Abstract: An email is received that is from an email sender. From the email, the display name of the email sender, an email address of the email sender, and an email domain of the email sender, is extracted. A score is determined for the email based on at least: the extracted display name of the email sender, the extracted email address of the email sender, and the extracted email domain of the email sender, where the score indicates a probability that the email is from a legitimate sender. Message content of the email is input into multiple classifiers each corresponding to a particular message type. The message type of the email is determined based on output of the classifiers. Based on at least the determined score for the email and the determined message type of the email, a determination is made whether the email is associated with a BEC attack.

Abstract: In an embodiment, the disclosed technologies monitor electronic message traffic between a network and a recipient computer system. An embodiment includes obtaining, from an electronic message received from the network, a triple of a display name, email address, and sending domain, determining a name score for triple, and determining characteristics of the electronic message. The name score of the triple and the characteristics of the electronic message may be used to determine whether the electronic message is a spoofing attack such as a business email compromise (BEC) attack. In response to determining that the electronic message is malicious, an embodiment may cause the network to at least one of modify, delay, re-route, or block transmission of the electronic message to the recipient computer system.

Abstract: In an embodiment, a computer-implemented method includes receiving, from a pre-processor, an output file; where the output file is created by the pre-processor in response to input of an electronic file to the pre-processor; where the electronic file is an attachment to a message that is in-transit to a recipient computer on a network; where the output file contains features that are created by the pre-processor analyzing one or more sub-features of the electronic file; receiving, from a machine learning-based classifier, malware classification data that indicates whether the electronic file does or does not contain malware; where the malware classification data is output by the machine learning-based classifier in response to the machine learning-based classifier determining that the features are or are not indicators of obfuscation; where data used to create the machine learning-based classifier includes output files previously created by the pre-processor; in response to the malware classification data mat

Abstract: In an embodiment, a computer-implemented method includes receiving, from a pre-processor, an output file; where the output file is created by the pre-processor in response to input of an electronic file to the pre-processor; where the electronic file is an attachment to a message that is in-transit to a recipient computer on a network; where the output file contains features that are created by the pre-processor analyzing one or more sub-features of the electronic file; receiving, from a machine learning-based classifier, malware classification data that indicates whether the electronic file does or does not contain malware; where the malware classification data is output by the machine learning-based classifier in response to the machine learning-based classifier determining that the features are or are not indicators of obfuscation; where data used to create the machine learning-based classifier includes output files previously created by the pre-processor; in response to the malware classification data mat

Abstract: In an embodiment, the disclosed technologies monitor electronic message traffic between a network and a recipient computer system. An embodiment includes obtaining, from an electronic message received from the network, a triple of a display name, email address, and sending domain, determining a name score for triple, and determining characteristics of the electronic message. The name score of the triple and the characteristics of the electronic message may be used to determine whether the electronic message is a spoofing attack such as a business email compromise (BEC) attack. In response to determining that the electronic message is malicious, an embodiment may cause the network to at least one of modify, delay, re-route, or block transmission of the electronic message to the recipient computer system.

Abstract: In an embodiment, the disclosed technologies monitor electronic message traffic between a network and a recipient computer system. An embodiment includes extracting, from an electronic message received from the network, a sending domain and message data, computing a lookalike score based on the sending domain, and assigning a message type to the electronic message based on the message data. The lookalike score and the message type may be used to determine whether the electronic message is a spoofing attack such as a business email compromise (BEC) attack. In response to determining that the electronic message is malicious, an embodiment may cause the network to at least one of modify, delay, re-route, or block transmission of the electronic message to the recipient computer system.

Abstract: Techniques are described herein for detecting malicious program code stored on computer devices before the code can be executed to potentially compromise a computer network. In an embodiment, a method comprises receiving, at a computer device, a file containing instructions in a programming language; based on a syntax of the programming language, parsing the file to generate parsed information, and based on the parsed information, generating a syntax tree for the file; identifying one or more alphanumeric strings in the syntax tree, and based on the alphanumeric strings, generating a syntax string for the syntax tree; generating a hash digest by applying a piecewise hashing to the alphanumeric strings in the syntax string; determining whether the hash digest indicates that the file contains potentially malicious code; in response to determining that the hash digest indicates that the file contains the potentially malicious code, performing a responsive action.

Abstract: Systems, methods, and media for determining fraud risk from audio signals and non-audio data are provided herein. Some exemplary methods include receiving an audio signal and an associated audio signal identifier, receiving a fraud event identifier associated with a fraud event, determining a speaker model based on the received audio signal, determining a channel model based on a path of the received audio signal, using a server system, updating a fraudster channel database to include the determined channel model based on a comparison of the audio signal identifier and the fraud event identified, and updating a fraudster voice database to include the determined speaker model based on a comparison of the audio signal identifier and the fraud event identifier.

Abstract: Enhanced diarization systems and methods of use are provided herein. Some exemplary methods may include applying one or more rules that affect separation of the call audio data into segments, the rules being associated with the at least one call schema, separating the call audio data into segments according to the one or more rules, grouping segments of call audio data associated with a speaker, and storing in a storage media an identifier and the grouped segments for the speaker.

Abstract: Systems, methods, and media for disambiguating call data are provided herein. Some exemplary methods include receiving notification of a fraud event including a customer account identifier and a fraud time stamp; determining a time frame that is proximate the fraud time stamp; collecting call events associated with the customer account identifier that occur during the determined time frame, each call event including a unique call event identifier, a voice sample, and a call event time stamp; identifying a first call event belonging to a first speaker and a second call event belonging to a second speaker; and generating a timeline presentation that includes the first call event and call event timestamp and an identification of a first voice sample as belonging to the first speaker, the second call event and call event timestamp and an identification of a second voice sample as belonging to the second speaker.

Abstract: Systems and methods for authenticating callers are disclosed that may obtain identifying data and a voice print, and compare the voice print to one or more stored voice prints. Further, one or more initial scores may be calculated based on the data and the comparison, and a confidence interval score may also be calculated. The systems and methods may determine whether to authenticate based on the one or more initial scores and the confidence interval score.

Abstract: Systems, methods, and media for disambiguating call data are provided herein. Some exemplary methods include receiving, via a fraud notification system, notification of a fraud event associated with a customer account, the fraud event comprising a time stamp, determining, via a call selection module, unique voice samples or models from call events obtained within a time frame that is temporally proximate the fraud event, and generating a timeline presentation that includes each unique voice sample or model identified in the call events based upon a time stamp associated with the call events.

Abstract: Systems, methods, and media for generating fused risk scores for determining fraud in call data are provided herein. Some exemplary methods include generating a fused risk score used to determine fraud from call data by generating a fused risk score for a leg of call data, via a fuser module of an analysis system, the fused risk score being generated by fusing together two or more uniquely calculated fraud risk scores, each of the uniquely calculated fraud risk scores being generated by a sub-module of the analysis system; and storing the fused risk score in a storage device that is communicatively couplable with the fuser module.

Abstract: Systems and methods for authenticating callers are disclosed that may obtain identifying data and a voice print, and compare the voice print to one or more stored voice prints. Further, one or more initial scores may be calculated based on the data and the comparison, and a confidence interval score may also be calculated. The systems and methods may determine whether to authenticate based on the one or more initial scores and the confidence interval score.

Abstract: An application stored in a mobile device is provisioned using provisioning data received from remote data storage via a network. Provisioning data is obtained at no cost to a user of the mobile device. In some implementations, the provisioning data is received after the mobile device requests to establish a data channel with a data network. The data network is identified using a predetermined identifier that the network recognizes. If the network does not recognize the special identifier, no data channel is established. After a data channel is established, the mobile device requests provisioning data from the remote data storage. In some implementations, the mobile device receives a provisioning message through a predetermined port. The provisioning message either includes provisioning data or prompts the mobile device to obtain provisioning data.

Abstract: Systems, methods, and media for disambiguating call data are provided herein. Some exemplary methods include receiving, via a fraud notification system, notification of a fraud event associated with a customer account, the fraud event comprising a time stamp, determining, via a call selection module, unique voice samples or models from call events obtained within a time frame that is temporally proximate the fraud event, and generating a timeline presentation that includes each unique voice sample or model identified in the call events based upon a time stamp associated with the call events.

Abstract: Systems, methods, and media for determining fraud risk from audio signals and non-audio data are provided herein. Some exemplary methods include receiving an audio signal and an associated audio signal identifier, receiving a fraud event identifier associated with a fraud event, determining a speaker model based on the received audio signal, determining a channel model based on a path of the received audio signal, using a server system, updating a fraudster channel database to include the determined channel model based on a comparison of the audio signal identifier and the fraud event identified, and updating a fraudster voice database to include the determined speaker model based on a comparison of the audio signal identifier and the fraud event identifier.

Abstract: Systems, methods, and media for generating fused risk scores for determining fraud in call data are provided herein. Some exemplary methods include generating a fused risk score used to determine fraud from call data by generating a fused risk score for a leg of call data, via a fuser module of an analysis system, the fused risk score being generated by fusing together two or more uniquely calculated fraud risk scores, each of the uniquely calculated fraud risk scores being generated by a sub-module of the analysis system; and storing the fused risk score in a storage device that is communicatively couplable with the fuser module.

Abstract: An application stored in a mobile device is provisioned using provisioning data received from remote data storage via a network. Provisioning data is obtained at no cost to a user of the mobile device. In some implementations, the provisioning data is received after the mobile device requests to establish a data channel with a data network. The data network is identified using a predetermined identifier that the network recognizes. If the network does not recognize the special identifier, no data channel is established. After a data channel is established, the mobile device requests provisioning data from the remote data storage. In some implementations, the mobile device receives a provisioning message through a predetermined port. The provisioning message either includes provisioning data or prompts the mobile device to obtain provisioning data.

Abstract: A method and system for barge-in acknowledgement are disclosed. A prompt is attenuated upon detection of speech. The speech is accepted and the prompt is terminated if the speech corresponds to an allowable response.