THE cybercrime surveys we have examined exhibit exactly this pattern of enormous, unverified outliers dominating the data. In some, 90 percent of the estimate appears to come from the answers of one or two individuals. In a 2006 survey of identity theft by the Federal Trade Commission, two respondents gave answers that would have added $37 billion to the estimate, dwarfing that of all other respondents combined.

This is not simply a failure to achieve perfection or a matter of a few percentage points; it is the rule, rather than the exception. Among dozens of surveys, from security vendors, industry analysts and government agencies, we have not found one that appears free of this upward bias. As a result, we have very little idea of the size of cybercrime losses.

A cybercrime where profits are slim and competition is ruthless also offers simple explanations of facts that are otherwise puzzling. Credentials and stolen credit-card numbers are offered for sale at pennies on the dollar for the simple reason that they are hard to monetize. Cybercrime billionaires are hard to locate because there aren’t any. Few people know anyone who has lost substantial money because victims are far rarer than the exaggerated estimates would imply.

Of course, this is not a zero-sum game: the difficulty of getting rich for bad guys doesn’t imply that the consequences are small for good guys. Profit estimates may be enormously exaggerated, but it would be a mistake not to consider cybercrime a serious problem.

Those who’ve had their computers infected with malware or had their e-mail passwords stolen know that cleaning up the mess dwarfs any benefit received by hackers. Many measures that tax the overall population, from baroque password policies to pop-up warnings to “prove you are human” tests, wouldn’t be necessary if cybercriminals weren’t constantly abusing the system.

Still, that doesn’t mean exaggerated loss estimates should be acceptable. Rather, there needs to be a new focus on how consumers and policy makers assess the problem.

The harm experienced by users rather than the (much smaller) gain achieved by hackers is the true measure of the cybercrime problem. Surveys that perpetuate the myth that cybercrime makes for easy money are harmful because they encourage hopeful, if misinformed, new entrants, who generate more harm for users than profit for themselves.