Collaborative phishing attack detection
Abstract
Described herein are methods, network devices and machine-readable storage media for detecting whether a message is a phishing attack based on the collective responses from one or more individuals who have received that message. The individuals may flag the message as a possible phishing attack, and/or may provide a numerical ranking indicating the likelihood that the message is a possible phishing attack. As responses from different individuals may have a different degree of reliability, each response from an individual may be weighted with a corresponding trustworthiness level of that individual, in an overall determination as to whether a message is a phishing attack. A trustworthiness level of an individual may indicate a degree to which the response of that individual can be trusted and/or relied upon, and may be determined by how well that individual recognized simulated phishing attacks.
15 Claims
1. A method, comprising:
- receiving, at a first computer system, a notification that a message has been identified by one or more individuals as a possible phishing attack, the message having been received on a computing device of each of the one or more individuals;
- determining, by the first computer system, whether the message is a known simulated phishing attack; and
- if the message is a known simulated phishing attack, recording in a database that each of the one or more individuals has correctly identified the message as a possible phishing attack;
- otherwise, if the message is not a known simulated phishing attack, determining, by the first computer system, a trustworthiness level for each of the one or more individuals; and
- processing, by the first computer system, the message based on the trustworthiness level of each of the one or more individuals to classify or not classify the message as a real phishing attack, wherein for a first one of the one or more individuals, the trustworthiness level of the first individual is based on one or more of:
  - a percentage of simulated phishing attacks that the first individual correctly identified as a possible phishing attack,
  - a percentage of simulated phishing attacks that the first individual ignored,
  - a percentage of simulated phishing attacks that the first individual fell victim to,
  - a sophistication level of a simulated phishing attack received by the first individual,
  - a type of simulated phishing attack received by the first individual,
  - a number of simulated phishing attacks that the first individual correctly identified as a possible phishing attack,
  - a number of simulated phishing attacks that the first individual ignored, and a number of simulated phishing attacks that the first individual fell victim to,
  - a number of real phishing attacks that the first individual correctly identified as a possible phishing attack,
  - a number of real phishing attacks that the first individual ignored,
  - a number of real phishing attacks that the first individual fell victim to,
  - a field of employment of the first individual,
  - an educational degree of the first individual,
  - a job position of the first individual, and
  - an employment history of the first individual.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14
15. A method, comprising:
- receiving, at a first computer system, a notification that a message has been identified by one or more individuals as a possible phishing attack, the message having been received on a computing device of each of the one or more individuals;
- determining, by the first computer system, whether the message is a known simulated phishing attack; and
- if the message is a known simulated phishing attack, recording in a database that each of the one or more individuals has correctly identified the message as a possible phishing attack;
- otherwise, if the message is not a known simulated phishing attack, determining, by the first computer system, a trustworthiness level for each of the one or more individuals; and
- processing, by the first computer system, the message based on the trustworthiness level of each of the one or more individuals to classify or not classify the message as a real phishing attack, wherein the one or more individuals comprises more than one individual, and if an average of the trustworthiness levels exceeds a threshold, classifying the message as a real phishing attack, otherwise, not classifying the message as a real phishing attack.
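The decision flow of claims 1 and 15, written out as an added Python example (not code from the patent or its assignee). The scoring formula, the 0.6 threshold, and every name and sample identifier are assumptions for illustration; the claims only require that the trustworthiness level be based on factors such as the share of simulated attacks a person reported or fell victim to.

```python
from dataclasses import dataclass

@dataclass
class History:
    """One reporter's outcomes on past simulated phishing messages."""
    reported: int = 0   # simulations correctly flagged
    ignored: int = 0    # simulations neither flagged nor acted on
    fell_for: int = 0   # simulations the person fell victim to

def trustworthiness(h: History) -> float:
    """Assumed formula: (reported - fell_for) / total, clamped to [0, 1].
    A reporter with no simulation history gets 0.0 (no evidence yet)."""
    total = h.reported + h.ignored + h.fell_for
    if total == 0:
        return 0.0
    return max(0.0, min(1.0, (h.reported - h.fell_for) / total))

def triage(message_id, reporters, simulations, histories, threshold=0.6):
    """Handle one reported message; returns 'simulated', 'real_phish'
    or 'unclassified'. `threshold` is an assumed value."""
    if not reporters:
        raise ValueError("a notification needs at least one reporter")
    if message_id in simulations:
        # Known simulation: record the correct identification per reporter.
        for r in reporters:
            histories.setdefault(r, History()).reported += 1
        return "simulated"
    # Not a simulation: score each reporter, then apply the claim-15 rule
    # (the average must strictly exceed the threshold).
    levels = [trustworthiness(histories.get(r, History())) for r in reporters]
    average = sum(levels) / len(levels)
    return "real_phish" if average > threshold else "unclassified"

if __name__ == "__main__":
    # Constructed sample data, not taken from the patent.
    simulations = {"sim-0042"}
    histories = {"alice": History(9, 1, 0), "bob": History(2, 3, 5)}
    print(triage("msg-a", ["alice"], simulations, histories))
    print(triage("msg-b", ["alice", "bob"], simulations, histories))
    print(triage("sim-0042", ["bob"], simulations, histories))
```

Because reporters without history score 0.0 here, each one added to a report lowers the plain average, which is worth weighing when choosing the threshold.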
Specification