Can your employees catch a Phish? Find out with the NIST Phish scale

Virgil

Feb 02, 2025
NIST Phish scale

82% incident rate. $10.3 billion in losses. A 30% uptick in phishing attempts. Phishing is more prevalent and more damaging than most organizations assume, yet most efforts to curb it remain limited to one-off training and vanity metrics that say little about real phishing resilience.

Enter the NIST Phish Scale, a simple but effective method for understanding why some employees fall for phishing attacks and others don't, and how you, as a security leader, can use those findings to build better training programs, track the right metrics for organization-wide phishing resilience, and deploy playbooks that stop phishing in its tracks.

Excited? So are we. Let’s get started:

TL;DR

The NIST Phish Scale rates the detection difficulty of each phishing email from two inputs: the observable cues it contains and how well its premise aligns with the recipient's work context. That rating turns a raw click rate into a meaningful measure of training effectiveness and resilience.
Because the scale accounts for psychological and contextual triggers, it explains why well-aligned, low-cue messages deceive even vigilant employees.
It pushes organizations toward realistic, deliberately varied simulations and continuous training improvements rather than a single click-rate target.

What is the NIST Phish scale?

Most organizations track the success of their security training with a single number: the click rate. The NIST Phish Scale adds the dimension that number lacks, difficulty. It rates each simulated email from two inputs: the observable cues a recipient could notice (spelling and grammar errors, technical indicators such as a mismatched sender address or link target, visual presentation, language and content, and common tactics) and premise alignment, which is how closely the email's pretext matches the recipient's role, workplace processes, and expectations. An email with few cues and high premise alignment is rated very difficult to detect; one with many cues and low alignment is rated least difficult. Rating each simulation this way tells you which kinds of phishing your organization is most vulnerable to and exactly where to plug the gaps in training.
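As an added example (not code from NIST or from this article), here is the rating worked through in Python: the rater bins the number of observable cues, combines that bin with the rater's premise-alignment judgment using the published difficulty matrix, and then judges a simulation's click rate against the rated difficulty. The cue bins (few 1-8, some 9-14, many 15+) and the difficulty matrix follow the published NIST Phish Scale; the two sample emails, their cue annotations, and the click-rate tolerances in `interpret_click_rate` are constructed assumptions for illustration and should be calibrated against your own simulation history.

```python
"""Rating simulated phishing emails with the NIST Phish Scale.

Added illustration, not code from NIST or from the article. The cue bins
and the difficulty matrix follow the published scale; the sample emails
and the click-rate tolerances are assumptions made for this example.
"""
from dataclasses import dataclass


def cue_bin(n_cues: int) -> str:
    """Bin the count of observable cues the rater found in the email."""
    if n_cues < 1:
        raise ValueError("a phishing email carries at least one observable cue")
    if n_cues <= 8:
        return "few"
    if n_cues <= 14:
        return "some"
    return "many"


# Published NIST Phish Scale matrix: (cue bin, premise alignment) -> difficulty.
DIFFICULTY = {
    ("few", "high"): "very difficult",
    ("few", "medium"): "very difficult",
    ("few", "low"): "moderately difficult",
    ("some", "high"): "very difficult",
    ("some", "medium"): "moderately difficult",
    ("some", "low"): "moderately to least difficult",
    ("many", "high"): "moderately difficult",
    ("many", "medium"): "moderately difficult",
    ("many", "low"): "least difficult",
}


@dataclass
class SimulatedPhish:
    name: str
    cues: list            # observable cues the rater annotated on the email
    premise_alignment: str  # "high", "medium" or "low", judged by the rater

    def difficulty(self) -> str:
        key = (cue_bin(len(self.cues)), self.premise_alignment.lower())
        if key not in DIFFICULTY:
            raise ValueError(f"premise alignment must be high/medium/low, got {self.premise_alignment!r}")
        return DIFFICULTY[key]


def interpret_click_rate(difficulty: str, click_rate: float) -> str:
    """Judge a simulation's click rate against the email's rated difficulty.

    The tolerance per difficulty level is an assumption for this example;
    calibrate it from your organization's own simulation history.
    """
    expected_max = {
        "least difficult": 0.05,
        "moderately to least difficult": 0.10,
        "moderately difficult": 0.20,
        "very difficult": 0.35,
    }
    ceiling = expected_max[difficulty]
    if click_rate > ceiling:
        return f"above tolerance ({click_rate:.0%} > {ceiling:.0%}): training gap"
    return f"within tolerance ({click_rate:.0%} <= {ceiling:.0%}): expected at this difficulty"


def report(email: SimulatedPhish, click_rate: float) -> dict:
    d = email.difficulty()
    return {"email": email.name, "cues": len(email.cues), "difficulty": d,
            "verdict": interpret_click_rate(d, click_rate)}


# Constructed sample annotations: a sloppy generic lure and a polished lure
# that mimics an internal HR process. Both are assumed to get a 12% click rate.
SLOPPY_EMAIL = SimulatedPhish(
    name="generic prize notification",
    cues=["spelling errors", "grammar errors", "inconsistent sender name",
          "suspicious attachment type", "display name mismatch",
          "sender address mismatch", "raw IP address in URL", "spoofed domain",
          "no branding", "unprofessional design", "generic greeting",
          "no signer details", "sense of urgency", "threatening language",
          "too good to be true", "limited-time offer"],
    premise_alignment="low",
)
POLISHED_EMAIL = SimulatedPhish(
    name="HR benefits enrollment reminder",
    cues=["lookalike domain", "link text differs from link target", "mild urgency"],
    premise_alignment="high",
)

if __name__ == "__main__":
    for email in (SLOPPY_EMAIL, POLISHED_EMAIL):
        print(report(email, 0.12))
```

With the same 12% click rate, the sloppy email is rated least difficult and the click rate reads as a training gap, while the polished email is rated very difficult and the same number reads as expected. That is the distinction a bare click rate hides.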

“The way most organizations measure phishing awareness is fundamentally broken. If your security team is still chasing low click rates instead of meaningful behavioral insights, you’re doing more harm than good. The NIST Phish Scale is the wake-up call the industry needs, and yet, few are listening. Let’s cut through the noise and talk about why your phishing metrics need a revolution.”

Rachna Dutta, Infosecurity Consultant, Sprinto

Why does the NIST Phish Scale matter now?

A study that surveyed 1,400 organizations found that 26% had experienced an uptick in phishing attempts over the previous year, and that 88% of those organizations had fallen victim to ransomware in some capacity. The link between phishing and serious consequences for the business is hard to miss.

The common denominator is phishing training that operates in a vacuum. Not all phishing emails are created equal: some are carefully engineered and tailored to a specific group of people, while others are generic and easy to spot. Reporting simulation click rates without measuring how hard each simulation was, in terms of the social engineering and contextual traps real threat actors use, builds a false sense of resilience.

Here’s an example: A poorly crafted phishing email with obvious spelling errors might fool only a handful of users. Meanwhile, a polished, highly contextual email that mimics legitimate internal communication might trip up even your most security-aware employees. Both click rates could be the same, but the lessons learned are vastly different.

The Phish Scale does not just measure user performance; it puts that performance in context. It forces organizations to ask tougher questions:

  • Was the email truly challenging?
  • Did users fall for it because of its sophistication or gaps in training?
  • How do environmental factors, like timing or stress, play into their decision-making?