CPC H04L 63/0236 (2013.01) [H04L 51/212 (2022.05); H04L 51/222 (2022.05); H04L 63/102 (2013.01); H04L 63/105 (2013.01); H04L 63/1433 (2013.01)]
20 Claims
1. A method comprising:
obtaining first data associated with a series of past digital communication activities performed with an email account, wherein each digital communication activity included in at least a portion of the series involves at least one of a representation or a transmission of a communication;
parsing the first data to discover an attribute of each past digital communication activity in the series of past digital communication activities;
generating a behavior profile for the email account by creating, in a data structure, a separate entry for each past digital communication activity in at least a portion of the series of past digital communication activities that specifies the corresponding attribute, wherein at least a portion of the entries in the behavior profile are in a temporal order so as to ensure that deviations in behavior of the email account are detectable;
obtaining second data associated with a specific digital communication activity performed with the email account;
determining, based on an analysis of the second data, that the specific digital communication activity is associated with a link and indexing content associated with the link to at least in part determine whether the specific digital communication activity is associated with an instance of phishing;
parsing the second data to discover an attribute of the specific digital communication activity;
producing a deviation metric by programmatically comparing the attribute of the specific digital communication activity to the behavior profile; and
determining, based on the deviation metric and the determination of whether the specific digital communication activity is associated with an instance of phishing, a likelihood that the email account is compromised.
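
The steps of claim 1, sketched as an added example (illustrative code written for this page, not taken from the patent or any product). The chosen attribute (sending country), the recency-weighted deviation metric, the keyword check on indexed link content, the noisy-OR weights, and all sample data are assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime

LINK_RE = re.compile(r"https?://[^\s\"'<>]+")

@dataclass(frozen=True)
class Entry:                       # one profile entry per past activity
    when: datetime
    attribute: str                 # assumed attribute: country the message was sent from

def build_profile(first_data):
    """Parse past activities into entries kept in temporal order."""
    entries = [Entry(datetime.fromisoformat(r["time"]), r["country"]) for r in first_data]
    return sorted(entries, key=lambda e: e.when)

def deviation_metric(profile, attribute, half_life_days=30.0):
    """0.0 = attribute matches all weighted history, 1.0 = never seen.
    Assumed metric: recent entries weigh more, which relies on the temporal order."""
    if not profile:
        return 1.0
    newest = profile[-1].when
    total = match = 0.0
    for e in profile:
        w = 0.5 ** ((newest - e.when).days / half_life_days)
        total += w
        if e.attribute == attribute:
            match += w
    return 1.0 - match / total

def link_is_phishing(body, fetched_pages):
    """Index the words of each linked page and flag credential-prompt wording.
    fetched_pages (URL -> page text) stands in for a real crawler (assumption)."""
    for url in LINK_RE.findall(body):
        index = set(re.findall(r"[a-z]+", fetched_pages.get(url, "").lower()))
        if {"verify", "password"} <= index:
            return True
    return False

def compromise_likelihood(deviation, phishing):
    """Assumed combination (noisy-OR) of the two signals, in [0, 1]."""
    return 1.0 - (1.0 - 0.6 * deviation) * (1.0 - (0.8 if phishing else 0.0))

# Constructed sample data, not taken from any real account.
PAST = [{"time": f"2024-03-{d:02d}T09:00:00", "country": "US"} for d in (22, 1, 15, 8)]
PAGES = {"https://login.example.test/reset": "Please verify your password to continue"}
NEW = {"country": "RO", "body": "Invoice attached: https://login.example.test/reset"}

def score(activity, past=PAST, pages=PAGES):
    dev = deviation_metric(build_profile(past), activity["country"])
    return compromise_likelihood(dev, link_is_phishing(activity.get("body", ""), pages))
```

Calling `score(NEW)` scores the constructed activity against the constructed profile; an activity from the usual country with no link scores 0.0.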