Abstract: A system and method is described that sends multiple simulated phishing emails, text messages, and/or phone calls (e.g., via VoIP) varying the quantity, frequency, type, sophistication, and combination using machine learning algorithms or other forms of artificial intelligence. In some implementations, some or all messages (email, text messages, VoIP calls) in a campaign after the first simulated phishing email, text message, or call may be used to direct the user to open the first simulated phishing email or text message, or to open the latest simulated phishing email or text message. In some implementations, simulated phishing emails, text messages, or phone calls of a campaign may be intended to lure the user to perform a different requested action, such as selecting a hyperlink in an email or text message, or returning a voice call.

Abstract: Systems and methods to incentivize engagement in security awareness training are disclosed. The systems and methods include a user enrolling in a simulated self-phishing system that enables the user to receive simulated self-phishing communications and be scored on the user's interactions with the simulated self-phishing communications. The method includes identifying organizational information of the user, and communicating simulated self-phishing communications based at least on the organizational information of the user. The method includes receiving interaction data of the user with the simulated self-phishing communications. The method may generate a score of the user based at least on the interaction data.

Abstract: Systems and methods are described for using secured groups for simulated phishing campaigns to obfuscate data for levels of privacy based on protected criteria classes. Initially, a group to resolve members of the group based on multiple users matching one or more group criteria is established. It is then determined that at least one criteria of the one or more criteria has been configured as one of multiple protected criteria classes. Responsive to the determination, the group is identified as a secured group. A query of the group is then executed to identify one or more users of the multiple users as members of the group based on the users matching the criteria of the secured group at the time of execution of the group and information of the one or more users resulting from the execution of the secured group is obfuscated in accordance with the protected criteria class.

Abstract: Systems and methods are described for providing customized message content to be displayed to a user of an email client, responsive to the user selecting, via a plug-in or agent of the email client, to report an email as a potential phishing email. In examples, the user may be an employee of an organization and the systems and methods may facilitate a determination by the plug-in or agent of the email client that the reported email is one that does not pose a security risk, such as a simulated phishing email sent by the organization itself, or an email sent from a trusted partner of the organization. The systems and methods may facilitate a customization of the message content that is displayed to the user. In examples, the customized message content may be included or specified within one or more SMTP extension headers of an SMTP email.

Abstract: Embodiments disclosed herein describe a server, for example a security awareness server or an artificial intelligence machine learning system that establishes a risk score or vulnerable for a user of a security awareness system, or for a group of users of a security awareness system. The server may create a frequency score for a user, which predicts the frequency at which the user is to be hit with a malicious attack. The frequency score may be based on at least a job score, which may be represented by a value that is based on the type of job the user has, and a breach score that may be represented by a value that is based on the user's level of exposure to email.

Abstract: The present disclosure describes systems and method for performing a vulnerabilities assessment of an organization. A campaign controller executes one or more simulated phishing campaigns directed to a plurality of users of an organization, using a plurality of models determined by the campaign controller based at least on identification of the organization. The campaign controller stores to a database the results of execution of the one or more simulated phishing campaigns and based on the results, the campaign controller determines one or more vulnerabilities to phishing for the organization. In one embodiment, the campaign controller determines a percentage of the plurality of users of the organization that are phish-prone. In some embodiments, the users of the organization that are phish-prone interacted with a link of a simulated phishing communication.

Abstract: Systems and methods are described for modifying one or more advertisements of a webpage or a social media feed to create a simulated cybersecurity attack. Initially, content responsive to a request by a user via a user device to access a webpage or social media feed with one or more advertisements is received. One or more advertisements are detected within the content. An advertisement of the one or more advertisements is modified or replaced with simulated cybersecurity attack advertisements. The webpage or social media feed with the modified advertisement is displayed to the user device. User interactions with the simulated cybersecurity attack content are tracked and training is provided based on user interactions.

Abstract: Systems and methods are described for determination of indicators of malicious elements within messages. A report of a malicious message is received from a user of an organization, the malicious message having traversed an endpoint security system of the organization. After receiving the report of the malicious message, one or more indicators of one or more malicious elements of the malicious message are identified. Further, an identification of the endpoint security system and a dangerousness score of the malicious message are determined. The one or more indicators, the identification of the endpoint security system, and the dangerousness score are stored into a threat database that is able to be queried to generate an endpoint-specific threat data set.

Abstract: Embodiments of the disclosure describe systems and methods for selecting a first group of users, which is selected to receive simulated phishing emails as part of a simulated phishing campaign, and adding users to a second group of users based upon those selected users interacting with a simulated phishing email that is part of a simulated phishing campaign; tracking the completion of remediation training related to phishing emails by users in the second group of users and receiving one or more indications that the users in the second group of users have completed remedial training; and automatically adding users, who are members of the second user group, to the first user group, to a third user group, or to a predetermined user group responsive to the one or more indications that the users in the second group of users have completed remedial training.

Abstract: Systems and methods for prioritization of reported messages and rewarding reporting users are disclosed. The systems and methods leverage knowledge and security awareness of the most informed users in an organization to protect an organization from serious harm from new malicious messages, give credit to the most informed users, and optimize threat triage and analysis. The system converts a reported malicious message to a defanged message. The system communicates the defanged message to a plurality of users. The system determines an impact score for the user based on interactions with the defanged message by the plurality of users, and with the impact score gives credit to the reporter and optimizes threat triage and analysis.

Abstract: Systems and methods are described for detecting a simulated phishing message by an email client plug-in. A unique key is received at the email client plug-in. An indication that an email was reported by a user as a suspicious message is received at the email client plug-in. The email is a simulated phishing message having the unique key mapped by cryptographic hashing function into a hash value in a predetermined field in the header of the simulated phishing message. The presence of the predetermined field is detected and the hash value in the predetermined field is compared to a result of applying cryptographic hashing function to the unique key received by the email client plug-in. Responsive to being matched to the result, it is determined that the suspicious message is a simulated phishing message generated by a server.

Abstract: Embodiments of the disclosure describe a simulated phishing campaign manager that communicates a simulated phishing communication that includes at least the telephone number and reference identifier, to a device of a user. The content of the simulated phishing communication may prompt the user to call the telephone number identified in the simulated phishing communication. The security awareness system may select a telephone number and a reference identifier to use for the simulated phishing communication, the combination of which may be later used to identify a specific user if they respond to the message. Each of a plurality of users may have a unique combination of telephone number and reference identifier. The telephone number may be selected based on the geographic location of the user, or the telephone number may be selected to correspond to content in a simulated phishing communication.

Abstract: Systems and methods are described for using a template for simulated phishing campaigns based on predetermined date from a date associated with a user. The predetermined date may by an event, an anniversary or a milestone associated with employment of the user with a company. The campaign controller may identify a date associated with the user and based on the identification of the date associated with the user, the campaign controller may select one or more templates for one or more simulated phishing campaigns to be triggered by a predetermined date related to the date associated with the user.

Abstract: This disclosure describes embodiments of an improvement to the static group solution because all the administrator needs to do is specify the criteria they care about. Unlike static groups, where the administrator needs to keep track of the status of individual users and move them between static groups as their status changes, smart groups allows for automatic identification of the relevant users at the moment that action needs to be taken. This feature automates user management for the purposes of enrollment in either phishing and training campaigns. Because the smart group membership is determined as the group is about to be used for something, the smart group membership is always accurate and never outdated. The query that determines the smart group membership gets run at the time when you are about to do a campaign or perform some other action that needs to know the membership of the smart group.

Abstract: Systems and methods are described for contextualizing a simulated phishing communication based at least on one of language and locale. Initially, a template for a simulated phishing communication is created with content in a source language. Then one or more contextual parameters for a user are identified. The one or more contextual parameters identify at least one of a target language and a target locale. The content of the simulated phishing communication is modified according to at least one of the target language and the target locale and the simulated phishing communication is communicated to one or more devices of the user with the content modified for at least one of the target language and the target locale.

Abstract: Systems and methods, disclosed herein, of a campaign controller that stores information to a database about execution of multiple simulated phishing campaigns for multiple users, where each of the simulated phishing campaigns use one or more models for communicating simulated phishing communications. Based on this information, the campaign controller may determine a rate of success of the model, in causing a user to interact with a link in one of the simulated phishing campaigns, and may display the model's rate of success via a user interface.

Abstract: Systems and methods are described for providing calendar-based simulated phishing attacks to users of an organization. Initially, a context is identified for a calendar-based simulated phishing attack directed towards a user. An electronic calendar invitation for the calendar-based simulated phishing attack is then generated using the context. Thereafter, the electronic calendar invitation may be communicated to an electronic calendar of the user.

Abstract: A system and method is described that sends multiple simulated phishing emails, text messages, and/or phone calls (e.g., via VoIP) varying the quantity, frequency, type, sophistication, and combination using machine learning algorithms or other forms of artificial intelligence. In some implementations, some or all messages (email, text messages, VoIP calls) in a campaign after the first simulated phishing email, text message, or call may be used to direct the user to open the first simulated phishing email or text message, or to open the latest simulated phishing email or text message. In some implementations, simulated phishing emails, text messages, or phone calls of a campaign may be intended to lure the user to perform a different requested action, such as selecting a hyperlink in an email or text message, or returning a voice call.

Abstract: Systems and methods are disclosed for simulating a phishing attack involving an email thread. An email thread of a plurality of email threads of an entity for use in a simulated phishing attack is identified. A simulation system generates a converted reply simulated phishing email to an email of the email thread. The converted reply simulated phishing email is generated to be from a user that is one of a recipient or a sender of one or more emails of the email thread and is communicated to a target user's email account, the converted reply simulated phishing email.

Abstract: The present disclosure describes a system for saving metadata on files and using attribute data files inside a computing system to enhance the ability to provide user interfaces based on actions associated with non-executable attachments like text and document files from untrusted emails, to block execution of potentially harmful executable object downloads and files based on geographic location, and to a create a prompt for users to decide whether to continue execution of potentially harmful executable object downloads and files. The system also records user behavior on reactions to suspicious applications and documents by transmitting a set of attribute data in an attribute data file corresponding to suspicious applications or documents to a server. The system interrupts execution of actions related to untrusted phishing emails in order to give users a choice on whether to proceed with actions.