Phishing blindsides businesses’ best defenses and takes a toll whose price tag still hasn’t been pinned down. Here’s one estimate: $441 million per attack, according to a recent study of the cybercrime’s effect on stock market data (market value, volume of shares traded, and stock volatility) of global firms. The authors use “event studies” techniques (i.e., analyzing the impact of specific types of events on companies’ market performance) to analyze nearly 2,000 phishing alerts (emails sent to customers of public companies, or warnings about phony websites trying to dupe customers) by 259 companies in 32 countries over a recent four-year period. (Two side notes: the study finds that phishing hits financial companies the worst, and that it takes a bigger toll on foreign companies’ stock prices than on U.S. companies’.)

The authors say their estimate may be on the low side because the study leaves out the targeted companies’ indirect costs: providing additional support to victims of the crime, dealing with angry customers, and losing potential customers because of bad publicity.

To counter phishing, the authors say, companies should:

• Use technology and systems that make it harder to clone their websites at all or that cause duplicates to be easy to spot (because their logos or other design elements will be of poorer quality).
• Use digital watermarks to validate the legitimacy of their emails and websites.
• Monitor website traffic.
• Scan the Internet for fraudulent websites.
• Join forces with the many anti-phishing organizations that have recently emerged.
• Work with other ISPs to take down phony sites as soon as possible.
• Educate their customers about dangers and warning signs of phishing attempts.
• Concerns about phishing can particularly dampen the demand for financially-oriented new gTLDs such as .BANK, .FINANCE, .INSURANCE, and for .Brands such as .BOFA and .FIDELITY. This wariness may have played a part in the dismal performance of the new gTLDs program.

For its part, the domain name industry should be more proactive in fighting phishing, especially schemes that involve typo domain names. For one thing, the Trademark Clearinghouse (TMCH) database can be expanded to include brand-name typos, whereby before a domain name’s registration is finalized, a warning is flashed that the desired name may be a trademark violation and that the mark holder may legally request that you surrender the domain name with no compensation. If the warning is ignored and the registration is completed, the mark owner is notified. Of course, such an automatic right for mark owners requires new legal authorization, but makes it more expensive for infringing registrants. However, the added cost of monitoring by mark owners will be negligible compared to their benefits.