
4 Things to Know About the NIST Phish Scale

When you think of a security risk or vulnerability, what’s the first thing that comes to mind? Often, people think only of networks, applications, and databases that someone can hack and then exploit. While that can most certainly be the case, it’s not the whole story.

Humans must also be considered as a significant attack surface due to our unpredictable and trusting nature. Increases in social engineering sophistication and recent high-visibility phishing attacks have taught us that any organization can be just one click away from a massive breach. Even the most conscientious employee can fall victim to a phishing scheme, and a key part of defending against attacks is understanding why users click.

Enter the NIST Phish Scale. Born out of an extensive research study, the Phish Scale helps CISOs interpret their click data so that they understand their organizational risk profile in a more meaningful way. This blog will dive into what the NIST Phish Scale is and how it can help those looking to defend against these attacks.

1. What is the NIST Phish Scale, and what is its purpose?

The NIST Phish Scale was created by the National Institute of Standards and Technology (NIST) and released in 2020. With real-life phishing attacks on the rise, the release of the NIST Phish Scale could not have come at a better time. So what is the NIST Phish Scale? At its most basic level, the NIST Phish Scale is a method by which CISOs can rate and categorize the detection difficulty of the templates used in their phishing simulations. By quantifying the number of “cues” present and combining that with the ever-important element of user “context,” click rate data from training simulations instantly becomes more meaningful. A 25% click rate isn’t necessarily a failure, and a 1% click rate doesn’t necessarily indicate low risk.

Suppose a template has an abundance of “cues” like misspellings and poor grammar and has absolutely no alignment with common workplace practices or significant external events. In that case, user detection should be much less difficult, so very low click rates would be the expected outcome. Conversely, suppose a CISO observes high click rates on this same lower-difficulty campaign. In that case, it could indicate low organizational awareness and high risk within that group of targets, and remedial training would be warranted. Simulation training campaigns can and should be developed across the full spectrum of detection difficulties to prevent potential targets from becoming complacent. The Phish Scale is key to this planning and to analyzing the subsequent results.

2. What are phishing cues?

The NIST Phish Scale uses two different metrics when evaluating an electronic phishing communication. The first of these two is called “cues.” According to the scale, the more cues that exist in the communication (i.e., email, text, phone call), the easier it is for the human receiving it to recognize it as a phishing attempt and refrain from clicking. Some of the most common cues that come to mind when it comes to phishing are misspellings and grammatical errors. For example, if you were to receive an urgent email from your HR team asking you to re-enter your direct deposit information, and every other word in the email was misspelled and the whole thing was poorly written, you would probably get suspicious because this is not typically how they communicate. This example also highlights another cue identified by the NIST Phish Scale research: a sense of urgency. Remember that the more cues an email has, the easier it should be for someone to recognize it as a phishing attempt. On the other end of that, a perfectly written and non-urgent request might make you less likely to suspect a phishing attack when one could actually be taking place. Users must always remain vigilant and suspicious of every request for action or information, no matter how inconspicuous or innocuous it may seem.

3. How does the NIST Phish Scale use context?

The second metric that the scale uses is the message’s alignment and context to the user. In other words, how relevant is this message to the actual receiver? When I first learned about this part of the NIST Phish Scale, it reminded me of an example Frank Abagnale gave in a talk that I attended:

Essentially, a CFO of an organization had recently received a phishing email from someone disguised as the organization’s CEO, asking the CFO to donate some of the organization’s funds to a charitable organization. The CFO, thinking that the email was from the CEO, donated to the fake charity because the email used personal information and was extremely compelling. The attacker used knowledge about their personal lives, like events they would be attending and details on family members, gathered from social media and other websites. In this case, the targeted email was highly relevant to the CFO and had a lot of context to the user. As this example shows, the more alignment and context a specific communication has to the user, the more likely they are to take the action the attacker wants.

The Phish Scale offers two methods for evaluating premise alignment and user context, one more formulaic and one more subjective, giving the CISO the flexibility to choose which method best applies to their organization.
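As an added example (not from the post, and not NIST's own tooling), here is a small Python sketch of how the two metrics described in sections 1 through 3 combine: a cue count for a simulation template, a premise-alignment level, a resulting detection difficulty, and a check of the observed click rate against what that difficulty should produce. The cue detectors, bucket thresholds, difficulty matrix and click-rate bands are illustrative assumptions; take the real ones from NIST's Phish Scale documentation, where cues are scored by a human reviewer.

```python
import re
from dataclasses import dataclass

# Constructed detectors for the cue types the post names (misspellings, urgency,
# a message that does not match how the sender normally communicates).
MISSPELLINGS = ("recieve", "acount", "verfy", "informaton", "adress")
URGENCY = re.compile(r"\b(immediately|urgent|within 24 hours|asap|suspended)\b", re.I)
GENERIC_GREETING = re.compile(r"\bdear (user|customer|employee)\b", re.I)

@dataclass
class Template:
    subject: str
    body: str
    from_addr: str   # sender address, e.g. "hr@example.com"
    link_href: str   # URL the call-to-action points at

def count_cues(t: Template, org_domain: str) -> int:
    """Count detection cues in a simulation template (illustrative subset)."""
    text = f"{t.subject} {t.body}".lower()
    n = sum(text.count(w) for w in MISSPELLINGS)
    n += len(URGENCY.findall(text))
    n += len(GENERIC_GREETING.findall(text))
    n += t.from_addr.rsplit("@", 1)[-1].lower() != org_domain  # sender is not the org
    host = re.sub(r"^https?://", "", t.link_href).split("/")[0].lower()
    n += not host.endswith(org_domain)                          # link leaves the org
    return n

def cue_bucket(n: int) -> str:
    # Assumed thresholds for this example; NIST's scale defines its own boundaries.
    return "few" if n <= 2 else "some" if n <= 5 else "many"

# Detection difficulty = cue bucket x premise alignment (low/medium/high).
# Fewer cues and higher alignment make the phish harder to spot. Illustrative.
DIFFICULTY = {
    ("few", "high"): "very difficult",  ("few", "medium"): "very difficult",  ("few", "low"): "moderate",
    ("some", "high"): "very difficult", ("some", "medium"): "moderate",       ("some", "low"): "moderate",
    ("many", "high"): "moderate",       ("many", "medium"): "moderate",       ("many", "low"): "least difficult",
}

# Constructed click-rate ceilings per difficulty; above these, the post's logic
# says low awareness is indicated and remedial training is warranted.
EXPECTED_MAX_CLICK = {"least difficult": 0.03, "moderate": 0.10, "very difficult": 0.25}

def assess(t: Template, org_domain: str, alignment: str, click_rate: float) -> dict:
    """Rate a template and flag whether the observed click rate signals elevated risk."""
    cues = count_cues(t, org_domain)
    difficulty = DIFFICULTY[(cue_bucket(cues), alignment)]
    return {"cues": cues, "difficulty": difficulty,
            "remedial_training": click_rate > EXPECTED_MAX_CLICK[difficulty]}

# Constructed sample: the post's "HR direct deposit" phish with obvious cues.
SAMPLE = Template("URGENT: verfy your direct deposit acount",
                  "Dear employee, please verfy your acount immediately or it will be suspended.",
                  "hr@example-payroll.net", "http://example-payroll.net/login")
```

A well-written, well-aligned template with zero cues lands in "very difficult", so the same 20% click rate that flags `SAMPLE` would not flag it.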

4. Who can use the NIST Phish Scale?

The NIST Phish Scale is for anyone who helps run a phishing training program within an organization. They can use information from the research study when showing employees which cues and context to look out for in an email. It should also be used to help plan phishing simulations, to analyze the results, and to identify opportunities for additional employee training. That analysis can then be used by someone at a senior level, such as a CIO or CISO, to inform decisions for their overarching security program. While the NIST Phish Scale can be used by anyone, the initial research was heavily focused on government organizations. However, this looks to be changing in the foreseeable future to include commercial organizations as well. On its website, NIST says: “The next step is to expand the pool and acquire data from other organizations, including nongovernmental ones, and to make sure the Phish Scale performs as it should over time and in different operational settings.”

In conclusion, education and awareness are the key to preventing phishing attacks within your organization. Phishing simulations must be a core component of any effective training program. This way, your organization can fully understand what types of attacks it is most vulnerable to, who in the organization might need additional phishing training, and which additional best practices you can implement to improve your overall cybersecurity posture.

MindPoint Group offers the following Phishing Defense services and solutions: 

We can help you understand the vulnerabilities your organization faces and identify areas for improvement BEFORE they become an issue! Contact us to learn more. 
