
Human-Centered Cybersecurity

Phishing

Short URL: https://csrc.nist.gov/phishing

Phishing continues to be an escalating cyber threat facing organizations of all types and sizes, including industry, academia, and government.

Our team performs research to understand phishing within an operational (real-world) context by examining user behaviors during phishing awareness training exercises. Our projects provide insights into users’ rationale and role in early detection, and how these might be scaffolded with technological solutions. Recent efforts have focused on the NIST Phish Scale, a method for rating the human detection difficulty of phishing emails considering both the characteristics of the email and the user context of the email's recipient. 


Publications


Papers

NIST Phish Scale User Guide - Shaneé Dawkins & Jody Jacobs. NIST Technical Note 2276 (2023).

How to Scale a Phish: An Investigation Into the Use of the NIST Phish Scale (Poster Abstract) - Shaneé Dawkins & Jody Jacobs. Poster session at Symposium on Usable Privacy and Security (SOUPS) (2023).

Scaling the Phish: Advancing the NIST Phish Scale - Fernando Barrientos, Jody Jacobs, & Shaneé Dawkins. Poster session at International Conference on Human-Computer Interaction (HCII) (2021).

Categorizing Human Phishing Difficulty: A Phish Scale - Michelle P. Steves, Kristen K. Greene, & Mary F. Theofanos. Journal of Cybersecurity (2020).

A Phish Scale: Rating Human Phishing Message Detection Difficulty - Michelle P. Steves, Kristen K. Greene, & Mary F. Theofanos. Proceedings of the Workshop on Usable Security (USEC) at the Network and Distributed Systems Security (NDSS) Symposium (2019).

Presentations

The NIST Phish Scale: A method for rating human phishing detection difficulty - This presentation is intended for phishing awareness training program implementors. It provides a detailed review of Phish Scale components, a structured walk-through of how to apply the Phish Scale, and an overview of the Phish Scale User Guide.

The NIST Phish Scale: Considering user context in phishing awareness programs - This presentation focuses on the importance of considering user context in phishing awareness programs. It provides a high-level overview of the Phish Scale and its methods of application.

Videos

Phishing With a Net: The NIST Phish Scale and Cybersecurity Awareness - Shaneé Dawkins & Jody Jacobs. Presented at RSA Conference (April 25, 2023).

Introducing Phish Scale (2020)

Blogs

Recognizing and Reporting Phishing - Cybersecurity Awareness Month (2023)

My Research Can Help Protect You -- and Your Company -- From Hackers Trying to Steal Your Money and Information (2023)

Cybersecurity Awareness Month: Fight the Phish (2021)

The Phish Scale: NIST-Developed Method Helps IT Staff See Why Users Click on Fraudulent Emails (2020)

Staff Spotlight: NIST Usable Cybersecurity Featuring Kristen Greene (2020)

Podcasts

Cybercrime Magazine Podcast: The Phish Scale. A new method for training employees (2020)


Papers

Not All Victims Are Created Equal: Investigating Differential Phishing Susceptibility - Matthew Canham, Shaneé Dawkins, & Jody Jacobs. HCI International 2024 Conference (HCII2024).

Peering into the Phish Bowl: An Analysis of Real-World Phishing Cues (Poster Abstract) - Lorenzo Neil, Shaneé Dawkins, Jody Jacobs, & Julia Sharp. Poster session at Symposium on Usable Privacy and Security (SOUPS) (2023).

No Phishing Beyond This Point - Kristen Greene, Michelle Steves, & Mary Theofanos. IEEE Computer (2018).

User Context: An Explanatory Variable in Phishing Susceptibility - Kristen K. Greene, Michelle P. Steves, Mary F. Theofanos, & Jennifer Kostick. Proceedings of the Workshop on Usable Security (USEC) at the Network and Distributed Systems Security (NDSS) Symposium (2018).

Exploratory Lens Model of Decision-Making in Potential Phishing Attack Scenario - Franklin Tamborello & Kristen Greene. NISTIR 8194 (2017).

Presentations

Can You Spot a Phish? - This presentation is intended for general audiences. It gives an introduction to phishing cues and how to find them, and steps users can take to protect themselves from phishing attacks.

ISPAB presentation - User Context: An Explanatory Variable in Phishing Susceptibility - Kristen Greene, Michelle Steves, & Mary Theofanos. (June 21, 2018)

Videos

You've Been Phished (2018)


Created November 17, 2016, Updated October 04, 2024