U.S. patent application number 15/044099 was filed with the patent office on 2016-06-09 for simulated phishing result anonymization and attribution prevention.
This patent application is currently assigned to PhishMe, Inc.. The applicant listed for this patent is PhishMe, Inc.. Invention is credited to Rohyt Belani, Scott Greaux, Aaron Higbee.
Application Number | 20160164898 15/044099 |
Document ID | / |
Family ID | 52001846 |
Filed Date | 2016-06-09 |
United States Patent
Application |
20160164898 |
Kind Code |
A1 |
Belani; Rohyt ; et
al. |
June 9, 2016 |
SIMULATED PHISHING RESULT ANONYMIZATION AND ATTRIBUTION
PREVENTION
Abstract
Described herein are methods, network devices and
machine-readable media for preventing the malicious use of phishing
simulation records. A phishing simulation record of an individual
is associated with an e-mail alias of the individual. Further, such
e-mail alias may be deactivated after phishing simulations have
been completed. Therefore, even if an attacker were able to
identify individuals most susceptible to phishing attacks, the
attacker will be unable to send any phishing attacks to those
individuals since their e-mail aliases will have been
deactivated.
Inventors: |
Belani; Rohyt; (New York,
NY) ; Higbee; Aaron; (Leesburg, VA) ; Greaux;
Scott; (Glenmont, NY) |
|
Applicant: |
Name |
City |
State |
Country |
Type |
PhishMe, Inc. |
Leesburg |
VA |
US |
|
|
Assignee: |
PhishMe, Inc.
Leesburg
VA
|
Family ID: |
52001846 |
Appl. No.: |
15/044099 |
Filed: |
February 15, 2016 |
Related U.S. Patent Documents
|
|
|
|
|
|
Application
Number |
Filing Date |
Patent Number |
|
|
14160443 |
Jan 21, 2014 |
9262629 |
|
|
15044099 |
|
|
|
|
Current U.S.
Class: |
726/23 |
Current CPC
Class: |
G06F 21/55 20130101;
H04L 63/1416 20130101; H04L 63/1483 20130101 |
International
Class: |
H04L 29/06 20060101
H04L029/06 |
Claims
1. A computer-implemented method performed by a data processing
apparatus, the method comprising: for an individual, associating an
e-mail alias of the individual with a primary e-mail address of the
individual; sending via a computer network one or more simulated
phishing messages to the individual via the e-mail alias associated
with the individual; generating a phishing simulation record based
on a response by the individual to the one or more simulated
phishing messages, wherein, for the individual, the phishing
simulation record of the individual is associated with the primary
e-mail address of the individual only through the e-mail alias of
the individual; wherein, after sending the one or more messages,
disassociating by a computer processor the primary e-mail address
of the individual from the e-mail alias of the individual such that
phishing susceptibility attribution is precluded for the
individual.
2. The method of claim 1, wherein the phishing simulation record
comprises a measure of the corresponding individual's
susceptibility to phishing attacks.
3. The method of claim 1, further comprising determining which of
the phishing simulation records has a measure of phishing
susceptibility that exceeds a threshold.
4. The method of claim 1, wherein the phishing simulation record
comprises a total number of phishing simulations that the
corresponding individual has fallen victim to.
5. The method of claim 4, wherein if the total number of phishing
simulations that the corresponding individual has fallen victim to
exceeds a threshold, then sending via the computer network one or
more simulated phishing messages to the individual.
6. The method of claim 1, further comprising generating a plurality
of phishing simulation records based on responses by individuals to
the one or more simulated phishing messages wherein phishing
susceptibility attribution is precluded for the individuals.
7. The method of claim 1, wherein the association between the
e-mail aliases and the primary e-mail addresses is stored using
encryption.
8. The method of claim 1, wherein the association between the
phishing simulation records and the e-mail aliases is stored in a
first data store and the association between the e-mail aliases and
the primary e-mail addresses is stored in a second data store, the
first data store being separate from the second data store so that
even if an attacker gains access to the first data store, the
attacker does not automatically gain access to the second data
store.
9. The method of claim 1, further comprising: upon detecting that
one or more messages have been sent to an individual's e-mail
alias, forwarding the one or more messages to the primary e-mail
address of the individual.
10. The method of claim 1, further comprising generating a
plurality of phishing simulation records based on responses by
individuals to the one or more simulated phishing messages wherein
phishing susceptibility attribution is precluded for the
individuals and providing phishing simulations to individuals
associated with certain phishing simulation records.
11. The method of claim 1, wherein the one or more messages
comprise one or more of phishing simulations and training materials
constructed to increase an individual's awareness of phishing
attacks.
12. The method of claim 1, further comprising generating a
plurality of phishing simulation records based on responses by
individuals to the one or more simulated phishing messages wherein
phishing susceptibility attribution is precluded for the
individuals and providing phishing training materials to
individuals associated with certain phishing simulation
records.
13. A network device, comprising: a processor; a storage device
connected to the processor; and a set of instructions on the
storage device that, when executed by the processor, cause the
processor to: for an individual, associate an e-mail alias of the
individual with a primary e-mail address of the individual; sending
one or more simulated phishing messages to the individual via the
e-mail alias associated with the individual; generating a phishing
simulation record based on a response by the individual to the one
or more simulated phishing messages, wherein, for the individual,
the phishing simulation record of the individual is associated with
the primary e-mail address of the individual only through the
e-mail alias of the individual; wherein, after sending the one or
more messages, disassociating by a computer processor the primary
e-mail address of the individual from the e-mail alias of the
individual such that phishing susceptibility attribution is
precluded for the individual.
14. The network device of claim 13, further comprising a set of
instructions on the storage device that, when executed by the
processor, cause the processor generate a plurality of phishing
simulation records based on responses by individuals to the one or
more simulated phishing messages wherein phishing susceptibility
attribution is precluded for the individuals.
15. The network device of claim 13, further comprising a set of
instructions on the storage device that, when executed by the
processor, cause the processor generate a plurality of phishing
simulation records based on responses by individuals to the one or
more simulated phishing messages wherein phishing susceptibility
attribution is precluded for the individuals and providing phishing
simulations to individuals associated with certain phishing
simulation records.
16. The network device of claim 13, further comprising a set of
instructions on the storage device that, when executed by the
processor, cause the processor generate a plurality of phishing
simulation records based on responses by individuals to the one or
more simulated phishing messages wherein phishing susceptibility
attribution is precluded for the individuals and providing phishing
training materials to individuals associated with certain phishing
simulation records.
17. A non-transitory machine-readable storage medium comprising
software instructions that, when executed by a processor, cause the
processor to: for an individual, associate an e-mail alias of the
individual with a primary e-mail address of the individual; send
one or more simulated phishing messages to the individual via the
e-mail alias associated with the individual; generate a phishing
simulation record based on a response by the individual to the one
or more simulated phishing messages, wherein, for the individual,
the phishing simulation record of the individual is associated with
the primary e-mail address of the individual only through the
e-mail alias of the individual; wherein, after sending the one or
more messages, disassociating by a computer processor the primary
e-mail address of the individual from the e-mail alias of the
individual such that phishing susceptibility attribution is
precluded for the individual.
18. The non-transitory machine-readable storage medium of claim 17,
wherein if the total number of phishing simulations that the
corresponding individual has fallen victim to exceeds a threshold,
then sending via the computer network one or more simulated
phishing messages to the individual.
19. The non-transitory machine-readable storage medium of claim 17,
the instructions further comprising instructions for determining
which of the phishing simulation records has a measure of phishing
susceptibility that exceeds a threshold.
20. The non-transitory machine-readable storage medium of claim 17,
wherein the phishing simulation record comprises a total number of
phishing simulations that the corresponding individual has fallen
victim to.
21. The non-transitory machine-readable storage medium of claim 17,
wherein if the total number of phishing simulations that the
corresponding individual has fallen victim to exceeds a threshold,
then sending via the computer network one or more simulated
phishing messages to the individual.
22. The non-transitory machine-readable storage medium of claim 17,
the instructions further comprising instructions for generating a
plurality of phishing simulation records based on responses by
individuals to the one or more simulated phishing messages wherein
phishing susceptibility attribution is precluded for the
individuals.
23. The non-transitory machine-readable storage medium of claim 17,
the instructions further comprising instructions for generating a
plurality of phishing simulation records based on responses by
individuals to the one or more simulated phishing messages wherein
phishing susceptibility attribution is precluded for the
individuals and providing phishing simulations to individuals
associated with certain phishing simulation records.
24. The non-transitory machine-readable storage medium of claim 17,
the instructions further comprising instructions for generating a
plurality of phishing simulation records based on responses by
individuals to the one or more simulated phishing messages wherein
phishing susceptibility attribution is precluded for the
individuals and providing phishing training materials to
individuals associated with certain phishing simulation records.
Description
RELATED APPLICATIONS
[0001] This application is a continuation of application Ser. No.
14/160,443, filed Jan. 21, 2014, the entire contents of which are
incorporated herein by reference.
FIELD OF THE INVENTION
[0002] The present invention relates to methods, network devices
and machine-readable media for preventing the malicious use of
phishing simulation records, and more particularly relates to
techniques for decoupling phishing simulation records from the
contact information of individuals by means of an e-mail alias.
BACKGROUND
[0003] In a phishing attack, an individual (e.g., a person, an
employee of a company, a user of a computing device) receives a
message, commonly in the form of an e-mail or other electronic
communication, directing the individual to perform an action, such
as opening an e-mail attachment or following (e.g., using a cursor
controlled device or touch screen) an embedded link. If such
message were from a trusted source (e.g., co-worker, bank, utility
company or other well-known and trusted entity), such action might
carry little risk. Nevertheless, in a phishing attack, such message
is from an attacker (e.g., an individual using a computing device
to perform a malicious act on another computer device user)
disguised as a trusted source, and an unsuspecting individual, for
example, opening an attachment to view a "friend's photograph"
might in fact install spyware, a virus, and/or other malware (i.e.,
malicious computer software) on his/her computer. Similarly, an
unsuspecting individual directed to a webpage made to look like an
official banking webpage might be deceived into submitting his/her
username, password, banking account number, etc. to an
attacker.
[0004] While there are computer programs designed to detect and
block phishing e-mails, phishing attacks methods are constantly
being modified by attackers to evade such forms of detection. More
recently, training programs have been developed to train users to
recognize phishing attacks, such training involving simulated
phishing attacks. While such training is beneficial, training
programs may accumulate certain information about the users, which,
if exploited by an attacker (e.g., attacker were able to gain
access to same), could cause great harm to the participants of the
training programs. The present invention addresses such potential
vulnerabilities of training programs.
SUMMARY OF THE INVENTION
[0005] The inventors have realized that training programs (e.g.,
providing employees of a company with simulated phishing attacks,
followed by training materials), may collect certain information
that could be exploited by an attacker. For example, training
programs may maintain a measure of each individual's susceptibility
to simulated phishing attacks. If an attacker were to gain access
to such information, the attacker could specifically target those
individuals determined to be highly susceptible to phishing
attacks. Indeed, it would be ironic, but nevertheless detrimental,
that a program designed to protect individuals from phishing
attacks could be exploited by an attacker to more effectively
attack the individuals.
[0006] One approach to addressing such vulnerability is to decouple
any phishing simulation record of an individual from his/her
personal information (e.g., name, birth date, age, gender, etc.)
and/or contact information (e.g., mailing address, telephone
number, mobile number, e-mail address, etc.). That way, even if an
attacker were to gain access to phishing simulation records (e.g.,
records of the number of phishing simulations an individual falls
victim to, which types of phishing simulations an individual falls
victim to, a measure of an individual's susceptibility to phishing
attacks), the attacker would not be able to utilize such
information in a manner that harms the individuals associated with
the phishing simulation records.
[0007] At the same time, a training program is posed with the
conflicting need to associate such phishing simulation records of
individuals with those individual's contact information. Upon
identifying those individuals most susceptible to phishing attacks,
a training program would ideally be able to provide those
individuals with targeted and/or additional training materials.
[0008] To satisfy both goals of protecting simulation records from
being exploited by an attacker and allowing a training program to
provide individuals with targeted and/or additional training
materials, the inventors propose, in one embodiment of the
invention, to associate each phishing simulation record of an
individual with an e-mail alias of the individual. Any messages
(e.g., simulated attacks, training materials) sent to the e-mail
alias would be forwarded to a primary e-mail address of the
individual, enabling the proper operation of a training program.
Such e-mail alias, however, would be rendered invalid after a
certain time period (e.g., after a simulation program has been
completed) so that even if an attacker were to gain access to the
phishing simulation records, the attacker would not be able to
exploit same.
[0009] These and further embodiments of the present invention are
discussed herein.
BRIEF DESCRIPTION OF THE DRAWINGS
[0010] The present invention is illustrated by way of example, and
not limitation, in the figures of the accompanying drawings in
which:
[0011] FIG. 1 depicts a schematic illustrating a mapping from
phishing simulation records to e-mail aliases and a mapping from
e-mail aliases to primary e-mail addresses, according to one
embodiment of the invention;
[0012] FIG. 2 depicts a system diagram of components used in the
administration of phishing simulations to individuals, according to
one embodiment of the invention;
[0013] FIG. 3 depicts a specific example of how phishing
simulations are administered to individuals via their e-mail
aliases, according to one embodiment of the invention;
[0014] FIG. 4 depicts a flow diagram of a process to administer
phishing simulations to individuals via their e-mail aliases,
according to one embodiment of the invention; and
[0015] FIG. 5 depicts components of a computer system in which
computer readable instructions instantiating the methods of the
present invention may be stored and executed.
DETAILED DESCRIPTION OF THE INVENTION
[0016] In the following detailed description of the preferred
embodiments, reference is made to the accompanying drawings that
form a part hereof, and in which are shown by way of illustration
specific embodiments in which the invention may be practiced. It is
understood that other embodiments may be utilized and structural
changes may be made without departing from the scope of the present
invention.
[0017] As depicted in schematic 10 of FIG. 1, phishing simulation
records 12 may be associated with e-mail aliases (e.g., asp98r
<at> company <dot> com, 983jas <at> company
<dot> com, etc.) via mapping 14. In the example of FIG. 1,
phishing simulation records of four individuals are depicted, and
each of the phishing simulation records is associated with an
e-mail alias of each of the individuals. While four phishing
simulation records are depicted for ease of discussion, any number
of phishing simulation records may be present. For example,
phishing simulation record 1 is associated with the e-mail alias
asp98r <at> company <dot> com. In turn, each of the
e-mail aliases is associated with a primary e-mail address via
mapping 16. For example, the e-mail alias asp98r <at> company
<dot> com is associated with the primary e-mail address mary
<at> company <dot> com. It is noted that, in the
example provided in FIG. 1, the domain names of the e-mail aliases
and the primary e-mail addresses are the same (i.e., both are
company <dot> com), but this is not necessarily so. In
another example, an e-mail alias could be asp98r <at> company
<dot> com, while the primary e-mail address associated with
such e-mail alias could be mary <at> gmail <dot>
com.
[0018] The phrase "primary e-mail address", in embodiments of the
invention, refers to a more permanent e-mail address of an
individual. This could be a company e-mail address, a personal
e-mail address, etc. The primary e-mail address often incorporates
one or more of the individual's first name, last name, nickname and
other identifier of the individual in the local-part of the e-mail
address (i.e., where the "local-part" of an e-mail address is the
sequence of characters before the "<at>" symbol), but this is
not always so. In practice, a person could have more than one
primary e-mail address. For instance, a person could have a gmail
address for personal use and a company e-mail address for
professional use. Either (or both) of these e-mail address could be
considered a primary e-mail address.
[0019] An e-mail alias is a forwarding e-mail address (i.e.,
messages sent to an e-mail alias of an individual are forwarded to
the primary e-mail address of the individual). An e-mail alias of
an individual may be established after the individual's primary
e-mail address has been established, but this is not always so.
Other than these functional and/or temporal distinctions, an e-mail
alias may be quite similar to a primary e-mail address. Like a
primary e-mail address, an e-mail alias may incorporate one or more
of the individual's first name, last name, nickname and other
identifier of the individual. Like a primary e-mail address, an
e-mail alias could be in use for a long period of time.
[0020] However, e-mail alias, in accordance with embodiments of the
present invention, may be constructed in a more restrictive and/or
limited fashion than e-mail aliases currently in use. Typically, an
e-mail alias of an individual, in accordance with embodiments of
the present invention, does not incorporate any characteristic that
may be associated with the identity of the individual (e.g., does
not include the individual's first or last name, initials,
nickname, birthday, etc.) and/or any other characteristic that
could be used by an attacker to determine the identity/contact
information of an individual. In practice, the local part of an
e-mail alias may include a randomly generated sequence of
alpha-numeric characters (e.g., "aa039js"). The local part of an
e-mail alias may also include special characters (e.g., !, #, $,
etc.) in addition to alpha-numeric characters, although there may
be restrictions on the use of these special characters. Such
details may be found in RFC 5322 and RFC 6531 and will not be
discuss in further detail herein. FIG. 1 provides several example
e-mail aliases which are suitable for protecting the
identity/contact information of an individual. For instance,
without the knowledge of mapping 16, there really would be no way
for an attacker (or anyone for that matter) to ascertain the
primary e-mail address associated with the e-mail alias asp98r
<at> company <dot> com.
[0021] Typically, an e-mail alias, in accordance with embodiments
of the present invention, is active (e.g., able to send/receive
messages) for a limited duration of time (e.g., 1 hour, 1 day,
etc.). When an e-mail alias is active, any messages sent to the
e-mail alias of an individual may be forwarded to the primary
e-mail address of the individual. When an e-mail alias is inactive,
any messages sent to the e-mail alias may not be forwarded to the
associated primary e-mail address.
[0022] More particularly, the duration of time that an e-mail alias
is active may correspond to the time during which a phishing
simulation is being conducted. Before a phishing simulation begins,
an e-mail alias may be created for and assigned to an individual.
During the phishing simulation, phishing simulations and/or
training material may be sent to the individual via the
individual's e-mail alias. Any responses from the individual may
also be received via the e-mail alias. More specifically, the
individual may use his/her primary e-mail address to send a message
(e.g., reply to a phishing simulation). Such message may then be
forwarded from the primary e-mail address to the e-mail alias, so
that the training program receives any response from the individual
via his/her e-mail alias rather than via his/her primary e-mail
address. Such technique decouples the training program from any
primary e-mail addresses of individuals of the training program,
precluding any information collected by the training program from
being used to mount an attack on the individuals. When the phishing
simulation concludes, the e-mail alias may be made inactive.
[0023] FIG. 2 depicts system diagram 20 of components used in the
administration of phishing simulations to individuals, according to
one embodiment of the invention. Phishing simulation records 12 (of
FIG. 2) is a more compact representation of the collection of
phishing simulation records 12 (of FIG. 1). More specifically, a
phishing simulation record may comprise a measure of an
individual's susceptibility to phishing attacks. The measure may
include numbers from 1 to 10, with 1 indicating low susceptibility
and 10 indicating high susceptibility. Alternatively, the measure
may include a percentage from 0% to 100%, with 0% indicating that
an individual has fallen victim to none of the phishing simulations
and 100% indicating that the individual has fallen victim to all of
the phishing simulations. Alternatively and/or in addition, a
phishing simulation record may comprise the number of phishing
simulations that an individual has fallen victim to. Alternatively
and/or in addition, a phishing simulation record may indicate
whether an individual has received and/or has reviewed training
materials provided by the training program.
[0024] As depicted in FIG. 2, phishing simulation records 12 may be
communicatively coupled to record selector 22. Record selector 22,
in one embodiment of the invention, may determine which of the
phishing simulation records satisfies a criterion. For example,
record selector 22 may determine which of the phishing simulation
records has a measure of phishing susceptibility that exceeds a
certain threshold. As another example, record selector 22 may
determine which of the phishing simulation records contain a record
of individuals falling victim to more than ten phishing
simulations. Record selector 22 may then select at least one of the
phishing simulation records that satisfies the criterion. In one
instance, record selector 22 may select all of the phishing
simulation records that satisfy the criterion. As a specific
example, record selector 22 may select "Phishing Simulation Record
1" and "Phishing Simulation Record 4", as depicted in process 50 of
FIG. 3.
[0025] As depicted in FIG. 2, record selector 22 may be
communicatively coupled to phishing simulator 24. Based on
information provided by record selector 22, phishing simulator 24
may be instructed to provide phishing simulations and/or training
materials to individuals associated with certain phishing
simulation records. Phishing simulator 24 may retrieve specific
phishing simulations and/or training materials from phishing
simulation data store 26, those simulations and/or materials
retrieved being properly matched to an individual associated with a
selected phishing simulation record. For example, based on
information from a phishing simulation record that an individual
consistently fails to recognize phishing simulations with
personalized salutations, phishing simulator 24 may provide that
individual with training materials designed to increase his/her
awareness of phishing simulations with personalized
salutations.
[0026] Phishing simulator 24 may access data store 14 which stores
a mapping from phishing simulation records to e-mail aliases in
order to determine an e-mail address through which an individual
associated with a phishing simulation record can be contacted. As a
specific example, phishing simulator 24 may access data store 14 to
determine that e-mail alias asp98r <at> company <dot>
com is associated with phishing simulation record 1, and e-mail
alias k8fne9 <at> company <dot> com is associated with
phishing simulation record 4. Based on information from record
selector 22, phishing simulation data store 26 and simulation
record to alias mapping data store 14, phishing simulator 24 may
send messages (e.g., phishing simulations and/or training
materials) to certain e-mail aliases via network 28. Continuing
with the specific example provided in FIG. 3, phishing simulator 24
may send a simulated attack to asp98r <at> company
<dot> com and a simulated attack to k8fne9 <at> company
<dot> com.
[0027] Subsequently, forwarding device 30 may detect that one or
more messages have been sent to an individual's e-mail alias.
Relying upon a mapping from e-mail aliases to primary e-mail
addresses provided in data store 16, forwarding device 30 may
forward the one or more messages to a primary e-mail address of the
individual. More specifically, the one or more messages may be
forwarded to an e-mail inbox of the individual, as identified by
the primary e-mail address of the individual, via network 32 and
the individual's client machine. Returning to the specific sample
of FIG. 3, a simulated attack sent to asp98r <at> company
<dot> com may be forwarded to mary <at> company
<dot> com, and a simulated attack sent to k8fne9 <at>
company <dot> com may be forwarded to john <at> company
<dot> com, in accordance with the mapping provided in data
store 16.
[0028] After phishing simulations have concluded (or after a
certain time duration has elapsed from the instant the e-mail
aliases were created), one or more of the e-mail aliases may become
invalid, preventing those individuals whose e-mail aliases have
become invalid (or deactivated) from receiving any further messages
from their respective e-mail aliases while their respective e-mail
aliases are invalid. An e-mail alias may be rendered invalid by
removing certain associations from the mapping provided in data
store 16. For instance, to render the e-mail alias asp98r
<at> company <dot> com invalid, one may remove the
association between asp98r <at> company <dot> com and
mary <at> company <dot> com. Alternatively, such
association from e-mail alias to primary e-mail address could be
preserved in data store 16, but forwarding device 30 could be
instructed to (temporarily) stop forwarding any messages from
asp98r <at> company <dot> com to mary <at>
company <dot> com. Indeed, e-mail aliases need not be
permanently deactivated. Instead, they could be deactivated at the
end of one phishing simulation and reactivated during a subsequent
phishing simulation.
[0029] As discussed above, a primary reason for using e-mail
aliases and rendering them inactive after a certain period of time
is to thwart an attacker's attempt to exploit phishing simulation
records (in the event that the attacker gains access to same). In
accordance with techniques of one embodiment of the invention, even
if the attacker has knowledge that an individual is highly
susceptible to phishing attacks, such knowledge is of little use if
the attacker has no way of contacting the individual (e.g., the
attacker could attempt to send a phishing attack to an e-mail
alias, but such attack would fail to reach the intended individual
in the event that the e-mail alias has been rendered inactive).
[0030] An underlying assumption in FIG. 2 is that data store 14 is
separate from data store 16 such that even if an attacker were to
gain access to data store 14, the attacker does not automatically
also gain access to data store 16. In one embodiment of the
invention, data store 14 may be physically separated from data
store 16 (e.g., data store 14 and data store 16 may be separate
devices and/or may be separated by network 28).
[0031] In a variation of FIG. 2, phishing simulator 24 may be
directly coupled to forwarding device 30 (i.e., network 28 is not
present). In such embodiment, the mapping present in data store 14
and the mapping present in data store 16 may be stored in a common
data storage device. To thwart an attacker from gaining knowledge
of the association between phishing simulation records and primary
e-mail addresses (and subsequently attacking individuals who
participate in the training program), the mapping from e-mail
aliases to primary e-mail addresses may be stored in an encrypted
manner. As such, even if in attacker were to gain access to the
phishing simulation records, the attacker will be unable to contact
individuals associated with the phishing simulation records
(assuming that the e-mail aliases have been rendered invalid).
[0032] In the discussion above, references have been made to a
"training program". Such "training program" may include one or more
of the components of FIG. 2: phishing simulation records 12, record
selector 22, phishing simulator 24, phishing simulations 26 and
simulation record to alias mapping 14. Forwarding device 30 and
e-mail alias to primary e-mail mapping 16 may be present in a mail
server which is coupled to the training program via network 28.
[0033] FIG. 4 depicts flow diagram 70 of a process to administer
phishing simulations to individuals via e-mail aliases, according
to one embodiment of the invention. At step 72, for each
individual, a phishing simulation record of the individual may be
associated with an e-mail alias of the individual. Such association
may be recorded in data store 14, as described above. At step 74,
record selector 22 may determine which of the phishing simulation
records satisfies a criterion. At step 76, record selector 22 may
select at least one of the phishing simulation records which
satisfies the criterion. Finally, at step 78, phishing simulator 24
may, for each of the selected phishing simulation records, send one
or more messages to the individual associated with the selected
phishing simulation record via that individual's e-mail alias.
[0034] While embodiments of the present invention have been
described in the context of preventing an attacker from maliciously
using phishing simulation records, there may be other contexts for
which decoupling a phishing simulation record from an individual's
personal/contact information using an e-mail alias would be
beneficial. For instance, privacy laws or a company's Chief Privacy
Officer may want to preclude phishing susceptibility attribution.
That is, a company's objective is typically to reduce its
employees' susceptibility to phishing attacks, and not necessarily
to specifically know who is most susceptible.
[0035] As is apparent from the foregoing discussion, aspects of the
present invention involve the use of various computer systems and
computer readable storage media having computer-readable
instructions stored thereon. FIG. 5 provides an example of computer
system 100 that is representative of any of the client/server
devices discussed herein. Further, computer system 100 is
representative of a device that performs the process depicted in
FIG. 4. Note, not all of the various devices discussed herein may
have all of the features of computer system 100. For example,
certain devices discussed above may not include a display inasmuch
as the display function may be provided by a client computer
communicatively coupled to computer system 100 or a display
function may be unnecessary. Such details are not critical to the
present invention.
[0036] Computer system 100 includes a bus 102 or other
communication mechanism for communicating information, and a
processor 104 coupled with the bus 102 for processing information.
Computer system 100 also includes a main memory 106, such as a
random access memory (RAM) or other dynamic storage device, coupled
to the bus 102 for storing information and instructions to be
executed by processor 104. Main memory 106 also may be used for
storing temporary variables or other intermediate information
during execution of instructions to be executed by processor 104.
Computer system 100 further includes a read only memory (ROM) 108
or other static storage device coupled to the bus 102 for storing
static information and instructions for the processor 104. A
storage device 110, which may be one or more of a floppy disk, a
flexible disk, a hard disk, flash memory-based storage medium,
magnetic tape or other magnetic storage medium, a compact disk
(CD)-ROM, a digital versatile disk (DVD)-ROM, or other optical
storage medium, or any other storage medium from which processor
104 can read, is provided and coupled to the bus 102 for storing
information and instructions (e.g., operating systems, applications
programs and the like).
[0037] Computer system 100 may be coupled via the bus 102 to a
display 112, such as a flat panel display, for displaying
information to a computer user. An input device 114, such as a
keyboard including alphanumeric and other keys, is coupled to the
bus 102 for communicating information and command selections to the
processor 104. Another type of user input device is cursor control
device 116, such as a mouse, a trackball, or cursor direction keys
for communicating direction information and command selections to
processor 104 and for controlling cursor movement on the display
112. Other user interface devices, such as microphones, speakers,
etc. are not shown in detail but may be involved with the receipt
of user input and/or presentation of output.
[0038] The processes referred to herein may be implemented by
processor 104 executing appropriate sequences of computer-readable
instructions contained in main memory 106. Such instructions may be
read into main memory 106 from another computer-readable medium,
such as storage device 110, and execution of the sequences of
instructions contained in the main memory 106 causes the processor
104 to perform the associated actions. In alternative embodiments,
hard-wired circuitry or firmware-controlled processing units (e.g.,
field programmable gate arrays) may be used in place of or in
combination with processor 104 and its associated computer software
instructions to implement the invention. The computer-readable
instructions may be rendered in any computer language including,
without limitation, C#, C/C++, Fortran, COBOL, PASCAL, assembly
language, markup languages (e.g., HTML, SGML, XML, VoXML), and the
like, as well as object-oriented environments such as the Common
Object Request Broker Architecture (CORBA), Java.TM. and the like.
In general, all of the aforementioned terms are meant to encompass
any series of logical steps performed in a sequence to accomplish a
given purpose, which is the hallmark of any computer-executable
application. Unless specifically stated otherwise, it should be
appreciated that throughout the description of the present
invention, use of terms such as "processing", "computing",
"calculating", "determining", "displaying" or the like, refer to
the action and processes of an appropriately programmed computer
system, such as computer system 100 or similar electronic computing
device, that manipulates and transforms data represented as
physical (electronic) quantities within its registers and memories
into other data similarly represented as physical quantities within
its memories or registers or other such information storage,
transmission or display devices.
[0039] Computer system 100 also includes a communication interface
118 coupled to the bus 102. Communication interface 118 provides a
two-way data communication channel with a computer network, which
provides connectivity to and among the various computer systems
discussed above. For example, communication interface 118 may be a
local area network (LAN) card to provide a data communication
connection to a compatible LAN, which itself is communicatively
coupled to the Internet through one or more Internet service
provider networks. The precise details of such communication paths
are not critical to the present invention. What is important is
that computer system 100 can send and receive messages and data
through the communication interface 118 and in that way communicate
with hosts accessible via the Internet.
[0040] Thus, methods, network devices and machine-readable media
for preventing malicious use of phishing simulation records have
been described. It is to be understood that the above description
is intended to be illustrative, and not restrictive. Many other
embodiments will be apparent to those of skill in the art upon
reviewing the above description. The scope of the invention should,
therefore, be determined with reference to the appended claims,
along with the full scope of equivalents to which such claims are
entitled.
* * * * *