Collaborative phishing attack detection
Abstract
Described herein are methods, network devices and machine-readable storage media for detecting whether a message is a phishing attack based on the collective responses from one or more individuals who have received that message. The individuals may flag the message as a possible phishing attack, and/or may provide a numerical ranking indicating the likelihood that the message is a possible phishing attack. As responses from different individuals may have a different degree of reliability, each response from an individual may be weighted with a corresponding trustworthiness level of that individual, in an overall determination as to whether a message is a phishing attack. A trustworthiness level of an individual may indicate a degree to which the response of that individual can be trusted and/or relied upon, and may be determined by how well that individual recognized simulated phishing attacks.
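The flow the abstract describes, as an added sketch that is not code from the patent: reports carrying a known simulation identifier update the reporter's track record, and other reports are scored by summing each reporter's rating weighted by that record. The `X-Sim-Id` header name, the smoothed trust formula, the threshold, and all class and method names are assumptions.

```python
import secrets
from collections import defaultdict

SIM_HEADER = "X-Sim-Id"  # assumed header name; the page only says "metadata"

class ReportTriage:
    def __init__(self, threshold=1.0):
        self.sims = {}                      # identifier -> intended recipient
        self.credited = set()               # identifiers already counted
        self.sent = defaultdict(int)        # user -> simulations delivered
        self.caught = defaultdict(int)      # user -> simulations reported
        self.reports = defaultdict(dict)    # message digest -> {reporter: rating}
        self.threshold = threshold

    def send_simulation(self, user):
        sim_id = secrets.token_hex(16)      # unguessable, so it cannot be forged
        self.sims[sim_id] = user
        self.sent[user] += 1
        return {SIM_HEADER: sim_id}

    def trust(self, user):
        # Smoothed share of simulations reported; no history gives 0.5.
        return (self.caught[user] + 1) / (self.sent[user] + 2)

    def report(self, user, headers, digest, rating=1.0):
        sim_id = headers.get(SIM_HEADER)
        if sim_id in self.sims:
            # Credit only the intended recipient, and only once per identifier.
            if self.sims[sim_id] == user and sim_id not in self.credited:
                self.credited.add(sim_id)
                self.caught[user] += 1
            return "simulation"
        # Not a known simulation: weight each reporter's rating by their trust.
        self.reports[digest][user] = min(max(rating, 0.0), 1.0)
        score = sum(self.trust(u) * r for u, r in self.reports[digest].items())
        return "escalate" if score >= self.threshold else "monitor"
```

Binding each identifier to its recipient and counting it once keeps a forwarded or replayed simulation from inflating anyone's trust level.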
20 Claims
1. A method, comprising:
- generating, by a network device, a simulated phishing message, the message comprising a predetermined identifier in the message or in metadata of the message;
- electronically storing, by the network device, the predetermined identifier in a computerized data store;
- receiving, by the network device from a computing device associated with an individual, a notification triggered by a user action by the individual that a message delivered in an account associated with the individual has been identified by the individual as a possible phishing attack;
- determining, by the network device, whether the identified message is a known simulated phishing attack by comparing the predetermined identifier to an identifier from the body of the message or to the metadata of the message;
- if the message is identified by the individual as a simulated phishing attack, recording in a database that the individual has correctly identified the message as a possible phishing attack;
- if the message is determined not to be a known simulated phishing attack based on the comparison of the identifier, determining, at the network device, whether the identified message may be a threat based on at least whether the individual has correctly identified a previous message as a possible phishing attack;
- processing, by the network device, the message based on the determination of whether the identified message may be a threat.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10
11. A system comprising:
- a processor;
- a storage device connected to the processor;
- a network server device; and
- a set of instructions on the storage device that, when executed by the processor, cause the processor perform the steps of;
- generating, by the processor, a simulated phishing message, the message comprising a predetermined identifier in the message or in metadata of the message;
- electronically storing, on the storage device, the predetermined identifier in a computerized data store;
- receiving, by the processor from a computing device associated with an individual, a notification triggered by a user action by the individual that a message delivered in an account associated with the individual has been identified by the individual as a possible phishing attack;
- determining, by the processor, whether the identified message is a known simulated phishing attack by comparing the predetermined identifier to an identifier from the body of the message or to the metadata of the message;
- if the message is identified by the individual as a simulated phishing attack, recording in a database that the individual has correctly identified the message as a possible phishing attack;
- if the message is determined not to be a known simulated phishing attack based on the comparison of the identifier, determining, at the processor, whether the identified message may be a threat based on at least whether the individual has correctly identified a previous message as a possible phishing attack; and
- processing, by the processor, the message based on the determination of whether the identified message may be a threat.

Dependent claims: 12, 13, 14
15. A non-transitory computer-readable recording medium storing a simulated phishing message administration computer program, the simulated phishing message administration computer program causing a processor to perform steps comprising:
- generating, by a network device, a simulated phishing message, the message comprising a predetermined identifier in the message or in metadata of the message;
- electronically storing, by the network device, the predetermined identifier in a computerized data store;
- receiving, by the network device from a computing device associated with an individual, a notification triggered by a user action by the individual that a message delivered in an account associated with the individual has been identified by the individual as a possible phishing attack;
- determining, by the network device, whether the identified message is a known simulated phishing attack by comparing the predetermined identifier to an identifier from the body of the message or to the metadata of the message;
- if the message is identified by the individual as a simulated phishing attack, recording in a database that the individual has correctly identified the message as a possible phishing attack;
- if the message is determined not to be a known simulated phishing attack based on the comparison of the identifier, determining, at the network device, whether the identified message may be a threat based on at least whether the individual has correctly identified a previous message as a possible phishing attack; and
- processing, by the network device, the message based on the determination of whether the identified message may be a threat.

Dependent claims: 16, 17, 18, 19, 20
Specification