WO2025192952A1 - Apparatus for preventing phishing and operating method thereof - Google Patents

Abstract

The present invention relates to an apparatus for preventing phishing and an operating method thereof. The apparatus for preventing phishing, according to an embodiment of the present invention, may include: a communication interface unit that receives data of a phone call or text message of a user terminal device using a service for preventing phishing; and a control unit that verifies the received data to determine phishing and, when phishing is suspected on the basis of the result of the determination, if there is a financial transaction of a user due to the suspected phishing, blocks the financial transaction by receiving authentication from a third party designated by the user to prevent phishing.

Description

Device for preventing phishing scams and method for operating the device.

The present invention relates to a device for preventing phishing fraud and a method for operating the device, and more specifically, to a device for preventing phishing fraud and a method for operating the device for blocking in advance information theft or fraudulent financial transactions that occur through, for example, smishing, pharming, phishing, memory hacking, etc.

Information and communication technology (ICT) is rapidly developing, and in particular, high-capacity, high-speed data transmission technologies, particularly mobile communications, are rapidly advancing. Consequently, a significant portion of financial transactions are conducted via desktop PCs or mobile devices. Taking advantage of this lack of face-to-face interaction, various financial scams, such as voice phishing and text phishing (or smishing), are frequently occurring, resulting in significant losses. Voice phishing is a form of financial fraud that involves impersonating the prosecution, the Financial Supervisory Service, courts, or financial institutions to induce financial transactions or steal personal financial information. Text phishing, similarly, involves impersonating public institutions and sending lengthy, deceptive text messages to induce financial transactions or steal personal financial information.

However, there is a problem that users cannot verify whether the number on the other end of the call is actually the number of the public institution during the short time the call is being made, so they may fall victim to voice phishing or, even if the call is actually from a public institution, may become suspicious and cause disruption to work.

Additionally, in the case of text phishing, the sender can change the sender's number at will, so in this case, there is a problem in that there is no way to verify whether the sender is a public institution by verifying the phone number.

Furthermore, even when users determine that the other party is attempting voice phishing, they are often confused and do not know how to report it, how to collect evidence, or which route to use to report it, so they often give up on reporting it. This is one of the reasons why it is difficult to eradicate voice phishing.

(Patent Document 1) Korean Patent Publication No. 10-1520246 (May 8, 2015)

(Patent Document 2) Korean Patent Publication No. 10-2105059 (April 21, 2020)

(Patent Document 3) Korean Patent Publication No. 10-2412946 (June 21, 2022)

(Patent Document 4) Korean Patent Publication No. 10-2330276 (November 18, 2021)

(Patent Document 5) Korean Patent Publication No. 10-2017-0062726 (June 8, 2017)

The purpose of the present invention is to provide a device for preventing phishing fraud and a method for operating the device to prevent information theft or fraudulent financial transactions in advance, such as through smishing, pharming, phishing, memory hacking, etc.

The tasks of the present invention are not limited to the tasks mentioned above, and other tasks not mentioned will be clearly understood by those skilled in the art from the description below.

In order to solve the above problem, a device for preventing phishing fraud according to an embodiment of the present invention includes a communication interface unit that receives data of a voice call or text message performed on a user terminal device of a user using a service for preventing phishing fraud, and a control unit that verifies the received data to determine whether or not phishing occurs, and when phishing is suspected as a result of the determination, if there is a financial transaction by the user due to the suspected phishing, receives authentication from a third party designated by the user for phishing fraud prevention and blocks the financial transaction.

The above control unit can verify the voice content of the voice call to check for words suspected of voice phishing and determine whether or not it is phishing, and when URL (Uniform Resource Locator) information sent as a text message is clicked, verify the URL information to determine whether or not it is suspicious URL information and determine whether or not it is phishing.

The above control unit further verifies the caller's phone number or the device identification information of the caller's terminal device to determine whether or not the call is phishing, and can warn the user terminal device of phishing when phishing is suspected.

The above control unit can automatically connect a call to the third party's terminal device if a call suspected of being voice phishing continues for a specified period of time, thereby notifying the user that a call suspected of being voice phishing is in progress.

In addition, a method for operating a device for preventing phishing fraud according to an embodiment of the present invention for solving the above problem includes a step of receiving data of a phone call or text message performed in a user terminal device of a user using a service for preventing phishing fraud by a communication interface unit, and a step of verifying the received data to determine whether phishing occurs, and when phishing is suspected as a result of the determination, if there is a financial transaction by the user due to the suspected phishing, blocking the financial transaction by receiving authentication from a third party designated by the user for preventing phishing fraud.

The step of determining whether the above-mentioned phishing is true may include a step of verifying the voice content of the voice call to confirm words suspected of voice phishing and thereby determining whether the above-mentioned phishing is true, and a step of verifying the URL information sent via text message when the URL information is clicked to confirm whether the URL information is suspicious and thereby determining whether the above-mentioned phishing is true.

The above driving method may further include a step of further verifying the caller's phone number or device identification information of the caller's terminal device to determine whether or not the above is phishing, and a step of warning the user terminal device of phishing when phishing is suspected.

The above driving method may further include a step of automatically connecting a call to a third party terminal device when a call suspected of being voice phishing continues for a predetermined period of time to notify the user that the call is suspected of being voice phishing.

According to an embodiment of the present invention, financial transactions caused by voice phishing or smishing, etc., which have recently occurred among many telephone or computer users, can be blocked in advance, thereby preventing financial loss.

In addition, an embodiment of the present invention monitors phone calls or text messages of users who have subscribed to the service, and when a financial transaction leads to a phishing scam, it can block malicious and negative financial transactions in advance by intervening, such as requesting authentication from a third party (e.g., a child) designated by the user in advance.

The effects of the present invention are not limited to the effects mentioned above, and other effects not mentioned will be clearly understood by those skilled in the art from the description of the claims.

FIG. 1 is a drawing showing a phishing fraud prevention system according to an embodiment of the present invention.

Figure 2 is a block diagram illustrating the detailed structure of the phishing fraud prevention device of Figure 1.

Figure 3 is a drawing showing a phishing fraud prevention process according to an embodiment of the present invention.

Figure 4 is a flowchart showing the operation process of the phishing fraud prevention device of Figure 1.

The present invention is not limited to the embodiments described below, but can be implemented in various different forms. These embodiments are merely illustrative of the contents of the present invention and are provided to provide those skilled in the art with a detailed understanding of the scope of the invention. The present invention is defined solely by the scope of the claims. Like reference numerals refer to like elements throughout the specification.

Embodiments described herein will be described with reference to cross-sectional and/or plan views, which are ideal examples of the present invention. In the drawings, the illustrated regions are expressed for the effective explanation of the technical contents. Therefore, the regions illustrated in the drawings have a schematic nature, and the shapes of the regions illustrated in the drawings are intended to illustrate specific forms of the device regions and are not intended to limit the scope of the invention. Although terms such as first, second, and third are used to describe various components in various embodiments of the present specification, these components should not be limited by such terms. These terms are used only to distinguish one component from another. The embodiments described and illustrated herein also include complementary embodiments thereof.

The terminology used herein is for the purpose of describing embodiments only and is not intended to be limiting of the present invention. In this specification, the singular also includes the plural unless specifically stated otherwise. As used herein, the terms "comprises" and/or "comprising" do not exclude the presence or addition of one or more other components, steps, operations, and/or elements to the mentioned components, steps, operations, and/or elements.

Unless otherwise defined, all terms (including technical and scientific terms) used herein may be used in their common sense to those of ordinary skill in the art to which the present invention pertains. Furthermore, terms defined in commonly used dictionaries are not to be interpreted ideally or excessively unless explicitly and specifically defined otherwise.

Hereinafter, with reference to the drawings, the concept of the present invention and embodiments thereof will be described in detail.

FIG. 1 is a drawing showing a phishing fraud prevention system according to an embodiment of the present invention.

The phishing fraud prevention system (90) of FIG. 1 according to an embodiment of the present invention is not intended to be limited to phishing, and can operate as a fraud prevention system for preventing smishing, pharming, phishing, memory hacking, etc., and includes some or all of a sender terminal device (100), a receiver terminal device (105), a communication network (110), a phishing fraud prevention device (120), a third-party terminal device (130), and a third-party device (140) as illustrated in FIG. 1.

Here, “including some or all” means that some components, such as a third-party device (140), may be omitted to configure the phishing prevention system (90), or some or all of the components constituting the phishing prevention device (120) may be integrated into a network device (e.g., a wireless switching device, a gateway, etc.) constituting a communication network (110), and is described as including all in order to help a sufficient understanding of the invention.

The sender terminal device (100) refers to a user's terminal device that performs malicious attacks (or operations) such as smishing, pharming, phishing, and memory hacking according to an embodiment of the present invention. The sender terminal device (100) may include not only a PC-based terminal device such as a desktop computer or laptop computer, but also, in the case of voice phishing or smishing, a mobile-based terminal device such as a smartphone, tablet PC, or even a wearable device worn on the wrist. For example, in the case of text messages, it is entirely possible to connect to the server of a text message sending company and use the service to send text messages in bulk, and thus the present invention will not be particularly limited to any one form. The sender terminal device (100) of an attacker performing a malicious attack may preferably be a telephone, such as a mobile phone, that can make calls by generating a call request.

The receiver terminal device (105) may operate as one of the devices for preventing phishing fraud according to an embodiment of the present invention, and the type of the receiver terminal device (105) may not be significantly different from that of the sender terminal device (100). However, the receiver terminal device (105) may include a computer or telephone that can receive phone calls, text messages, and even emails that can be attacked by malicious attackers, and can use messenger services. Of course, in the embodiment of the present invention, considering that many socially vulnerable groups, such as the elderly, youth, and the disabled, suffer financial losses due to malicious attacks such as voice phishing, terminal devices carried by these types of users may be preferable. However, the embodiment of the present invention will not specifically limit victims who suffer damage from such malicious attackers or who deal with them.

Users of the recipient terminal device (105), such as the elderly who are prone to phishing, can access the phishing fraud prevention device (120) of FIG. 1 and utilize the service according to an embodiment of the present invention. For example, after signing up for the service provided by the phishing fraud prevention device (120), they can install an application (hereinafter, “app”) on their smartphone, etc., or access an app store, etc., to download and install the app. Upon completion of this procedure, data related to phone calls, text messages, messengers, etc., or even emails registered through the recipient terminal device (105), are analyzed to monitor the status of the recipient terminal device (105), and an operation can be performed to verify whether phishing is occurring, for example, when a call suspected of phishing is in progress or URL information suspected of smishing is clicked. Of course, the app installed within the recipient terminal device (105) can perform this verification operation on its own, but it can also operate to transmit data to the phishing fraud prevention device (120) of FIG. 1 through the app to perform verification. As for how to process data, the operation can be determined and performed in various ways depending on the intention of the system designer, and thus the embodiment of the present invention will not be specifically limited to any one form. For example, the app installed on the receiver terminal device (105) according to the embodiment of the present invention can block the installation of malware or apps for stealing personal information in order to prevent phishing scams, but in case the recipient installs it without knowing, it is also possible to copy and save the storage path information, and then automatically delete the apps or malware installed along the corresponding path when the phishing prevention device (120) notifies that the recently clicked message is a smishing message. Of course, in the embodiment of the present invention, it may be desirable to install such apps for stealing personal information after prior verification of URL information, etc.

The recipient terminal device (105) can, when using the phishing fraud prevention service according to an embodiment of the present invention, designate a third party to request verification (or approval) when a phishing fraud leads to a financial transaction, such as for the elderly, the disabled, or adolescents. Of course, based on the sender-recipient relationship, this third party could be a parent for children or a child for the elderly. For example, elderly parents can respond to constantly evolving new types of fraud by designating their own children as the third party. In other words, when malicious voice phishing or smishing for financial transactions occurs using the recipient terminal device (105) carried by the elderly, the phishing fraud prevention device (120) of FIG. 1 can detect even new types of fraud through ongoing technological development. Therefore, monitoring can alert the recipient terminal device (105) to any phishing-related abuse, and when it ultimately leads to a financial transaction, it can require third-party approval, thereby preemptively blocking fraud. Of course, depending on service usage, the recipient terminal device (105) can receive a warning on screen or by voice when a phishing scam is suspected. Furthermore, if a third party intervenes, the recipient can be notified of the reason for the blocked financial transaction. Third-party intervention can occur not only during financial transactions, but also automatically at any time if a suspected phishing phone call lasts longer than a specified time. In this case, the caller and recipient are on the phone, but the phishing prevention device (120) can automatically connect the call so that the third party can listen in, or operate to enable a three-way call where the third party can participate in the call like the caller. Of course, for this purpose, the phishing prevention device (120) can be linked to a switching device through a partnership with a telecommunications company to enable this operation.

The communication network (110) can be configured in various forms. The communication network (110) can include both wired and wireless communication networks. For example, a wired or wireless Internet network can be used or linked as the communication network (110). Here, the wired network includes an Internet network such as a cable network or a public switched telephone network (PSTN), and the wireless communication network includes a CDMA, WCDMA, GSM, EPC (Evolved Packet Core), LTE (Long Term Evolution), Wibro network, etc. Of course, the communication network (110) according to the embodiment of the present invention is not limited thereto, and can be used as an access network of a next-generation mobile communication system to be implemented in the future, for example, a cloud computing network in a cloud computing environment, a 5G network, a 6G network, etc. For example, if the communication network (110) is a wired communication network, an access point within the communication network can connect to a telephone exchange, etc., but if it is a wireless communication network, data can be processed by connecting to an SGSN or GGSN (Gateway GPRS Support Node) operated by a communication company, or data can be processed by connecting to various relays such as a BTS (Base Transceiver Station), NodeB, or e-NodeB.

The communication network (110) may include an access point. The access point may include a small base station, such as a femto or pico base station, which is often installed inside a building. Here, the femto or pico base station may be classified according to the maximum number of receiver terminal devices (105) or third-party terminal devices (130) of FIG. 1 that can be connected to the small base station. Of course, the communication network (110) may include a short-range communication module for performing short-range communication, such as Zigbee and Wi-Fi, with the receiver terminal devices (105) or third-party terminal devices (130). The access point may use TCP/IP or RTSP (Real-Time Streaming Protocol) for wireless communication. Here, short-range communication can be performed using various standards, such as Bluetooth, Zigbee, infrared (IrDA), radio frequency (RF) such as UHF (Ultra High Frequency) and VHF (Very High Frequency), and ultra-wideband (UWB) in addition to Wi-Fi. Accordingly, the access point can extract the location of the data packet, designate the best communication path for the extracted location, and forward the data packet along the designated communication path to the next device, such as the phishing prevention device (120). The access point can share multiple lines in a general network environment, and may include, for example, a router, a repeater, and a repeater.

The phishing prevention device (120) may operate as one of the devices for preventing phishing fraud according to an embodiment of the present invention, and may include, for example, a cloud server that is connected and operates remotely (globally) with a receiver terminal device (105), and may be configured to include a DB (120a) that is connected to the server via a dedicated network such as an intranet. In the system (90) of FIG. 1, the server and DB (120a) may be considered to constitute a back-end. In the back-end configuration, separate data processing may not be performed, and in some cases, for example, encryption/decryption operations may be possible for important data. Representatively, authentication information of a third party (e.g., biometric information such as a fingerprint or iris) that performs a key role according to an embodiment of the present invention may be encrypted/decrypted.

When a recipient subscribes to a service according to an embodiment of the present invention on a recipient terminal device (105) and uses the service, the phishing prevention device (120) may receive in real time the recipient's identification information, such as the recipient's phone number (information) or device ID, as well as data of phone calls and text messages, from a wired/wireless switching device of a telecommunications company used by the recipient, which constitutes the third-party device (140) of FIG. 1. Of course, in the embodiment of the present invention, it is also possible to receive data directly from the recipient terminal device (105), and thus the present invention is not particularly limited to any one form. For example, an app that provides a service according to an embodiment of the present invention may be equipped with a program that automatically records voice calls. In addition, this may enable detection when a call is received. Only for users subscribed to the service, when a phone call is made on the recipient terminal device (105), the app may be executed and the automatically recorded voice signal may be provided to the phishing prevention device (120). Of course, since the voice received through the microphone (hereinafter, “microphone”) of the receiver terminal device (105) is in the form of an analog or digital voice signal, an STT (Speech to Text) module may be required to convert the voice signal into text. This is because only then can the text data be analyzed and the call content, etc., interpreted. If such an STT module is installed in the receiver terminal device (105), the phishing fraud prevention device (120) can receive text data from the receiver terminal device (105). On the other hand, if a voice signal is provided, the phishing fraud prevention device (120) can directly execute the STT module to generate text data related to the voice call.

Furthermore, the phishing prevention device (120) according to an embodiment of the present invention can analyze text data related to voice calls. For text data analysis, a corpus dictionary containing phishing-related words can be used. For example, a library can pre-store data related to words (or idioms) commonly used in voice phishing. Therefore, the library can be used to determine whether words suspected of voice phishing are detected in the text data. Recently, many artificial intelligence models, such as Large Language Models (LLMs), capable of natural language processing of sentences have been developed. Therefore, utilizing these LLMs can enable more accurate and rapid text data analysis. For example, unlike existing rule-based methods, artificial intelligence programs have the advantage of enabling predictions through data analysis. For example, even if it's not a word detection method in text data, it's possible to compare and analyze existing cases of voice phishing criminals using methods such as voice tone or pronunciation, or a combination of the two methods, and make predictions based on these comparisons.

More specifically, the phishing prevention device (120) according to an embodiment of the present invention can verify the phone number (or device ID, etc.) of the caller's terminal device (100) when a phone call is made from the caller's terminal device (105). Furthermore, it can determine whether voice phishing is occurring through verification of words (STT) during the call. Furthermore, if phishing is determined, a warning can be issued to the caller's terminal device (105). Warning methods may include screen-based warnings, voice warnings, etc., or password input or third-party connection and authentication may be performed during the warning phase. Furthermore, authentication procedures, etc., may be performed during a remittance. As mentioned above, when a user of the caller's terminal device (105) conducts a financial transaction suspected of being phishing, authentication may be performed by a designated third party. Of course, the phishing prevention device (120) can determine whether a financial transaction is being conducted using a mobile device such as a smartphone or a remittance is being conducted via an automated teller machine (ATM). In such cases, it can notify a third-party terminal device (130) of a suspected phishing situation, thereby preventing authentication. Of course, third-party authentication can utilize various methods such as password input, pattern authentication, or biometric authentication, and thus the present invention will not be specifically limited to any one form. In other words, a financial transaction can be completed when a third party approves a financial transaction and the authentication information provided upon approval matches the previously registered authentication information. Of course, in the present invention, if a malicious attacker detects this, the third party may be a malicious user, so it is entirely possible to block the financial transaction when the authentication information matches.

Of course, the phishing prevention device (120) can perform various other functions. When providing continuous warnings based on time intervals after a screen or voice warning (first alert), the time interval can be varied based on the duration of the call. If the warnings persist beyond a certain time limit, the warning cycle can be shortened. Furthermore, if the frequency of specific words or phrases mentioned during a call decreases or falls below a certain threshold, the authentication process (e.g., user or third-party authentication) up to the final remittance can be simplified.

For example, in an embodiment of the present invention, the following scenario may be possible. The phishing fraud prevention device (120) according to an embodiment of the present invention performs voice phishing AI verification and blocking operations, and may also perform various additional operations related to withdrawal services of third parties, etc. Firstly, it may verify a phone number (e.g., using an address book, police station, etc.), and secondly, it may perform automatic recording when a specific word (or idiom) is mentioned during a call. On-screen and voice warnings may be continuously issued at time intervals after the first warning. When a pre-registered password is entered during a normal call, a normal call can be made, and if it is not entered, a forced call termination may be performed. If a voice phishing suspected call continues to be made, the call may be automatically connected to a pre-registered third party (e.g., a third party may be notified in advance that the user is in a voice phishing suspected call). If the user has been a victim of smith phishing, i.e., smishing, a three-way call may not be possible. In this case, notifications can be sent via text message, social media, etc. (e.g., to the user, third parties, etc.). Furthermore, the current situation (e.g., voice phishing phone number, suspicion, etc.) can be notified in advance to relevant organizations (e.g., telecommunications companies, insurance companies, police agencies, etc.). However, to complete the final remittance, a pre-registered third-party authentication process (e.g., consent, fingerprint, pattern, OTP, password, etc.) must be completed. For example, automated contact from a third party can be made by analyzing conversation content through an AI program, accurately informing the recipient of the current situation. Contacts stored in the recipient's terminal (105) phone book can be automatically contacted. For government offices without contact information, the system can automatically connect to a portal site or other internet portal to obtain their phone numbers and initiate automatic contact. Considering the time required for searches and accuracy, it may be advisable for users to pre-save information on automatically contactable organizations when signing up for the service and utilize it when necessary.

In addition, the phishing prevention device (120) can distribute profits generated through services provided by telecommunications companies or, if necessary, in conjunction with insurance companies. Furthermore, in embodiments of the present invention, it can be utilized for ATMs, mobile banking, internet banking, and the like. In other words, phishing can be prevented by linking with servers providing the relevant services. These servers, etc. can constitute a third-party device (140) in embodiments of the present invention, and the phishing prevention device (120) can exchange service-related data in real time by linking with the third-party device (140) via an API (Application Programming Interface).

The third-party terminal device (130) may function as one of the devices for preventing phishing fraud according to an embodiment of the present invention, and may refer to a terminal device of a user designated as a third party in the recipient terminal device (105) of a user who is concerned about the damage caused by phishing fraud, or more precisely, a user using a service according to an embodiment of the present invention. Of course, in the case of an elderly person, a specific person among his or her children (in relation to the sender) may be the third party, and in the case of a child, his or her parents may be the third party. Of course, the third-party terminal device (130) may be a mobile-based terminal device such as a smartphone or a wearable device. When a third party is designated in the recipient terminal device (105) for service use, the phishing fraud prevention device (120) may connect to the third-party terminal device (130) based on the third-party information entered in the recipient terminal device (105) and proceed with a procedure for registering authentication information, and the third-party terminal device (130) may be involved in this operation. Accordingly, when a phishing scam is suspected at the recipient terminal (105) and a financial transaction is conducted, the third-party terminal (130) can receive information related to the suspicion of phishing at the recipient terminal (105) from the phishing prevention device (120). More precisely, during the final remittance stage, the third-party terminal (130) can request authentication while notifying the relevant information. For example, in order to prevent unauthorized intervention during this process, actions such as blocking the remittance when the authentication information matches can be taken. In addition, when a phone call suspected of phishing at the recipient terminal (105) lasts longer than a standard period of time, the phone call is automatically connected, allowing eavesdropping on the phone conversation between the sender and recipient, or more precisely, legal eavesdropping. Of course, in this case, a three-way call is possible, so it may be entirely possible to intervene in the call.

The third-party device (140) may function as one of the devices for preventing phishing fraud according to an embodiment of the present invention, and may refer to various types of additional devices required to use the service according to an embodiment of the present invention. Typical examples include ATMs and government office devices. Furthermore, while a telecommunications company's switching device is substantially included in the communications network (110), it may also be understood as a third-party device (140). The telecommunications company's switching device may provide information indicating that the caller information is suspected of being phishing, such as an international call, to the phishing prevention device (120). Of course, the phishing prevention device (120) may collect and store data such as suspected phishing phone numbers, words, or idioms in its own database (120a), and may perform verification on its own. However, since the caller phone number can be intentionally altered, in an embodiment of the present invention, it may be preferable to verify the caller's terminal device (100) using identification information such as the device ID or IP information. Of course, you can use both together.

In addition to the above, the sender terminal device (100), the receiver terminal device (105), the communication network (110), the phishing fraud prevention device (120), the third-party terminal device (130), and the third-party device (140) of FIG. 1 can perform various operations, and since the related contents will be continuously covered later, the detailed contents will be replaced with those contents.

Figure 2 is a block diagram illustrating the detailed structure of the phishing fraud prevention device of Figure 1.

The phishing fraud prevention device (120) of FIG. 1 according to an embodiment of the present invention is one of the devices for preventing phishing fraud, and includes part or all of a communication interface unit (200), a control unit (210), a phishing fraud prevention unit (220), and a storage unit (230) as shown in FIG. 2.

Here, “including some or all” means that some components, such as the storage unit (230), may be omitted to configure the anti-phishing device (120), or some components, such as the anti-phishing unit (220), may be integrated into other components, such as the control unit (210), and is described as including all to help a sufficient understanding of the invention.

The communication interface unit (200) communicates with the receiver terminal device (105), the third-party terminal device (130), and the third-party device (140) of Fig. 1, respectively. During the communication process, the communication interface unit (200) can perform operations such as modulation/demodulation, encoding/decoding, muxing/demuxing, and scaling to convert resolution, which are obvious to those skilled in the art, and thus further description thereof will be omitted.

The communication interface unit (200) can monitor phone calls, text messages, emails, SNS, and even messenger services made by the recipient terminal device (105) when the recipient terminal device (105) subscribes to a service according to an embodiment of the present invention. Of course, such operations can be performed under the control of the control unit (210). In the case of a phone call, the communication interface unit (200) can receive a voice signal provided by the recipient terminal device (105) or data converted from the voice signal into text and provide it to the control unit (210). In addition, in the case of text messages such as text messages impersonating an agency such as the prosecution or a obituary text, the text or URL of the text message, if any, can be received and provided to the control unit (210). Of course, the app installed on the recipient terminal device (105) can perform verification before connecting to the URL address information when clicking on the URL in the text message, rather than directly connecting to the URL address information. This can be configured to perform a type of switch operation. In the case of emails or SNS, verification can be performed in a similar manner to text messages.

The communication interface unit (200) can, under the control of the control unit (210), notify a designated third-party terminal (130) that phishing is suspected and a financial transaction is occurring at the recipient terminal (105) under the control of the control unit (210) when, for example, phishing is suspected or determined to be phishing as a result of data analysis, or more precisely, when phishing is suspected and it is determined that the user of the recipient terminal (105) is conducting a financial transaction through Internet banking or an offline ATM, and request authentication. Accordingly, when authentication is performed, the communication interface unit (200) can operate to allow or block a financial transaction based on the result thereof. For example, the phishing fraud prevention device (120) of FIG. 1 can compare the previously stored authentication information (e.g., biometric information, etc.) of a third party with the authentication information currently provided by the third party terminal device (130) and block a monetary transaction when they match. In this case, the device can request that the current transaction be blocked at the ATM constituting the third party device (140) of FIG. 1 under the control of the control unit (210). For example, in the embodiment of the present invention, it is entirely possible to design the system so that the authentication information of the third party is encrypted and decrypted.

The control unit (210) includes a processor such as a CPU, MPU, GPU, etc., and may further include memory such as RAM. The processor and memory may be formed by integrating them into an IC chip. The control unit (210) may perform the overall control operations of the communication interface unit (200), the phishing prevention unit (220), and the storage unit (230) of FIG. 2. The control unit (210) may receive monitoring data provided from the receiver terminal device (105), temporarily store it in the storage unit (230), and then retrieve it and provide it to the phishing prevention unit (220) to request data analysis. Through data analysis, it is possible to determine whether phishing has occurred, and in the process, the control unit (210) may search for phishing-suspicious words stored in the DB (120a) of FIG. 1. Of course, the phishing prevention unit (220) can also process natural language through LLM, etc., so it can more accurately determine whether or not a message is phishing by evaluating the context as a whole, not just the sentence. Furthermore, the control unit (210) can verify the phone number or device ID (or IP information, etc.) of the sender's terminal device (100) during the phishing determination process and use the database (120a) to determine whether or not a message is phishing. Of course, information such as phishing-related words or device IDs used to determine whether or not a message is phishing can also be stored and used in a library in the form of software. In this case, the processing speed can be increased compared to accessing the database (120a).

In addition, the control unit (210) can perform various operations in conjunction with the phishing prevention unit (220). For example, if an artificial intelligence model is installed in the phishing prevention unit (220), the control unit (210) can perform operations for training the artificial intelligence model. Data related to phishing can be collected to train learning data such as phone numbers, device IDs, and words related to phishing. In the case of a company providing a service for preventing phishing, it is not difficult to acquire specialized data such as words related to phishing, and thus the data can be used as learning data to train a model and then provide a service according to an embodiment of the present invention. Above all, the control unit (210) according to an embodiment of the present invention can perform an operation for performing authentication through a third-party terminal device (130) at the request of the phishing prevention unit (220), or in the case of text messages, it can participate in an operation for preventing the installation of malicious code or malicious apps for stealing personal information, etc., on the recipient terminal device (105). At the request of the anti-fraud department (220), the recipient terminal device (105) of Fig. 1 can be notified that the current text message is a smishing message.

The phishing prevention unit (220) checks data such as voice calls, text messages, and even emails, SNS, and messenger services generated from the recipient terminal device (105) using the service according to an embodiment of the present invention to determine whether there is phishing, and if phishing is suspected and leads to a financial transaction, it can take action to block it. Since the ultimate goal of phishing is monetary transactions, to prevent this, when a financial transaction is made, authentication can be requested from a designated third-party terminal device (130) to block the monetary transaction. Of course, monetary transactions can be made through internet banking or offline using an ATM. Third-party authentication can include all of these. In addition, in the case of phishing via text message, i.e. smishing, malicious codes for stealing personal information are installed on the recipient terminal device (105), so the phishing prevention unit (220) can verify the URL information or text content of the text message and block its operation if there is a concern about phishing. For example, the installation of the corresponding code, etc. can be blocked by notifying the app installed on the recipient terminal device (105). In addition, if the code is already installed, the path, etc., can be copied, so that the path can be traced and deleted based on this. In addition, in the case of URL information, the URL address information can be connected to the URL only when verification is completed through prior verification before being directly connected. In the case of URL address information, it can be seen that the switch operation is performed in the app installed on the recipient terminal device (105).

The phishing prevention unit (220) according to an embodiment of the present invention analyzes data converted from voice signals to text in the case of voice phishing, i.e., in the case of voice calls, and determines whether phishing is occurring based on words, etc. If a financial transaction is initiated, third-party authentication is performed. Of course, whether a financial transaction is initiated can be monitored through an app in the case of Internet banking. However, in the case of offline ATMs, location information can be tracked using a GPS module installed in the recipient's terminal (105), for example, to confirm that the final location is at the bank, and monitoring can be performed. Furthermore, ATM use can be monitored in various ways, such as through API integration with the ATM. Conversely, in the case of smishing, URL information is verified before connecting to the site upon clicking the URL information, and phishing is determined. In this case, malware designed to steal personal information is installed, so actions can be taken to block this. In the case of voice phishing, there are many cases where a child's car accident or impersonation of an organization employee is used, and in the case of smishing, considering that obituary texts are mainly used, related actions to prevent phishing scams can be taken based on specific cases.

The phishing prevention unit (220) can prevent phishing by performing actions such as searching for names registered in the recipient's terminal device (105) phone book when a specific child's name is mentioned in a voice call suspected of voice phishing, performing a direct call connection, and automatically connecting the call to the relevant institution if the caller is impersonating an institution employee. Of course, for this automatic connection, when the recipient's terminal device (105) enters information such as their residential address when signing up for the service, the phone number of a phishing prevention department, such as a nearby police station, can be automatically matched. Therefore, in the event of a prosecutor impersonation, the relevant department can be notified or the speakerphone of the employee's phone can be automatically activated to listen in. Of course, it is also entirely possible to be notified of relevant facts through a messenger-based chat service. This allows for a rapid response to phishing scams.

The storage unit (230) can temporarily store various types of information or data under the control of the control unit (210). The storage unit (230) can receive and temporarily store voice signal data related to a voice call from the receiver terminal device (105) of FIG. 1, and at this time, it can match and store the data with the identification information or phone number information of the receiver terminal device (105) and then provide it to the phishing fraud prevention unit (220) for data analysis.

In addition to the above, the communication interface unit (200), control unit (210), phishing fraud prevention unit (220), and storage unit (230) of FIG. 2 can perform various operations, and other detailed information has been sufficiently explained above, so it will be replaced with those contents.

Meanwhile, the communication interface unit (200), control unit (210), phishing fraud prevention unit (220), and storage unit (230) of FIG. 2 according to an embodiment of the present invention are configured as physically separate hardware modules, but each module may store and execute software for performing the above operations therein. However, the software is a collection of software modules, and each module may be formed of hardware, so there is no particular limitation to the configuration, such as software or hardware. For example, the storage unit (230) may be hardware, such as storage or memory. However, it is also possible to store information (repository) in software, so there is no particular limitation to the above.

In addition, as another embodiment of the present invention, the control unit (210) may include a CPU and a memory, and may be formed as a single chip. The CPU may include a control circuit, an operation unit (ALU), a command interpretation unit, and a registry, and the memory may include a RAM. The control circuit may perform a control operation, the operation unit may perform an operation of binary bit information, and the command interpretation unit may perform an operation of converting a high-level language into machine language and vice versa, including an interpreter or a compiler, and the registry may be involved in software data storage. According to the above configuration, for example, at the initial stage of the operation of the phishing fraud prevention device (120) of FIG. 1, the program stored in the phishing fraud prevention unit (220) may be copied and loaded into the memory, i.e., RAM, and then executed, thereby rapidly increasing the data operation processing speed. In the case of a deep learning model, it may be loaded into the GPU memory instead of the RAM and executed by accelerating the execution speed using the GPU.

Figure 3 is a drawing showing a phishing fraud prevention process according to an embodiment of the present invention.

As illustrated in FIG. 3, the recipient terminal device (105), for example, when a phone call or a text message is transmitted from the sender terminal device (100) of FIG. 1, can process the data of the phone call or text message in conjunction with the anti-phishing device (120) (S300). The recipient terminal device (105) can install an app for using the service according to an embodiment of the present invention, through which phone calls, etc. can be monitored and data can be transmitted. Of course, if an STT module that converts voice signals into text is installed in the app, text data of the voice content can be provided to the anti-phishing device (120). In addition, if URL information is included in the text message, when the user of the recipient terminal device (105) clicks on the URL information, the app installed in the recipient terminal device (105) can temporarily suspend direct access to the information. In addition, the app can function as a kind of switch by connecting when verification is complete.

The phishing prevention device (120) can verify data provided by the recipient's terminal device (105) to determine whether a call is phishing (S310). During this process, phishing can be determined based on factors such as whether words suspected of phishing are found and how often they are mentioned. Furthermore, when utilizing an AI model such as LLM, sentence analysis through natural language processing of conversations and the context between sentences are possible, allowing for the overall flow of conversation to be assessed to determine phishing. Of course, since this determination is based on pre-trained learning data in the AI model, phishing determinations can be made more accurately. For example, an AI conversational robot can generate dialogue to accurately detect suspected phishing and respond to the caller accordingly. For example, the robot could respond with, "I'm a police officer..." and then check the caller's response. Furthermore, there are various other dialogues that an AI conversational robot can generate, or methods of conducting conversations based on pre-generated dialogues, to accurately determine phishing. In the case of text messages, different actions may be possible depending on whether or not URL information is included. If URL information is included, the URL information can be verified. Furthermore, in the case of obituary messages, if a bereaved family member is detected through text analysis of the obituary message, it is entirely possible to request a search for the name of the detected bereaved family member through the phone book of the recipient's terminal device (105). For example, if a contact information is secured, actions such as automatically connecting a call may be possible.

Above all, the phishing prevention device (120) can determine whether a financial transaction is being conducted via voice phishing or smishing (S320). In fact, the ultimate goal of phishing can be seen as obtaining financial gain. Therefore, since financial transactions may involve the theft of personal information used in financial transactions through methods such as smishing, this operation can be performed. For example, it can determine whether malicious code for theft of personal information is being installed. Accordingly, if URL information is included in a text message and clicked by the user of the recipient's terminal device (105), the phishing prevention device (120) can temporarily suspend access through an app according to a pre-installed embodiment of the present invention and operate to allow access only after verification by the phishing prevention device (120) is completed.

The anti-phishing device (120) can request authentication from a designated third-party terminal (130) at the final remittance stage, for example, if it determines that a financial transaction has occurred via voice phishing (S330). For example, elderly individuals, who are vulnerable to using smartphones and other devices, are at high risk of being exposed to new types of fraud. Therefore, a specific child of the elderly can be designated as the third party to receive approval if financial fraud is suspected. For example, the third party according to an embodiment of the present invention can be considered very important. Rather than simply asking for permission, specific authentication information can be requested. This can include a password set by the third party or biometric information such as fingerprints. Therefore, this information can be encrypted or decrypted during transmission and reception, or it can be configured in a blockchain format to prevent hacking. For example, authentication information previously registered by a third party is stored in the DB (120a) of FIG. 1, the third party's terminal device (130), and further, in a third-party device (140) such as a financial institution server, so that further third-party verification can be performed only when phishing is suspected, or a transaction can be completed or a financial transaction can be blocked when there is approval from multiple nodes, i.e., devices, utilizing blockchain.

Of course, the phishing prevention device (120) may reject authentication from a third-party terminal device (130), and rejection may also occur when the previously stored authentication information matches the authentication information provided by the third-party terminal device (130). Accordingly, the result of the financial transaction blocking may be notified to the recipient terminal device (105) (S350). Of course, in the case of an ATM, the display screen may display a pop-up indicating the reason for the financial transaction blocking.

In addition to the above, the receiver terminal device (105), phishing fraud prevention device (120), and third-party terminal device (130) of FIG. 1 can perform various operations, and other detailed information has been sufficiently explained above, so it will be replaced with those contents.

Figure 4 is a flowchart showing the operation process of the phishing fraud prevention device of Figure 1.

For convenience of explanation, referring to FIG. 4 together with FIG. 1, a phishing prevention device (120) according to an embodiment of the present invention receives data of a voice call or text message performed on a user terminal device of a user utilizing a service for preventing phishing fraud, i.e., a recipient terminal device (105) of FIG. 1 (S400). In the case of a phone call, the data may be text data converted from a voice signal or may include text data of a text message. The text data of a text message may include URL information, etc.

In addition, the phishing prevention device (120) verifies the received data to determine whether it is phishing, and if the result of the determination is suspected of phishing, if there is a financial transaction by the user due to suspected phishing, the device receives authentication from a third party designated by the user to prevent phishing and blocks the financial transaction (due to phishing based on the authentication result) (S410).

This has been sufficiently explained previously. If the user of the recipient terminal device (105) is elderly, the third party may be his or her children. Furthermore, if the user of the recipient terminal device (105) is a child, the third party may be his or her parents. By involving a third party in a financial transaction suspected of phishing, a buffer period can be created and further verification can be performed, thereby preventing not only phishing but also ultimate financial loss to the user. For example, in the case of the installation of malicious code for theft of personal information, the app according to a previously installed embodiment of the present invention can detect the process and prevent its installation or delete the previously installed code. This can also prevent theft of personal information.

In addition to the above, the phishing fraud prevention device (120) of FIG. 1 can perform various operations, and other detailed information has been sufficiently explained above, so it will be replaced with that information.

Meanwhile, even though all components constituting the embodiments of the present invention have been described as being combined or operating in combination, the present invention is not necessarily limited to such embodiments. That is, within the scope of the purpose of the present invention, all of the components may be selectively combined and operated one or more times. In addition, although all of the components may be implemented as individual independent hardware, some or all of the components may be selectively combined and implemented as a computer program having program modules that perform some or all of the functions of the combined hardware in one or more pieces. The codes and code segments constituting the computer program can be easily inferred by those skilled in the art of the present invention. Such a computer program may be stored in a non-transitory computer-readable storage medium and read and executed by a computer, thereby implementing the embodiments of the present invention.

Here, the non-transitory readable storage medium refers to a medium that permanently stores data and can be read by a device, rather than a medium that stores data for a short period of time, such as a register, cache, or memory. Specifically, the above-described programs may be stored and provided on a non-transitory readable storage medium, such as a CD, DVD, hard disk, Blu-ray disc, USB, memory card, or ROM.

Although the preferred embodiments of the present invention have been illustrated and described above, the present invention is not limited to the specific embodiments described above, and various modifications may be made by those skilled in the art without departing from the spirit or scope of the present invention as claimed in the claims. Furthermore, such modifications should not be understood individually from the technical idea or prospect of the present invention.

Claims (8)

As a device to prevent phishing scams, A communication interface unit that receives data of a phone call or text message performed on a user terminal device; and a control unit that verifies the received data to determine whether it is phishing, and if phishing is suspected, receives authentication from a third-party terminal device to block the user's financial transaction and blocks the financial transaction; including, The above control unit, If the above-mentioned phone calls suspected of being phishing continue for more than a predetermined first standard period of time, Causing the user terminal device to output a first warning as a voice or visual element, If the phone call suspected of being the above phishing continues for more than the second predetermined standard time, Causes the user terminal device to repeatedly output a second warning at predetermined time intervals; Each time the above second warning is output, the predetermined time interval of the above second warning is adjusted to be narrowed by a predetermined length, If a financial transaction is identified after the first or second warning above, Transmitting a predetermined number of first authentication requests to the user terminal device, Transmitting a predetermined number of second authentication requests to the third party terminal device; If a financial transaction is identified after the first or second warning above, and the number of mentions of a predetermined specific word or phrase identified during the duration of the call is below a predetermined threshold, Transmitting a predetermined number of third authentication requests to the user terminal device, Transmitting a predetermined number of fourth authentication requests to the third party terminal device; The number of the third authentication requests is smaller than the number of the first authentication requests, which is a predetermined number; The above fourth authentication request is smaller in number compared to the predetermined number of second authentication requests. A device for preventing phishing scams, characterized by: In the first paragraph, The above control unit verifies the voice content of the phone call to identify words suspected of voice phishing and determines whether or not it is phishing, and when URL (Uniform Resource Locator) information sent as a text message is clicked, verifies the URL information to determine whether or not it is suspicious URL information and determines whether or not it is phishing. This is a device for preventing phishing fraud. In the first paragraph, The above control unit further verifies the caller's phone number or the device identification information of the caller's terminal device to determine whether or not the call is phishing, and when phishing is suspected, a device for preventing phishing fraud is provided to the user's terminal device. In the first paragraph, The above control unit is a device for preventing phishing fraud, which automatically connects a call to a third party terminal device when a call suspected of being voice phishing continues for a specified period of time, thereby notifying the user that a call suspected of being voice phishing is in progress. A step in which the communication interface unit receives data of a phone call or text message performed on a user terminal device using a service for preventing phishing fraud; and A step in which the control unit verifies the received data to determine whether it is phishing, and if phishing is suspected as a result of the determination, and if there is a financial transaction by the user due to the suspected phishing, the control unit blocks the financial transaction by receiving authentication from a third party designated by the user to prevent phishing fraud; Including, but not limited to, The above control unit, If the above-mentioned phone calls suspected of being phishing continue for more than a predetermined first standard period of time, Causing the user terminal device to output a first warning as a voice or visual element, If the phone call suspected of being the above phishing continues for more than the second predetermined standard time, Causes the user terminal device to repeatedly output a second warning at predetermined time intervals; Each time the above second warning is output, the predetermined time interval of the above second warning is adjusted to be narrowed by a predetermined length, If a financial transaction is identified after the first or second warning above, Transmitting a predetermined number of first authentication requests to the user terminal device, Transmitting a predetermined number of second authentication requests to the third party terminal device of the third party; If a financial transaction is identified after the first or second warning above, and the number of mentions of a predetermined specific word or phrase identified during the duration of the call is below a predetermined threshold, Transmitting a predetermined number of third authentication requests to the user terminal device, Transmitting a predetermined number of fourth authentication requests to the third party terminal device; The number of the third authentication requests is smaller than the number of the first authentication requests, which is a predetermined number; The above fourth authentication request is smaller in number compared to the predetermined number of second authentication requests. Featuring, A method of operating a device to prevent phishing scams. In paragraph 5, The steps to determine whether the above is phishing are: A step of verifying the voice content of the above phone call to check for words suspected of voice phishing and determine whether it is phishing; and A step for verifying the URL information sent via text message when it is clicked to determine whether it is a suspicious URL information and whether it is phishing; A method for operating a device for preventing phishing fraud, including: In paragraph 5, A step of further verifying the caller's phone number or device identification information of the caller's terminal to determine whether the above is phishing; and A step of warning the user terminal of phishing when phishing is suspected; A method of operating a device for preventing phishing fraud, the method comprising: In paragraph 5, A method for operating a device for preventing phishing fraud, further comprising: a step of automatically connecting a call to a third party terminal device when a call suspected of being voice phishing continues for a specified period of time to notify the user that a call suspected of being voice phishing is in progress.