Collaborative phishing attack detection

US 9,674,221 B1
Filed: 01/28/2017
Issued: 06/06/2017
Est. Priority Date: 02/08/2013
Status: Active Grant

- Alert
- Pin

First Claim

Patent Images

1. A method for identifying and processing email messages received at a remote computing device in connection with a simulated phishing email campaign, comprising:

generating, by a network device, a simulated phishing email, wherein the simulated phishing email is a non-malicious email that resembles a real phishing attack by attempting to lure an individual into performing a target action on the remote computing device, wherein the simulated phishing email comprises at least one embedded hyperlink, and wherein if the individual performs the target action, performance of the target action does not compromise the remote computing device or personal information of the individual;

causing the simulated phishing email to be transmitted over a communications network to the remote computing device, the simulated phishing email comprising an identifying header, wherein the identifying header designates the simulated phishing email as a non-malicious simulated phishing email sent by the network device;

providing a plug-in for an email client at the remote computing device, the plug-in configurable for executing computer instructions for receiving a graphical user interface action performed by the individual indicating that an email, the email being either the simulated phishing email or another email, delivered in an email account associated with the individual has been identified by the individual as a possible phishing attack;

determining whether the identified email is a known simulated phishing attack by comparing one or more headers of the identified email to information identifying at least one known simulated phishing attack;

when the identified email is determined to be a known simulated phishing attack based on the comparison of the one or more headers of the identified email to information identifying at least one known simulated phishing attack, providing a graphically displayed feedback to the individual confirming that the identified email was a simulated phishing attack; and

when the identified email is determined not to be a known simulated phishing attack based on the comparison of the one or more headers of the identified email to the information identifying at least one known simulated phishing attack, sending the identified email for analysis or detection of whether or not the identified email is a phishing attack;

providing a graphical user interface element that, when selected, causes a notification to be sent to the network device, the notification triggered by the user interface action by the individual that the email delivered in the email account associated with the individual has been identified by the individual as a possible phishing attack;

receiving the notification over the communications network by the network device from the remote computing device;

if the identified email is determined to be a known simulated phishing attack based on the comparison of the one or more headers of the identified email to information identifying at least one known simulated phishing attack, electronically recording data indicating that the email has been identified as a simulated phishing attack;

if the identified email is determined not to be a known simulated phishing attack based on the comparison of the one or more headers of the identified email to information identifying at least one known simulated phishing attack, electronically recording data indicating that the email has been identified as a potential phishing attack;

causing the provisioning of an electronic training to the individual if the individual clicks on the embedded hyperlink in the simulated phishing email; and

if the email has been identified as a potential phishing attack, computing a likelihood that the identified email is a real phishing attack or is not a real phishing attack based on one or more attributes associated with the identified email.

View all claims

9 Assignments

Timeline View

Assignment View

Litigations

1 Petition

Accused Products

Abstract

Described herein are methods, network devices and machine-readable storage media for detecting whether a message is a phishing attack based on the collective responses from one or more individuals who have received that message. The individuals may flag the message as a possible phishing attack, and/or may provide a numerical ranking indicating the likelihood that the message is a possible phishing attack. As responses from different individuals may have a different degree of reliability, each response from an individual may be weighted with a corresponding trustworthiness level of that individual, in an overall determination as to whether a message is a phishing attack. A trustworthiness level of an individual may indicate a degree to which the response of that individual can be trusted and/or relied upon, and may be determined by how well that individual recognized simulated phishing attacks.

338 Citations

20 Claims

1. A method for identifying and processing email messages received at a remote computing device in connection with a simulated phishing email campaign, comprising:
- generating, by a network device, a simulated phishing email, wherein the simulated phishing email is a non-malicious email that resembles a real phishing attack by attempting to lure an individual into performing a target action on the remote computing device, wherein the simulated phishing email comprises at least one embedded hyperlink, and wherein if the individual performs the target action, performance of the target action does not compromise the remote computing device or personal information of the individual;
  
  causing the simulated phishing email to be transmitted over a communications network to the remote computing device, the simulated phishing email comprising an identifying header, wherein the identifying header designates the simulated phishing email as a non-malicious simulated phishing email sent by the network device;
  
  providing a plug-in for an email client at the remote computing device, the plug-in configurable for executing computer instructions for receiving a graphical user interface action performed by the individual indicating that an email, the email being either the simulated phishing email or another email, delivered in an email account associated with the individual has been identified by the individual as a possible phishing attack;
  
  determining whether the identified email is a known simulated phishing attack by comparing one or more headers of the identified email to information identifying at least one known simulated phishing attack;
  
  when the identified email is determined to be a known simulated phishing attack based on the comparison of the one or more headers of the identified email to information identifying at least one known simulated phishing attack, providing a graphically displayed feedback to the individual confirming that the identified email was a simulated phishing attack; and
  
  when the identified email is determined not to be a known simulated phishing attack based on the comparison of the one or more headers of the identified email to the information identifying at least one known simulated phishing attack, sending the identified email for analysis or detection of whether or not the identified email is a phishing attack;
  
  providing a graphical user interface element that, when selected, causes a notification to be sent to the network device, the notification triggered by the user interface action by the individual that the email delivered in the email account associated with the individual has been identified by the individual as a possible phishing attack;
  
  receiving the notification over the communications network by the network device from the remote computing device;
  
  if the identified email is determined to be a known simulated phishing attack based on the comparison of the one or more headers of the identified email to information identifying at least one known simulated phishing attack, electronically recording data indicating that the email has been identified as a simulated phishing attack;
  
  if the identified email is determined not to be a known simulated phishing attack based on the comparison of the one or more headers of the identified email to information identifying at least one known simulated phishing attack, electronically recording data indicating that the email has been identified as a potential phishing attack;
  
  causing the provisioning of an electronic training to the individual if the individual clicks on the embedded hyperlink in the simulated phishing email; and
  
  if the email has been identified as a potential phishing attack, computing a likelihood that the identified email is a real phishing attack or is not a real phishing attack based on one or more attributes associated with the identified email.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein sending the identified email for analysis or detection further comprises sending the identified email to a computer security technician for analysis to determine if the identified email is a real phishing attack or not.
  - 3. The method of claim 1, wherein sending the identified email for analysis or detection further comprises sending the identified email to computer configured to detect phishing attacks to determine if the identified email is a real phishing attack or not.
  - 4. The method of claim 1, wherein if the identified email is determined not to be a known simulated phishing attack, and analysis or detection of the identified email results in a determination that the identified email is a real phishing attack, providing feedback to the individual that identified the identified email as a possible phishing attack confirming that the identified email was a real phishing attack.
  - 5. The method of claim 1, wherein a single graphical user interface action performed by the individual is sufficient to trigger the notification to be sent from the computing device of the individual.
  - 6. The method of claim 1, wherein the plugin is further configurable to provide a graphical user interface element comprising a button that, when selected, automatically sends the notification to the network device by one click or touch of the button.
  - 7. The method of claim 1, further comprising searching through a log of simulated phishing attacks to determine whether the identified email is a simulated phishing attack.
  - 8. The method of claim 1, wherein sending the identified email for analysis or detection further comprises sending the identified email in its entirety.
  - 9. The method of claim 1, further comprising computing a likelihood that the identified email is a real phishing attack based on a history of the individual in identifying previous simulated phishing attacks as suspicious.
  - 10. The method of claim 1, further comprising computing a likelihood that the identified email is a real phishing attack based a quantitative trustworthiness level assigned to the individual.

11. A system for identifying and processing email messages received at a remote computing device in connection with a simulated phishing email campaign, comprising:
- a network device configured for;
  
  generating a simulated phishing email wherein the simulated phishing email is a non-malicious email that resembles a real phishing attack by attempting to lure an individual into performing a target action on the remote computing device, wherein the simulated phishing email comprises at least one embedded hyperlink, and wherein if the individual performs the target action, performance of the target action does not compromise the remote computing device or personal information of the individual;
  
  causing the simulated phishing email to be transmitted over a communications network to the remote computing device, the simulated phishing email comprising an identifying header, wherein the identifying header designates the simulated phishing email as a non-malicious simulated phishing email sent by the network device;
  
  if the identified email is determined to be a known simulated phishing attack based on a comparison of the one or more headers of the identified email to information identifying at least one known simulated phishing attack, electronically recording data indicating that the email has been identified as a simulated phishing attack;
  
  if the identified email is determined not to be a known simulated phishing attack based on the comparison of the one or more headers of the identified email to information identifying at least one known simulated phishing attack, electronically recording data indicating that the email has been identified as a potential phishing attack; and
  
  causing the provisioning of an electronic training to the individual if the individual clicks on the embedded hyperlink in the simulated phishing email; and
  
  if the email has been identified as a potential phishing attack, computing a likelihood that the identified email is a real phishing attack or is not a real phishing attack based on one or more attributes associated with the identified email;
  
  the remote computing device configured for;
  
  executing a plug-in for an email client at the remote computing device for receiving a graphical user interface action performed by the individual indicating that an email, the email being either the simulated phishing email or another email, delivered in an email account associated with the individual has been identified by the individual as a possible phishing attack;
  
  determining whether the identified email is a known simulated phishing attack by comparing one or more headers of the identified email to information identifying at least one known simulated phishing attack;
  
  when the identified email is determined to be a known simulated phishing attack based on the comparison of the headers of the identified email to information identifying at least one known simulated phishing attack, providing a graphically displayed feedback to the individual confirming that the identified email was a simulated phishing attack;
  
  when the identified email is determined not to be a known simulated phishing attack based on the comparison of the one or more headers to the information identifying at least one known simulated phishing attack, sending the identified email for analysis or detection of whether or not the identified email is a phishing attack; and
  
  wherein the remote computing device is further configurable to provide a graphical user interface element that, when selected, causes a notification to be sent to the network device, the notification triggered by the user interface action by the individual that the email delivered in the email account associated with the individual has been identified by the individual as a possible phishing attack.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The system of claim 11, wherein sending the identified email for analysis or detection further comprises sending the identified email to a computer security technician for analysis to determine if the identified email is a real phishing attack or not.
  - 13. The system of claim 11, wherein sending the identified email for analysis or detection further comprises sending the identified email to computer configured to detect phishing attacks to determine if the identified email is a real phishing attack or not.
  - 14. The system of claim 11, wherein if the identified email is determined not to be a known simulated phishing attack, and analysis or detection of the identified email results in a determination that the identified email is a real phishing attack, providing feedback to the individual that identified the identified email as a possible phishing attack confirming that the identified email was a real phishing attack.
  - 15. The system of claim 11, wherein a single graphical user interface action performed by the individual is sufficient to trigger the notification to be sent from the computing device of the individual.
  - 16. The system of claim 11, wherein a plugin provided for email client at the remote computing device is further configurable to provide a graphical user interface element comprising a button that, when selected, automatically sends the notification to the network device by one click or touch of the button.
  - 17. The system of claim 11, further comprising searching through a log of simulated phishing attacks to determine whether the identified email is a simulated phishing attack.
  - 18. The system of claim 11, wherein sending the identified email for analysis or detection further comprises sending the identified email in its entirety.
  - 19. The system of claim 11, further comprising computing a likelihood that the identified email is a real phishing attack based on a history of the individual in identifying previous simulated phishing attacks as suspicious.
  - 20. The system of claim 11, further comprising computing a likelihood that the identified email is a real phishing attack based a quantitative trustworthiness level assigned to the individual.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
Cofense, Inc.
Original Assignee
PhishMe Incorporated
Inventors
Higbee, Aaron, Belani, Rohyt, Greaux, Scott
Primary Examiner(s)
Armouche, Hadi
Assistant Examiner(s)
Zarrineh, Shahriar

Application Number

US15/418,709
Time in Patent Office

129 Days
Field of Search

726 23
US Class Current
CPC Class Codes

G06F 3/04842   Selection of displayed obje...

H04L 51/42   Mailbox-related aspects, e....

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/1466   Active attacks involving in...

H04L 63/1483   service impersonation, e.g....

H04L 67/306   User profiles

Collaborative phishing attack detection

First Claim

9 Assignments

Litigations

1 Petition

Accused Products

Abstract

338 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Collaborative phishing attack detection

First Claim

9 Assignments

Subscription Required

Subscription Required

Litigations

1 Petition

Subscription Required

Accused Products

Subscription Required

Abstract

338 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others