NIST Phish Scale Cues Descriptions

1. Inconsistency

Typically found in any part of the email. Inconsistent cues are items that would seem off or unexpected in a legitimate email but are common in phishing emails. Inconsistencies in the email message can include a mismatch between the type of attachment actually sent and the type mentioned in the body of the email, or a signature in the body of the email that does not match the sender in the ‘from’ line.

See example below from NIST Phish Scale User Guide NIST TN 2276.
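The two inconsistencies named above (attachment type versus what the body promises, and signature name versus the ‘from’ display name) can be checked mechanically when scoring a message for this cue. The script below is an added illustration and is not part of the NIST Phish Scale or TN 2276; the sample message, the list of known attachment types and the list of sign-off phrases are constructed assumptions, and the checks are deliberately simple heuristics that would need tuning for real mail.

```python
"""Heuristic checks for the Phish Scale 'Inconsistency' cue.

Added example, not NIST code. The sample message, KNOWN_TYPES and
CLOSINGS below are constructed for illustration.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample: the body promises a PDF but a .zip is attached,
# and the signature names a different person than the From line.
SAMPLE_EMAIL = """\
From: Bob Smith <bob.smith@example.com>
To: staff@example.com
Subject: Invoice for approval
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Hi,

Please review the attached PDF invoice and approve by Friday.

Kind regards,
Alice Johnson
Finance Department

--b1
Content-Type: application/zip; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

# Attachment types a body might refer to by name ("attached PDF", "the docx").
KNOWN_TYPES = {"pdf", "doc", "docx", "xls", "xlsx", "zip", "html", "exe"}

# Sign-off phrases; the line after one of these is taken as the signer's name.
CLOSINGS = ("regards", "kind regards", "best regards", "thanks", "thank you",
            "sincerely", "cheers", "best")


def body_text(msg):
    """Return the plain-text body, or an empty string if there is none."""
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content() if part else ""


def mentioned_types(body):
    """Attachment types the body text refers to, singular or plural."""
    tokens = re.findall(r"[a-z]+", body.lower())
    found = {t for t in tokens if t in KNOWN_TYPES}
    found |= {t[:-1] for t in tokens if t.endswith("s") and t[:-1] in KNOWN_TYPES}
    return found


def actual_types(msg):
    """File extensions of the parts actually attached to the message."""
    types = set()
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if "." in name:
            types.add(name.rsplit(".", 1)[1].lower())
    return types


def signature_name(body):
    """Name on the line following a recognised sign-off, if any."""
    lines = [line.strip() for line in body.splitlines() if line.strip()]
    for i, line in enumerate(lines):
        if line.rstrip(",").lower() in CLOSINGS and i + 1 < len(lines):
            return lines[i + 1]
    return None


def from_display_name(msg):
    """Display name from the From header (empty if the header is bare)."""
    name, _addr = parseaddr(msg["From"] or "")
    return name


def inconsistency_cues(raw):
    """Return a list of human-readable inconsistency cues found in the message."""
    msg = message_from_string(raw, policy=policy.default)
    body = body_text(msg)
    cues = []

    mentioned, actual = mentioned_types(body), actual_types(msg)
    if mentioned and actual and not (mentioned & actual):
        cues.append(f"attachment mismatch: body mentions {sorted(mentioned)}, "
                    f"attached {sorted(actual)}")

    signer, sender = signature_name(body), from_display_name(msg)
    if signer and sender and signer.lower() != sender.lower():
        cues.append(f"signature mismatch: signed '{signer}', From '{sender}'")

    return cues


if __name__ == "__main__":
    for cue in inconsistency_cues(SAMPLE_EMAIL):
        print(cue)
```

The output is a list of cues rather than a verdict: the Phish Scale counts the cues present and combines that count with premise alignment, so a scorer wants each inconsistency reported separately, and a message with no attachment or no sign-off simply contributes nothing to the count.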

2. You're Special

The email has wording which suggests that something special and unexpected is being offered only to the recipient (e.g., a valentine e-card, a special birthday coupon).

See example below from NIST Phish Scale User Guide NIST TN 2276.

3. Mimics a Work or Business Process

This element evaluates how relevant the email’s premise is to the target audience’s processes or practices. Consider any typical processes or functions within their organisation when assessing this element.

For example, if the target audience usually receives official chat notifications through an app, an email about a missed chat message would have a lower applicability score. However, if email is the standard method for such notifications, it would receive a higher applicability score.

4. Has been the Subject of Targeted Training

This element highlights the impact of training on the target audience, including phishing-related organisational efforts to help employees recognise and report phishing emails. Employees with exposure to phishing-specific IT security training are expected to better identify phishing attempts (resulting in a higher applicability score) compared to those without such training (lower applicability score). Training is not limited to formal IT security programs; it includes any awareness materials or guidance provided to the audience. Examples of training include:

  • Formal cyber security awareness and training programs;
  • Educational materials or seminars on identifying phishing emails;
  • Organisational emails alerting employees to phishing threats or warning about specific types of attacks.