Shaneé Dawkins

My Research Can Help Protect You and Your Company From Hackers

Learn how to spot and avoid common phishing tactics

Published: Thursday, November 16, 2023 - 12:03

A scene from the movie Ocean’s 8 provides a surprisingly useful lesson on cybersecurity. The character played by Rihanna needs to hack into a security person’s computer. She looks up his social media to find he loves corgis. The Rihanna character sends him a phishing email featuring corgis, and he can’t help but click on it. 

With one click of a mouse, someone can accidentally give away their company’s secrets, their bank account information, or an organization’s medical records. 

I thought this movie scene was interesting because it’s a depiction of the importance of my work as a cybersecurity researcher at the National Institute of Standards and Technology (NIST). It shows just how easy it can be to fall victim to one of these schemes. 

Many people don’t realize that they (yes, looking at you!) can be personally targeted by someone looking to get into your computer or your employer’s. It’s that easy for a hacker to find out about you and your job and write a convincing email. 

Why phishing is effective 

Organizations do everything they can to keep phishing emails away from their employees, but even the best spam filters can’t catch all these messages. That means the workforce is the last line of defense against phishing. If just one person clicks on one of the messages that get through, it can be disastrous. 

Phishing doesn’t just happen via email anymore. You may also be targeted by text or phone. Credit: Tero Vesalainen/Shutterstock

In short, hackers only have to be “right” one time, but we have to spot and avoid phishing attempts every time. The stakes are very high. 

That’s why so many employers conduct simulated phishing-awareness training exercises. 

If your job involves a computer, you may have experienced this kind of training. In these exercises, organizations create a fake email with a link and send it out to the workforce. They track who clicks and who reports the email as a phishing attempt. If you clicked, you may have had to do some extra cybersecurity training. If you reported the phish, you may have even received some type of reward.

Building the Phish Scale 

Our colleagues at NIST asked for some help contextualizing the results of our own phishing training, and that’s how our research project, a method known as the NIST Phish Scale, began. Through years of research, we’ve found that there are two major sets of factors that determine whether someone clicks on a phishing email—observable cues and user context. 

The observable cues are in the message itself. Users are generally good at spotting red flags, such as typos, a personal email address instead of a business one, a generic greeting, and more. We’ve identified 23 of these cues that can help users decide if a message is legitimate.

The user context has to do with you and your job. I’m a researcher, so if someone sent me an email to pay an invoice, I could easily spot that as a phish. That’s not my job. But if you sent that same email to someone in accounts receivable who pays invoices, it might be harder for them to detect. 

We call this concept premise alignment. If the premise of the email matches the recipient’s user context, it’s much harder to recognize it as a phishing attempt. 

Premise alignment isn’t just about your job. It can also have to do with seasons or what’s going on in the world. If you sent me an email today about Valentine’s Day, I would immediately be suspicious. But if you sent that in February, I might be less concerned about it, at least initially. 

A phishing email doesn’t have to be crafted perfectly to be effective; it just has to be perfectly crafted for just one person. 

In doing our research, we realized this information would be useful for organizations other than NIST. So, we’ve made a method based on our research, the Phish Scale, available for organizations conducting phishing awareness training.

The NIST Phish Scale is free to use for academic purposes. For any commercial use, companies will need to reach out to our partnership office for a license.

Our Phish Scale helps organizations understand the results of their phishing training. Maybe a phishing test had a very low click rate, like 5%. That’s a 95% success rate of people recognizing the phish. But if the phishing email was extremely obvious, does that really say how well users would respond to a more sophisticated attempt?

It’s like school. If teachers give a very easy test, they expect the class will do well. If the test is much harder, they don’t expect such high grades.

The Phish Scale helps organizations add important context to these results, and they can use that context to improve their training. They can learn things such as just how hard that phishing email was to spot or what context employees are most likely to fall for. 

By analyzing their results with the Phish Scale, and adapting their training accordingly, organizations can help their workforce be savvier about phishing and less likely to fall victim to it. 
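As an added illustration of the two factors described above (this is example code, not NIST's Phish Scale implementation or its published rubric), the following Python sketch counts a few observable cues in a constructed sample message, combines the count with an assumed premise-alignment rating into a difficulty rating, and then reads a click rate in light of that rating. The cue checks, the example.org employer domain, the free-mail list and every threshold are assumptions made for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.org"  # assumed employer domain
FREEMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}  # assumed list

# Constructed sample message for a simulated-phishing exercise (not a real email).
SAMPLE = """From: Accounts Team <accounts.team.payments@gmail.com>
To: Pat Lee <pat.lee@example.org>
Subject: URGENT: overdue invoice requires immediate payment

Dear Customer,

Your invoice #4471 is overdue. Pay today at https://example.org.invoice-portal.example/pay or your account will be suspended.
"""

def observable_cues(raw):
    """Return the observable cues found in a raw message (a few of the 23, assumed checks)."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    cues = []
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if sender_domain in FREEMAIL:
        cues.append("personal email address")  # personal address instead of a business one
    if re.search(r"^\s*dear (customer|user|sir|madam)\b", body, re.I | re.M):
        cues.append("generic greeting")
    text = msg.get("Subject", "") + " " + body
    if re.search(r"\b(urgent|immediately|today|suspended)\b", text, re.I):
        cues.append("urgency or threat")
    hosts = [h.lower() for h in re.findall(r"https?://([^\s/]+)", body)]
    if any(h != ORG_DOMAIN and not h.endswith("." + ORG_DOMAIN) for h in hosts):
        cues.append("lookalike link domain")  # link host is not the employer's domain
    return cues

def difficulty(cue_count, premise_alignment):
    """Combine cue count and premise alignment (low/medium/high) into a rating; bands are assumed."""
    cue_level = 0 if cue_count >= 4 else 1 if cue_count >= 2 else 2  # 0 = many cues, easy to spot
    align_level = {"low": 0, "medium": 1, "high": 2}[premise_alignment]
    return ("least difficult", "least difficult", "moderately difficult",
            "very difficult", "very difficult")[cue_level + align_level]

def contextualize(click_rate, rating):
    """Interpret a click rate (0.0-1.0) given the phish's difficulty; thresholds are assumed."""
    if rating == "least difficult":
        return ("expected: easy phish, says little about harder attempts"
                if click_rate <= 0.10 else "concerning")
    if rating == "moderately difficult":
        return "good" if click_rate <= 0.15 else "needs training"
    return "strong" if click_rate <= 0.25 else "typical for a hard phish"
```

Running `difficulty(len(observable_cues(SAMPLE)), "low")` models the researcher recipient and `"high"` models someone in accounts receivable; the same message rates harder for the second reader.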

Human-centered computing 

My background is in human-centered design and human-centered computing. I did my Ph.D. work in this area and have done related research at NIST, including in voting and public safety communications. 

While technology can do amazing things, the stories of people who have lost money or personal information to phishing are just heartbreaking to me. That motivates me to keep doing this research; I hope people will benefit from what I’m learning and take the necessary steps to protect themselves. 

In fact, one of my family members nearly fell victim to a phishing scam recently. Thankfully, she realized what was going on before giving away her bank account information. But it was a close call; many others aren’t so lucky and lose money to these scams every day. 

Although my research is focused on organizations training their employees to spot and avoid phishing, I hope employees will use these skills in their personal lives as well. You can be targeted both at work and at home. 

Future of the Phish Scale

Phishers’ tactics are always changing, so we have to keep researching to make sure the Phish Scale is as updated and effective as possible. 

My team is continuing to research this concept of premise alignment to learn as much as we can to help trainers. We’re planning to release an updated version of the Phish Scale in the near future. 

I’m also working to expand this research with a broader set of data. So far, we’ve worked with data primarily from simulated phishing-awareness training exercises internal to NIST. Because so many different types of jobs require phishing training, we’re looking to expand this research to other organizations to see what else we can learn. 

Phishing may seem like an overwhelming problem, but there’s so much we can do to be vigilant and protect ourselves. So make sure you understand how phishing works and how to protect yourself.

Fight the phish: Follow these tips

Make sure you remember these important tips to keep your personal (or your employer’s) information safe: 
• Always remain vigilant. If you see something suspicious, report it right away. 
• When in doubt, don’t click. 
• Never call the number in a suspicious email. If the email is from a company or an organization, look its phone number up on its website and call that number to check whether something’s legitimate. 
• If you get a message from someone you think you know, especially if it’s asking for money, call them to verify they actually sent it. 
• Phishing isn’t just for email now. You can get phishing text messages on your phone (smishing) or fraudulent phone calls (vishing) that use similar tactics. Be vigilant in all areas of communication. 

Published Oct. 18, 2023, on the NIST Taking Measure blog.

About The Author

Shaneé Dawkins

Shaneé Dawkins is a computer scientist in the Visualization and Usability Group at the National Institute of Standards and Technology (NIST). At NIST since 2012, Shaneé performs research focusing on human-centered design and evaluation guidelines and standards. She is a part of the usable cybersecurity program, where she leads the phishing project. Shaneé also contributes to NIST’s public safety communication research (PSCR) efforts as a part of VUG’s PSCR usability team.

Shaneé received her master’s degree and Ph.D. in computer science at Auburn University, where her research focused on human computer interaction and human-centered design. She earned her bachelor’s in computer engineering at North Carolina A&T State University.