
NIST Computer Scientist Publishes Article on Phishing


During Cybersecurity Awareness Month, the National Institute of Standards and Technology (NIST) has published an article that elaborates on its in-depth research on phishing, revealing tips to keep your personal information safe.

NIST defines phishing as a technique for attempting to acquire sensitive data, such as bank account numbers, through a fraudulent solicitation in email or on a website, in which the perpetrator masquerades as a legitimate business or reputable person.

Authored by NIST computer scientist Dr. Shanee Dawkins, the article describes how researchers, through the NIST research project behind the NIST Phish Scale, identified two major sets of factors that determine whether someone clicks on a phishing email: observable cues and user context.

“The observable cues are in the message itself,” Dawkins explains. “Users are generally good at spotting red flags, such as typos, a personal email address instead of a business one, a generic greeting, and more. We’ve identified 23 of these cues that can help users decide if a message is legitimate.” She also noted that user context has to do with your job. “I’m a researcher, so if someone sent me an email to pay an invoice, I could easily spot that as a phish. That’s not my job. But if you sent that same email to someone in accounts receivable who pays invoices, it might be harder for them to detect.”
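As an added illustration (not code from the NIST article or from the Phish Scale itself), the following Python sketch models the two factor sets Dawkins describes: a detector for a few of the observable cues named above, run over constructed sample messages, combined with a hypothetical role-to-premise table standing in for user context. The three-level difficulty rating and its thresholds are assumptions chosen for illustration, not the published Phish Scale scoring.

```python
import re

# Constructed sample messages (not taken from the NIST article).
SAMPLES = {
    "invoice_phish": {"from": "accounts@gmail.com", "reply_to": "billing@mail-relay.example",
                      "subject": "URGENT: Invoice overdue - pay imediately",
                      "greeting": "Dear Customer,", "premise": "invoice"},
    "hr_notice": {"from": "hr@corp.example", "reply_to": "hr@corp.example",
                  "subject": "Reminder: benefits enrollment closes Friday",
                  "greeting": "Hi Shanee,", "premise": "hr"},
}
FREEMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
MISSPELLINGS = {"imediately", "recieve", "verfy"}  # stand-in for a real spell-checker
# Hypothetical user-context table: which message premises fit which job role.
ROLE_PREMISES = {"accounts_receivable": {"invoice", "payment"}, "researcher": {"paper", "grant"}}

def observable_cues(msg):
    """Red flags a reader could notice in the message itself (a small subset of NIST's 23)."""
    cues = []
    sender_domain = msg["from"].split("@")[-1].lower()
    if sender_domain in FREEMAIL:
        cues.append("personal (free-mail) sender address instead of a business one")
    if msg["reply_to"].split("@")[-1].lower() != sender_domain:
        cues.append("reply-to domain differs from sender domain")
    if re.match(r"^(dear|hello|hi)\s+(customer|user|valued|sir)", msg["greeting"], re.I):
        cues.append("generic greeting")
    if set(re.findall(r"[a-z]+", msg["subject"].lower())) & MISSPELLINGS:
        cues.append("typos in subject")
    if re.search(r"\b(urgent|overdue|suspended)\b", msg["subject"], re.I):
        cues.append("urgency or pressure language")
    return cues

def detection_difficulty(msg, recipient_role):
    """Combine cue count with user context. The thresholds are an assumption for
    illustration, not the published Phish Scale matrix; the shape follows the
    article: with the same cues, a premise that fits the recipient's job is harder."""
    n = len(observable_cues(msg))
    aligned = msg["premise"] in ROLE_PREMISES.get(recipient_role, set())
    if n >= 4 and not aligned:
        return "least difficult"
    if n >= 4 or (n >= 2 and not aligned):
        return "moderately difficult"
    return "very difficult"

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, observable_cues(msg))
    for role in ROLE_PREMISES:
        print(role, detection_difficulty(SAMPLES["invoice_phish"], role))
```

Run as a script it lists the cues found in each sample and shows the same invoice lure rated easier for a researcher than for someone in accounts receivable.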

NIST has also released several important tips to “fight the phish” and keep your personal (or your employer’s) information safe: 

  • Remain vigilant. If you see something suspicious, report it right away. 
  • When in doubt about the authenticity of a message, don’t click. 
  • Don’t call the number in a suspicious email. If the email is from a company or an organization, verify the number on its website and call that number to check the legitimacy of information. 
  • If you receive a message from someone you think you know, call them to verify they actually sent it, especially if they ask for money.
  • Phishing can come through as text messages on your phone (smishing) or fraudulent phone calls (vishing) that use similar tactics as emails. Be wary of all forms of communication. 

Dawkins works in the visualization and usability group at NIST, where she performs research focusing on human-centered design and evaluation guidelines and standards. NIST’s Phish Scale is available for organizations conducting phishing awareness training. Access more on NIST’s Just a Standard Blog page.
