Collaborative phishing attack detection

US 10,187,407 B1
Filed: 05/01/2017
Issued: 01/22/2019
Est. Priority Date: 02/08/2013
Status: Active Grant

First Claim

Patent Images

1. A method for enhancing the security of a computing environment, the method comprising:

generating a simulated phishing email at a networked computing system, wherein;

the simulated phishing email comprises specified identifying header information, and wherein the specified identifying header information is stored in a header of the simulated phishing email;

the simulated phishing email is a non-malicious email that resembles a phishing attack;

the simulated phishing email includes content attempting to lure an individual into performing a target action on a computing device;

when the individual performs the target action on the computing device, performance of the target action does not compromise the computing device or personal information of the individual;

transmitting the simulated phishing email from the networked computing system over a communications network so that it can be delivered in an email account associated with a user;

providing computer-executable instructions for an email client plugin, wherein the instructions provide a user-interface element in the form of a button in the email client for a user interaction in the form of identifying an email received in the email account associated with the user as a suspected phishing email or a simulated phishing email;

providing computer-executable instructions for the email client plugin for receiving a user interaction with the user-interface element displayed to the user in the form of the button while the email received in the email account associated with the user is displayed to the user;

providing computer-executable instructions for the email client plugin for determining when the received email is the simulated phishing email generated by the networked computing system by comparing the specified identifying header information to header information of the received email, wherein when the header information of the received email matches the specified identifying header information, then the received email is indicated as the simulated phishing email generated by the networked computing system;

when the received email is determined to be the simulated phishing email generated by the networked computing system based on the comparing of the header information, then the user interaction with the user interface element in the form of the button causes the plugin to identify the received email in the email account associated with the user as being a simulated phishing email;

when the received email is determined to not be a simulated phishing email generated by the networked computing system based on the comparing of header information, then the user interaction with the user interface element in the form of the button causes the plugin to identify the received email in the email account associated with the user as being a suspected phishing email;

recording data in volatile or non-volatile computer memory indicating whether the received email was identified as a simulated phishing email; and

providing computer-executable instructions for the email client plugin, upon determining that the received email is not a simulated phishing email, causing the received email to be transmitted for analysis as to whether or not it is malicious.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Described herein are methods, network devices and machine-readable storage media for detecting whether a message is a phishing attack based on the collective responses from one or more individuals who have received that message. The individuals may flag the message as a possible phishing attack, and/or may provide a numerical ranking indicating the likelihood that the message is a possible phishing attack. As responses from different individuals may have a different degree of reliability, each response from an individual may be weighted with a corresponding trustworthiness level of that individual, in an overall determination as to whether a message is a phishing attack. A trustworthiness level of an individual may indicate a degree to which the response of that individual can be trusted and/or relied upon, and may be determined by how well that individual recognized simulated phishing attacks.

Citations

14 Claims

1. A method for enhancing the security of a computing environment, the method comprising:
- generating a simulated phishing email at a networked computing system, wherein;
  
  the simulated phishing email comprises specified identifying header information, and wherein the specified identifying header information is stored in a header of the simulated phishing email;
  
  the simulated phishing email is a non-malicious email that resembles a phishing attack;
  
  the simulated phishing email includes content attempting to lure an individual into performing a target action on a computing device;
  
  when the individual performs the target action on the computing device, performance of the target action does not compromise the computing device or personal information of the individual;
  
  transmitting the simulated phishing email from the networked computing system over a communications network so that it can be delivered in an email account associated with a user;
  
  providing computer-executable instructions for an email client plugin, wherein the instructions provide a user-interface element in the form of a button in the email client for a user interaction in the form of identifying an email received in the email account associated with the user as a suspected phishing email or a simulated phishing email;
  
  providing computer-executable instructions for the email client plugin for receiving a user interaction with the user-interface element displayed to the user in the form of the button while the email received in the email account associated with the user is displayed to the user;
  
  providing computer-executable instructions for the email client plugin for determining when the received email is the simulated phishing email generated by the networked computing system by comparing the specified identifying header information to header information of the received email, wherein when the header information of the received email matches the specified identifying header information, then the received email is indicated as the simulated phishing email generated by the networked computing system;
  
  when the received email is determined to be the simulated phishing email generated by the networked computing system based on the comparing of the header information, then the user interaction with the user interface element in the form of the button causes the plugin to identify the received email in the email account associated with the user as being a simulated phishing email;
  
  when the received email is determined to not be a simulated phishing email generated by the networked computing system based on the comparing of header information, then the user interaction with the user interface element in the form of the button causes the plugin to identify the received email in the email account associated with the user as being a suspected phishing email;
  
  recording data in volatile or non-volatile computer memory indicating whether the received email was identified as a simulated phishing email; and
  
  providing computer-executable instructions for the email client plugin, upon determining that the received email is not a simulated phishing email, causing the received email to be transmitted for analysis as to whether or not it is malicious.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the simulated phishing email comprises at least one embedded hyperlink or attachment.
  - 3. The method of claim 1, wherein the computer-executable instructions are provided for an email client of the email system, and further wherein the email client is web-based or is cloud-based.
  - 4. The method of claim 1, wherein the user-interface element is a graphical user-interface element comprising a button that, when selected, automatically sends a notification of the user identification to the networked computing system.
  - 5. The method of claim 1, wherein transmitting the received email for analysis further comprises sending the received email in its entirety.
  - 6. The method of claim 1, wherein the email system comprises a web-based email client, an email client installed on a remote computing device, or an email server.
  - 7. The method of claim 1, wherein the specified identifying header information stored in the header of the simulated phishing email functions to identify a sender.

8. A system for enhancing the security of a computing environment, the system comprising a processor and data store with computer-executable instructions for:
- generating a simulated phishing email at a networked computing system, wherein;
  
  the simulated phishing email comprises specified identifying header information, and wherein the specified identifying header information is stored in a header of the simulated phishing email;
  
  the simulated phishing email is a non-malicious email that resembles a phishing attack;
  
  the simulated phishing email includes content attempting to lure an individual into performing a target action on a computing device;
  
  when the individual performs the target action on the computing device, performance of the target action does not compromise the computing device or personal information of the individual;
  
  transmitting the simulated phishing email from the networked computing system over a communications network so that it can be delivered in an email account associated with a user;
  
  an email client plugin with computer-executable instructions for;
  
  a user-interface element in the form of a button in the email client for a user interaction in the form of identifying an email received in the email account associated with the user as a suspected phishing email or a simulated phishing email;
  
  receiving a user interaction with the user-interface element displayed to the user in the form of a button while the email received in the email account associated with the user is displayed to the user;
  
  determining when the received email is the simulated phishing email generated by the networked computing system by comparing the specified identifying header information to header information of the received email, wherein when the header information of the received email matches the specified identifying header information, then the received email is indicated as the simulated phishing email generated by the networked computing system;
  
  when the received email is determined to be the simulated phishing email generated by the networked computing system based on the comparing of the header information, then the user interaction with the user interface element in the form of the button causes the plugin to identify the received email in the email account associated with the user as being a simulated phishing email;
  
  when the received email is determined to not be a simulated phishing email generated by the networked computing system based on the comparing of header information, then the user interaction with the user interface element in the form of the button causes the plugin to identify the received email in the email account associated with the user as being a suspected phishing email;
  
  recording data in volatile or non-volatile computer memory indicating whether the received email was identified as a simulated phishing email; and
  
  upon determining that the received email is not a simulated phishing email, causing the received email to be transmitted for analysis as to whether or not it is malicious.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, wherein the simulated phishing email comprises at least one embedded hyperlink or attachment.
  - 10. The system of claim 8, wherein the computer-executable instructions are provided for an email client of the email system, and further wherein the email client is web-based or is cloud-based.
  - 11. The system of claim 8, wherein the user-interface element is a graphical user-interface element comprising a button that, when selected, automatically sends a notification of the user identification to the networked computing system.
  - 12. The system of claim 8, wherein transmitting the received email for analysis further comprises sending the received email in its entirety.
  - 13. The system of claim 8, wherein the email system comprises a web-based email client, an email client installed on a remote computing device, or an email server.
  - 14. The system of claim 8, wherein the specified identifying header information stored in the header of the simulated phishing email functions to identify a sender.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cofense, Inc.
Original Assignee
Cofense Inc.
Inventors
Higbee, Aaron, Belani, Rohyt, Greaux, Scott
Primary Examiner(s)
Ho, Dao Q
Assistant Examiner(s)
Zarrineh, Shahriar

Application Number

US15/583,970
Time in Patent Office

631 Days
Field of Search

726 23
US Class Current
CPC Class Codes

G06F 3/04842   Selection of displayed obje...

H04L 51/42   Mailbox-related aspects, e....

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/1466   Active attacks involving in...

H04L 63/1483   service impersonation, e.g....

H04L 67/306   User profiles

Collaborative phishing attack detection

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Collaborative phishing attack detection

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links