
My research can assist in defending you and your business against hackers attempting to steal your personal data and money


Person holding a cell phone in front of a laptop computer

Phishing doesn’t just happen via email anymore. You may also be targeted by text or phone.

Credit: Tero Vesalainen/Shutterstock

A scene from the movie Ocean’s 8 provides a surprisingly useful lesson on cybersecurity. 

The character played by Rihanna needs to hack into a security person’s computer. She looks up his social media to find he loves corgis. The Rihanna character sends him a phishing email featuring corgis, and he can’t help but click on it. 

With one click of a mouse, someone can accidentally give away their company’s secrets, their bank account information, or an organization’s medical records. 

I thought this movie scene was interesting because it is a depiction of the importance of my work as a cybersecurity researcher at NIST. It shows just how easy it can be to fall victim to one of these schemes. 

And many people don’t realize that you (yes, you!) can be personally targeted by someone looking to get into your computer or your employer’s. It’s easy for a hacker to find out about you and your job and write a convincing email. 

Why Phishing Is Effective 


Organizations do everything they can to keep phishing emails away from their employees, but even the best spam filters can’t catch all of these messages. That means the workforce is the last line of defense against phishing. If just one person clicks on one of the messages that get through, it can be disastrous. 

In short, the hackers only have to be “right” one time. We have to spot and avoid phishing attempts every time. The stakes are very high. 

That’s why so many employers conduct simulated phishing awareness training exercises. 

If your job involves a computer, you may have experienced this kind of training. In these exercises, organizations create a fake email with a link and send it out to the workforce. They track who clicks and who reports the email as a phishing attempt. If you clicked, you may have had to do some extra cybersecurity training. If you reported the phish, you may have even received some type of reward.

Building the Phish Scale 


Our colleagues at NIST asked for some help contextualizing the results of our own phishing training, and that’s how our research project, a method known as the NIST Phish Scale, began. Through years of research, we’ve found that there are two major sets of factors that determine whether someone clicks on a phishing email — observable cues and user context. 

The observable cues are in the message itself. Users are generally good at spotting red flags, such as typos, a personal email address instead of a business one, a generic greeting, and more. We’ve identified 23 of these cues that can help users decide if a message is legitimate.

The user context has to do with you and your job. I’m a researcher, so if someone sent me an email to pay an invoice, I could easily spot that as a phish. That’s not my job. But if you sent that same email to someone in accounts receivable who pays invoices, it might be harder for them to detect. 

We call this concept premise alignment. If the premise of the email matches the recipient’s user context, it’s much harder to recognize it as a phishing attempt. 

Premise alignment isn’t just about your job. It can also have to do with seasons or what’s going on in the world. If you sent me an email today, in October, about Valentine’s Day, I would immediately be suspicious. But if you sent that in February, I might be less concerned about it, at least initially. 

A phishing email doesn’t have to be perfectly crafted for everyone to be effective; it only has to be perfectly crafted for one person.

In doing our research, we realized this information would be useful for organizations other than NIST. So, we’ve made a method based on our research, the Phish Scale, available for organizations conducting phishing awareness training.

The NIST Phish Scale is free to use for academic purposes. For any commercial use, companies will need to reach out to our partnership office for a license.

Our Phish Scale helps organizations understand the results of their phishing training. Maybe a phishing test had a very low click rate, like 5%. That’s a 95% success rate of people recognizing the phish. But if the phishing email was extremely obvious, does that really say how well users would respond to a more sophisticated attempt?

It’s like school. If teachers give a very easy test, they expect the class will do well. If the test is much harder, they don’t expect such high grades.

The Phish Scale helps organizations add important context to these results, and they can use that context to improve their training. They can learn things such as just how hard that phishing email was to spot or what context employees are most likely to fall for. 

By analyzing their results with the Phish Scale, and adapting their training accordingly, organizations can help their workforce be savvier about phishing and less likely to fall victim to it. 

Human-Centered Computing 

NIST researcher Shanee Dawkins headshot

Credit: B. Hayes/NIST

My background is in human-centered design and human-centered computing. I did my Ph.D. work in this area and have done related research at NIST, including in voting and public safety communications. 

While technology can do amazing things, the stories of people who have lost money or personal information to phishing are just heartbreaking to me. That motivates me to keep doing this research; I hope people will benefit from what I’m learning and take the necessary steps to protect themselves. 

In fact, one of my family members nearly fell victim to a phishing scam recently. Thankfully, she realized what was going on before giving away her bank account information. But it was a close call, and many others are not so lucky and lose money to these scams every day. 

While my research is focused on organizations training their employees to spot and avoid phishing, I hope employees will use these skills in their personal lives as well. You can be targeted both at work and at home. 

Future of the Phish Scale


Phishers’ tactics are always changing, so we have to keep researching to make sure the Phish Scale is as updated and effective as possible. 

My team is continuing to research this concept of premise alignment to learn as much as we can to help trainers. We’re planning to release an updated version of the Phish Scale in the near future. 

I’m also working to expand this research with a broader set of data. So far, we’ve worked with data primarily from simulated phishing awareness training exercises internal to NIST. Because so many different types of jobs require phishing training, we’re looking to expand this research to other organizations to see what else we can learn. 

Phishing may seem like an overwhelming problem, but there’s so much we can do to be vigilant and protect ourselves. So in this Cybersecurity Awareness Month, make sure you understand how phishing works and how to protect yourself.

Fight the Phish: Follow These Tips


It’s Cybersecurity Awareness Month, and while you’re enjoying all things pumpkin and autumn, make sure you remember these important tips to keep your personal (or your employer’s) information safe: 

  • Always remain vigilant. If you see something suspicious, report it right away. 
  • When in doubt, don’t click. 
  • Never call the number in a suspicious email. If the email is from a company or an organization, look its phone number up on its website and call that number to check if something’s legitimate. 
  • If you get a message from someone you think you know, especially if it’s asking for money, call them to verify they actually sent it. 
  • Phishing isn’t just for email now. You can get phishing text messages on your phone (smishing) or fraudulent phone calls (vishing) that use similar tactics. Be vigilant in all areas of communication. 
