Identify and Respond to Email Threats Faster with KnowBe4 PhishER

Somerford Associates Limited
Jun 22, 2020


PhishER helps security teams analyse, prioritise and manage emails that employees have reported as suspicious. With PhishER, Information Security teams can identify the most dangerous threats faster and more efficiently. The platform also helps Information Security teams quickly process the emails that have been reported as suspicious but are actually legitimate and need to be actioned or responded to by the employee.

Phishing remains the most widely used cyber-attack vector. Roughly 10 to 15 percent of spam and malicious emails make it past installed email filters.

Companies that have invested in the latest forms of security awareness training, including simulated phishing tests, and have deployed the free KnowBe4 Phish Alert Button can still run into problems accurately distinguishing a spam email from a phishing email or other type of malicious email.

Many of these emails are reported by employees to Information Security teams and require review as quickly as possible. Since each message requires some level of analysis and possible human intervention to prioritise, companies with limited security resources need a quick and easy way to respond to and mitigate these emails.

Incident response orchestration can deliver immediate efficiencies to an Information Security or Security Operations team. With the right strategy and planning, a company can build a fully orchestrated and intelligent SOC that can contend with today’s threats. PhishER is a critical element to help Incident Response and Information Security teams work together to mitigate the phishing threat.

Our Information Security and Security Operations teams spend a significant amount of time and resources checking suspected phishing emails. Can PhishER help me?

PhishER is a lightweight Security Orchestration, Automation and Response platform designed to orchestrate your threat response and manage the high volume of potentially malicious email messages being reported by your employees.
With automatic prioritisation for emails, PhishER helps Information Security and Incident Response teams cut through the email noise and respond to the most dangerous threats more quickly.

Additionally, with PhishER you are able to automate the management of the 90% of reported emails that are not threats. Incident Response orchestration can easily deliver immediate efficiencies to your Information Security team, but the potential value is much greater than that.
With the right strategy and planning, your company can build a fully orchestrated and intelligent Security Operations Centre that can contend with today’s threats. PhishER is a critical element to help your Information Security and Incident Response teams work together to mitigate the phishing threat and is suited for any company that wants to automatically prioritise and manage potentially malicious messages — accurately and fast.
PhishER is available as a stand-alone product or as an add-on option for existing KnowBe4 customers.

So, I understand the benefits that PhishER can bring to my company — but how does it actually work?

PhishER is a simple web-based platform with critical functionality that serves as your phishing emergency room to identify and respond to employee-reported messages. PhishER helps you quickly prioritise and analyse which messages are legitimate and which messages are not. With PhishER, your team can prioritise, analyse, and manage a large volume of emails — fast! The key goal is to help you prioritise as many messages as possible automatically, with an opportunity to review PhishER’s recommended focus points and take the actions you desire.

This all makes sense, but can you provide some more information on how the prioritisation, rules and tagging work?

Automatic Message Prioritisation:

PhishER will help you prioritise every reported message into one of three categories: Clean, Spam, or Threat. Through rules you set, PhishER helps you develop your process to automatically prioritise as many messages as possible without human interaction.
With automatic prioritisation of emails that are not threats, PhishER helps you respond to the most dangerous threats more quickly. PhishER easily integrates with KnowBe4’s email add-in button, Phish Alert, and also works by forwarding to a dedicated mailbox. PhishER reviews attributes of reported messages and stack ranks the most critical messages based on priority.

Simple and Advanced Rule Creation:

A rule is a logical expression used to disposition emails forwarded to the PhishER inbox. You can create custom rules or modify and use the built-in system rules.


KnowBe4’s new PhishML is a PhishER machine-learning module that helps you identify and assess the suspicious messages that are reported by your employees, at the beginning of your message prioritisation process. PhishML analyses every message coming into the PhishER platform and gives you the information to make your prioritisation process easier, faster, and more accurate.
PhishML is constantly learning based on the messages that are tagged, not only by you but also by other members of the PhishER user community. That means that the learning model is being fed new data to constantly improve its accuracy and more messages can be automatically prioritised based upon PhishER’s categorisation, saving you even more time.

Emergency Rooms:

PhishER features “Emergency Rooms” to help you identify similar messages reported by your employees. Emergency Rooms consist of pre-filtered views of your messages that are unresolved in your PhishER inbox. These messages are dynamically grouped by commonalities and include system pre-filtered views for messages by Top Subject Lines, Top Senders, Top Attachments, and Top URLs.

Each room is interactive, allowing you to drill down into filtered inbox views of the messages and take action across all associated messages at the same time. The overview of the Emergency Rooms allows you to immediately prioritise which room contains the most messages and is in need of attention.
In addition, you can define criteria to create your own room and highlight what means the most to your company. Interested in how many messages are spoofing your executives or how many legitimate HR notices are being reported by your employees? How about finding out if there is a widespread generic phish campaign that many employees are reporting? Emergency Rooms will give you all that and more.


