Amer Owaida, Security Writer for ESET discusses the availability of a new tool developed by US National Institute of Standards and Technology that can help organizations improve the testing of their employees’ phish-spotting prowess
Researchers at the US National Institute of Standards and Technology (NIST) have devised a new method that could be used to accurately assess why employees click on certain phishing emails. The tool, dubbed Phish Scale, uses real data to evaluate the complexity and quality of phishing attacks to help organizations comprehend where their (human) vulnerabilities lie.
Here’s a quick refresher: in its simplest form, phishing is an unsolicited email or any other form of electronic communication where cybercriminals impersonate a trusted organization and attempt to pilfer your data. Information such as access credentials can be then abused for further attacks or sold on the dark web and used to commit fraud or identity theft.
Therefore, any company or organization that takes its cybersecurity seriously conducts regular phishing training exercises to see if its employees can distinguish between real and phishing emails. These trainings aim to increase employee vigilance as well as teach them to spot signs of phishing attacks masquerading as legitimate emails, which in turn, prevents them from getting hooked and protects their organizations from monetary and reputational damage.
These exercises are usually overseen by Chief Information Security Officers (CISOs), who evaluate the success or failure of these exercises based on click rates – how often employees click on a phishing email. However, the results are not emblematic of the whole problem.
What’s NIST’s Phish Scale?
“The Phish Scale is intended to help provide a deeper understanding of whether a particular phishing email is harder or easier for a particular target audience to detect,” said NIST researcher Michelle Steves in the press release announcing the new tool.
It looks at two main elements when assessing how difficult it is to detect a potential phishing email. The first variable the tool evaluates is ‘phishing email cues’ – observable signs, such as spelling mistakes, using personal email addresses rather than work emails, or using time-pressuring techniques.
Meanwhile, the second ‘alignment of the email’s context to the user’ leverages a rating system to evaluate if the context is relevant to the target – the more relevant it is, the harder it becomes to identify it as a phishing email. Based on a combination of these factors, Phishing Scale categorizes the difficulty of spotting the phish into three categories: least, moderate, and very difficult.
These can provide valuable insight into the phishing attacks themselves, as well as help ascertain why people are more or less likely to click on these emails.
Phish Scale aims to provide CISOs with a better comprehension of their click-rate data, so they don’t solely rely on the number output. “A low click rate for a particular phishing email can have several causes: The phishing training emails are too easy or do not provide relevant context to the user, or the phishing email is similar to a previous exercise. Data like this can create a false sense of security if click rates are analyzed on their own without understanding the phishing email’s difficulty,” NIST said.
While all data that was fed to the Phish Scale has originated from NIST, the institute hopes to test the tool on other organizations and companies to see if it performs up to standard.