Patent classifications
H04L63/1483
HOMOGLYPH ATTACK DETECTION
The described technology is generally directed towards homoglyph attack detection. A homoglyph attack detection service can create images of a customer's protected domain names. A convolutional neural network can generate feature vectors based on the images. The feature vectors can be stored in a similarity search data store. Newly observed domain names can be compared to the customer's protected domain names, by also generating feature vectors for the newly observed domain names and conducting approximate nearest neighbor searches. Search results can be further evaluated by comparing protected domain names to newly observed domain names using a Siamese neural network which applies a similarity threshold. Newly observed domain names that meet or exceed the similarity threshold can be flagged for further action.
System, Device, and Method of Detecting Business Email Fraud and Corporate Email Fraud
System, device, and method of detecting business email fraud and corporate email fraud. A method includes: receiving a user request to perform an online transaction on behalf of a corporate entity; generating a notification that requires the user to indicate whether he obtained managerial authorization for performing that online transaction on behalf of that corporate entity; monitoring user gestures and user interactions in response to that notification; receiving a positive answer from the user; performing an analysis of user gestures and user interactions, and generating a signal indicating a determination that the positive answer from the user is false, based on analyzed metrics that correspond to characteristics of the user gestures and user interactions; blocking or unauthorizing, at least temporarily, that online transaction that was requested on behalf of that corporate entity.
DETECTING PHISHING ATTACKS
An apparatus, system, product and method comprising: obtaining a selection of page elements of a source page that are estimated to represent a visual appearance of the source page; generating respective representations of the page elements, wherein the representation is configured to be used for acquiring a page element in different pages; obtaining a target page, wherein a user is enabled to interact with the target page; determining a visual similarity measurement between the source page and the target page, wherein the visual similarity measurement is based on a successful acquisition in the target page, of the page elements, using the respective representations; classifying the target page as a phishing attack based on the visual similarity measurement, whereby detecting the phishing attack; and performing a responsive action in response to said detecting the phishing attack.
MACHINE LEARNING FOR VISUAL SIMILARITY-BASED PHISHING DETECTION
In one embodiment, a similarity index is calculated from characteristics of a suspected phishing web page to a database of known phishing web pages. The characteristics derive from both HTML tags of the suspected phishing web page and a screenshot of the suspected phishing web page. With machine learning using the similarity index as an input, a probability is estimated that the suspected web page comprises a known phishing web page from the database of known phishing web pages. A known phishing web page is selected from one or more candidate known phishing web pages, based on having a highest probability.
STRENGTHENING INTEGRITY ASSURANCES FOR DNS DATA
One or more DNS services are provided that are configured to not only tolerate some commonly observed DNSSEC misconfigurations (while still providing DNSSEC's security guarantees), but also provide a more intelligent DNS resolution process informed by DNSSEC.
Systems and methods for tracking and identifying phishing website authors
A method of tracking phishing activity is disclosed. A request to download a webpage hosted as part of a legitimate website on a server is initiated. The request includes identification data pertaining to at least one user computing device. The identification data is extracted from the request. A unique identifier corresponding to the extracted identification data is generated. Fingerprint data is generated using at least a subset of the extracted identification data. The unique identifier, the extracted identification data and the fingerprint data are stored. The fingerprint data is encoded into a program and/or data associated with the webpage to generate a modified webpage. The modified webpage is transmitted from the server to the user computing device in response to the request.
Detection of replay attack
In order to detect a replay attack in a speaker recognition system, at least one feature is identified in a detected magnetic field. It is then determined whether the at least one identified feature of the detected magnetic field is indicative of playback of speech through a loudspeaker. If so, it is determined that a replay attack may have taken place.
Automated effective template generation
The systems and methods disclose an automated effective template generation and recommendation for selection. A semantic similarity of a plurality of messages may be identified that at least meets a similarity threshold, each of the plurality of messages reported by a plurality of users as a potentially malicious message. The plurality of messages may be indexed under a common template identifier. One or more messages of the plurality of messages indexed under the common template identifier may be determined to have a report-to-reach ratio less than a report-to-reach threshold. Responsive to the determination, the one or more messages may be identified to be used for generating one or more simulated phishing templates. A recommendation of the one or more templates may be provided to a system administrator and/or a security awareness and simulation training platform to create and deliver simulated phishing messages using the templates.
Semi-automatic rule generator
A computer-implemented method for generating a first set of longest common sequences from a plurality of known malicious webpages, the first set of longest common sequences representing input data from which a human generates a set of regular expressions for detecting phishing webpages. There is included obtaining HTML source strings from the plurality of known malicious webpages and transforming the HTML source strings to reduce the number of at least one of stop words and repeated tags, thereby obtaining a set of transformed source strings. There is further included performing string alignment on the set of transformed source strings, thereby obtaining at least a scoring matrix. There is additionally included obtaining a second set of longest common sequences responsive to the performing the string alignment. There is further included filtering the second set of longest common sequences, thereby obtaining the first set of longest common sequences.
Systems and methods for detecting fraudulent requests on client accounts
A method for detecting a fraud attempt in a communication session may include receiving, via at least one processor, a set of data associated with a communication session between a representative of an organization and a user, tagging, via the at least one processor, one or more items of the set of data as one or more tagged data items, applying, via the at least one processor, a fraud detecting algorithm to the one or more tagged data items to determine a percent likelihood of the user attempting to defraud the representative, generating, via the at least one processor, a visualization based on the percent likelihood, and displaying, via the at least one processor, the visualization via an electronic display during the communication session.