Cybercrime as a Public Health Crisis

The impact of fraud on a victim's health and well-being can be more painful than the financial loss.

If you've ever been defrauded, you may have found it hard to deal with. I know I did, not just financially, but also emotionally and psychologically. For weeks and months, even years after the event, I would find myself wrestling with a whole range of unpleasant emotions and dark thoughts. These lingered once I recovered the bulk of the money and saw the perpetrator sent to prison.

Even before cybercrime was a word, criminologists were aware that the impact of fraud on a victim's health and well-being could be more painful to them than the financial losses they suffered. Today, some researchers are working to quantify this "non-financial impact," and they're finding that it may be even greater for online or digitally enabled scams and cons, a form of criminal activity hitting crisis levels.

While "crisis level" sounds alarmist, folks in the counter-cybercrime community with whom I've spoken recently — from law enforcement to cybersecurity pros to victim support groups — say "crisis" is an apt term for the current situation. The general public tends to agree. A recent study of Americans aged 18 and older by the American Association of Retired Persons (AARP) concluded, "Scams — and seemingly constant scam attempts by phone, email and text — have grown so pervasive, two-thirds of Americans say they're at a crisis level."

I am aware, and have written about, the fact that efforts to measure the scale and scope of crime don't have a great track record. However, I think this chart of the annual reports of financial losses reported to the FBI's Internet Crime and Complaint Center is a fair representation of the general trend.

Internet crime losses reported to IC3/FBI, 2001 to 2022 (in US$)
Source: The author, from public domain sources

Note that annual losses broke through the $1 billion mark in 2015 and soared past $10 billion in 2022. That's bad enough in itself, but there's reason to believe the value of the impact of these crimes on victim health and well-being could be more than four times that amount.

Research carried out in the UK in 2021 used the social science concept of "subjective well-being" to calculate a "life satisfaction" cost for being victimized by scammers and fraudsters. It came to £2,509 ($3,200) per year, per victim for fraud in general. If the fraud was online, this rose to £3,684 ($4,650) per year.

The "Scams and Subjective Wellbeing" study by the UK Consumers Association known as Which? clearly established that being a scam victim is associated with significantly lower levels of life satisfaction, lower levels of happiness, and higher levels of anxiety. It is also associated with "people self-reporting worse general health."

The Which? findings were based on official statistics showing that the average monetary loss suffered by 4.5 million fraud victims in England and Wales in the financial year 2021–22 was £600. That adds up to £2.7 billion, less than one-quarter of the £11.3 billion hit to subjective well-being (based on the costs noted above and weighted for cyber and non-cyber cases). It is on this basis that I see merit in declaring cybercrime in general, and digitally enabled fraud in particular, a public health crisis, impacting millions of people in the US, the UK, and many other countries.

Clearly, we need more research, but it is important to know that the Which? findings are consistent with the pioneering 2015 study by Modic and Anderson. They convincingly demonstrated that "Internet fraud's emotional impact is a major component of victimization … participants consistently reported emotional impact as more severe than financial impact across all fraud types." Modic and Anderson also noted, "With the new cybercrimes, the pattern is much more like robbery, where only £109 is stolen but the additional costs include £483 for health services, £1,011 for lost output, and a whopping £3,048 for distress."

I would love to see more cybersecurity researchers exploring this aspect of cybercrime because the potential payoffs are huge. For example, the Which? research was used by lobbyists for increased corporate action to prevent fraud. The UK Parliament is now enacting a "failure to prevent fraud offence … to hold companies to account for fraud occurring on their systems and encourage better corporate behaviours."

And how about this: A metropolitan borough of about 300,000 people in England used research on the health impacts of fraud to successfully pitch for funding from the National Health Service to jump-start a regional anti-scam campaign. The team reckons that in the past 12 months it prevented £1 million from being stolen, with total savings of £9 million since the campaign began in late 2017. (The NHS Better Care Fund backs projects "to support people to live healthy, independent and dignified lives.")

In summary: Cybercrimes like phishing, fraud, and scams, hurt people in ways that have serious implications for public health policy. Targeted spending on cybercrime prevention and response can be justified as a public health measure. Reducing digitally enabled crimes against individuals should be part of every nation's population health management policy, strategy, and budget. Companies and third-sector entities should seek to fund, research, develop, and implement novel interdisciplinary approaches to reducing cybercrime and alleviating its harm to victims, both financial and non-financial.

Editors' Choice
Evan Schuman, Contributing Writer, Dark Reading
Tara Seals, Managing Editor, News, Dark Reading
Jeffrey Schwartz, Contributing Writer, Dark Reading