News site Timeslive has painted a grim picture of online crime in South Africa.
“South Africa has the third highest number of cybercrime victims worldwide, losing about R2.2-billion a year in cyber attacks,” it said in a June 2018 article on digital security.
It attributed this to the South African Banking Risk Information Centre (Sabric), an organisation that fights organised crime in banking.
Is using the internet this risky in South Africa? And do online attacks cost the country billions a year?
Figures contained in a 2013 report
Sabric “has never made a public statement about South Africa having the third highest cybercrime victims in the world, or that cybercrime victims in South Africa are losing about R2.2 billion a year to cyber attacks,” spokesperson Louise Tordiffe told Africa Check.
She said the organisation did not have enough information on the number of victims, as many crimes were not reported.
The Timeslive story was based on a press release by public relations firm I Heart PR. The firm provided four news articles as the source of its numbers.
All circled back to Sabric but one, by BizConnect, attributed the numbers to a report by digital security company Norton.
Report from online survey of 500 South Africans
Jennifer Duffourg, who oversees Norton’s annual reports on cyber security, shared a presentation of the firm’s 2013 report.
The report said 73% of South Africans were victims of cybercrime in 2013, the third highest rate in the world after Russia (85%) and China (77%). It estimated the cost of cybercrime in South Africa at US$300 million, or about R2.9 billion at 2013 exchange rates.
The data was collected from an online survey of 13,022 adults aged 18 to 64 in 24 countries, from 4 July 2013 to 1 August 2013. In South Africa, 500 people who owned at least one mobile device were polled, Duffourg said.
Identifying cybercrime experiences
The survey asked people to identify if they had experienced different types of online crime. The examples they were given included:
Computer viruses or malicious software appeared on my computer.
I responded to a forged, “spoofed” or fake email or website which captured my personal details such as passwords, credit card numbers, or bank account information thinking it was a legitimate request in order to access information or provide information to a legitimate organisation, such as my bank, etc.
I experienced identity theft.
I experienced online credit card fraud.
An app appeared on my smartphone that I didn’t download.
My smartphone was lost or stolen and someone found it and used it without my permission.
‘The field is moving too fast’
Duffourg noted that “this data would now be considered out of date as the survey was carried out five years ago”.
She said Norton’s most recent survey was from 2016. It showed “overall, 67% of South Africans have experienced some form of online crime – compared to 48% globally”. It raised the annual cost of online crime to R35.2 billion.
But South Africa was not ranked that year as it was surveyed six months after other countries, she said.
Reinhardt Botha, a professor in technology at Nelson Mandela University (NMU), told Africa Check it would be impossible to tell if the ranking were reliable without knowing the full methods the researchers used.
How the people in the survey were chosen would be significant, he said. “If approaches were made in places where victims of cybercrime, or even people interested in cyber crime, hang out, there may be a selection bias. If not done properly respondents can be primed to provide answers in a certain direction.”
“What I do know that even if is was 100% accurate in 2013, five years later it will not be accurate anymore – the field is just moving too fast.”
South Africa’s ranking ‘looks like an urban legend’
Arthur Goldstuck, managing director of technology research company World Wide Worx, referred Africa Check to a 2018 report by Symantec.
This ranked South Africa first for email phishing in 2017 and eighth for spam. But the country does not feature in the top 20 for overall cybercrime. (Note: While Symantec owns Norton, the 2018 report does not poll users directly and relies on data gathered remotely, Duffourg said.)
“Some [reports] cite the Federal Bureau of Investigation, but don’t offer a credible source, and also differ on the ranking,” Goldstuck said. “Ultimately, our third-placed ranking looks like an urban legend, which has been quoted often enough for people to assume it to be fact.”
What of the billions of rands in losses?
Sabric spokesperson Tordiffe said the R2.2-billion a year figure “was a misquote that occurred some years ago, and keeps being re-used”.
“Regrettably, once information is on the internet, it is there permanently, and Sabric has no control over this.”
Botha, the director of NMU’s Centre for Research in Information and Cyber Security, said that while the amount does not seem “completely out of the way”, it “is notoriously difficult to estimate … as disclosure of losses is not always made”.
“What is a fact is that cyber crime is growing and that we indeed need greater precautions.”
Conclusion: No reliable data on South Africa’s global cybercrime ranking or cost
A news site claimed South Africa had the third highest number of cybercrime victims worldwide and lost about R2.2 billion a year in cyber attacks.
The global ranking was traced to a report by digital security firm Norton which surveyed 24 countries. The R2.2 billion figure comes from an incorrect quote made years ago and repeated online.
As the money lost is not always disclosed, it’s difficult to know how much cybercrime costs South Africa.
While we rate this claim as unproven, analysts say the cost of online crime in the country is likely much higher.