Less than 5% of Cybercrime reported

pah

Less than 1 in 20 instances of cyber crime reported to Gardaí.

Why the low figures I wonder? The low reporting does not seem restricted to Ireland. I imagine GDPR will have some effect on these figures this year. If companies and businesses are reporting breaches they will surely follow up with an official report to Gardaí also.

https://www.irishtimes.com/news/crime-and-law/less-than-5-of-cyber-crime-reported-to-garda%C3%AD-1.3353433

LoLth

depends on what they consider a reportable cybercrime. would you go to the guards to report a credit card transaction that had to be refunded by your credit card company because the seller never sent the items bought? do you report spearphishing attempts? do you report fake websites when you find them? what about ads for obviously illegal goods and services?

There is also the possibility of course that crimes are being reported (like recognised stolen goods being sold online) but the Garda that it is reported to does not see it as a cybercrime or something he can do anything about because its online.

Not sure how much of these will fall under the GDPR umbrella so I don't know what difference it will make as that is more for data management rather than actual crimes.

pah

I've only skimmed the surface of GDPR but my main take away was the obligation to report a data breach within 72 hours. I know it's not something happening everyday but for compliance purposes I can see it being reported to Gardaí also if it happens.

In terms of what should be reported - Credit card refunds and even EFT where a seller does not send the goods are already reported as the banks fraud team will often insist on it when they are investigating the case. Is this reported or classified as cybercrime? I don't know but I think it should be as it is a cyber-enabled crime given that advertising and transfer of money would have taken place online.

I attended the cyber fraud seminar mentioned in the article above and the importance of reporting crime was emphasised by the Gardaí. Let's say for instance you are subjected to a spear phishing attack and your staff almost fell foul to an invoice redirect scam where a "contractor" that bills you tries to change the payment account from AIB to BOI. There's a phone call, a follow up email - even confirmation from a 3rd party stakeholder that it's all legit but something doesn't add up and you figure out what's going on.

The company, the board, IT will all be happy that this was caught in time and take steps to address it - notify suppliers, contractors etc, move on with a lesson well learned. If it's not reported then the account the money was supposed to be redirected to is still live and still being used as part of the criminals campaign allowing some other business to fall foul of these guys. Reporting the incident can and has allowed the Gardaí to freeze accounts or set up sting operations and make arrests, build intelligence and profiles of threats and so on.

I think a lot of people, individuals and businesses feel there's no point reporting as the suspects are often in another country or are too difficult to identify. It can be hard to visualise a real person behind a virtual crime. If someone gets their bag dipped in the middle of the city centre where they've walked a few streets and been through a dozen stores the chances of getting it back or identifying a suspect are slim to none but that doesn't stop people reporting the crime anyway.

BaronVon

Most of it would be recorded as fraud, because essentially that's what it is. The cyber element is the means to effect the fraud. And the average Guard is going to know very little about how to record it properly, and to investigate it correctly.

Blowfish

pah wrote: »

I think a lot of people, individuals and businesses feel there's no point reporting as the suspects are often in another country or are too difficult to identify. It can be hard to visualise a real person behind a virtual crime. If someone gets their bag dipped in the middle of the city centre where they've walked a few streets and been through a dozen stores the chances of getting it back or identifying a suspect are slim to none but that doesn't stop people reporting the crime anyway.

Sure, it's a nice ideal, but in the real world, it's utterly pointless due to the sheer scale of it.

If we were to report every single spear phishing, vishing, spam mail etc attempt. we simply wouldn't ever get any actual work done. Likewise, if every company reported everything, the Gardaí simply wouldn't have the capacity to look at any of it.

Reporting where it's actually successful makes sense, for the rest, there's just no point.

janeparker

Awareness of cybercrime is pretty low among professional & corporate users. We should consider all safety rules.