To combat phishing attacks that could crumble an entire agency’s cybersecurity safeguards at one employee’s incorrect click, the National Institute of Standards and Technology (NIST) has launched a new method to understand why individuals fall for the malicious links.
By rating the content of an email for phishing cues, Phish Scale helps users understand whether an email contains a malicious link. Emails are rated on a five-point scale based on several known cues of phishing attempts, including errors, technical indicators, visual presentation, language and content, and common tactics.
“The Phish Scale is intended to help provide a deeper understanding of whether a particular phishing email is harder or easier for a particular target audience to detect,” NIST researcher Michelle Steves said.
Organizations across the Federal government, such as the Department of Education, use simulated attacks to test employee vulnerability to clicking on phishing emails. According to NIST, CISOs will look at how often users click on malicious links to see if phishing awareness programs are working. By analyzing why users click certain links, Phish Scale aims to explain to CISOs why a click rate is high or low.
For example, NIST wrote that a low click rate can give CISOs a false sense of security that their employees are vigilant against attack when the reality may be that the tests are just too easy.
As NIST continues to develop this capability, researchers said that more operational data will enhance Phish Scale's capabilities. Lab data on phishing tactics is artificial because the subjects are outside their regular work setting. All the data used to create Phish Scale came from NIST, but a larger data pool from other organizations would help ensure that the method can be used in different settings.
“We know that the phishing threat landscape continues to change,” NIST researcher Kristen Greene said. “Does the Phish Scale hold up against all the new phishing attacks? How can we improve it with new data?”
In an academic article released by NIST detailing its approach to Phish Scale, the agency encouraged other researchers and practitioners to apply the method to their own security efforts.