Phishing simulations aren’t one size fits all. If they were, the data gathered from them wouldn’t be particularly helpful.
That’s why CybSafe has assigned a detection difficulty rating to all our phishing templates: so you can more accurately assess your people’s security risk.
But it’s not quite as simple as labelling phishing simulations ‘Easy’ or ‘Hard’. If CybSafe is going to gather accurate, reliable data, we need a reliable framework for doing so. That’s where the National Institute of Standards and Technology (NIST) comes in.
The NIST Phish Scale
In their paper Categorizing human phishing difficulty: a Phish Scale, NIST developed the Phish Scale and demonstrated its value in making sense of phishing data and reducing human cyber risk.
To do this, they needed a way to quantify click rates and, more importantly, the factors that influence them. So, they worked backwards.
Phishing emails were assigned one of three detection difficulty ratings: very difficult, moderately difficult, and least difficult.
Each difficulty rating carries an expected click rate, assuming the email is sent to all users. Those with a detection difficulty rating of least difficult would have a click rate of less than 10%; moderately difficult between 11.6% and 18%; and very difficult 19% and above.
The paper then breaks down the factors that influence click rate: observable cues and alignment.
Alignment
Alignment comes down to context.
There are five contexts that determine alignment:
Does the scam imitate a workplace process or practice?
Does the scam have workplace relevance?
Does the scam copy other situations or events, including those external to the workplace?
Does the scam incite concern over the consequences of not clicking?
Does the scam include content covered in the recipient’s security awareness training?
Each context is then given a score between 0 and 8, determined by how significant that context is within the scam:
8 = Extreme applicability, alignment, or relevancy
6 = Significant applicability, alignment, or relevancy
4 = Moderate applicability, alignment, or relevancy
2 = Low applicability, alignment, or relevancy
0 = Not applicable, no alignment, or no relevancy
The context scores are then added together to give the scam’s overall alignment: High (18+), Medium (11 to 17) or Low (10 or less).
Note: The only context that doesn’t follow this rule is number 5, since it helps the recipient rather than the attacker. To account for this, it is scored negatively, from 0 to -8.
Observable cues
Observable cues are signals to the recipient that the phishing message is fake. The more observable cues there are, the easier the message is to spot. Cues include bad spelling, incorrect grammar, and pixelated logos.
Every email is rated as having Few (1 to 8), Some (9 to 14), or Many (15+) cues. The cue categories are:
Errors
Inconsistencies; spelling mistakes; and bad grammar.
Technical indicators
Types of attachment; sender display name and email address; URL hyperlinking; and domain spoofing.
Visual presentation indicators
No/minimal branding; logo imitation or out-of-date branding; unprofessional design or formatting; security indicators and icons.
Language and content
Legalese, copyright information and disclaimers; distracting detail; requests for sensitive information; sense of urgency; threatening language; generic greeting; and a lack of signer details.
Common tactics
Humanitarian appeals; too-good-to-be-true offers; charm offensives; limited-time offers; and posturing as a friend or colleague.
The CybSafe phish scale
Once the alignment score and the number of observable cues are determined, they are combined to produce the detection difficulty rating. The only difference at CybSafe is that we have renamed the NIST ratings for ease:
Very difficult = Hard
Moderately difficult = Medium
Least difficult = Easy
In doing so we have produced the NIST-inspired CybSafe Phish Scale (rows are alignment, columns are the number of observable cues):

| Alignment \ Cues | Few | Some | Many |
|---|---|---|---|
| High | Hard | Hard | Medium |
| Medium | Hard | Medium | Medium |
| Low | Medium | Medium | Easy |
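The whole procedure above (score the five alignment contexts, band the total, band the cue count, then look up the detection difficulty and its CybSafe label) can be run end to end. The following is an added example, not CybSafe’s or NIST’s own code: the class and function names, and the two sample templates, are constructed for illustration, and treating a cue count of 0 as “Few” is this example’s assumption, since the rubric above starts Few at 1.

```python
"""Worked scoring of a simulated phishing template with the Phish Scale rubric
described above.  Added example: names and sample inputs are constructed."""
from dataclasses import dataclass

# Permitted scores for contexts 1-4: 8 extreme, 6 significant, 4 moderate, 2 low, 0 none.
CONTEXT_SCORES = frozenset({0, 2, 4, 6, 8})
# Context 5 (content covered in awareness training) helps the recipient,
# so it is scored negatively, 0 to -8.
TRAINING_SCORES = frozenset({0, -2, -4, -6, -8})

# Detection difficulty for each (alignment band, cue band) pair, as in the table above.
DIFFICULTY_MATRIX = {
    ("High", "Few"): "Very difficult",
    ("High", "Some"): "Very difficult",
    ("High", "Many"): "Moderately difficult",
    ("Medium", "Few"): "Very difficult",
    ("Medium", "Some"): "Moderately difficult",
    ("Medium", "Many"): "Moderately difficult",
    ("Low", "Few"): "Moderately difficult",
    ("Low", "Some"): "Moderately difficult",
    ("Low", "Many"): "Least difficult",
}

# CybSafe's renaming of the NIST ratings.
CYBSAFE_LABELS = {
    "Very difficult": "Hard",
    "Moderately difficult": "Medium",
    "Least difficult": "Easy",
}


@dataclass(frozen=True)
class AlignmentContexts:
    """The five alignment contexts, scored per the rubric above (hypothetical field names)."""
    imitates_workplace_process: int
    workplace_relevance: int
    copies_other_situations: int
    incites_concern: int
    covered_in_training: int  # 0 to -8, never positive


def alignment_score(ctx: AlignmentContexts) -> int:
    """Sum the five context scores after validating each against the rubric."""
    positive = (ctx.imitates_workplace_process, ctx.workplace_relevance,
                ctx.copies_other_situations, ctx.incites_concern)
    for value in positive:
        if value not in CONTEXT_SCORES:
            raise ValueError(f"context score {value} not in {sorted(CONTEXT_SCORES)}")
    if ctx.covered_in_training not in TRAINING_SCORES:
        raise ValueError(f"training score {ctx.covered_in_training} not in {sorted(TRAINING_SCORES)}")
    return sum(positive) + ctx.covered_in_training


def alignment_band(score: int) -> str:
    """High (18+), Medium (11 to 17), Low (10 or less, which includes negative totals)."""
    if score >= 18:
        return "High"
    if score >= 11:
        return "Medium"
    return "Low"


def cue_band(cue_count: int) -> str:
    """Few (1 to 8), Some (9 to 14), Many (15+).  Assumption: a count of 0 is also Few."""
    if cue_count < 0:
        raise ValueError("cue count cannot be negative")
    if cue_count <= 8:
        return "Few"
    if cue_count <= 14:
        return "Some"
    return "Many"


def rate_template(ctx: AlignmentContexts, cue_count: int) -> tuple:
    """Return (NIST detection difficulty, CybSafe label) for one template."""
    nist = DIFFICULTY_MATRIX[(alignment_band(alignment_score(ctx)), cue_band(cue_count))]
    return nist, CYBSAFE_LABELS[nist]


if __name__ == "__main__":
    # Constructed sample: a fake payroll notice tied to a real HR process (high
    # alignment) with only a spoofed sender and a generic greeting as cues.
    payroll = AlignmentContexts(8, 8, 2, 6, -2)
    print(alignment_score(payroll), rate_template(payroll, 4))  # prints: 22 ('Very difficult', 'Hard')
    # Constructed sample: a lottery-win email unrelated to work, riddled with errors.
    lottery = AlignmentContexts(0, 0, 2, 2, -4)
    print(alignment_score(lottery), rate_template(lottery, 17))  # prints: 0 ('Least difficult', 'Easy')
```

Scoring a template this way before it goes into a campaign keeps the rating reproducible: two reviewers who agree on the five context scores and the cue count will always arrive at the same Hard/Medium/Easy label, which is what makes click rates comparable across templates.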
Want to find out more? Check out our Phishing science page. Or head over to our Phishing simulation library to preview some examples.
Ready to get stuck in? Go to the Campaigns tab to set up your own simulated phishing campaigns.
Still have questions?
If you still have questions, you can contact the CybSafe team via [email protected]. We’re on hand to help resolve any further issues!