| CPC H04L 51/212 (2022.05) [G06F 40/169 (2020.01); G06F 40/284 (2020.01); H04L 51/214 (2022.05)] | 17 Claims |

|
1. A method comprising:
obtaining, at an email computer system, a sender model that represents first language included in previously sent emails associated with an email account;
accessing an outbound email sent from the email account and destined for a recipient;
analyzing second language of the outbound email with respect to a set of language concepts;
determining, based on the analyzing, that the second language includes a first word that is of a financial concept;
determining, based on the analyzing, that the second language includes a second word that is of an action concept associated with an action to take with respect to the first word;
based at least in part on the second language including the first word of the financial concept and the second word of the action concept, calculating a similarity score between the outbound email and at least one of the previously sent emails represented in the sender model;
identifying a characteristic of a user of the email account; and
obtaining a group sender model that represents third language included in second previously sent emails associated with a group of users exhibiting the characteristic;
determining that the outbound email is a malicious email based at least in part on the similarity score and at least partly using the group sender model; and
performing a remedial action with respect to the outbound email, the remedial action comprising at least one of:
deleting the outbound email;
quarantining the outbound email; or
updating the sender model at least partly using the outbound email.
|
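One way the steps of claim 1 could be realized, as an added sketch that is not taken from the patent or any product. The concept word lists, bag-of-words cosine similarity, 0.3 threshold, "deliver" outcome, sample emails and all function names are assumptions, and quarantine is picked from the three listed remedial actions.

```python
import math
import re
from collections import Counter

# Assumed concept lexicons; the claim names the concepts but lists no words.
FINANCIAL = {"invoice", "payment", "wire", "bank", "account", "funds"}
ACTION = {"send", "transfer", "pay", "process", "remit", "update"}

def bag(text):
    """Bag-of-words vector for one email body."""
    return Counter(re.findall(r"[a-z']+", text.lower()))

def cosine(a, b):
    dot = sum(a[t] * b[t] for t in a.keys() & b.keys())
    norm = math.sqrt(sum(v * v for v in a.values()) * sum(v * v for v in b.values()))
    return dot / norm if norm else 0.0

def best_match(model, vec):
    """Highest similarity between the email and any email held in a model."""
    return max((cosine(vec, past) for past in model), default=0.0)

def evaluate(outbound, sender_model, group_model, threshold=0.3):
    """Return (action, sender_score, group_score) for one outbound email."""
    vec = bag(outbound)
    words = set(vec)
    # Score only when a financial word and an action word co-occur.
    if not (words & FINANCIAL and words & ACTION):
        return ("deliver", None, None)
    sender_score = best_match(sender_model, vec)
    group_score = best_match(group_model, vec)
    # Malicious only if unlike the sender's own history AND unlike the peer group's.
    if sender_score < threshold and group_score < threshold:
        return ("quarantine", sender_score, group_score)
    return ("deliver", sender_score, group_score)

# Constructed sample data: an accounts-payable user with no finance mail in history.
SENDER_MODEL = [bag("Attached are the meeting notes from Tuesday"),
                bag("Can we move the design review to Friday")]
GROUP_MODEL = [bag("Please process the invoice payment for the vendor this week"),
               bag("Invoice attached, payment due in thirty days")]
TAKEOVER = "Urgent: transfer funds to the new bank account today and keep this confidential"
ROUTINE = "Please process the invoice payment for the new vendor"
CHATTER = "Can we move the meeting to Friday"

if __name__ == "__main__":
    for msg in (TAKEOVER, ROUTINE, CHATTER):
        print(evaluate(msg, SENDER_MODEL, GROUP_MODEL)[0], "<-", msg)
```

The ROUTINE message scores low against the sender's own history but high against the group model, which is the false positive the group sender model is there to suppress.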