PTAB

IPR2015-01356

PhishMe Inc v. PhishLine LLC


1. Case Identification

2. Patent Overview

  • Title: Systems and Methods for Phishing Susceptibility Testing
  • Brief Description: The ’741 patent is directed to systems and methods for testing employee susceptibility to phishing scams. The disclosed invention involves creating an address book of targets, generating simulated phishing emails containing links to websites configured to solicit information, sending the emails, and then collecting and reporting on the recipients' responses to an administrator.

3. Grounds for Unpatentability

Ground 1: Obviousness over The Easy Way and Measuring the Human Factor - Claim 9 is obvious over The Easy Way in view of Measuring the Human Factor.

  • Prior Art Relied Upon: The Easy Way (a 2008 online review of Petitioner’s PhishMe service) and Measuring the Human Factor (a 2011 publication on cybersecurity).
  • Core Argument for this Ground:
    • Prior Art Mapping: Petitioner argued that The Easy Way teaches a complete system for facilitating phishing susceptibility assessments as claimed, including creating recipient groups, generating phishing emails with links, and monitoring user responses (e.g., clicks). However, it does not explicitly disclose the "call-home probe macro" recited in claim 9. This limitation was allegedly taught by Measuring the Human Factor, which describes using PDF attachments containing a "beacon" that "emits a beacon to our servers when opened" to track user interaction automatically. Petitioner asserted a person of ordinary skill in the art (POSITA) would find the claimed "macro" and the disclosed "beacon" to be functionally indistinguishable.
    • Motivation to Combine: A POSITA would combine these references because both relate to simulated phishing systems with the shared goal of measuring enterprise-level susceptibility to such attacks. A POSITA would have been motivated to incorporate the beacon/macro functionality from Measuring the Human Factor into the system of The Easy Way to enable more robust and accurate data collection on user responses, which is a simple and predictable improvement.
    • Expectation of Success: The portability of macros allows for straightforward integration into existing systems without fundamentally altering their function. The combination would have yielded only expected results.

Ground 2: Obviousness over The Easy Way, Measuring the Human Factor, and Self-Signed Certificate - Claims 10 and 11 are obvious over the combination for Ground 1 in further view of Self-Signed Certificate.

  • Prior Art Relied Upon: The Easy Way, Measuring the Human Factor, and Self-Signed Certificate (a 2010 publication on creating digital certificates in Microsoft Office).
  • Core Argument for this Ground:
    • Prior Art Mapping: This ground built upon Ground 1, adding Self-Signed Certificate to address the limitations of claim 10 (macro is signed) and claim 11 (macro is unsigned). Petitioner contended that Self-Signed Certificate explicitly teaches how and why to digitally sign macros—namely, to eliminate security warnings that would otherwise appear when a user opens the document. The reference inherently disclosed the unsigned state as the default condition before a signature is applied.
    • Motivation to Combine: A POSITA implementing the system of Ground 1 would be motivated to use a signed macro, as taught by Self-Signed Certificate, to prevent security pop-ups that could warn users and compromise the realism of the phishing simulation. The choice between a signed macro (claim 10) to improve the simulation's effectiveness or an unsigned macro (claim 11) as a default state represented a simple design choice with predictable results.

Ground 3: Obviousness over The Easy Way and Patent 8,296,376 - Claim 21 is obvious over The Easy Way in view of the ’376 patent.

  • Prior Art Relied Upon: The Easy Way and Patent 8,296,376 (“’376 patent”).
  • Core Argument for this Ground:
    • Prior Art Mapping: Petitioner asserted that while The Easy Way taught the base phishing simulation system, it did not explicitly describe monitoring the specific automatic responses recited in claim 21 (server receipt, read receipt, out-of-office reply). The ’376 patent allegedly cured this deficiency by disclosing a system for generating responsiveness metrics for email messages that specifically tracks these types of automatic replies, including delivery status notifications, read receipts, and auto-reply vacation messages.
    • Motivation to Combine: A POSITA would combine the teachings of the ’376 patent with the system of The Easy Way to create a more comprehensive tracking and reporting tool. The responses monitored in the ’376 patent are generic to any email system and would be useful for building a more complete statistical database of user interactions and ensuring proper email transmission within the phishing campaign.
  • Additional Grounds: Petitioner asserted nine additional obviousness challenges against various claims based on combinations of The Easy Way with other references, including the ’130 publication (for outbound email status), the ’614 publication (for inbound analysis), the ’918 patent (for profiling passwords), and publications Mitigating the Risk and Audit Log (for encrypting responses).

4. Key Claim Construction Positions

Petitioner argued for specific constructions consistent with a prior PTAB decision involving the ’741 patent, asserting they were critical to its invalidity arguments.

  • "response": Construed as "data related to a recipient interacting with a phishing e-mail." This broad construction was argued to encompass various user actions beyond simply entering data.
  • "profile [potentially confidential information]": Construed as "details that characterize the information beyond an indication that information has been entered." This construction, focused on metadata (e.g., number of characters entered) rather than the content itself, was central to the argument for claim 35.
  • "interactive application simulator": Construed as "a module that receives data related to recipients interacting with phishing e-mails."

5. Arguments Regarding Discretionary Denial

Petitioner argued that this petition should not be denied based on a prior inter partes review (IPR), IPR2014-00531, that also challenged the ’741 patent.

  • Petitioner asserted that statutory estoppel under §315(e) did not apply because the prior IPR was terminated by the Patent Owner’s request for adverse judgment after institution, and thus no Final Written Decision (FWD) was rendered.
  • For claims 35 and 41, which were challenged in the prior proceeding, Petitioner argued the current challenge was not repetitive because it was based on materially different claim constructions (adopted from the Board's institution decision in the prior case) and new, non-cumulative prior art references.

6. Relief Requested

  • Petitioner requested institution of an IPR and cancellation of claims 9-11, 21, 23-27, 35, 36, and 41 of the ’741 patent as unpatentable.