NIST’s Phish Scale – Helping Educate Users and Prevent Potential Phishing Attacks in Real Time

 

In today’s world, nearly everyone is aware of the potential dangers of unsafe emails, website scripts, and text/SMS messages which attempt to compromise your personal information via a multitude of tactics. One of the most common and effective methods used by today’s cybercriminals to steal your confidential information is phishing. Cybercriminals often employ phishing tactics by impersonating known entities –  pretending to be a person or entity you are most likely to provide sensitive information. Cybercriminals will provide links to hidden malware or con you to send bank account information, usernames, passwords, and other sensitive data. The volume of phishing attacks have drastically increased over the course of the COVID-19 pandemic, as have the complexity of the attacks. Preying on public fear and curiosity, criminals masked as charitable organizations and government agencies such as Red Cross, World Health Organization and the Department of Health and Human Services, seem as though they cannot stoop low enough when attempting to steal your information.

In addition to following proven security measures and tips, such as those listed in QED National’s previous phishing article, the National Institute of Standards and Technology’s (“NIST”) tool “Phish Scale” rates the potential danger of emails. This framework classifies emails based on their susceptibility of being hidden attacks and helps organization’s by providing data into user decision-making when clicking or interacting with unsafe emails. NIST’s Phish Scale is defined in two dimensions and evaluates some common red flags to be aware of, listed below:

1 – Cues of Phishing Email

  • Abundant misspellings
  • Using personal rather than work email
  • Use of threats or time pressure
  • Generic greetings
  • Alignment of email’s context to the user

2 – Alignment of email’s context to the user

  • Rating system where each item has a point value
  • Relevant content
  • Aligns to with current situations or events
  • Highlights consequences for NOT clicking

For example, an email from a colleague asking you to make a purchase of gift cards before the end of the day when that is neither your responsibility nor the duty of the alleged person contacting you, will score “high” on the Phish Scale, registering its likelihood of being fraud. On the opposing spectrum, if you’re receiving an email from the same colleague about a task you normally perform which does not require any financial transaction or revelation of sensitive personal information, then it will likely have a “low” Phish Scale rating and register as safe correspondence.

The first line of defense in warding off phishing attacks is education. Organizations and individuals must be able to identify key warning signs in order to avoid the lure of a phishing attack. That’s why credible authorities such as NIST have developed tools like the Phish Scale to help further educate users and organizations on this persistent threat.

For more information on Phish Scale, please feel free to visit NIST.gov.