header banner
Default

My research can assist in defending you and your business against hackers attempting to steal your personal data and money


Person holding a cell phone in front of a laptop computer

Phishing doesn’t just happen via email anymore. You may also be targeted by text or phone.

Credit: Tero Vesalainen/Shutterstock

A scene from the movie Ocean’s 8 provides a surprisingly useful lesson on cybersecurity. 

The character played by Rihanna needs to hack into a security person’s computer. She looks up his social media to find he loves corgis. The Rihanna character sends him a phishing email featuring corgis, and he can’t help but click on it. 

With one click of a mouse, someone can accidentally give away their company’s secrets, their bank account information, or an organization’s medical records. 

I thought this movie scene was interesting because it is a depiction of the importance of my work as a cybersecurity researcher at NIST. It shows just how easy it can be to fall victim to one of these schemes. 

And many people don’t realize that you (yes, you!) can be personally targeted by someone looking to get into your computer or your employer’s. It’s easy for a hacker to find out about you and your job and write a convincing email. 

Why Phishing Is Effective 

VIDEO: Hacker Explains 5 Simple Things To Protect Yourself From Cyber Attack
Shawn Ryan Clips

Organizations do everything they can to keep phishing emails away from their employees, but even the best spam filters can’t catch all of these messages. That means the workforce is the last line of defense against phishing. If just one person clicks on one of the messages that get through, it can be disastrous. 

In short, the hackers only have to be “right” one time. We have to spot and avoid phishing attempts every time. The stakes are very high. 

That’s why so many employers conduct simulated phishing awareness training exercises. 

If your job involves a computer, you may have experienced this kind of training. In these exercises, organizations  create a fake email with a link and send it out to the workforce. They track who clicks and who reports the email as a phishing attempt. If you clicked, you may have had to do some extra cybersecurity training. If you reported the phish, you may have even received some type of reward.

Building the Phish Scale 

VIDEO: Former NSA Hacker Reveals 5 Ways To Protect Yourself Online
Insider Tech

Our colleagues at NIST asked for some help contextualizing the results of our own phishing training, and that’s how our research project, a method known as the NIST Phish Scale, began. Through years of research, we’ve found that there are two major sets of factors that determine whether someone clicks on a phishing email — observable cues and user context. 

The observable cues are in the message itself. Users are generally good at spotting red flags, such as typos, a personal email address instead of a business one, a generic greeting, and more. We’ve identified 23 of these cues that can help users decide if a message is legitimate.

The user context has to do with you and your job. I’m a researcher, so if someone sent me an email to pay an invoice, I could easily spot that as a phish. That’s not my job. But if you sent that same email to someone in accounts receivable who pays invoices, it might be harder for them to detect. 

We call this concept premise alignment. If the premise of the email matches the recipient’s user context, it’s much harder to recognize it as a phishing attempt. 

Premise alignment isn’t just about your job. It can also have to do with seasons or what’s going on in the world. If you sent me an email today, in October, about Valentine’s Day, I would immediately be suspicious. But if you sent that in February, I might be less concerned about it, at least initially. 

A phishing email doesn’t have to be crafted perfectly for everyone to be effective; it just has to be perfectly crafted for just one person. 

In doing our research, we realized this information would be useful for organizations other than NIST. So, we’ve made a method based on our research, the Phish Scale, available for organizations conducting phishing awareness training.

The NIST Phish Scale is free to use for academic purposes. For any commercial use, companies will need to reach out to our partnership office for a license.

Our Phish Scale helps organizations understand the results of their phishing training. Maybe a phishing test had a very low click rate, like 5%. That’s a 95% success rate of people recognizing the phish. But if the phishing email was extremely obvious, does that really say how well users would respond to a more sophisticated attempt?

It’s like school. If teachers give a very easy test, they expect the class will do well. If the test is much harder, they don’t expect such high grades.

The Phish Scale helps organizations add important context to these results, and they can use that context to improve their training. They can learn things such as just how hard that phishing email was to spot or what context employees are most likely to fall for. 

By analyzing their results with the Phish Scale, and adapting their training accordingly, organizations can help their workforce be savvier about phishing and less likely to fall victim to it. 

Human-Centered Computing 

VIDEO: Watch this hacker break into a company
CNN Business
NIST researcher Shanee Dawkins headshot

Credit: B. Hayes/NIST

My background is in human-centered design and human-centered computing. I did my Ph.D. work in this area and have done related research at NIST, including in voting and public safety communications. 

While technology can do amazing things, the stories of people who have lost money or personal information to phishing are just heartbreaking to me. That motivates me to keep doing this research; I hope people will benefit from what I’m learning and take the necessary steps to protect themselves. 

In fact, one of my family members nearly fell victim to a phishing scam recently. Thankfully, she realized what was going on before giving away her bank account information. But it was a close call, and many others are not so lucky and lose money to these scams every day. 

While my research is focused on organizations training their employees to spot and avoid phishing, I hope employees will use these skills in their personal lives as well. You can be targeted both at work and at home. 

Future of the Phish Scale

VIDEO: HACKING | Protect Yourself From Hackers | The Dr Binocs Show | Peekaboo Kidz
Peekaboo Kidz

Phishers’ tactics are always changing, so we have to keep researching to make sure the Phish Scale is as updated and effective as possible. 

My team is continuing to research this concept of premise alignment to learn as much as we can to help trainers. We’re planning to release an updated version of the Phish Scale in the near future. 

I’m also working to expand this research with a broader set of data. So far, we’ve worked with data primarily from simulated phishing awareness training exercises internal to NIST. Because so many different types of jobs require phishing training, we’re looking to expand this research to other organizations to see what else we can learn. 

Phishing may seem like an overwhelming problem, but there’s so much we can do to be vigilant and protect ourselves. So in this Cybersecurity Awareness Month, make sure you understand how phishing works and how to protect yourself.

Fight the Phish: Follow These Tips

VIDEO: 5 Crucial Cybersecurity Tips with Ryan Montgomery: Protect Yourself from Hackers NOW! #ShawnRyanShow
KaikoMedia

It’s Cybersecurity Awareness Month, and while you’re enjoying all things pumpkin and autumn, make sure you remember these important tips to keep your personal (or your employer’s) information safe: 

  • Always remain vigilant. If you see something suspicious, report it right away. 
  • When in doubt, don’t click. 
  • Never call the number in a suspicious email. If the email is from a company or an organization, look its phone number up on its website and call that number to check if something’s legitimate. 
  • If you get a message from someone you think you know, especially if it’s asking for money, call them to verify they actually sent it. 
  • Phishing isn’t just for email now. You can get phishing text messages on your phone (smishing) or fraudulent phone calls (vishing) that use similar tactics. Be vigilant in all areas of communication. 

Sources


Article information

Author: Kelly Hall

Last Updated: 1700331722

Views: 1588

Rating: 4.1 / 5 (83 voted)

Reviews: 98% of readers found this page helpful

Author information

Name: Kelly Hall

Birthday: 1948-09-10

Address: 073 Chambers Glen Suite 354, Lake Mauriceland, FL 19785

Phone: +3952295224364219

Job: Orthodontist

Hobby: Sewing, Motorcycling, Beekeeping, Billiards, Hiking, Arduino, Bird Watching

Introduction: My name is Kelly Hall, I am a unguarded, strong-willed, treasured, persistent, Precious, resolved, vibrant person who loves writing and wants to share my knowledge and understanding with you.