CybersecurityThe Phish Scale: NIST’s New Tool Lets IT Staff See Why Users Click on Fraudulent Emails

Researchers at the National Institute of Standards and Technology (NIST) have developed a new tool called the Phish Scale that could help organizations better train their employees to avoid a particularly dangerous form of cyberattack known as phishing.

By 2021, global cybercrime damages will cost $6 trillion annually, up from $3 trillion in 2015, according to estimates from the 2020 Official Annual Cybercrime Report by Cybersecurity Ventures. 

One of the more prevalent types of cybercrime is phishing, a practice where hackers send emails that appear to be from an acquaintance or trustworthy institution. A phishing email (or phish) can tempt users with a variety of scenarios, from the promise of free gift cards to urgent alerts from upper management. If users click on links in a phishing email, the links can take them to websites that could deposit dangerous malware into the organization’s computers.  

Many organizations have phishing training programs in which employees receive fake phishing emails generated by the employees’ own organization to teach them to be vigilant and to recognize the characteristics of actual phishing emails. Chief information security officers (CISOs), who often oversee these phishing awareness programs, then look at the click rates, or how often users click on the emails, to determine if their phishing training is working. Higher click rates are generally seen as bad because it means users failed to notice the email was a phish, while low click rates are often seen as good.

However, numbers alone don’t tell the whole story. “The Phish Scale is intended to help provide a deeper understanding of whether a particular phishing email is harder or easier for a particular target audience to detect,” said NIST researcher Michelle Steves. The tool can help explain why click rates are high or low.

The Phish Scale uses a rating system that is based on the message content in a phishing email. This can consist of cues that should tip users off about the legitimacy of the email and the premise of the scenario for the target audience, meaning whichever tactics the email uses would be effective for that audience. These groups can vary widely, including universities, business institutions, hospitals and government agencies.