PTAB

IPR2014-00531

PhishMe Inc v. Chapman Technology Group Inc

1. Case Identification

2. Patent Overview

  • Title: Systems and Methods for Facilitating Organizational Phishing Testing
  • Brief Description: The ’741 patent discloses systems and methods for testing the susceptibility of an organization's employees to phishing scams. The invention involves creating an address book of employee emails, generating and sending simulated phishing emails with links to a target web page, monitoring recipient responses, and reporting the results to an administrator.

3. Grounds for Unpatentability

Ground 1: Anticipation of Claims 1-4, 12, 13, 16, 19, 28, 37, and 40 under 35 U.S.C. §102(b)

  • Prior Art Relied Upon: The Easy Way (a 2008 online review of Petitioner's PhishMe product).
  • Core Argument for this Ground:
    • Prior Art Mapping: Petitioner argued that The Easy Way, a review of a hosted "online solution" for phishing training, discloses every element of the challenged claims. The reference described a wizard-like system that allows an administrator to create recipient groups (address book), customize and send phishing emails containing links (e-mail manager/message generation), and modify a destination web page (web page manager). The Easy Way further disclosed that the system monitors user interactions, such as link clicks, and provides reports with statistics, but is explicitly configured to not collect personal data like account IDs or passwords, thereby teaching the claimed "interactive application simulator" arranged to avoid collecting confidential information.
    • Key Aspects: The core of this ground was that a publicly available review of the Petitioner's own commercial product, published years before the patent's filing date, described the entire claimed system.

Ground 2: Obviousness of Claims 1-4, 12, 13, 16, 19, 28, 37, and 40 under 35 U.S.C. §103

  • Prior Art Relied Upon: The Easy Way, in view of ROT13 (a 2006 academic paper titled "Designing Ethical Phishing Experiments").
  • Core Argument for this Ground:
    • Prior Art Mapping: In the alternative to Ground 1, Petitioner argued that if The Easy Way were found not to disclose the "interactive application simulator," ROT13 supplied the missing element. ROT13 described a system for conducting phishing experiments that generates phishing emails, monitors user responses, and generates reports. Critically, ROT13 explicitly stated that a well-constructed experiment should not give researchers access to user credentials, thereby teaching a system configured to avoid collecting confidential information.
    • Motivation to Combine: A Person of Ordinary Skill in the Art (POSITA) would combine The Easy Way with ROT13 because both references address the same problem: creating and managing simulated phishing campaigns for training and assessment. A POSITA seeking to build the system in The Easy Way would have looked to academic literature like ROT13 for established best practices, such as the ethical imperative to avoid collecting sensitive user data, making the combination logical and predictable.
    • Expectation of Success: A POSITA would have had a high expectation of success in integrating the data-collection-avoidance feature of ROT13 into the phishing simulation platform of The Easy Way, as it involved known software techniques for handling user input.

Ground 3: Obviousness of Claim 4 under §103

  • Prior Art Relied Upon: The Easy Way, in view of Phishing Drills (a 2007 article titled "Phishing Drills Teach Employees to Dodge the Hook").
  • Core Argument for this Ground:
    • Prior Art Mapping: This ground specifically targeted claim 4, which added the limitation of an "e-mail template manager module." While The Easy Way disclosed a default email message that could be customized, Phishing Drills explicitly taught using "templates for crafting customized faux phishing attacks" in a WYSIWYG workflow. Phishing Drills described a portal that would generate email templates for various scenarios (e.g., a change to a 401(k) plan) to make phishing simulations more efficient and realistic.
    • Motivation to Combine: A POSITA implementing the system of The Easy Way would be motivated to incorporate the template-based approach from Phishing Drills to improve the system's efficiency and usability. Providing pre-made, selectable templates is a well-known and simple design choice for any system that involves creating repetitive content, and applying it to phishing emails would have been a predictable improvement.
    • Expectation of Success: The integration would have been straightforward, as it involved adding a common software feature (content templates) to an existing email generation system.
  • Additional Grounds: Petitioner asserted that claims 1-5, 12, 13, 16, 19, 29-31, 35, 37, 40, and 41 are obvious over The Easy Way alone based on the knowledge of a POSITA. Petitioner also asserted that claim 8, which requires an email attachment of a specific document type (e.g., PDF, Excel), is obvious over The Easy Way in view of Core Impact (a 2008 article describing a penetration testing tool that uses malicious email attachments like Excel spreadsheets).

4. Key Claim Construction Positions

Petitioner argued for the following constructions under the Broadest Reasonable Interpretation standard:

  • "address book": Construed as "one or more email addresses identifiable as grouped together." This broad construction was intended to cover the "recipient groups" disclosed in The Easy Way.
  • "response": Construed as "any indication of any action in response [to] the phishing email." This was meant to encompass various monitored events described in the patent, such as server delivery confirmation, email views, link clicks, or data entry.
  • "interactive application simulator": Construed as "an apparatus that facilitates interaction with a user by generating a phishing email and receiving data relating to a response to the phishing email." Petitioner argued this term has no established meaning in the art and its construction should be based on its functional description in the specification, which aligned with the functionality of the systems in the prior art.

5. Relief Requested

  • Petitioner requested the institution of an inter partes review and the cancellation of claims 1-5, 8, 12, 13, 16, 19, 28-31, 35, 37, 40, and 41 of the ’741 patent as unpatentable.