NIST Phishing Difficulty Calculator

Use our online calculator to apply the NIST Phish Scale to a phishing email.

1. Email Cues

Cues are the characteristics of an email that signal it may be a phishing attempt. Fewer cues make a phishing email harder to detect, while more cues make detection easier.

Technical Indicators

Is the sender’s name unrelated to the sender’s email address, including “reply-to” address? *
Does the sender's email address use a domain name that is not plausibly similar to a legitimate or recognisable entity's domain? *

Visual Presentation Indicators

Are appropriate branding elements (text or logos) missing? *
Do the design and formatting of the email appear unprofessional? *

Language and Content

Is the email missing a generic greeting, such as a formal or informal salutation? *
Is the email missing personalisation? *
Is the message missing detail about the sender, such as sender or contact information? *

Common Tactics

Does the message appear to be a work or business-related process? *
Does the message appear to be from a friend, colleague, boss, other authority entity, or other reputable authority entity? *

Errors

How many spelling errors are in the email? *
How many grammar errors are in the email, including mismatched plurality? *
How many inconsistencies are in the email? *

Technical Indicators

How many potentially dangerous attachments are included? *
How many times does text hide the true URL in a hyperlink? *
How many links have a domain name plausibly similar to a recognisable entity's domain? *

Visual Presentation Indicators

How many branding elements (text or logos) appear to be an imitation? *
How many branding elements (text or logos) appear to be out-of-date? *
How many inappropriate security indicators or security icons are in the email? *

Language and Content

How many times is legal language used in the message, such as copyright information, disclaimers, or tax information? *
How many detailed aspects that are not central to the content are in the message? *
How many requests for sensitive information are in the email, including personally identifying information or credentials? *
How many times does the email express time pressure, including implied? *
How many threats are included in the message, including implied threats? *

Common Tactics

How many appeals does the email make to help others? *
How many times does the email offer something that is too good to be true, such as having won a contest, lottery, free vacation and so on? *
Does the email offer anything personalised and unexpected just for you? *
How many times does the email offer something for a limited time? *

2. Premise Alignment

Premise alignment measures how well an email aligns with the recipient's work roles or organisational responsibilities. A stronger premise alignment makes the email harder to identify as a phishing attempt, while a weaker alignment makes it easier to detect.

1) Mimics a workplace process or practice
How applicable is the email to workplace processes or practices for the target audience? *
2) Has workplace relevance
How pertinent is the email’s premise to the roles and responsibilities of the target audience? *
3) Aligns with other situations or events, including external to the workplace
How well does the email align to other situations or events, even those external to the workplace? *
4) Engenders concern over consequences for NOT clicking
How applicable is the email to concerns over potentially harmful ramifications for not clicking the links or attachments? *
5) Has been the subject of targeted training, specific warnings, or other exposure
How applicable is the email’s reflection of targeted training effects that would lead to premise detection? Care must be taken to appropriately incorporate the training or warning specificity, as transfer of learning is quite difficult. *

NIST Phish Scale Assessment Results

Total Cue Count: (calculated from the answers in section 1)

Cue Category (Phish Scale Categories):

Total Score | Category
1-8         | Few - The phishing email has a lower number of cues, with fewer opportunities to identify the email as a phish
9-14        | Some - The phishing email has a moderate number of cues
15+         | Many - The phishing email has a higher number of cues, with more opportunities to identify the email as a phish

Premise Alignment Rating: (calculated from the answers in section 2)

Premise Alignment Category (Phishing Email Premise Alignment Category Mapping):

Premise Alignment Rating | Premise Alignment Category
10 and below             | Weak - the alignment of the phishing email's premise to the target audience is low, making the email less difficult to detect as a phish
11-17                    | Medium - the alignment of the phishing email's premise to the target audience is moderate
18 and higher            | Strong - the alignment of the phishing email's premise to the target audience is high, making the email difficult to detect as a phish

Detection Difficulty: one of Very difficult, Moderately difficult, Moderately to Least difficult, or Least difficult, read from the scale below.

Detection Difficulty Scale:

Cues Category          | Premise Alignment Category | Detection Difficulty
Few (more difficult)   | Strong                     | Very difficult
Few (more difficult)   | Medium                     | Very difficult
Few (more difficult)   | Weak                       | Moderately difficult
Some                   | Strong                     | Very difficult
Some                   | Medium                     | Moderately difficult
Some                   | Weak                       | Moderately to Least difficult
Many                   | Strong                     | Moderately difficult
Many                   | Medium                     | Moderately difficult
Many                   | Weak                       | Least difficult
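The scoring the calculator performs (cue total, the two category tables, and the detection difficulty scale) as an added Python example, not the calculator's own code. The sample answers, the key names that paraphrase the page's questions, and the assessor's premise alignment rating of 19 are constructed for illustration; the page gives only the category thresholds, so how the five premise elements combine into a rating is left to the assessor.

```python
# Cue total: each yes/no cue question answered "yes" counts one cue; each
# "how many" question contributes its count (the page's Total Cue Count).
def total_cue_count(yes_no: dict, counts: dict) -> int:
    return sum(1 for present in yes_no.values() if present) + sum(counts.values())

# Page table: 1-8 Few, 9-14 Some, 15+ Many (assumption: a total of 0 is Few).
def cue_category(total: int) -> str:
    return "Few" if total <= 8 else "Some" if total <= 14 else "Many"

# Page table: 10 and below Weak, 11-17 Medium, 18 and higher Strong.
def premise_alignment_category(rating: float) -> str:
    return "Weak" if rating <= 10 else "Medium" if rating <= 17 else "Strong"

# Detection Difficulty Scale from the page, keyed (cue category, premise category).
DETECTION_DIFFICULTY = {
    ("Few", "Strong"): "Very difficult",
    ("Few", "Medium"): "Very difficult",
    ("Few", "Weak"): "Moderately difficult",
    ("Some", "Strong"): "Very difficult",
    ("Some", "Medium"): "Moderately difficult",
    ("Some", "Weak"): "Moderately to least difficult",
    ("Many", "Strong"): "Moderately difficult",
    ("Many", "Medium"): "Moderately difficult",
    ("Many", "Weak"): "Least difficult",
}

def assess(yes_no: dict, counts: dict, premise_rating: float) -> dict:
    total = total_cue_count(yes_no, counts)
    cues, premise = cue_category(total), premise_alignment_category(premise_rating)
    return {"total_cue_count": total, "cue_category": cues,
            "premise_alignment_category": premise,
            "detection_difficulty": DETECTION_DIFFICULTY[(cues, premise)]}

# Constructed sample: an assessor's answers for a simulated "password expiry"
# awareness-training email (hypothetical values; keys paraphrase the questions).
SAMPLE_YES_NO = {
    "sender_name_unrelated_to_address": False, "implausible_sender_domain": True,
    "branding_missing": False, "unprofessional_design": False,
    "generic_greeting_missing": False, "personalisation_missing": True,
    "sender_details_missing": False, "work_or_business_process": True,
    "poses_as_authority": True, "personalised_unexpected_offer": False,
}
SAMPLE_COUNTS = {
    "spelling_errors": 1, "grammar_errors": 1, "inconsistencies": 0,
    "dangerous_attachments": 0, "hidden_urls": 1, "lookalike_link_domains": 1,
    "imitation_branding": 0, "outdated_branding": 0, "inappropriate_security_icons": 1,
    "legal_language": 0, "distracting_detail": 0, "sensitive_info_requests": 1,
    "time_pressure": 1, "threats": 1, "humanitarian_appeals": 0,
    "too_good_to_be_true": 0, "limited_time_offers": 0,
}
SAMPLE_PREMISE_RATING = 19  # assumed rating the assessor derived for the five elements
```

`assess(SAMPLE_YES_NO, SAMPLE_COUNTS, SAMPLE_PREMISE_RATING)` scores the sample at 12 cues ("Some") with a "Strong" premise, so the scale rates it "Very difficult"; the same cues with a rating of 5 ("Weak") drop it to "Moderately to least difficult".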