Neowin reports cybercrime statistics could be vastly exaggerated, as most of this data originates from surveys of consumers and businesses, and not from any real, hard data.
Most of these statistics come from surveys of consumers and businesses, as opposed to any real, hard data. Literally, the data comes from asking a relatively small number of people about their experiences with cybercrime, then scaling whatever data they come up with to cover the entire population.
Not only is the data probably not representative of the whole population to begin with, but scaling the results up to fit the whole population causes the errors to get bigger and bigger. For instance, back in 2006 the FTC did a survey on identity theft. The answers of two people added $37 billion to the estimate – hardly representative of 'everyone.'
Basically, it's almost impossible to come up with accurate statistics when it comes to 'real' crime, let alone cybercrime. The fact that a lot of cybercrime victims don't even realize that they've been hacked doesn't do much to help the problem.