Abstract: A method for detecting spoofed webpages includes: accessing an email; and scanning the email for links. The method also includes, in response to detecting a link in the email: accessing web content contained in a target webpage at the link; extracting target visual features from the web content; accessing a set of verified webpage templates, each verified webpage template in the set of verified webpage templates containing a set of verified features present in a verified webpage associated with a verified resource locator; identifying a particular verified webpage template, in the set of verified webpage templates, containing a particular set of verified features approximating the target visual features; characterizing a difference between the link and a particular verified resource locator associated with the particular verified webpage template; and, in response to the difference exceeding a threshold difference, flagging the email as malicious.

Abstract: A method for detecting spoofed webpages includes: accessing an email; and scanning the email for links. The method also includes, in response to detecting a link in the email: accessing web content contained in a target webpage at the link; extracting target visual features from the web content; accessing a set of verified webpage templates, each verified webpage template in the set of verified webpage templates containing a set of verified features present in a verified webpage associated with a verified resource locator; identifying a particular verified webpage template, in the set of verified webpage templates, containing a particular set of verified features approximating the target visual features; characterizing a difference between the link and a particular verified resource locator associated with the particular verified webpage template; and, in response to the difference exceeding a threshold difference, flagging the email as malicious.

Abstract: A method for detecting financial attacks in emails includes: accessing an email inbound to a recipient address; scanning a body of the email for language signals; correlating a first sequence of words, in the email, with a financial signal; correlating a second sequence of words, in the email, with an action request signal; calculating a risk for the email representing a financial attack based on the financial signal and the action request signal detected in the email; and, in response to the risk exceeding a threshold risk, annotating the first sequence of words in the email according to a first visual highlighting scheme associated with the financial signal, annotating the second sequence of words in the email according to a second visual highlighting scheme—different from the first visual highlighting scheme—associated with the action request signal, and redirecting the email to a quarantine folder.