Phish Scale – A new way of weighting phishing emails!

Phishing is the most common attack vector currently used by hackers. Phishing refers to the sending of e-mails that are intended to intercept sensitive information. For this purpose, these e-mails are disguised as if they come from a trusted person. Since phishing is a well-known problem, many companies train their employees with phishing campaigns. A US institute has now created a new form of evaluation, the so-called Phish Scale, which is intended to help to better understand the results of such phishing campaigns.

Phish Scale – How to categorize a Phishing Mail

One of the major problems that the NIST (National Institute of Standards and Technology) criticizes in conventional phishing campaigns is that of evaluating the results. A “normal” phishing campaign usually looks like that selected employees receive a self-created phishing mail. Subsequently, it is analyzed how many employees have clicked on a link in the phishing mail. Thus, only the numbers were used to estimate how well trained employees are in dealing with phishing.

The Phish Scale not only looks at the pure click rate but also tries to weight the phishing mail in advance. For each phishing mail, a rating is carried out in which different parts of the phishing mail are analyzed and assessed. As an example, the subject of the e-mail can be mentioned here. If it is an irrelevant subject that does not contain any information from current situations, this mail is rated weaker than a mail that uses a subject that fits the current situation very well. Exactly which criteria are used can be found in the publication of NIST.

A video, which is embedded in the NIST website, gives a good overview of how the Phish Scale works.

Use the new categorization

The advantage of the Phish Scale is not directly visible at first sight. Basically, we get the same results for phishing campaigns with and without Phish Scale weighting. The result still includes the click rate. However, with Phish Scale it is now possible to see which department, for example, did not recognize the weakest phishing emails.

By prior classification of the phishing messages, the results can be viewed in more detail. This detailed view can be used for targeted training, so that certain departments can use the results to receive other phishing messages where they have had particular problems.

Phishing is one of the biggest areas of current IT security, as people are becoming increasingly popular as a security vulnerability. Recently, a research team, of which Matteo Große-Kampmann is a member, published a study on phishing.