PhishER Turns Golden Hour Into Golden Minute

Evangelists-Roger GrimesHospital emergency rooms around the world are fine-tuned to meet the requirements of the “Golden Hour”. The Golden Hour is a well-accepted medical fact that critically injured or ill patients fare far better when they are assessed, transported, and appropriately treated in an Emergency Room within 1-hour of their first complaint. Every minute past 60 minutes increases the odds of a more negative outcome for the patient. Speed is a key component for success.

Certainly, the same is true in the cybersecurity world. The quicker someone responds to an active cyberthreat the more likely a lower cost outcome. KnowBe4’s PhishER™ helps cybersecurity defenders respond quicker and more efficiently to existing threats, especially when minutes count. It can even use real-world threats to gauge your organization’s true risk and to provide focused education about active threats.

PhishER is simple to use and configure and will save hours of time in responding to threatening emails.


How PhishER Works

PhishER is a commercial offering from KnowBe4, which creates an effective workflow from reporting of a possible phishing email to its ultimate remediation and risk removal across the entire enterprise. It begins with a user reporting a phishing email to PhishER. Users are encouraged to use our free Phish Alert Button, which installs a “fish hook” button to allow users to easily and quickly report suspected phishing emails. Alternately, any method that allows a suspected phishing email to be reported to a common email address for evaluation is supported.

It's important to note that these reported suspected phishing messages are only the ones that made it through all your other email- and content-filtering services and products to the end-user. These are top risks where the user is the last bastion of defense. It is tip of the spear!

PhishER will be handling and evaluating what all the other tools and methods missed despite their best efforts. PhishER is learning, reacting, and being taught how to spot and react to the suspected phishing emails that all the other tools missed.

Once a message has been sent to PhishER, it is immediately evaluated by PhishML™, PhishER’s machine-learning module. It contains built-in rules for detecting phishing emails and for discriminating between true phishing and other types of emails (e.g., spam, clean, unknown).

PhishER’s machine-learning rules are updated based on your additional selections and the selections of anyone else who uses PhishER. Future detecting and tagging is based on your organization's experience with its own real phishing attacks. Your organization’s experience is enhanced by other savvy PhishER users. If some other part of the PhishER community notices and flags a new type of phishing campaign, that crowdsourcing knowledge can update your PhishML model.

PhishER’s goal is to automatically and correctly categorize 90% or more submitted emails. PhishER admins can use their own experience and confidence in PhishER’s automation and adjust Confidence Thresholds to fine-tune how much trust is given to the automated handling actions done by PhishER’s machine-learning module (as exampled below). As you gain trust in PhishER’s automation, you can modify the Confidence Thresholds to automatically handle more submissions.

PhishML Enabled

PhishER admins can create new customized rules helping to automate the process of identifying and handling future submitted emails, which can help their organization and the rest of the PhishER community.


PhishRIP™ is a fantastic workflow feature that allows a PhishER administrator to quickly protect their environment against any identified email threat. Once you’ve identified a threat, you can use PhishRIP to quarantine or remove all similar emails from all users’ mailboxes (e.g., Inbox, Sent, Trash, Deleted Items, etc.). A customer warning message can also be sent to all users with a similar message.

Note: PhishRIP works with Microsoft O365™ and Google Workspace™ environments.


PhishFlip™ allows any identified email in PhishER to be safely used in a simulated phishing campaign to see how your entire user base would have successfully handled a real-world phishing attack launched against your organization. You can PhishRIP the real phishing email from anyone’s email mailboxes and then send out a “de-fanged” version to see who would have clicked on the email if it had reached them to be evaluated. You can send the newly created safe version to just users who received the real malicious email or send out to your entire organization (or any other subset). You can view the results and actions of how the simulated phishing test concluded (example shown below). No other method can give as much real-world risk detail as a PhishFlip’d phishing email.

PhishFLIP Example

PhishER integrates with your existing SIEM and SOAR products and can interface with external threat intelligence services like Google’s VirusTotal.

Workflow Time Savings

PhishER is ultimately a last chance detection and response workflow designed to save you hours of time. It catches and reacts to the email threats that all other inline tools missed. PhishER admins can handle dozens of suspected phishing emails in under a minute, saving everyone time and money.

Confirmed phishing emails can be removed from everyone’s email mailboxes significantly reducing risk to the environment. Safe, simulated phishing campaigns can be made from real-world phishing emails to show everyone how much damage would have been done if the real phishing email had interacted with the entire organization.

PhishER is the best way to shorten response times and lessen the risk from a suspected phishing email that made it past all your other anti-phishing tools. PhishER allows the quickest response with the least amount of risk possible. If you want to save the patient, quick is good. Save yourself time and money with PhishER.

Live Demo: Identify and Respond to Email Threats Faster with PhishER

With only approximately 1 in 10 user-reported emails being verified as actually malicious, how do you not only handle the phishing attacks and threats—and just as importantly—effectively manage the other 90% of user-reported messages accurately and efficiently? PhishER.


To learn how, get a product demonstration of the new PhishER Security Orchestration, Automation and Response (SOAR) platform. In this live one-on-one demo we will show you how easy it is to identify and respond to email threats faster:

  • Automate prioritization of email messages by rules you set that categorize messages as Clean, Spam, or Threat
  • Augment your analysis and prioritization of messages with PhishML, a PhishER machine-learning module
  • Search, find, and remove email threats with PhishRIP, PhishER’s new email quarantine feature for Microsoft 365 and G Suite
  • NEW! Automatically flip active phishing attacks into safe simulated phishing campaigns with PhishFlip. You can even replace active phishing emails with safe look-alikes in your user’s inbox.
  • Easily integrate with KnowBe4's email add-in button, Phish Alert, or forwarding to a mailbox works too!

Request A Demo

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

Topics: Phishing, KnowBe4

Subscribe to Our Blog

Comprehensive Anti-Phishing Guide

Get the latest about social engineering

Subscribe to CyberheistNews