NIST Phish Scale Calculator

A Mirage Security Tool

Calculate phishing email detection difficulty based on the NIST Phish Scale.


Is the sender's name unrelated to the sender's email address, including 'reply-to' address?
Is a domain name used in the sender's email address plausibly similar to a recognizable entity's domain?
Are appropriate branding elements (text or logos) missing?
Do the design and formatting of the email appear unprofessional?
Is the email missing a generic greeting, such as a formal or informal salutation?
Is the email missing personalization?
Is the message missing detail about the sender, such as sender or contact information?
Does the message appear to be a work or business-related process?
Does the message appear to be from a friend, colleague, boss, or other reputable authority entity?

How many spelling errors are in the email?
How many grammar errors are in the email, including mismatched plurality?
How many inconsistencies are in the email?
How many potentially dangerous attachments are included?
How many times does text hide the true URL in a hyperlink?
How many links have a domain name plausibly similar to a recognizable entity's domain?
How many branding elements (text or logos) appear to be an imitation?
How many branding elements (text or logos) appear to be out-of-date?
How many inappropriate security indicators or security icons are in the email?
How many times is legal language used in the message, such as copyright information, disclaimers, or tax information?
How many details that are not central to the message's content does the message contain?
How many requests for sensitive information are in the email, including personally identifying information or credentials?
How many times does the email express time pressure, including implied time pressure?
How many threats are included in the message, including implied threats?
How many appeals does the email make to help others?
How many times does the email offer something that is too good to be true, such as having won a contest, lottery, free vacation and so on?
Does the email offer anything personalized and unexpected just for you?
How many times does the email offer something for a limited time?

Mimics a workplace process or practice
Has workplace relevance
Aligns with other situations or events, including external to the workplace
Engenders concern over consequences for NOT clicking
Has been the subject of targeted training, specific warnings, or other exposure