DCT
1:17-cv-00769
PhishMe Inc v. Wombat Security Tech Inc
Key Events
Complaint
I. Executive Summary and Procedural Information
- Parties & Counsel:
- Plaintiff: PhishMe Inc. (Virginia)
- Defendant: Wombat Security Technologies, Inc. (Pennsylvania)
- Plaintiff’s Counsel: Young Conaway Stargatt & Taylor, LLP
- Case Identification: 1:17-cv-00769, D. Del., 06/16/2017
- Venue Allegations: Venue is alleged to be proper in the District of Delaware because Defendant is a Delaware corporation and therefore resides in the district. The complaint notes Defendant has admitted to proper venue in a prior related case.
- Core Dispute: Plaintiff alleges that Defendant’s cybersecurity training and threat detection platform infringes patents related to systems for collaborative phishing attack detection.
- Technical Context: The technology concerns enterprise cybersecurity systems that use simulated phishing emails to train employees and leverage employee reports of suspicious emails as a human-based threat detection network.
- Key Procedural History: The complaint notes a pending litigation between the parties in the same court (C.A. No. 16-403-LPS) involving a related patent. It also alleges that Defendant had knowledge of Plaintiff's technology and patent portfolio prior to the suit, citing Defendant's unsuccessful Petition for Post-Grant Review against a related patent and its citation of another related PhishMe patent during its own patent prosecution. These events may be relevant to the question of willful infringement.
Case Timeline
| Date | Event |
|---|---|
| 2013-02-08 | Priority Date for ’017 and ’221 Patents |
| 2013-01-01 | PhishMe Reporter launched |
| 2015-01-01 | PhishMe Triage launched |
| 2015-08-21 | Wombat allegedly cited related PhishMe patent in its own prosecution |
| 2015-10-01 | Wombat acquired ThreatSim |
| 2016-01-01 | Wombat launched PhishAlarm Analyzer |
| 2017-01-03 | Wombat filed unsuccessful PGR against related PhishMe patent |
| 2017-03-07 | U.S. Patent No. 9,591,017 Issued |
| 2017-06-06 | U.S. Patent No. 9,674,221 Issued |
| 2017-06-16 | Complaint Filed |
II. Technology and Patent(s)-in-Suit Analysis
U.S. Patent No. 9,591,017 - "Collaborative Phishing Attack Detection," Issued March 7, 2017
The Invention Explained
- Problem Addressed: The patent’s background section states that conventional computer programs for detecting and blocking phishing emails are insufficient because "phishing attack methods are constantly being modified by attackers to evade such forms of detection" (’017 Patent, col. 1:46-48; Compl. ¶25).
- The Patented Solution: The invention is a system that leverages human users as a distributed sensor network. It involves sending non-malicious, simulated phishing emails to train users. It provides a "plug-in" for the user's email client, allowing them to report any suspicious email (simulated or real) (’017 Patent, col. 4:59-65). The system then uses an "identifying header" to automatically determine if the reported email was part of the simulation. If it was, the user receives feedback; if not, the email is forwarded for expert analysis, improving the detection of novel, real-world attacks (’017 Patent, Abstract; Compl. ¶26).
- Technical Importance: This approach combines automated systems with structured human intelligence, creating a feedback loop where user training improves threat detection, and threat detection can inform future training.
Key Claims at a Glance
- The complaint asserts infringement of one or more claims, with independent claims 1 and 21 being representative (Compl. ¶36). Independent claim 1 recites a method comprising the following essential elements:
- Generating a non-malicious simulated phishing email with an embedded hyperlink and an identifying header.
- Transmitting the simulated email to a remote computing device.
- Providing a plug-in at the remote device for a user to report a "possible phishing attack."
- The plug-in determining if the reported email is a known simulated attack by comparing its headers to stored information.
- If it is a known simulated attack, providing feedback to the user.
- If it is not a known simulated attack, sending the email for analysis or detection.
- Providing electronic training to the user if they click the hyperlink in the simulated email.
- The complaint reserves the right to assert other claims, including dependent claims.
- The complaint asserts infringement of one or more claims, with independent claims 1 and 21 being representative (Compl. ¶36). Independent claim 1 recites a method comprising the following essential elements:
U.S. Patent No. 9,674,221 - "Collaborative Phishing Attack Detection," Issued June 6, 2017
The Invention Explained
- Problem Addressed: The patent, which shares a common specification with the ’017 Patent, addresses the same problem of the insufficiency of purely automated phishing detection systems (’221 Patent, col. 1:46-48; Compl. ¶25).
- The Patented Solution: The invention builds on the system described in the ’017 Patent. In addition to the steps of generating, reporting, and distinguishing simulated emails, the claims of the ’221 Patent add a final step: if an email is identified as a potential (i.e., not simulated) phishing attack, the system "comput[es] a likelihood that the identified email is a real phishing attack ... based on one or more attributes associated with the identified email" (’221 Patent, col. 14:19-24). This allows for prioritization of threats. The complaint alleges this covers aspects of its "PhishMe Triage" product (Compl. ¶3, ¶23).
- Technical Importance: This claimed feature addresses the issue of alert fatigue in security operations by introducing a risk-scoring or prioritization layer, enabling security teams to focus on the most probable and dangerous threats first (Compl. ¶23).
Key Claims at a Glance
- The complaint asserts infringement of one or more claims (Compl. ¶42). Independent claim 1 is a representative method claim, which largely mirrors claim 1 of the ’017 Patent but adds a final key element:
- All elements from ’017 Patent claim 1, plus:
- If the email has been identified as a potential phishing attack, computing a likelihood that it is a real phishing attack based on one or more of its attributes.
- The complaint reserves the right to assert other claims, including dependent claims.
- The complaint asserts infringement of one or more claims (Compl. ¶42). Independent claim 1 is a representative method claim, which largely mirrors claim 1 of the ’017 Patent but adds a final key element:
III. The Accused Instrumentality
Product Identification
- The complaint names Wombat's "Security Education Platform," an integrated SaaS-based platform which includes the products ThreatSim, PhishAlarm, PhishAlarm Analyzer, ThreatSim for Outlook, and PhishGuru (collectively, the "Accused Products") (Compl. ¶27).
Functionality and Market Context
- The Accused Products are used to provide simulated phishing training to customers (Compl. ¶27).
- "ThreatSim" and "PhishGuru" are alleged to generate and deliver simulated phishing emails containing embedded links that, when clicked, lead to "Teachable Moments" for the user (Compl. ¶31, ¶32).
- "ThreatSim for Outlook" and "PhishAlarm" are described as email client plugins or add-ins that provide a user interface, such as a one-click button, for employees to report suspicious emails (Compl. ¶28, ¶33). The complaint includes a screenshot from Wombat's materials showing the PhishAlarm "Report Phish" button (Compl. p. 14, FIG. PHISHALARM: ONE-CLICK REPORTING OF SUSPECTED PHISHING EMAILS).
- The complaint alleges the system distinguishes between simulated and potentially real attacks by using a custom email header. Emails containing a custom "X-ThreatSim-ID" header are identified as simulated, while emails lacking this header are forwarded to a configured address for further analysis (Compl. ¶29). A screenshot from a Wombat administrator guide illustrates the format of this custom header (Compl. p. 12, FIG. at ¶29).
- When a simulated email is reported, the system allegedly provides feedback to the user, and the complaint provides a screenshot of customizable feedback messages (Compl. ¶30, FIG. at ¶30).
- "PhishAlarm Analyzer" is alleged to automatically prioritize reported emails by examining their "attributes and content... to determine the likelihood that a reported email is an actual phishing attack," which is intended to focus security teams on the most imminent threats (Compl. ¶34).
IV. Analysis of Infringement Allegations
’017 Patent Infringement Allegations
| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
|---|---|---|---|
| generating...a simulated phishing email, wherein the simulated phishing email comprises at least one embedded hyperlink, and wherein...the simulated phishing email [has] an identifying header... | Wombat's ThreatSim and PhishGuru products are used to generate and send simulated phishing attacks containing embedded links and a custom "X-ThreatSim-ID" header. | ¶27, ¶29, ¶31-32 | col. 13:5-19 |
| providing a plug-in for an email client at the remote computing device...for...receiving a graphical user interface action performed by the individual indicating that an email...has been identified...as a possible phishing attack; | Wombat provides ThreatSim for Outlook and PhishAlarm, which are described as email client plugins that add a button allowing users to report suspicious emails with a single click. | ¶28, ¶33 | col. 13:26-36 |
| determining whether the identified email is a known simulated phishing attack by comparing one or more headers of the identified email to stored information identifying at least one known simulated phishing attack; | The Accused Products allegedly check for the presence of the custom "X-ThreatSim-ID" header to distinguish simulated phishing attacks from other emails. | ¶29 | col. 13:37-43 |
| when the identified email is determined to be a known simulated phishing attack...providing a graphically displayed feedback to the individual... | When a user reports a simulated email (identified via its header), ThreatSim for Outlook allegedly provides feedback confirming it was a simulation. | ¶30 | col. 13:44-49 |
| when the identified email is determined not to be a known simulated phishing attack...causing the plugin to send the identified email for analysis or detection... | If the "X-ThreatSim-ID" header is not found, the email is forwarded to a pre-configured email address for analysis by a security team. | ¶29 | col. 13:50-57 |
| causing the provisioning of an electronic training to the individual if the individual clicks on the embedded hyperlink... | Wombat's ThreatSim and PhishGuru products allegedly present a "Teachable Moment" to any user who clicks on a link within a simulated phishing email. | ¶31, ¶32 | col. 14:15-19 |
Identified Points of Contention:
- Scope Questions: The claim requires a "plug-in for an email client." A potential dispute may arise over whether Wombat’s "ThreatSim for Outlook" and "PhishAlarm" products, as implemented across various email platforms (e.g., desktop clients, webmail), meet the legal construction of the term "plug-in" as it is described and defined within the patent.
- Technical Questions: The claim requires "comparing one or more headers... to stored information identifying at least one known simulated phishing attack." The complaint alleges Wombat’s system checks for the presence of a self-identifying "X-ThreatSim-ID" header. This raises the question of whether checking for a single, self-validating header meets the "comparing... to stored information" limitation, which could be construed to require a lookup against an external database or list of known attack identifiers.
’221 Patent Infringement Allegations
- The infringement allegations for the initial steps of this patent's claims are identical to those for the ’017 Patent, as described above. The key additional allegation is summarized below.
| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
|---|---|---|---|
| if the email has been identified as a potential phishing attack, computing a likelihood that the identified email is a real phishing attack or is not a real phishing attack based on one or more attributes associated with the identified email. | Wombat's PhishAlarm Analyzer product allegedly "examines attributes and content of reported emails to determine the likelihood that a reported email is an actual phishing attack," thereby prioritizing threats for security teams. | ¶34 | col. 14:19-24 |
Identified Points of Contention:
- Technical Questions: The core dispute for the ’221 Patent will likely center on the "computing a likelihood" element. The complaint alleges that PhishAlarm Analyzer performs this function, but provides limited technical detail from public-facing materials. A key question for the court will be whether the internal operation of PhishAlarm Analyzer actually performs a "likelihood" computation based on "attributes" as claimed, or if it performs a function (e.g., simple sorting or filtering) that is technically distinct from the claimed method.
V. Key Claim Terms for Construction
Term 1: "plug-in for an email client" (’017 Patent, cl. 1; ’221 Patent, cl. 1)
- Context and Importance: This term defines the mechanism through which users report threats. Its construction is critical because it determines whether the various software tools Wombat provides for reporting across different email systems (desktop, mobile, web) fall within the scope of the claims.
- Intrinsic Evidence for Interpretation:
- Evidence for a Broader Interpretation: The specification does not appear to provide a narrow, explicit definition. It refers generally to a "computer program (e.g., plug-in, client-side plug-in, etc.) present at one or more of computing devices" that can determine if a message is simulated (’017 Patent, col. 4:59-62). This language suggests "plug-in" is an exemplary, rather than exclusive, embodiment.
- Evidence for a Narrower Interpretation: A defendant may argue that the repeated use of the term "plug-in" and "client-side plug-in" implies a specific software architecture that is locally installed and integrates directly with a client application like Microsoft Outlook, potentially excluding web-based scripts or add-ins for cloud email services.
Term 2: "computing a likelihood" (’221 Patent, cl. 1)
- Context and Importance: This term describes the allegedly novel feature of the ’221 Patent—the ability to score and prioritize potential threats. The definition of "computing a likelihood" will be dispositive for infringement by the PhishAlarm Analyzer product.
- Intrinsic Evidence for Interpretation:
- Evidence for a Broader Interpretation: The claim language itself is general. The specification describes this concept as estimating the "likelihood that the message is a real phishing attack" which "may be a numerical value referred to as a score" (’221 Patent, col. 3:45-50). This could be argued to encompass any form of numerical risk scoring.
- Evidence for a Narrower Interpretation: The specification provides a specific example of how this score is computed, by summing the "trustworthiness levels" of the reporting individuals and comparing the resulting score to a threshold (’221 Patent, col. 6:50-65; FIG. 5). A defendant could argue that this detailed example limits the claim to this specific type of trust-based aggregation, and does not cover other methods of analyzing email "attributes" to generate a score.
VI. Other Allegations
- Indirect Infringement: The complaint alleges induced infringement, stating that Wombat encourages its customers to use the Accused Products in an infringing manner by providing instructions and promoting the products' infringing functionalities on its website (Compl. ¶37, ¶43).
- Willful Infringement: While not explicitly pleading "willfulness," the complaint lays the groundwork for such a claim by seeking enhanced damages and alleging that Wombat had knowledge of PhishMe's patent portfolio before the suit was filed. The complaint alleges that Wombat knew of PhishMe's inventions since at least August 21, 2015, when it cited a related PhishMe patent during its own patent prosecution, and that Wombat monitored PhishMe's patent applications, as evidenced by its filing of a PGR against a related patent (Compl. ¶39, ¶45).
VII. Analyst’s Conclusion: Key Questions for the Case
- A central issue will be one of claim construction: Can the term "plug-in for an email client", used throughout the patents, be construed broadly enough to cover the full range of reporting tools offered in Wombat's modern, cross-platform security suite? Furthermore, for the ’221 patent, what is the required technical implementation for "computing a likelihood," and does it require the specific trust-based scoring described in the specification?
- A key evidentiary question will be one of technical proof: Beyond marketing language, what evidence will show that Wombat's PhishAlarm Analyzer actually performs the "likelihood" computation required by the ’221 patent's claims? The case may turn on whether the accused product's internal logic for prioritizing threats matches the specific function claimed in the patent.
- The dispute will likely involve a significant focus on intent and knowledge. Given the allegations of Wombat's pre-suit familiarity with PhishMe's patent family through a PGR proceeding and its own prosecution history, the question of whether any infringement was willful is positioned to be a critical factor in determining the extent of potential damages.