New tool helps companies assess why employees click on phishing emails
NIST’s tool can help organizations improve the testing of their employees’ phish-spotting prowess
Researchers at the US National Institute of Standards and Technology (NIST) have devised a new method that could be used to accurately assess why employees click on certain phishing emails. The tool, dubbed Phish Scale, uses real data to evaluate the complexity and quality of phishing attacks to help organizations comprehend where their (human) vulnerabilities lie.
Here’s a quick refresher: in its simplest form, phishing is an unsolicited email or any other form of electronic communication in which cybercriminals impersonate a trusted organization and attempt to pilfer your data. Information such as access credentials can then be abused for further attacks or sold on the dark web and used to commit fraud or identity theft.
Therefore, any company or organization that takes its cybersecurity seriously conducts regular phishing training exercises to see if its employees can distinguish between real and phishing emails. These exercises aim to increase employee vigilance and teach employees to spot the signs of phishing attacks masquerading as legitimate emails, which in turn prevents them from getting hooked and protects their organizations from monetary and reputational damage.
These exercises are usually overseen by Chief Information Security Officers (CISOs), who evaluate the success or failure of each exercise based on click rates – how often employees click on a phishing email. However, the click rate alone is not representative of the whole problem.
“The Phish Scale is intended to help provide a deeper understanding of whether a particular phishing email is harder or easier for a particular target audience to detect,” said NIST researcher Michelle Steves in the press release announcing the new tool.
Phish Scale looks at two main elements when assessing how difficult it is to detect a potential phishing email. The first variable the tool evaluates is ‘phishing email cues’ – observable signs, such as spelling mistakes, the use of personal email addresses rather than work emails, or the use of time-pressuring techniques.
The second variable, ‘alignment of the email’s context to the user’, uses a rating system to evaluate whether the context is relevant to the target – the more relevant it is, the harder the message becomes to identify as a phishing email. Based on a combination of these two factors, Phish Scale rates the difficulty of spotting the phish in one of three categories: least, moderate, and very difficult.

These ratings can provide valuable insight into the phishing attacks themselves, as well as help ascertain why people are more or less likely to click on these emails.
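A toy scorer modelled on the two inputs just described, added here as an illustration; it is not NIST’s tool or code. The cue detectors, the cue-count bands, the alignment matrix and the 5% click-rate cut-off are assumptions for the example, not NIST’s published rubric, and the two sample exercises are constructed.

```python
import re
from dataclasses import dataclass
# Assumptions: a few personal webmail domains, urgency phrases and a tiny misspelling wordlist.
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com"}
URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|will be suspended)\b")
MISSPELLINGS = {"recieve", "acount", "verfiy", "pasword"}

@dataclass
class TrainingEmail:
    sender: str
    subject: str
    body: str
    alignment: str  # trainer's rating of how relevant the premise is to the target: low/medium/high

def count_cues(mail: TrainingEmail) -> tuple[int, list[str]]:
    """Count the observable cues the article names: personal sender address, misspellings, time pressure."""
    cues = []
    domain = mail.sender.rsplit("@", 1)[-1].lower()
    if domain in PERSONAL_DOMAINS:
        cues.append("personal sender address")
    text = f"{mail.subject} {mail.body}".lower()
    words = set(re.findall(r"[a-z]+", text))
    cues.extend(f"misspelling:{w}" for w in sorted(words & MISSPELLINGS))
    if URGENCY.search(text):
        cues.append("time pressure")
    return len(cues), cues

def difficulty(mail: TrainingEmail) -> str:
    """Combine cue count and alignment into the three categories; the bands and matrix are assumed."""
    n, _ = count_cues(mail)
    cue_level = "few" if n <= 1 else "some" if n <= 3 else "many"
    matrix = {  # alignment -> cue level -> how hard the phish is to spot
        "high":   {"few": "very", "some": "very", "many": "moderate"},
        "medium": {"few": "very", "some": "moderate", "many": "least"},
        "low":    {"few": "moderate", "some": "least", "many": "least"},
    }
    return matrix[mail.alignment][cue_level]

def interpret_click_rate(mail: TrainingEmail, click_rate: float) -> str:
    """Read a click rate against difficulty (5% cut-off assumed): a low rate on an easy phish proves little."""
    d = difficulty(mail)
    if d == "least" and click_rate < 0.05:
        return "inconclusive: easy phish, a low click rate is expected"
    if d == "very" and click_rate < 0.05:
        return "strong: hard phish, still a low click rate"
    return "no strong conclusion"

# Constructed sample exercises (not NIST data).
EASY = TrainingEmail("it.support@gmail.com", "URGENT: verfiy your acount", "Your acount will be suspended within 24 hours.", "low")
HARD = TrainingEmail("hr@example.org", "Q3 benefits enrollment reminder", "Enrollment closes Friday; review your elections in the portal.", "high")
```

The same 3% click rate reads as weak evidence for EASY and as strong evidence for HARD, which is the distinction the article says raw click rates hide.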
Phish Scale aims to provide CISOs with a better comprehension of their click-rate data, so they don’t rely solely on the number alone. “A low click rate for a particular phishing email can have several causes: The phishing training emails are too easy or do not provide relevant context to the user, or the phishing email is similar to a previous exercise. Data like this can create a false sense of security if click rates are analysed on their own without understanding the phishing email’s difficulty,” NIST said.
While all the data fed into the Phish Scale so far has come from NIST itself, the institute hopes to test the tool at other organizations and companies to see whether it performs up to standard. For further information on the tool and the research behind it, you can delve into the article Categorizing human phishing difficulty: a Phish Scale, published by the researchers Michelle Steves, Kristen Greene, and Mary Theofanos.