any way involved. This ranges from crimes where a digital system, infrastructure or Information and Communication Technology (ICT) device is the target as well as the principal or sole method of attack, known as ‘cyber-dependent’ crimes (such as the spreading of computer viruses), to ‘traditional’ crimes where the internet has been used as a means to commit the crime, known as ‘cyber-enabled’ crimes (such as online fraud or sexual crime). Throughout this chapter, both ‘cyber-dependent’ and ‘cyber-enabled’ crimes are referred to collectively as ‘cyber-crimes’.

The estimates provided in this chapter are based on a review of crime records, whereby a random sample of cases was drawn across Scotland for those types of crime that could in theory involve a cyber-element. The review considered which proportion, by crime type, actually were cyber-crimes in 2023-24.

As this analysis is based on a sample of police records (rather than all police records), it should be seen as providing a broad estimate of the volume and type of cyber-crime recorded in Scotland, rather than an exact count. Following previous reviews of crime records, we have assumed that all crimes under the Computer Misuse Act 1990 (within the Damage and reckless behaviour crime group) were cyber-crimes.

Estimated volume of cyber-crimes

In 2023-24, an estimated 16,910 cyber-crimes were recorded by the police in Scotland. This was an increase of around 2,000 crimes (or 14%) when compared to the estimated volume for 2022-23 (14,890). Levels also remain significantly above the pre-pandemic year of 2019-20 (with 7,710 cyber-crimes). Part of the increase seen in reported cyber-crimes may be due to the significant impact of the COVID-19 pandemic and government instructions to limit social contact. However, the lifting of restrictions has not been accompanied by a reduction in the estimated volume of police recorded cyber-crime since 2022-23. A procedural change to the recording of international crime made in April 2020 has also likely led to some additional cases, but relatively few when compared to the overall increase. This is discussed further in the 2020-21 Recorded Crime in Scotland bulletin.

We estimate that at least 6% of crimes recorded by the police in Scotland in 2023-24 were cyber-crimes. This includes an estimated 30% of Sexual crimes, 9% of Crimes of dishonesty, 4% of Non-sexual crimes of violence and less than 1% of Damage and reckless behaviour.

It is important to note that whilst the sample of crime records reviewed for this analysis was designed to capture the main types of crime that could involve a cyber-element, this may not have included every relevant type of crime. As such, these figures should be taken as estimates. Going forward statisticians will continue to keep the types of crime reviewed for this chapter under consideration, to ensure any additional types (beyond those discussed below) that may involve a cyber-element are included. One new crime and offence code has been introduced this year to reflect the passing of new legislation (Online Safety Act 2023), however the number of incidents recorded in 2023-24 for the new code is negligible.

Table A12 in the 'Supporting documents' Excel workbook provides estimates of the number of cyber-crimes split by crime type from 2019-20 to 2023-24.

Cyber-crimes within Non-sexual crimes of violence

This analysis looked specifically at crimes of (i) Threats and extortion (ii) those recorded under the Domestic Abuse (Scotland) Act 2018 and (iii) Stalking.

In 2023-24, an estimated 2,080 crimes of Threats and extortion were cyber-crimes, an increase of 14% from the estimated 1,830 recorded in 2022-23 and a six-fold increase from the estimated 290 recorded in 2019-20. In the latest year, 86% of recorded Threats and extortion were cyber-crimes. Most of these cases relate to ‘sextortion’, most commonly where the perpetrator threatens to reveal evidence of the victim’s online sexual activity unless they receive some form of monetary payment.

As part of the analysis, we looked at the confirmed and suspected location of the perpetrators of cyber-crimes. This analysis was based on the information recorded at the point which the cases were reviewed. Amongst the cases we sampled, for Threats and extortion the location of perpetrators was confirmed or suspected to be outside Scotland in more than half of cyber-crimes (56%) and unknown for more than a third (37%).

Table A14 in the 'Supporting documents' Excel workbook provides estimates of the location of perpetrators of cyber-crimes in 2023-24.

Crimes recorded under the Domestic Abuse (Scotland) Act 2018 and Stalking are course of conduct type offences. Within this research, any crime that occurred wholly online, or included a mix of in-person and online activity as part of the course of conduct, has been classified as a cyber-crime. In 2023-24, an estimated 230 crimes under the Domestic Abuse (Scotland) Act 2018 and 320 crimes of Stalking were cyber-crimes. This represented an estimated 11% of crimes recorded under the Domestic Abuse (Scotland) Act 2018 and just over a third (36%) of crimes of Stalking.

Cyber-crime within Sexual crimes

This analysis looked specifically at those types of sexual crimes that could have a cyber-element. For example, crimes of Communicating indecently, Cause to view sexual activity or images, Indecent photos of children, Disclosing or threatening to disclose intimate images and Voyeurism.

In 2023-24, an estimated 4,320 Sexual crimes (30%) recorded by the police were cyber-crimes, compared to 3,830 in 2022-23. The estimated volume of Sexual crimes that were cyber-crimes has gradually increased over the longer term from 1,100 in 2013-14^[5]. Part of the increase after 2017-18 will likely relate to new crimes of Disclosing or threatening to disclose intimate images being recorded under the Abusive Behaviour and Sexual Harm (Scotland) Act 2016, which was implemented on 3 July 2017. However, the clear majority of this increase will be due to other factors.

The analysis also suggests an estimated 1,710 Sexual crimes recorded in 2023-24 were both cyber-crimes and had a victim under the age of 18.

We found that, for around three-fifths (60%) of the records examined perpetrators of Sexual crimes which were cyber-crimes were either confirmed or suspected to be located in Scotland. The location of perpetrators was unknown in a further fifth (21%) of records.

Cyber-crime within Crimes of dishonesty

This analysis predominately covers the crimes of Fraud, as well as Proceeds of crime.

Fraud includes a wide range of criminal activity such as bank card fraud, failure to pay for goods and services (either online or in person such as taxi fares and meals at restaurants), fraudulent sales, bogus workmen, phishing, banking scams etc.

In 2023-24, more than half (59%) or 9,890 recorded frauds were estimated to have been cyber-crimes. This is an increase of 16% when compared to the estimated 8,520 cyber frauds recorded in 2022-23 and is almost three times the estimated 3,450 recorded in 2019-20.

Table A13 in the 'Supporting documents' Excel workbook provides estimates of volumes and proportions of Cyber Fraud from 2018-19 to 2023-24.

We found that for around half (49%) of the records we examined, the location of perpetrators of Fraud cyber-crimes was unknown. A further two in five (40%) of records had perpetrators who were either suspected or confirmed to be located outside of Scotland and around one in ten (11%) were suspected or confirmed to be located in Scotland.

In 2023-24 an estimated 40 cases of Proceeds of crime were cyber-crimes (representing around a quarter, or 24%, of all recorded cases).

Cyber-crime within Damage and reckless behaviour

As a result of analysis undertaken in previous years and the nature of the crime recorded, we have assumed that all 30 crimes recorded under the Computer Misuse Act 1990 (causing damage) were cyber-crimes.