EP3284002A1 - System for analyzing susceptibility to social engineering and benchmarking based on a characterization attribute and a theme - Google Patents

System for analyzing susceptibility to social engineering and benchmarking based on a characterization attribute and a theme

Info

Publication number
EP3284002A1
Authority
EP
European Patent Office
Prior art keywords
phishing
message
templates
user
organization
Prior art date
Legal status
Withdrawn
Application number
EP16780723.9A
Other languages
German (de)
English (en)
Inventor
Mark T. Chapman
Current Assignee
PhishLine LLC
Original Assignee
PhishLine LLC
Priority date
Filing date
Publication date
Application filed by PhishLine LLC
Priority claimed from PCT/US2016/027481 (WO2016168427A1)
Publication of EP3284002A1
Legal status: Withdrawn

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F3/00 Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
    • G06F3/01 Input arrangements or combined input and output arrangements for interaction between user and computer
    • G06F3/048 Interaction techniques based on graphical user interfaces [GUI]
    • G06F3/0484 Interaction techniques based on graphical user interfaces [GUI] for the control of specific functions or operations, e.g. selecting or manipulating an object, an image or a displayed text element, setting a parameter value or selecting a range
    • G06F3/04842 Selection of displayed objects or displayed text elements
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F40/00 Handling natural language data
    • G06F40/10 Text processing
    • G06F40/166 Editing, e.g. inserting or deleting
    • G06F40/186 Templates
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L51/00 User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail
    • H04L51/04 Real-time or near real-time messaging, e.g. instant messaging [IM]
    • H04L51/046 Interoperability with other network applications or services
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L51/00 User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail
    • H04L51/52 User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail for supporting social networking services
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1483 Countermeasures against malicious traffic service impersonation, e.g. phishing, pharming or web spoofing
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/50 Network services
    • H04L67/535 Tracking the activity of the user
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q50/00 Information and communication technology [ICT] specially adapted for implementation of business processes of specific business sectors, e.g. utilities or tourism
    • G06Q50/01 Social networking

Definitions

  • the present invention relates generally to susceptibility to social engineering such as phishing and more specifically to systems and software services for testing and/or reducing the susceptibility of an organization to social engineering.
  • Social engineering includes manipulation, such as psychological manipulation, of people into performing actions or divulging confidential information, for example, information that people would not normally disclose. Such information can be used for various nefarious purposes, e.g., electronic theft, fraud, etc.
  • One form of social engineering is phishing. Phishing is a technique of fraudulently obtaining confidential information.
  • a phisher may send a message, e.g., e-mail, text, SMS, telephone call, voicemail, pre-recorded message, etc., to a recipient.
  • the message may request the recipient to take some action, e.g., click a link, open and/or download a file, provide confidential information, etc.
  • the link may take the recipient to a website that requests the recipient to provide confidential information on false pretenses.
  • Other links may take the recipient to a website that is designed to download malicious code onto the recipient's electronic device, e.g., code that captures the recipient's personal information from the electronic device, etc.
  • Phishing messages may be designed to be difficult to identify as such, e.g., the messages may be written, include information, etc., to appear to originate from a legitimate source.
  • the efficacy of the testing of susceptibility to phishing may be improved by sending different phishing e-mails, e.g., not sending the same phishing e-mail to members of the organization each time the susceptibility to social engineering is to be tested.
  • One embodiment of the invention relates to a system for creating phishing templates to test the susceptibility of an organization to social engineering.
  • the system includes an interface configured to receive at least one of a first input indicative of a characterization attribute and a second input indicative of a theme topic from a user.
  • the system includes a database including a plurality of tags having different characterization attributes and theme topics.
  • the system includes a processor configured to create a phishing template based on a phishing pattern including a plurality of indicators indicative of types of tags to be located in the phishing template.
  • the processor is configured to select tags from the plurality of tags in the database based on the at least one first input indicative of the characterization attribute and the second input indicative of the theme topic received from the user.
  • Another embodiment of the invention relates to a method of generating phishing templates.
  • the method includes creating a pattern including a first indicator referencing a first type of tag and a second indicator referencing a second type of tag.
  • the method includes receiving an input from a user indicative of a characterization attribute.
  • the method includes providing a database of tags of a first type and tags of a second type. Each tag has a
  • the method includes generating and storing all combinations of pairs of tags of the first type and tags of the second type.
  • the method includes receiving a request from a user for a phishing template.
  • the request includes a specified characterization attribute.
  • the method includes selecting a pair of tags.
  • the characterization attribute of both the selected first and second tags matches the specified characterization attribute.
  • Another embodiment of the invention relates to a method of creating phishing templates.
  • the method includes selecting a pattern from a plurality of patterns.
  • the selected pattern includes a plurality of indicators indicating different types of tags.
  • the method includes providing a database including a plurality of different types of tags. Each tag has a
  • the method includes receiving a selected characterization attribute from a user.
  • the method includes selecting a first tag of a first type indicated by a first one of the plurality of indicators.
  • the first tag has a first characterization attribute compatible with the selected characterization attribute.
  • the method includes selecting a second tag of a second type indicated by a second one of the plurality of indicators.
  • the second tag has a second characterization attribute.
  • the method includes verifying that the second characterization attribute is compatible with the first characterization attribute.
  • the method includes creating a first phishing template including the first tag and the second tag.
  • Another embodiment of the invention relates to a method of creating phishing templates.
  • the method includes selecting a pattern from a plurality of patterns.
  • the selected pattern includes a plurality of indicators indicating different types of tags.
  • the method includes providing a database including a plurality of different types of tags. Each tag has a
  • the method includes receiving a selected characterization attribute and a selected theme from a user.
  • the method includes selecting a first tag of a first type indicated by a first one of the plurality of indicators.
  • the first tag has a first
  • the method includes selecting a second tag of a second type indicated by a second one of the plurality of indicators.
  • the second tag has a second characterization attribute and a second theme.
  • the second characterization attribute is compatible with the first characterization attribute.
  • the second theme is compatible with the first theme.
  • the method includes creating a first phishing template including the first tag and the second tag.
  • the system includes an interface.
  • the interface is configured to receive input from the organization selecting characterization attributes for message templates for a social engineering testing campaign.
  • the system includes a processor.
  • the processor is configured to receive the input through the interface.
  • the system includes a message template inventory containing a plurality of message templates. Each of the templates has characterization attributes.
  • the processor is configured to select message templates from the plurality of message templates consistent with the characterization attributes selected by the organization.
  • the system is configured to display the number of the selected message templates through the interface to the user.
  • Another embodiment of the invention relates to a method of testing susceptibility of an organization to social engineering.
  • the method includes compiling projected engagement rate statistics for message templates based on characterization attributes.
  • the method includes displaying projected engagement rate statistics for messages based on characterization attributes.
  • the method includes receiving desired characterization attributes from a social engineering testing campaign from the organization.
  • the method includes selecting message templates from a message template inventory based on received desired characterization attributes.
  • the method includes producing phishing messages based on the selected message templates.
  • the method includes sending the phishing messages to members of the organization.
  • the method includes monitoring actual engagement rate for the phishing messages sent to the members of the organization.
  • the method includes displaying the actual engagement rate to the organization.
  • FIG. 1 is a phishing e-mail template according to an exemplary embodiment.
  • FIG. 2 is a phishing e-mail pattern according to an exemplary embodiment.
  • FIG. 3 is a first phishing e-mail template created based on the phishing e-mail pattern of FIG. 2 according to an exemplary embodiment.
  • FIG. 4 is a second phishing e-mail template created based on the phishing e-mail pattern of FIG. 2 according to an exemplary embodiment.
  • FIG. 5 is a system for generating a plurality of e-mails having different characteristics shown schematically according to an exemplary embodiment.
  • FIG. 6 is the campaign profile indicator look up table of FIG. 5 according to an exemplary embodiment.
  • FIG. 7 is a graph of a library of phishing templates according to an exemplary embodiment.
  • FIG. 8 is a block diagram illustrating a system for analyzing susceptibility to social engineering and benchmarking or collecting statistics regarding message template effectiveness according to an exemplary embodiment.
  • FIG. 9 illustrates a graphical user interface configured to receive input from an organization indicating preferences for message templates to be used for a social engineering testing campaign according to an exemplary embodiment.
  • FIG. 10 illustrates a graphical user interface showing projected engagement rates and inventory for characterization attributes and theme topics according to an exemplary
  • FIG. 11 illustrates a graphical user interface showing projected engagement rates based on characterization attributes according to an exemplary embodiment.
  • phish communications may be sent to members of the organization over various communication mediums.
  • the phish communications solicit the recipients to respond.
  • Responses solicited may be over various communication mediums, e.g., the same medium as the phish communications, a different medium than the phish, etc.
  • a phish communication may be sent to a recipient member of the organization via e-mail, e.g., SMTP, etc.
  • a phish communication may be sent via text message, e.g., SMS, etc.
  • a phish communication may be sent via an audible message, e.g., telephone call, voicemail, etc.
  • a phish communication may be sent via social media message, e.g., Twitter message, Facebook message, etc.
  • a phish communication may be a printed document.
  • the phish communication may solicit a response via an e-mail.
  • the phish communication may solicit a response via a text message.
  • a phish communication may solicit a response via a telephone call.
  • a phish communication may solicit a response via a social media message.
  • a phish communication may solicit the recipient to visit a webpage, for example, to provide information such as confidential information, to the webpage.
  • testing may also include sending more than one round of phish communications to the members of the organization. Therefore, it may be beneficial to generate multiple different, differently themed, differently characterized, etc., phishing communications.
  • a communication template is created.
  • a template may be used, for example, by a processor such as an e-mail generator to create personalized phish communications to be sent to various members of an organization.
  • the template includes personal information indicators. The indicators indicate the type of personal information to be included in the communication created based on the template and where to locate the personal information in the template.
  • the personal information may be obtained, for example, from a database of information regarding the members of the organization.
  • An embodiment of a template, shown as an e-mail template 100, is illustrated in FIG. 1.
  • the e-mail template 100 includes various different types of portions of information content, e.g., salutation 102, pretext portion 105, call to action portion 106, closing portion 107, etc., as will be further described below.
  • the e-mail template 100 includes a salutation 102.
  • the salutation 102 includes a name indicator 104.
  • the name indicator 104 indicates to the e-mail generator that when an e-mail communication is created based on the e-mail template 100 what portion of the name of the intended recipient should be added to the e-mail in the salutation.
  • the e-mail template 100 also includes a pretext portion 105 to be added to the e-mail generated from the e-mail template at the indicated location, e.g., in one embodiment including a reason that the recipient is receiving the e-mail.
  • the e-mail template 100 also includes a call to action portion 106.
  • the call to action portion 106 indicates a call to action to be added to the e-mail created by the e-mail generator from the template soliciting the recipient to take an action, in the illustrated embodiment soliciting the recipient to confirm a new password.
  • the e-mail template 100 also includes a closing portion 107, such as a closing that may be used to conclude an e-mail.
  • the call to action portion 106 includes a department name indicator 108.
  • the department name indicator 108 indicates to the e-mail generator that when an e-mail is created based on the e-mail template 100 that the name of the recipient's department within the organization will be included in the e-mail at the location indicated by the department name indicator 108.
  • the e-mail template 100 also includes a signature portion 109.
  • the signature portion 109 indicates to the e-mail generator what information should be included in the signature, for example, in the illustrated embodiment, the signature portion 109 indicates that the signature in the generated e-mail should be the name of the recipient's department, which may be obtained by the e-mail generator for example, from an address book, company database, etc.
  • the e-mail template 100 also includes a link 110.
  • the link 110 links to a webpage that will solicit the recipient of the e-mail to enter the recipient's new password.
  • the e-mail generator is configured to customize the link in each generated e-mail such that when the link is clicked by a recipient, the recipient that clicked the link can be identified.
  • the e-mail template 100 includes a logo indicator 112.
  • the logo indicator 112 is configured to indicate to the e-mail generator to include the logo 112 of an organization, such as the organization of the intended recipient, other recognizable and/or reputable organization, etc., in an e-mail generated from the template 100, which may tend to convince the recipient of the credibility of the e-mail.
  • an organization such as the organization of the intended recipient, other recognizable and/or reputable organization, etc.
  • meta-templates such as phishing patterns may be used by a processor to create multiple different templates, e.g., with different themes, characteristics, etc.
  • a meta-template shown as an e-mail phishing pattern 200 is illustrated.
  • the e-mail phishing pattern 200 is configured to be used, for example, by a processor, to create multiple different e-mail templates, e.g., with different themes,
  • the e-mail phishing pattern 200 combines a what you see is what you get or text-only design with indicators.
  • the e-mail phishing pattern 200 includes a content greeting indicator 202.
  • the content greeting indicator 202 is configured to trigger the processor to include a greeting tag in the e-mail template created based on the e-mail phishing pattern 200 at the indicated location, as will be further described below.
  • the e-mail phishing pattern 200 includes a content pretext indicator 205.
  • the content pretext indicator 205 is configured to trigger the processor to include a pretext tag in an e-mail template being created by the processor in the indicated location.
  • the e-mail phishing pattern 200 also includes a content call to action indicator 206.
  • the content call to action indicator 206 is configured to trigger the processor to include a call to action tag in an e-mail template being created by the processor in the indicated location.
  • the e-mail phishing pattern 200 also includes a content closing indicator 207.
  • the content closing indicator 207 is configured to trigger the processor to include a closing tag in an e-mail template being created by the processor in the indicated location.
  • the e-mail phishing pattern 200 also includes a content signature indicator 209.
  • the content signature indicator 209 is configured to trigger the processor to include a signature tag in an e-mail template being created by the processor in the indicated location.
  • the e-mail phishing pattern 200 also includes a profile link indicator 210.
  • the profile link indicator 210 is configured to be replicated by the processor in an e-mail template being created by the processor in the indicated location and also to indicate to the e-mail generator generating a phishing e-mail based on the template to include a link to a webpage, e.g., a link from which the system can identify what member of the organization clicked on the link, in phishing e-mails created in the indicated location.
  • the e-mail phishing pattern 200 also includes a profile logo indicator 212.
  • the profile logo indicator 212 is configured to be replicated by the processor in an e-mail template being created by the processor and also to indicate to the e-mail generator generating a phishing e-mail based on the template to include a logo in the phishing e-mail in the indicated location.
  • the e-mail phishing pattern 200 also includes a content unsubscribe tag 213.
  • the content unsubscribe tag 213 is configured to trigger the processor to include a portion, for example, a clickable portion, to allow a recipient of an e-mail created based on the e-mail template to attempt to unsubscribe from receiving the e-mail.
  • the clickable portion is not functional, e.g., does not allow the recipient to unsubscribe from receiving further test phishing e-mails.
  • the processor can create various different e-mail templates with various different characteristics, themes, etc., based on the e-mail phishing pattern 200. For example,
  • Each of the e-mail templates 300 and 400 includes a salutation tag 302 and 402 and a name identifier 304 and
  • each e-mail template 300 and 400 includes a pretext tag 305 and
  • the pretext tags 305 and 405 have different characteristics, a different level of formality, familiarity, etc.
  • Each of the e-mail templates 300 and 400 includes a call to action tag 306 and 406, with each call to action portion having different characteristics, a different level of formality, familiarity, etc.
  • Each of the e-mail templates 300 and 400 includes a closing tag 307 and 407, with each closing tag 307 and 407 having different characteristics, a different level of formality, familiarity, etc.
  • Each of the e-mail templates 300 and 400 includes a signature tag 309 and 409 with each signature tag 309 and 409 having different characteristics, a different level of formality, familiarity, etc.
  • the salutation tag 302, the name identifier 304, the pretext tag 305, the call to action tag 306, the closing tag 307, and the signature tag 309 all have similar characteristics, similar level of formality, familiarity, etc., such that the e-mail template 300 overall can be used by an e-mail generator to produce an e-mail that has a consistent feel throughout.
  • the salutation tag 402, the name identifier 404, the pretext tag 405, the call to action tag 406, the closing tag 407, and the signature tag 409 all have similar
  • the e-mail template 400 overall can be used by an e-mail generator to produce an e-mail that has a consistent feel throughout.
  • a phishing pattern 501 similar to the pattern 200 illustrated in FIG. 2, including a plurality of indicators is provided.
  • a processor 502 receives input 504 from a user.
  • the input 504 includes theme information for phish communications to be created, e.g., subject matter information for phish
  • the processor 502 provides an interface to the user through which the processor 502 is configured to receive the input information 504 from the user.
  • the interface provides a multi-level list of possible themes organized, for example, in a tree structure of drop down menu lists, e.g., a top level theme cluster, a next level theme group, and a final level theme topic.
  • the theme clusters may include commerce, company internal, financial, personal, social, technology, etc.
  • the theme group level may include, for example, announcements, automotive, back to school, banking/credit card, building security, business networking, bring your own device, chain letter, charity/causes, etc.
  • the theme topic level may include, for example, account cancellation, account compromised, account overdraft, account verification, address change, affordable care act enrollment, accept your friend request, 1099 now available, etc.
  • the input 504 also includes characterization information for phish communications to be created, e.g., information regarding the way information will be presented in the phishing communication.
  • the interface provides a multi-level list of possible
  • characterization attributes represent multiple options within a characterization category. In one embodiment, they are assigned a numeric value, such as on a scale of 1 to 3, 1 to 5, 1 to 20, 1 to 50, etc. For other characterization attributes, such as "Language", the attributes would simply be a list of languages, regions, etc.
  • the characterization interface includes top level characterization categories describing the level of sophistication and ease of recognition of attributes.
  • the characterization categories include relevance (relevance of the message to the target user/organization), design (level of sophistication for the visual design and layout of the message), branding (the extent to which third party brands and trademarks may be incorporated into the message), internal (the extent to which valid internal entities may be incorporated into the message), formality (level of formality for the message), language (the natural language for the message), personalization (level of personalization for the message), grammar correctness (the level of correct use of grammar and punctuation), spelling or typos (level of spelling errors or other typos), etc.
  • the characterization interface also includes a second level of characterization attribute choices.
  • the interface may present the user with the option to select branding level 1 (message does not knowingly reference or emulate known third-party brands), branding level 2 (message emulates a brand without using the actual brand name), or branding level 3 (message uses actual brand name or mark).
  • branding level 1 messages do not knowingly reference or emulate known third-party brands
  • branding level 2 messages emulate a brand without using the actual brand name
  • branding level 3 messages use the actual brand name or mark.
  • other suitable levels or numbers of levels may be used.
  • the interface may present the user with the option to select design level 1 (message includes plain text with negligible use of images), design level 2 (message includes formatted text, possibly in multiple columns, and related images), or design level 3 (message includes highly formatted output that looks polished with integrated graphics and layout).
  • design level 1 messages include plain text with negligible use of images
  • design level 2 messages include formatted text, possibly in multiple columns, and related images
  • design level 3 messages include highly formatted output that looks polished with integrated graphics and layout.
  • other suitable levels or numbers of levels may be used.
  • the interface may present the user with the option to select formality level 1 (message includes informal words, colloquial language, slang, abbreviations borrowed from texting, etc.), formality level 2 (normal business language), or formality level 3 (strict use of formal language style including, for example, technical language such as language common to the medical field, legal field, insurance field, etc.).
  • formality level 1 messages include informal words, colloquial language, slang, abbreviations borrowed from texting, etc.
  • formality level 2 messages use normal business language
  • formality level 3 messages use a strict formal language style including, for example, technical language such as language common to the medical field, legal field, insurance field, etc.
  • other suitable levels or numbers of levels may be used.
  • the interface may present the user with the option to select internal level 1 (message contains no reference to real departments, divisions, or people in the target organization), internal level 2 (message contains generic names of internal entities without using organization-specific reference, e.g., human resources, IT, etc.), or internal level 3
  • When the user selects the language category, the interface presents a variety of language choices in which the message may be written (e.g., English, Spanish, Greek, Swahili, etc.). In other embodiments, other suitable languages in which the message may be written may be provided.
  • language choices in which the message may be written e.g., English, Spanish, Greek, Swahili, etc.
  • other suitable languages in which the message may be written may be provided.
  • the interface may present the user with the option to select personalization level 1 (message does not use any personal information beyond e-mail address or similar), personalization level 2 (message contains some personal information such as first or last name), personalization level 3 (message contains highly targeted personal information that goes beyond level 2 including, for example, other attributes that are specific to the intended recipient such as department, number of years at the company, etc.). In other embodiments, other suitable numbers of personalization levels in which the message may be written may be provided.
  • the interface may present the user with the option to select relevance level 1 (message content is random, irrelevant, general, etc.), relevance level 2 (message content is somewhat compelling, somewhat relevant, and somewhat believable), or relevance level 3 (message content is compelling, relevant, timely, targeted, and plausible).
  • relevance level 1: message content is random, irrelevant, general, etc.
  • relevance level 2: message content is somewhat compelling, somewhat relevant, and somewhat believable
  • relevance level 3: message content is compelling, relevant, timely, targeted, and plausible.
  • Users may provide input for desired characterization attributes and levels of characterization attributes for one or more than one available characterization attribute category.
  • the processor 502 is in communication with and/or has access to a database 506.
  • the database 506 includes salutation tags, pretext tags, call to action tags, closing tags, and signature tags which can be used to create a phishing template based on a phishing pattern.
  • the salutation tags, pretext tags, call to action tags, closing tags, and signature tags are categorized by characterization attributes and theme topics. Based on the indicators included in the pattern 501 and the characterization attributes and theme topics selected by the user, the processor 502 can select salutation tags, pretext tags, call to action tags, closing tags, and signature tags from the database 506 and create a plurality of different phishing templates 508, 508', ..., 508n.
  • the processor 502 is configured to create a webpage for the link.
  • the processor 502 is configured to create the webpage to be consistent with the characterization attributes, theme topics, branding, and/or campaign profile, selected for the phishing template including the link configured to link to the created webpage.
  • the system 500 includes a spelling wrecker module and a spelling wrecker database.
  • the spelling wrecker database includes a plurality of words and misspellings of those words.
  • the spelling wrecker module is configured to search phishing templates and to replace some of the words in the templates found in the spelling wrecker database with misspellings of those words.
  • a spelling wrecker module is provided.
  • the spelling wrecker module is configured to randomly add or delete letters to one of the templates to create spelling errors in the template.
  • the spelling wrecker module is configured to introduce spelling errors into phishing messages created based on phishing templates.
  • the system 500 includes a grammar wrecker module and a grammar wrecker database.
  • the grammar wrecker database includes groups of words, e.g., common groups of words, and these groups of words with grammar errors introduced.
  • the groups of grammar errors introduced are classified in the grammar wrecker database by the types of grammar errors that the errors are, e.g., subject-verb number
  • the grammar wrecker module is configured to search the templates, or phishing messages created from the templates, to find groups of words matching groups of words in the grammar wrecker database and to replace them with the groups of words with grammar errors introduced to introduce grammar errors into the templates, or phishing messages.
  • the system 500 is configured to receive input from a user indicating whether to introduce spelling errors and/or grammar errors, the level, e.g., how many spelling errors and/or grammar errors to introduce, the type of spelling and/or grammar errors to introduce, etc.
  • the system 500 includes a wrecker protector module.
  • the wrecker protector module includes a wrecker protector database including a plurality of words, phrases, numbers, etc., that may be perceived as vulgar, offensive, etc.
  • the wrecker protector module is configured to review the portions of the templates or phishing messages modified to include spelling or grammar errors by the spelling wrecker module and/or grammar wrecker module to determine whether any of the words, phrases, numbers, etc., in the wrecker protector database that may be perceived as vulgar, offensive, etc., are included in the template or phishing message as a result of the spelling or grammar wrecker changes.
  • the wrecker protector module is configured to undo the change of the spelling or grammar wrecker module, to direct the spelling or grammar wrecker module to make a new change to the template or message, and to verify that the new change does not result in a word, phrase, number, etc., that is included in the wrecker protector database.
  • the system 500 includes a phishing message generator 510.
  • the phishing message generator 510 has access to information regarding members of an
  • the phishing message generator 510 also has access to campaign profile information, shown as a campaign profile indicator look up table 513.
  • the campaign profile indicator look up table 513 includes a plurality of profile indicators 602 that may be included in the phishing templates 508 and values to be included in phishing messages generated by the phishing message generator 510 at the locations indicated by the profile indicators 602.
  • the same e-mail templates may be used for different organizations.
  • a first organization may provide a first campaign profile that defines the company name value in the campaign profile indicator look up table 513 to be Acme, the company CFO name to be Charles TheMan, and the company CEO name to be Mrs. Company President.
  • a second organization may define the company name value in a second campaign profiling indicator lookup table to Beta, the company CFO name to be Mary TheWoman, and the company CEO name to be Mr. Company President.
  • the phishing message generator 510 when generating messages for the first organization and encountering a profile indicator 602 in a template 508 may access the look up table 513 to include a corresponding value in the phishing message generated at the location indicated by the indicator.
  • the phishing message generator 510 when generating messages for the second organization and encountering a profile indicator in a template 508 may access the second look up table to include a corresponding value in the phishing message generated.
  • profile indicator look up tables may be generated to include information, logos, etc., of fanciful, e.g., non-existent, companies, such that phishing messages appearing to originate from various organizations outside of the organization which is being tested for susceptibility to phishing attacks may be generated.
  • the phishing message generator 510 receives information regarding the type of phishing messages, e.g., the medium over which the phishing messages will be delivered, to be generated.
  • the phishing message generator 510 selects a template 508.
  • the phishing message generator 510 based on indicators, e.g., name indicator 102, department name indicator 108 (see FIG. 1) in the template 508 creates a phishing message 514 including personal information regarding the intended recipient from the address book 512, locating the personal information at locations in the message indicated by the e-mail template 508.
  • the phishing message generator 514 also includes campaign profile values in the phishing message 514 at locations indicated by the profile indicators in the phishing template 508 based on the information in the campaign profile indicator look up table 513, e.g., includes the company name, logo, etc., in the phishing message 514. Then, based on the type of phishing message, the phishing message generator 514 forwards the phishing message 514 to a message server 516 for delivery to the intended recipient.
  • the phishing message generator 514 includes delivery or contact information for the intended recipient from the address book 512 such that the phishing message 514 can be delivered to the intended recipient.
  • the phishing message 514 is forwarded to an e-mail server
  • the phishing message 514 is forwarded to a text message server
  • the phishing message 514 is an audible message
  • the phishing message 514 is forwarded to an audible message server (e.g., text-to-voice translator, etc.)
  • the phishing message 514 is a physical printed message
  • the phishing message 514 is forwarded to a physical printed message server (e.g., organization mail room, post office, etc.), etc.
  • the system 500 is configured to store, e.g., in a memory, database, etc., information regarding the characterization attributes and theme topics of each of the phishing messages 514 sent, for example, in a campaign.
  • the information regarding the characterization attributes and theme topics can be determined from the phishing template 508 used by the phishing message generator 510, as the phishing message generator 510 is configured to produce a phishing message 514 that has the same characterization attributes and theme topics as the phishing template 508 from which it is produced.
  • the phishing messages 514 request that the recipient take some action, e.g., click a link, respond to the message, provide confidential information, etc.
  • the system 500 is configured to determine whether each phishing message 514 was a success, e.g., the recipient took the action requested by the phishing message, or a failure, e.g., the recipient did not take the action requested by the phishing message.
  • system 500 is configured to determine what action specifically was taken by the recipient, e.g., what confidential information was provided, etc.
  • the system 500 is able to conduct analysis, e.g., benchmarking analysis, and to report and analyze results based on the characterization attributes and theme topics. For example, the system 500 may determine that recipients take the action requested by the phishing message x% of the time if the phishing message received by the recipient has a business theme topic and includes spelling errors, but recipients take the action requested by the phishing message y% of the time if the phishing message received by the recipient has a business theme topic and does not include spelling errors.
  • analysis of organizational performance in social engineering susceptibility testing relative to characterization attributes and theme topics can be compared to historical organization performance, industry performance, other performance benchmarks, etc.
  • the system 500 is configured to inventory the library or a subset of the library of phishing templates 508, 508', ..., 508n that are available.
  • FIG. 7 shows an exemplary graph illustrating numbers of available phishing templates arranged by theme cluster and showing number of theme groups in each theme cluster and number of theme topics in each theme group.
  • a system for creating phishing templates includes an interface, e.g., including a graphical user interface, configured to receive input from a user to create tags, e.g., a library of tags to be used in creating templates.
  • the interface is configured to receive tags from a user and an input from a user to indicate the type of each tag that the user inputs, e.g., the indicator in a phishing pattern that will indicate the input tag.
  • the user can enter "Dear Personal Title Lastname Suffix" and indicate that this tag is a "Greeting" tag, e.g., a tag to be used when an indicator in a phishing pattern indicates that a Greeting tag is to be included in the phishing template created based on the phishing pattern.
  • the interface is also configured to receive input from the user regarding whether the input tag is specific to a particular theme (and if so, to which theme the input tag is specific) or whether the tag is generic to all the themes, e.g., can be used in a phishing template regardless of the theme topic selected by the user.
  • the interface is configured to receive characterization attribute information for each entered tag.
  • Characterization attribute levels may be rated in various different ways. In one embodiment, levels may be rated numerically. For example, for the Greeting tag described as input above, "Dear Personal Title Lastname Suffix", a user may specify that this tag has a formality level of 1. Thus, this tag may be included in a phishing template for which a formality characterization attribute of 1 has been specified. Additionally, in one embodiment, the tag may be indicated by a user to satisfy multiple levels for various characterization attributes. For example, the user may indicate that "Dear Personal Title Lastname Suffix" is compatible with a personalization level of both 1 and 2.
  • this tag may be included in a phishing template for which either a personalization characterization attribute of 1 or a personalization characterization attribute of 2 has been specified. Additionally, in one embodiment, the tag may be indicated by a user to be characterization attribute neutral. For example, the user may indicate that "Dear Personal Title Lastname Suffix" is compatible with all branding levels. Thus, this tag may be included in a phishing template for which any branding characterization attribute has been specified.
  • when a user requests that a phishing campaign be generated, selects at least one phishing pattern, and selects characterization attributes and theme topics for the campaign (in one embodiment, the user may select at least one phishing pattern and not select any characterization attributes and theme topics), the processor 502 (see FIG. 5) will select a first tag from a library of tags, the first tag being of the type, e.g., salutation, call to action, etc., indicated by the first indicator in the phishing pattern.
  • the user may not have entered a desired level. For example, a user may not have indicated a formality level desired.
  • a tag compatible with the other characterization attributes and theme topics selected by the user, but with any formality level may be selected from the library of tags.
  • the processor 502 is configured to determine the formality level of the first tag and for other tags to be included in the first template, the processor 502 only selects tags that are compatible with the formality level of the first tag. Thus, the processor 502 assures that characterization attributes are consistent throughout the first template. Then, when a second template is created, the processor 502 again selects a new first tag for the second template and can select a tag with any formality level.
  • the processor 502 assures that only tags with a formality level compatible with the formality level of the new first tag are included in the second template to assure that characterization attributes are consistent throughout the second template, e.g., even for characterization attributes not specified by the user.
  • a characterization attribute is consistent if the level of the characterization attribute for a tag is at least as high as the specified characterization attribute level (e.g., a formality level of 1 is consistent with a specified formality level of 5, 4, 3, 2, or 1).
  • in another embodiment, a characterization attribute is consistent if the level of the characterization attribute is equal to the specified characterization attribute level (e.g., a formality level of 2 is consistent with a specified formality level of 2 but is not consistent with a specified formality level of 3).
  • a characterization attribute is consistent if the level of the characterization attribute is within a range of the specified characterization attribute level (e.g., specified formality level 3 and a range parameter of 1 is consistent with formality levels 2 and 4, but not formality levels 1 and 5).
  • consistency of characterization attributes may be determined by defined relationships between the attributes. For example, a language attribute of "English" may be defined as consistent only with "English - U.S.", or with "English - U.S.", "English - U.K", and "English - Canadian". In both examples, the "English" characterization attribute would be defined as incompatible with "French" (all types), "Spanish" (all types), etc.
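  The consistency rules above (at-least, equal, within-range, and relationship-defined for languages) and the first-tag pinning described for the processor 502 are easy to get subtly wrong, so here is an added example that implements them; this is illustration code written for this page, not PhishLine's implementation. The tag names, attribute levels and the sample library are constructed, and the numeric rules follow the "at least as high" wording of the page.

```python
"""Characterization-attribute consistency when assembling a template from tags.

Added illustration, not PhishLine's code. Tag names and attribute levels below
are constructed; the three numeric rules and the language relationship mirror
the embodiments described on the page.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Rule(Enum):
    AT_LEAST = "at_least"          # tag level must be at least the specified level
    EQUAL = "equal"                # tag level must equal the specified level
    WITHIN_RANGE = "within_range"  # |tag level - specified level| <= range parameter


def level_consistent(tag_level: int, specified: int, rule: Rule, range_param: int = 1) -> bool:
    """Apply one of the three consistency rules to a single numeric level."""
    if rule is Rule.AT_LEAST:
        return tag_level >= specified
    if rule is Rule.EQUAL:
        return tag_level == specified
    return abs(tag_level - specified) <= range_param


# Relationship-defined consistency for a non-numeric attribute (the page's language example).
LANGUAGE_RELATIONS: Dict[str, frozenset] = {
    "English": frozenset({"English", "English - U.S.", "English - U.K", "English - Canadian"}),
}


def language_consistent(tag_language: str, specified: str) -> bool:
    """A specified language accepts only the variants defined as related to it."""
    return tag_language in LANGUAGE_RELATIONS.get(specified, frozenset({specified}))


@dataclass(frozen=True)
class Tag:
    name: str                                   # opaque identifier standing in for the tag text
    kind: str                                   # indicator type: "greeting", "closing", ...
    levels: Dict[str, Tuple[int, ...]] = field(default_factory=dict)
    # attribute -> acceptable levels; an attribute absent from `levels` is neutral


def tag_matches(tag: Tag, specified: Dict[str, int], rule: Rule, range_param: int = 1) -> bool:
    """True when every specified attribute is satisfied by one of the tag's levels."""
    for attr, want in specified.items():
        have = tag.levels.get(attr)
        if have is None:        # attribute-neutral tag: compatible with any level
            continue
        if not any(level_consistent(lvl, want, rule, range_param) for lvl in have):
            return False
    return True


def build_template(pattern: List[str], library: List[Tag], specified: Dict[str, int],
                   rule: Rule = Rule.EQUAL, range_param: int = 1) -> Optional[List[Tag]]:
    """Select one tag per pattern indicator while keeping attributes consistent.

    Attributes the user did not specify are pinned to the first selected tag's level
    (when that tag has a single level for the attribute), so later tags must agree
    with it. Returns None when no tag of a required kind is compatible.
    """
    effective = dict(specified)
    chosen: List[Tag] = []
    for kind in pattern:
        candidates = [t for t in library if t.kind == kind
                      and tag_matches(t, effective, rule, range_param)]
        if not candidates:
            return None
        tag = candidates[0]   # first match; the page's processor may instead choose randomly
        chosen.append(tag)
        for attr, levels in tag.levels.items():
            if attr not in effective and len(levels) == 1:
                effective[attr] = levels[0]
    return chosen


# Constructed tag library: names stand in for tag text, levels are illustrative.
LIBRARY = [
    Tag("G1", "greeting", {"formality": (1,), "personalization": (1, 2)}),
    Tag("G2", "greeting", {"formality": (3,)}),
    Tag("C1", "closing", {"formality": (1,)}),
    Tag("C2", "closing", {"formality": (3,)}),
    Tag("C3", "closing"),    # neutral: usable at any formality level
]


def template_names(specified: Dict[str, int], rule: Rule = Rule.EQUAL,
                   range_param: int = 1) -> Optional[List[str]]:
    """Return just the selected tag names for the sample library and a greeting+closing pattern."""
    result = build_template(["greeting", "closing"], LIBRARY, specified, rule, range_param)
    return None if result is None else [t.name for t in result]


if __name__ == "__main__":
    print(template_names({"formality": 3}))                        # ['G2', 'C2']
    print(template_names({}))                                      # ['G1', 'C1']: formality pinned to G1's level
    print(template_names({"formality": 2}))                        # None: no formality-2 greeting under EQUAL
    print(template_names({"formality": 2}, Rule.WITHIN_RANGE, 1))  # ['G1', 'C1']
```

The empty-specification call is the interesting one: the user asked for no formality level, yet the second tag is still constrained to the first tag's level, which is the internal-consistency guarantee the page attributes to the processor 502.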
  • a system for creating phishing templates includes an interface, e.g., a graphical user interface.
  • the interface allows the user to select a desired phishing pattern and desired characterization attributes and theme topics.
  • the interface is configured to indicate to the user the number of possible e-mail templates satisfying the selected
  • the interface is configured to receive from the user campaign profile values (see FIG. 6). Different campaign profile values can be entered to create different campaign profiles, e.g., differently branded campaign profiles.
  • the interface allows the user to select a campaign profile from the available campaign profiles to brand a phishing campaign.
  • the system is configured to generate a different phishing template for each member of the organization such that each member of the organization receives a unique phishing message, with each phishing message having internal characterization attribute consistency.
  • the system determines that a member of an organization has taken an action requested by a phishing message, the system is configured to send the member of the organization suggestions for different types of training to reduce susceptibility to social engineering based on the characterization attributes and/or theme topics of the phishing message sent to the member.
  • the system is also configured to examine future performance by the member in social engineering susceptibility testing and to determine effectiveness of different types of training, etc.
  • the system 500 (see FIG. 5) is configured to generate a large number, e.g., millions, tens of millions, hundreds of millions, billions, tens of billions, hundreds of billions, etc., of unique phishing messages, e.g., e-mail messages.
  • These e-mail messages can be used to test spam filters to determine if spam filters are susceptible to e-mail messages having particular characterization attributes, theme topics, words, etc. Based on these results, the spam filtering algorithms can be adjusted to improve spam filter performance.
  • a plurality of different message templates such as e-mail template 100 (see FIG. 1), may be created by a user manually, e.g., a user comes up with a salutation word or words and enters them into a computer, selects a location for name indicators, writes a call to action, comes up with a closing word or words, etc.
  • e-mail template 100 may be created by a user manually, e.g., a user comes up with a salutation word or words and enters them into a computer, selects a location for name indicators, writes a call to action, comes up with a closing word or words, etc.
  • This plurality of message templates forms an inventory of templates.
  • a system for analyzing susceptibility to social engineering is configured to analyze and categorize each of the message templates based on characterization attributes and theme topics.
  • the system is configured to determine the formality level from among a plurality of different formality levels that each template should be assigned, e.g., based on the diction of each template, the name indicators used, such as first name and last name, whether an honorific precedes the name indicator, etc.
  • the system also may be configured to determine relevance (relevance of the message to the target user/organization), design (level of sophistication for the visual design and layout of the message), branding (the extent to which third party brands and trademarks may be incorporated into the message), internal (the extent to which valid internal entities may be incorporated into the message), formality (level of formality for the message), language (the natural language for the message), personalization (level of personalization for the message), grammar correctness (the level of correct use of grammar and punctuation), spelling or typos (level of spelling errors or other typos), etc.
  • the system is configured to analyze and categorize each of the message templates in the inventory of templates based on theme topic, e.g., based on the subject matter of each message template, to categorize each message template into subject matter categories, for example, categories from a predetermined list of possible categories.
  • the system 700 includes a processor 702 and an inventory of message templates 704.
  • the message templates 704 each have information regarding their characterization attributes and theme topics, either because the message templates 704 were generated from a pattern 200, as described above, or because hand generated message templates 704 have been analyzed to determine their characterization attributes and theme topics, as described above.
  • the processor 702 is configured to receive inputs from a plurality of organizations 706 through interfaces. In one embodiment, the organizations 706 each select a message template from the inventory to be used to generate messages to members of that organization. In another embodiment, the organizations 706 select desired characterization attributes and theme topics, based on which message templates matching the selected characterization attributes and theme topics may be selected by the processor 702 from the inventory 704.
  • the interface 800 includes a characterization attributes portion in which a user can select, e.g., using radio buttons, drop down menus, etc., different characterization attributes for messages to be used in a social engineering testing campaign.
  • the interface 800 also includes a theme topic portion which allows the organization to choose, e.g., from a drop down menu, etc., from different available theme topics for the messages to be used in a social engineering testing campaign.
  • the interface 800 also includes a portion 802 indicating the number of templates in a template inventory that match the selected characterization attributes and/or theme topic.
  • the processor 702 (FIG. 8) is configured to search the template inventory 704 and, based on the selected characterization attributes and theme topics selected, to display the number of templates available matching the selected characterization attributes and theme topics.
  • the processor 702 is configured to select message templates from the template inventory 704, to generate messages based on the selected message templates, and to send the generated messages to selected members 708 of the organizations 706 who may receive and review the messages using electronic devices, e.g., review e-mail, voicemail, telephone calls, social media messages, etc.
  • the processor 702 is configured to track statistics regarding the characterization attributes and theme topics of all messages sent.
  • the processor 702 is configured to monitor engagement with the messages, e.g., monitor whether members of the organizations that received messages respond to the message or take other actions solicited by the message, e.g., click a link to visit a website, enter confidential information, call a telephone number, etc.
  • the processor 702 benchmarks, e.g., maintains statistics, for engagement rate based on characterization attributes and theme topics of messages sent.
  • the processor 702 tracks engagement rate, e.g., the ratio of the number of unique members of an organization that engage with a phishing message at least once to the number of total opportunities, e.g., the total number of phishing messages of the type (for example, having specific characterization attributes and theme topics) sent to members of the organization.
  • the processor 702 tracks engagement count, e.g., the number of times that phishing messages are engaged total (for example, the processor 702 counts a single user engaging with a phishing message multiple times, with each engagement being counted as part of the engagement count). Over time, the processor 702 gathers statistics for engagement rate and engagement count for phishing messages with different characterization attributes and different theme topics. The processor 702 is configured to aggregate these statistics to determine a projected engagement rate for different characterization attributes and theme topics.
  • a user interface 900 e.g., a graphical user interface
  • the interface 900 includes a plurality of selectable
  • the interface 900 displays the available inventory of message templates, e.g., number of different message templates, for each characterization attribute and theme topic, e.g., if only that single characterization attribute or theme topic were selected, and the number of message templates available in inventory. Additionally, the interface 900 displays the projected engagement rate for each characterization attribute and theme topic, e.g., if only that single characterization attribute or theme topic were selected, the projected ratio of the number of unique members that will engage a phishing message with the selected characterization attribute or theme topic to the total number of phishing messages sent with the selected characterization attribute and theme topic.
  • the interface 900 allows organizations to select multiple characterization attributes and/or theme topics.
  • the processor 702 is configured to display in a number display 902 on the interface 900 the number of message templates in the inventory 704 that meet all of the characterization attributes and the theme topic selected by the organization. Additionally, the processor 702 is configured to display in a rate display 904 on the interface 900 a projected engagement rate for phishing messages that match all of the characterization attributes and the theme topic selected by the organization. In one embodiment, the processor 702 is configured to dynamically update both the number display 902 and the rate display 904 as the organization selects or de-selects various characterization attributes and theme topics.
  • the projected engagement rates are determined by the processor based on the history of all social engineering testing campaigns run by the processor 702.
  • the projected engagement rates may be determined by the processor 702 based on a subset of the previous social engineering testing campaigns run by the processor 702. For example, a subset may be selected based on the specific industry of the organization running the campaign, the specific level (e.g., of employee C-suite, entry level, etc.) of the message recipients, the department (e.g., accounting, sales, customer service, etc.) within the organization of the message recipients, etc.
  • the processor 702 is configured to receive an indication from the organization of the subsets of campaigns that the organization would prefer to have projected engagement rates displayed for. If the organization chooses a subset for which the information that the processor 702 has available is below a correlation threshold, the processor 702 is configured not to display the projected engagement rates. For example, if the organization chooses to have projected engagement rates limited only to a particular industry, and the processor 702 only has information regarding campaigns for a single other organization in that industry, the processor 702 will not display the projected engagement rates.
  • if the processor 702 determines that, of the messages previously sent for which the processor 702 has information, the percentage of those messages that are from a single organization is above a threshold, the processor 702 will not display the projected engagement rates. In one embodiment, if an organization chooses to have projected engagement rates limited to a particular industry, the processor 702 will not display the projected engagement rates if there are fewer than four organizations in the selected industry for which previous social engineering campaign information is available or if any single organization's previous social engineering campaign information constitutes more than 25% of the total data.
  • the processor 702 is configured to determine projected engagement rate in several different ways. For example, if the processor 702 has sent a total of one million phishing messages having a selected characterization attribute, 900,000 of the messages being sent to members within one organization with a 50% engagement rate, and 100,000 of the messages being sent to members within a second organization with a 10% engagement rate, there are four different engagement rate statistics that may be displayed by the processor 702 to a user. First, a total mean engagement rate can be determined based on the ratio of total number of e-mails engaged to total number of e-mails sent, or 46% in the example above.
  • an average engagement rate can be determined based on the ratio of the sum of the engagement percentages of each organization divided by the total number of organizations, or 30% in the example above.
  • the processor 702 can display a minimum projected engagement rate, or the lowest engagement rate of any organization for a particular
  • the processor 702 can display a maximum projected engagement rate, or the highest engagement rate of any organization for a particular characterization attribute, 50% in the example above.
  • the processor 702 can display a total mean engagement rate, 46% in the example above.
  • the processor 702 can display an average engagement rate, 30% in the example above.
  • the processor 702 is configured to determine for a characterization attribute or combination of characterization attributes the number of phishing messages that must be sent before the projected engagement rate for that characterization attribute or combination of characterization attributes will be statistically significant and/or before the processor 702 will display projected engagement rate for the characterization attribute or combination of characterization attributes. Additionally, in one embodiment, the processor 702 is configured to evaluate characteristics, e.g., job title, organization, department, etc., of recipients of the total number of phishing messages sent for a particular characterization attribute or combination of characterization attributes to ensure that the population has sufficient diversity, randomness, etc., before the projected engagement rate will be displayed.
  • characteristics e.g., job title, organization, department, etc.
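  The engagement rate and engagement count definitions, the four projected statistics worked on the page (total mean 46%, average 30%, minimum 10%, maximum 50% for the 900,000/100,000 example) and the disclosure gate (fewer than four organizations, or one organization holding more than 25% of the data) fit together in a few functions. The following is an added example written for this page, not PhishLine's code: the per-message opportunity log and the four-organization data set used for the gate are constructed, and the two-organization figures are the page's own example.

```python
"""Engagement benchmarking and the disclosure gate for projected rates.

Added illustration, not PhishLine's code. The two organizations and their
figures are the page's worked example; the opportunity log and the
four-organization data set used to exercise the gate are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


def engagement_metrics(opportunities: Iterable[Tuple[str, int]]) -> Tuple[float, int]:
    """Engagement rate and engagement count for one message type.

    Each opportunity is (member_id, engagements): one message sent to that member
    and how many times the member engaged with it. Rate = unique members who
    engaged at least once / total messages sent; count = all engagements,
    repeated engagements by the same member included.
    """
    sent = 0
    count = 0
    engaged_members = set()
    for member, n in opportunities:
        sent += 1
        count += n
        if n > 0:
            engaged_members.add(member)
    rate = len(engaged_members) / sent if sent else 0.0
    return rate, count


@dataclass(frozen=True)
class OrgStats:
    org: str
    sent: int      # messages with the selected attribute sent to this organization
    engaged: int   # of those, messages that were engaged

    @property
    def rate(self) -> float:
        return self.engaged / self.sent if self.sent else 0.0


def total_mean_rate(orgs: List[OrgStats]) -> float:
    """Ratio of all messages engaged to all messages sent (weighted by volume)."""
    sent = sum(o.sent for o in orgs)
    return sum(o.engaged for o in orgs) / sent if sent else 0.0


def average_rate(orgs: List[OrgStats]) -> float:
    """Mean of each organization's own rate (every organization weighted equally)."""
    return sum(o.rate for o in orgs) / len(orgs) if orgs else 0.0


def may_display(orgs: List[OrgStats], min_orgs: int = 4, max_share: float = 0.25) -> bool:
    """Gate described on the page: data from fewer than four organizations, or any
    single organization contributing more than 25% of the messages, suppresses
    the projection so one organization cannot be inferred from the benchmark."""
    total = sum(o.sent for o in orgs)
    if len(orgs) < min_orgs or total == 0:
        return False
    return all(o.sent / total <= max_share for o in orgs)


def projected_rates(orgs: List[OrgStats]) -> Optional[Dict[str, float]]:
    """The four statistics the page lists, or None when the gate suppresses them."""
    if not may_display(orgs):
        return None
    return {
        "total_mean": total_mean_rate(orgs),
        "average": average_rate(orgs),
        "minimum": min(o.rate for o in orgs),
        "maximum": max(o.rate for o in orgs),
    }


# The page's example: 900,000 messages at 50% engagement, 100,000 at 10%.
PAGE_EXAMPLE = [OrgStats("first", 900_000, 450_000), OrgStats("second", 100_000, 10_000)]


if __name__ == "__main__":
    print(total_mean_rate(PAGE_EXAMPLE))   # 0.46
    print(average_rate(PAGE_EXAMPLE))      # 0.3
    print(projected_rates(PAGE_EXAMPLE))   # None: two organizations, one holding 90% of the data
```

Note that the page computes the four statistics directly for its two-organization example, whereas `projected_rates` applies the gate first; with only two organizations and one holding 90% of the messages the gate refuses to display anything, which is exactly the situation the threshold is meant to catch.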
  • an embodiment of an interface shown as a graphical user interface 1000 is illustrated.
  • the interface 1000 is configured to receive input from an organization regarding desired characterization attributes and to display number of templates available in an inventory matching the selected characterization attributes.
  • the interface 1000 is also configured to display projected engagement rate for each level of characterization attributes.
  • a processor is configured, upon selection of a characterization attribute, to update the projected engagement rates of the levels of the other characterization attributes. For example, if an organization selects personalization level 1, the processor will update the projected engagement rates for each of the levels of formality and misspelling based on the selected personalization level.
  • the processor 702 is configured to calculate and display projected engagement rate for each theme topic independent of characterization attributes selected. In another embodiment, the processor 702 is configured to calculate and display projected engagement rate for each theme topic dependent on the characterization attributes selected. In one embodiment, the processor 702 is configured to calculate and display projected engagement rate for each characterization attribute independent of theme topic selected. In another embodiment, the processor 702 is configured to calculate and display projected engagement rate for each characterization attribute dependent on the theme topic selected.
  • the processor 702, upon completion of a social engineering testing campaign, is configured to conduct benchmarking on the results of the social engineering testing campaign and display the results to the organization through the interface. In one embodiment, the processor 702 is configured to indicate whether the actual engagement rate for the organization is within an acceptable engagement rate range. In one embodiment, the processor 702 is configured to indicate to the organization if the actual engagement rate for the organization is above the projected engagement rate. In one embodiment, the processor 702 is configured to display the actual engagement rate for a subset of the organization, e.g., by department in the organization, by job title of members of the organization, etc.
  • the processor 702 is configured to indicate the engagement rate for subsets of the organization based on any attribute associated with a user, including address book attributes and company database attributes.
  • user attributes may include risk-based attributes, for example users who have had a virus found on their computer, users who have called the help desk for a password reset or other issues related to computer security, or users who have changed jobs or are new hires, etc.
  • a phishing pattern of "{content_greeting} {content_closing}" is provided.
  • Table 1 illustrates exemplary tags available with the "formality" or "personalization" Characterization Categories applied.
  • the system is configured to randomly create 4 different Phishing Templates based on having 2 of each of greetings and closings.
  • Table 2 illustrates exemplary possible combinations.
  • the system is configured to receive an input from a user indicating the formality desired by the user. If the user indicates that they only want to generate a Phishing Template that includes Formality-1 content then no combinations would be available.
  • the system is configured to similarly receive input from the user regarding desired themes.
  • system may be configured to receive characterization attributes input from users in one of the following exemplary ways.
  • Inclusive - only include Formality-1 but not Formality-2 or Formality-3.
  • the system and/or method for selecting Attributes and Themes is interactive.
  • a method for generating messages from a pre-built table is provided.
  • the method may include exhaustively listing the Phishing Pattern Universe in a table.
  • the method includes running random queries to filter the available Attributes of the Phishing Templates.
  • 100 of each tag type are provided in a pattern.
  • four Tag Types are provided, where tag type 1 includes 4 options; tag type 2 includes 6 options; tag type 3 includes 10 options; and tag type 4 includes 5 options.
  • any number of tag types and any number of tags per tag type may be used. In typical embodiments, 5-10 tag types, 10-20 tag types, 20-50 tag types, or more than 50 tag types may be used.
  • a method for generating messages on-the-fly is provided.
  • a Phishing Template from a Phishing Pattern Universe may be created on-the-fly as follows.
  • the system randomly chooses a Tag of that Type that matches the Characterization Attributes and Themes. For example, the system may choose a theme of "Animals Need Your Help" and a Personalization Level of 1.
  • the system may choose replacements based on user-defined behavior. For example, if there is no Greeting of Personalization-1, the system could be configured to allow or disallow the selection of Personalization-2 Tags.
  • the system creates different Phishing Templates based on the user-specified Phishing Patterns, Characterization Attributes and Themes. In one embodiment, the system can generate millions of possible unique email templates on-the-fly, while keeping them coherent. The attributes of each generated Phishing Template are used to generate each Phish. Therefore, the system is configured to benchmark and report on variations.
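The two generation methods above (the pre-built Phishing Pattern Universe table and on-the-fly generation), as an added Python example that is not code from the patent: a constructed tag inventory carrying formality and personalization attributes, the inclusive attribute filter, the universe-size product, and the user-defined fallback for the case where no tag exists at the requested personalization level. The `{content_<type>}` slot syntax, the attribute scales and the sample tags are assumptions; a theme filter would be handled the same way as one more tag attribute.

```python
import random
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Tag:
    tag_type: str         # Tag Type referenced by the pattern, e.g. "greeting"
    text: str             # content substituted for the tag; recipient merge fields stay for send time
    formality: int        # Characterization Attribute level; 1 = most formal (assumed scale)
    personalization: int  # 1 = addresses the recipient by name, 2 = generic (assumed scale)


# Constructed sample inventory (2 greetings x 2 closings); not the patent's Table 1.
INVENTORY = [
    Tag("greeting", "Dear {last_name},", formality=1, personalization=1),
    Tag("greeting", "Hi {first_name},", formality=3, personalization=1),
    Tag("closing", "Sincerely,", formality=2, personalization=2),
    Tag("closing", "Thanks!", formality=3, personalization=2),
]

# Phishing Pattern with one slot per Tag Type (slot syntax assumed).
PATTERN = "{content_greeting} {content_closing}"


def tag_types(pattern):
    """Tag Types referenced by the pattern, in order: "{content_greeting}" -> "greeting"."""
    return re.findall(r"\{content_(\w+)\}", pattern)


def matching(inventory, tag_type, **levels):
    """Inclusive filter: tags of this type whose attributes equal every requested level."""
    return [t for t in inventory if t.tag_type == tag_type
            and all(getattr(t, attr) == lvl for attr, lvl in levels.items())]


def universe_size(pattern, inventory, **levels):
    """Pre-built-table view: one template per combination, so the size of the
    Phishing Pattern Universe is the product of matching tags per Tag Type
    (4 * 6 * 10 * 5 = 1200 in the patent's four-type example)."""
    size = 1
    for tt in tag_types(pattern):
        size *= len(matching(inventory, tt, **levels))
    return size


def generate(pattern, inventory, seed=None, fallback=False, **levels):
    """On-the-fly generation: draw one random matching tag per Tag Type.
    When a type has no tag at the requested personalization level, user-defined
    behaviour decides: refuse (fallback=False, returns None) or relax the
    personalization constraint for that type only (fallback=True)."""
    rng = random.Random(seed)
    message = pattern
    for tt in tag_types(pattern):
        candidates = matching(inventory, tt, **levels)
        if not candidates and fallback and "personalization" in levels:
            relaxed = {k: v for k, v in levels.items() if k != "personalization"}
            candidates = matching(inventory, tt, **relaxed)
        if not candidates:
            return None
        message = message.replace("{content_%s}" % tt, rng.choice(candidates).text)
    return message
```

With this inventory the Formality-1 filter yields zero combinations, as in the example above, because no closing exists at that level; the same check is what an interface would use to show the organization how many templates remain before a campaign is launched.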
  • themes are specified.
  • benchmark data is available within the user interface for the user who is selecting Phishing Patterns, Characterization Attributes and Themes.
  • the benchmark shows information about the number of possible Phishing Templates that could be generated based on the Phishing Patterns, Tags, etc.
  • benchmarking information is provided regarding the "track record" of various phishing test attributes, such as click-through-rate, out of office reply, callback rate, etc.
  • benchmarks are put in the context of industry-specific statistics. In another embodiment, benchmarks are compared to other available database information from prior campaigns at this customer site or across customers.
  • a system is provided that is configured to select templates and themes at will, e.g., without any themes or characteristics being received from a user.
  • the system is configured to inquire from the user whether to apply the spell-wrecker function, grammar-wrecker function, and wrecker-protector function, to receive user input regarding applying these functions, and to apply these functions based on user input.
  • the system is configured to receive input from the user regarding Campaign Profiles for use in customizing the generated Phishing Templates.
  • the system is configured to allow a user to apply Campaign Profiles to a phishing template created, for example, by the user, not by the system, etc. In one embodiment, the system provides the ability to apply Themes and Characterization Attributes to Campaign Profiles.
  • Campaign Profiles are different than Tags, e.g., the user is able to provide information in the Campaign Profile. In one embodiment, the user does not develop Tags.
  • graphical user interfaces described herein may be configured to be displayed, e.g., displayed on computer screens, electronic device screens, etc.
  • systems, processors, modules, interfaces, and message generators described herein may include a general purpose processor, an application specific processor, a circuit containing one or more processing components, a group of distributed processing components, e.g., distributed computers configured for processing, etc.
  • Embodiments of systems, processors, modules, interfaces, and message generators may be or include any number of components for conducting data processing and/or signal processing. According to an exemplary embodiment, any distributed and/or local memory device may be utilized with and/or included in the systems, processors, modules, interfaces, and message generators of this disclosure.
  • systems, processors, modules, interfaces, and message generators may include memory communicably connected to the systems, processors, interfaces and message generators (e.g., via a circuit or other connection) and may include computer code for executing one or more processes described herein.
  • systems, processors, modules, interfaces, and message generators may be implemented in software. In another embodiment, the systems, processors, modules, interfaces, and message generators may be implemented in a combination of computer hardware and software.
  • systems implementing systems, processors, modules, interfaces, and message generators discussed herein include one or more processing components, one or more computer memory components, and one or more communication components.
  • the systems, processors, modules, interfaces, and message generators may include a general purpose processor, an application specific processor (ASIC), a circuit containing one or more processing components, a group of distributed processing components, a group of distributed computers configured for processing, etc., configured to provide the functionality discussed herein.
  • the systems, processors, modules, interfaces, and message generators may include memory components such as one or more devices for storing data and/or computer code for completing and/or facilitating the various processes described in the present disclosure, and may include database components, object code components, script components, and/or any other type of information structure for supporting the various activities described in the present disclosure.
  • communication components described herein may include hardware and software for
  • communication components may include, wires, jacks, interfaces, wireless communications hardware etc., for receiving and transmitting information as discussed herein.
  • the systems, processors, interfaces, and message generators and/or methods described herein may be embodied in nontransitory, computer readable media, including instructions (e.g., computer coded) for providing the various functions and performing the various steps discussed herein.
  • the computer code may include object code, program code, compiled code, script code, executable code, instructions, programmed instructions, non-transitory programmed instructions, or any combination thereof.
  • systems, processors, modules, interfaces, and message generators described herein may be implemented by any other suitable method or mechanism.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Health & Medical Sciences (AREA)
  • Audiology, Speech & Language Pathology (AREA)
  • Computational Linguistics (AREA)
  • Artificial Intelligence (AREA)
  • Business, Economics & Management (AREA)
  • Human Resources & Organizations (AREA)
  • General Business, Economics & Management (AREA)
  • Tourism & Hospitality (AREA)
  • Strategic Management (AREA)
  • Primary Health Care (AREA)
  • Marketing (AREA)
  • Economics (AREA)
  • Human Computer Interaction (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

A system for testing an organization's susceptibility to social engineering is provided. The system includes an interface configured to receive input from the organization selecting characterization attributes for message templates for a social engineering campaign. The system includes a processor configured to receive the input through the interface. The system generates an inventory of message templates containing a plurality of message templates from combinations of phishing template patterns, characterization attributes and themes, such that the generated templates include tag content that is coherent. The processor is configured to select message templates from the plurality of message templates consistent with the characterization attributes selected by the organization and to display the number of selected message templates to the user through the interface.
EP16780723.9A 2015-04-14 2016-04-14 System for Analyzing Susceptibility to Social Engineering and Benchmarking Based on Characterization Attribute and Theme Withdrawn EP3284002A1 (fr)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US201562147414P 2015-04-14 2015-04-14
US201562185299P 2015-06-26 2015-06-26
PCT/US2016/027481 WO2016168427A1 (fr) 2015-04-14 2016-04-14 System for Analyzing Susceptibility to Social Engineering and Benchmarking Based on Characterization Attribute and Theme

Publications (1)

Publication Number Publication Date
EP3284002A1 true EP3284002A1 (fr) 2018-02-21

Family

ID=60486718

Family Applications (1)

Application Number Title Priority Date Filing Date
EP16780723.9A Withdrawn EP3284002A1 (fr) 2015-04-14 2016-04-14 System for Analyzing Susceptibility to Social Engineering and Benchmarking Based on Characterization Attribute and Theme

Country Status (2)

Country Link
EP (1) EP3284002A1 (fr)
CN (1) CN107454952A (fr)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114499932A (zh) * 2021-12-16 2022-05-13 山东星维九州安全技术有限公司 Phishing email test service support method, system and terminal

Also Published As

Publication number Publication date
CN107454952A (zh) 2017-12-08


Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20170928

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

AX Request for extension of the european patent

Extension state: BA ME

DAV Request for validation of the european patent (deleted)
DAX Request for extension of the european patent (deleted)
STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20181101