Phishing is still an extremely common attack vector directed at individuals and organizations alike. Employees can be targeted specifically in the hopes of acquiring their credentials for company portals, VPNs, or systems. Phishing emails are generally disguised as free prizes, legitimate services (e.g. a bank), or even messages from colleagues/acquaintances.
All it takes is opening the suspicious email and clicking a link or attachment. Malicious payloads in the form of trojans, ransomware, worms, etc. can then be downloaded or executed on the compromised device. If that device is company property or connected to the company network, the malware can propagate unchecked.
Because phishing is directed at individuals, can be entirely random, and relies on tactics like social engineering, it is difficult to prevent at the software level alone.
It’s clear that individual education and responsibility within an organization play a major role in countering this particular threat. That’s exactly what the Phish Scale aims to support by providing in-depth insights for phishing awareness programs.
What’s Missing in Current Phishing Training Programs?
Phishing awareness and avoidance training are not new within organizations. These programs are usually supervised by CISOs (chief information security officers) to determine how savvy employees are at identifying and responding to phishing attempts.
Training usually involves sending fake emails, created by the organization’s security personnel to imitate real-life phishing attempts, to employees. A very straightforward analysis is then done by measuring the click rates on these phishing emails: higher click rates mean employees were, on average, more likely to fall for a phishing scam, and lower click rates indicate the opposite.
While this methodology is simple and effective, it doesn’t provide insight into why individuals are more likely to fall for certain phishing attempts. Knowing the “why” can help develop more effective training and awareness programs by addressing particular blind spots.
Studies also suggest phishing training is only effective for a limited period. As attacks change and become more sophisticated, training constantly needs to be updated and improved.
What is Phish Scale?
The Phish Scale is an initiative by NIST (the National Institute of Standards and Technology). It uses a ranking system that rates how difficult it is to identify the typical cues in a phishing email. These cues are the clues or signs that an email is probably a phishing attempt, and they fall into five different types.
These cues can be mixed and matched in test emails, and an overall score is calculated to determine the email’s challenge level. This gives researchers and testers the ability to tailor phishing tests to their particular audience.
If participants score too high, it might be a sign that the test is not rigorous enough. If scores are too low, it provides the opportunity to ask why individuals missed certain cues.
“The Phish Scale is intended to help provide a deeper understanding of whether a particular phishing email is harder or easier for a particular target audience to detect,” according to NIST researcher, Michelle Steves.
The data extracted from these exercises are especially valuable because they come from an operational setting rather than a lab setting. In other words, the circumstances are much closer to real-life situations than in highly controlled laboratory settings. Using these results, CISOs and other security stakeholders can adjust future phishing programs to address problem areas.
As Steves puts it: “As soon as you put people into a laboratory setting, they know. They’re outside of their regular context, their regular work setting, and their regular work responsibilities. That is artificial already. Our data did not come from there.”
The major benefit the Phish Scale offers CISOs is deeper insight into how and why employees interact with phishing attacks. It helps inform future decision-making to continuously improve awareness and security practices within the organization.
While current Phish Scale data is all based on internal information from NIST, organizations can collect their own data over time. The more iterations they run, the more their programs can be improved and customized to fit their particular risk profile. This will help improve employee response to future phishing attacks.