Collaborative phishing attack detection
First Claim
1. A method, comprising:
- generating a simulated phishing message, the message comprising a predetermined identifier in the message or in metadata of the message;
electronically storing the predetermined identifier in a computerized data store;
receiving a notification triggered by a user action by an individual that a message delivered in an account associated with the individual has been identified by the individual as a possible phishing attack;
determining whether the identified message is a known simulated phishing attack by comparing the predetermined identifier to an identifier from the message or to the metadata of the message;
if the message is determined to be a known simulated phishing attack based on the comparison of the identifier, providing feedback to the individual confirming that the message was a simulated phishing attack; and
if the message is determined not to be a known simulated phishing attack based on the comparison of the identifier, forwarding the message for threat analysis;
wherein determining whether the message is a known simulated phishing attack comprises comparing a characteristic or identifier of the message with a characteristic or identifier of a transmitted simulated phishing attack.
9 Assignments
0 Petitions
Accused Products
Abstract
Described herein are methods, network devices and machine-readable storage media for detecting whether a message is a phishing attack based on the collective responses from one or more individuals who have received that message. The individuals may flag the message as a possible phishing attack, and/or may provide a numerical ranking indicating the likelihood that the message is a possible phishing attack. As responses from different individuals may have a different degree of reliability, each response from an individual may be weighted with a corresponding trustworthiness level of that individual, in an overall determination as to whether a message is a phishing attack. A trustworthiness level of an individual may indicate a degree to which the response of that individual can be trusted and/or relied upon, and may be determined by how well that individual recognized simulated phishing attacks.
306 Citations
30 Claims
-
1. A method, comprising:
-
generating a simulated phishing message, the message comprising a predetermined identifier in the message or in metadata of the message; electronically storing the predetermined identifier in a computerized data store; receiving a notification triggered by a user action by an individual that a message delivered in an account associated with the individual has been identified by the individual as a possible phishing attack; determining whether the identified message is a known simulated phishing attack by comparing the predetermined identifier to an identifier from the message or to the metadata of the message; if the message is determined to be a known simulated phishing attack based on the comparison of the identifier, providing feedback to the individual confirming that the message was a simulated phishing attack; and if the message is determined not to be a known simulated phishing attack based on the comparison of the identifier, forwarding the message for threat analysis; wherein determining whether the message is a known simulated phishing attack comprises comparing a characteristic or identifier of the message with a characteristic or identifier of a transmitted simulated phishing attack. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
-
-
11. A method, comprising:
-
generating a simulated phishing message, the message comprising a predetermined identifier in the message or in metadata of the message; electronically storing the predetermined identifier in a computerized data store; receiving a notification triggered by a user action by an individual that a message delivered in an account associated with the individual has been identified by the individual as a possible phishing attack; determining whether the identified message is a known simulated phishing attack by comparing the predetermined identifier to an identifier from the message or to the metadata of the message; if the message is determined to be a known simulated phishing attack based on the comparison of the identifier, providing feedback to the individual confirming that the message was a simulated phishing attack; and if the message is determined not to be a known simulated phishing attack based on the comparison of the identifier, forwarding the message for threat analysis; wherein determining whether the message is a known simulated phishing attack comprises comparing the message or a portion of the message with simulated phishing attacks. - View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
-
-
21. A method, comprising:
-
generating a simulated phishing message, the message comprising a predetermined identifier in the message or in metadata of the message; electronically storing the predetermined identifier in a computerized data store; receiving a notification triggered by a user action by an individual that a message delivered in an account associated with the individual has been identified by the individual as a possible phishing attack; determining whether the identified message is a known simulated phishing attack by comparing the predetermined identifier to an identifier from the message or to the metadata of the message; if the message is determined to be a known simulated phishing attack based on the comparison of the identifier, providing feedback to the individual confirming that the message was a simulated phishing attack; and if the message is determined not to be a known simulated phishing attack based on the comparison of the identifier, forwarding the message for threat analysis; wherein determining whether the message is a known simulated phishing attack comprises analyzing one or more characteristics or identifiers of the message at a client-side plug-in. - View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30)
-
Specification