Bottom Line: The loss in stock value and trading volume for companies targeted by phishing scams proves that firms have plenty to lose from these high-tech attacks.
Among the different types of cybercrime, phishing poses a particularly nefarious risk to firms. Phishing is hard for firms to preempt: It’s an indirect threat, involving fraudsters who set up fake websites, send spam emails, or otherwise trick customers into forfeiting personal data they mistakenly believe they’re sharing with a trusted company. As a result, the true costs of such attacks—including the damage to firms’ reputations—have been difficult to pin down since they started in the mid-1990s.
Accordingly, the authors of a new study analyzed the impact of phishing on the market value and stock volatility of global firms. They tracked alerts released by anti-phishing watchdog organizations—either emails sent to customers of public companies or warnings about phony websites trying to dupe consumers—over a recent four-year period. In all, the authors tracked nearly 2,000 alerts involving 259 firms in 32 countries.
By calculating the fluctuations in stock price and trading volume that occurred in the two-day window after the publication of an alert, the authors provide compelling evidence that phishing significantly drives down affected companies’ market capitalization and makes investors far more leery about trading their stock. In fact, the authors found, each phishing alert led to a stock value drop of at least US$411 million. In some cases, they observed short-term losses of nearly $1 billion.
The volume of shares traded also dropped sharply, implying that investors become indecisive about the future prospects of firms targeted by phishing scams, taking a “wait-and-see” attitude with their shares. Investors, however, also appeared more ready to forgive U.S.-based companies; their stocks didn’t tumble or stagnate nearly as much as those of their foreign counterparts. Apparently, investors in the U.S. either are more used to hearing about phishing, and therefore don’t react as negatively, or trust in state and federal legislation to combat identity theft.
Still, investors have become less tolerant in recent years, the authors report, and as the seriousness of the threat has sunk in, so has the expectation that firms should be getting more sophisticated in their attempts to evade and counter phishing scams. The market reaction is also more negative when financial companies—frequent targets of phishing attacks—are involved.
“The loss of market capitalization of the order of several hundred million US dollars, as estimated in this research, should be a clarion call to firms to improve on their [phishing] countermeasures,” the authors write, pointing out that the benefits of a high-tech defense likely justify the high cost of its adoption and implementation.
After all, the authors note, even their empirical estimate of the financial loss related to phishing could fall well short of the actual total. Companies must also incur the indirect costs of providing additional support for the victims of the scam, dealing with the fallout from angry customers, and losing the potential business of consumers scared away by the bad publicity.
To stem the tide of bad PR and slumping finances, the authors suggest companies investigate the use of technology and systems that either prohibit the cloning of their official websites or make any duplicates easy to spot because of their poorer quality or lack of specific fonts, logos, and other design elements. In the past few years, many companies have also started using encryption to safeguard their customer data or digital watermarks to validate the legitimacy of their official e-mails or websites. Other technologies that can help in the fight against phishing include programs that monitor website traffic flow and proactively scan the Internet for fraudulent websites.
Companies should also consider joining forces with one of the many anti-phishing organizations that have recently emerged, and should work closely with Internet service providers to take down phony websites as quickly as possible, the authors note. Firms can also educate their customers about the dangers and warning signs associated with this brand of cybercrime, which still gets far less attention than threats such as hacking.
Source: Do Phishing Alerts Impact Global Corporations? A Firm Value Analysis, by Indranil Bose (Indian Institute of Management, Calcutta) and Alvin Chung Man Leung (City University of Hong Kong), Decision Support Systems, Aug. 2014, vol. 64