DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Status of Claims
	Claims 1, 6-11, and 16-20 are currently pending and rejected.
	Claims 2-5 and 12-15 are canceled.

Claim Rejection – 35 U.S.C. 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claim 1-11 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA  35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention.  Claim 1 recites the amended feature “collect…geographic location of the registration”.  Claim 11 recites similar limitation.  This limitation is not mentioned in the specification.

Claim Rejection – 35 U.S.C. 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim 1-4, 6-14, and 16-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Binns et al. (Pub. No.: US 2018/0308099), in view of Varghese et al. (Pub. No.: US 2006/0282660), Srivastava et al. (Pub. No.: US 2012/0096553), Zeppenfeld (Pub. No.: US 2012/0254243), Barnhardt et al. (Pub. No.: US 2018/0181962), and Nagashima (JP-2006285844-A).
As per claim 1 and 11, Binn teaches a system that combines payment data and cyber fraud indicators to identify potential fraud in payment requests from a client, the system comprising:
a memory that stores and maintains a list of known fraud characteristics and cyber fraud indicators associated with activities prior to a payment instruction (see paragraph 0029 for memory; paragraph 0014 and 0022 teach “fraud marker”, which is indicator of fraud; see paragraph 0037, “Fraud marker engine 202 generally creates and stores fraud markers”, and paragraph 0041, “activity monitoring engine 206 receives and stores some or all of the fraud markers created by fraud marker engine 202 and uses them to determine matches against the monitored activity 207”; also see paragraph 0037-0038, “fraud marker engine 202 assists with analyzing activity 203 between payors and payees (which could be some or all of activity 112, e.g., activity occurring prior to activity 207, on a different network, etc.) to determine fraud markers 108 that can identify fraudulent or likely fraudulent activity”); and
a computer processor, coupled to the memory, programmed to (see paragraph –28):
 	receive, via an electronic input, a legitimate payment instruction from the client (see paragraph 0007 and 0013, “the legitimate (and often willing) payor creates a seemingly legitimate transaction to payee”…”even though the transaction was properly initiated, it may still have been fraudulently induced by the beneficiary of that payment (i.e., the payee)”; see paragraph 0041, activity monitoring and matching engine receive/monitor transaction data between payor and payee);

identify a plurality of cyber fraud indicators, from one or more of a social engineering attack and a business email compromise attack against a client prior to the legitimate payment instruction that cause the client to initiate the legitimate payment instruction on fraudulent grounds, the social engineering attack and the email compromise attack based on leveraging information about the client acquired on a plurality of websites (see paragraph 0013-0014, 0037, 0041-0043. 0050-0059, prior art teaches monitoring payor and payee activities occurring prior to transaction to detect fraudulent pattern, and generate fraud markers/indicators that are associated with detected or potential fraudulent activities; see paragraph 0013 and 0084, “phishing scam via email”, prior art teaches detecting phishing scam, which is a social engineering attack and an email attack against a client),
and the plurality of cyber fraud indicators comprise an IP address associated with prior fraudulent activity (see paragraph 0051-0052 and 0073, fraud markers can be email address, IP address, phone number, etc., associated with prior fraudulent activities; “the one or more” language requires only one of the listed fraud indicators); 
determine whether to release a transaction or proceed with a transaction (see paragraph 0003-0005, “institute on the monitored activity, based on the fraud score, at least one of a block…a cancellation…and a hold”; also see paragraph 0014, 0025, 0044-0045, and 0069-0070) and determine whether a requesting domain name associated with the received legitimate payment instruction from the client has been potentially compromised (see paragraph 0073, “if fraudulent activity is identified as a transaction to a payee account having a particular email address or domain name, then past, current, or future activity involved with that email address or domain name”).
whereby identified characteristics of potentially fraudulent activities are applied to downstream decisioning (see paragraph 0014, 0037, and 0041-0043, activity monitoring engine and activity management engine monitors and compares transaction data to previously identified/generated fraud markers to detect fraud; in other words, identified fraud characteristics are applied to downstream decisioning); 
apply analytics, based on known fraudulent activity and suspected fraudulent activity involving both a payor and payment beneficiary, to the correlated one or more cyber fraud indicators and legitimate payment instruction to determine that the legitimate payment instruction is likely originating from fraudulent activity (see paragraph 0003, 0020-0021, and 0026, “payee data database 120 stores account information about particular payees and information about payees taken from activity (e.g., activity 206, such as transactions) initiated by payors” and “Payee database 120 stores, in some embodiments, data related to all transactions previously identified as fraudulent or potentially fraudulent”; also see paragraph 0041, “Activity monitoring and matching engine (“activity monitoring engine”) 206 generally monitors activity 207 of affecting payor and/or payee accounts and determines when certain activity matches one or more fraud markers”; both payor and payee activities are monitored and analyzed);
generate a risk score to determine whether the legitimate payment instruction will result in an illegitimate payment (see paragraph 0002-0003, 0013-0014, 0023, 0039, 0059, and 0065, prior art teaches generating a fraud score, which is the same as risk score);
determine an action based on the risk score, the actions comprising one of completing a payment, denying a payment, and allowing a payment with continued monitoring of the payment (see paragraph 0003, 0014 ,0043, and 0069, prior art teaches determining whether to block, cancel, place on hold, or allow a transaction based on the risk score);
add one or more new cyber fraud indicators identified in the received payment instruction to the list of known fraud characteristics and cyber fraud indicators (see paragraph 0037, 0050-0059, detected fraud markers/indicators are stored by fraud marker engine or activity monitoring engine).
Examiner notes however, Binn does not teach the plurality of cyber fraud indicators comprise an autonomous system number associated with a high risk that has not been previously visited by a device used by the victim to initiate the payment instruction, a malware indicator originating from the victim’s device indicating a risk of fraud, an automatic number identification that determines an origination telephone number associated with fraudulent activity, and a look alike domain accessed by the device used by the victim prior to the payment instruction, and one or more voice biometrics.  Examiner argues these fraud indicators were well-known prior to the present invention, and the present claims do not combine them in an unconventional way to produce unexpected result.
Varghese teaches the plurality of cyber fraud indicator comprise an autonomous system number (ASN) associated with a high risk that has not been previously visited by a device used by the victim to initiate the payment instruction (see paragraph 0090, 0108, and 0181, “ASN in device profile – Whether there was a prior successful login from this ASN for this device”).
Srivastava teaches the plurality of cyber fraud indicator comprise a malware indicator originating from the victim’s device indicating a risk of fraud (see paragraph 0019-0020, 0023, 0030, 0032, 0037-0038, 0051, and 0054-0055, prior art teaches comparing IP address against a database of previously archived malicious domain names, malwares, and IP addresses), and a look alike domain accessed by the device used by the victim prior to the payment instruction (see paragraph 0042-0049, prior art teaches detecting look alike domain “constructed to fraudulently pose as other, legitimate websites”).
Zeppenfeld teaches the plurality of cyber fraud indicator comprise an automatic number identification that determines an origination telephone number associated with fraudulent activity, and one or more voice biometrics (see paragraph 0027, 0035, 0043, 0052, 0054, 0060-0061, 0101, 0119, and 0128).
It would have been obvious to one of ordinary skill in the art at the time of invention to modify Binn with teaching from Varghese, Srivastava, and Zeppenfeld to include the plurality of cyber fraud indicators comprise an autonomous system number associated with a high risk that has not been previously visited by a device used by the victim to initiate the payment instruction, a malware indicator originating from the victim’s device indicating a risk of fraud, an automatic number identification that determines an origination telephone number associated with fraudulent activity, and a look alike domain accessed by the device used by the victim prior to the payment instruction, and one or more voice biometrics.  The modification would have been obvious, because it is merely applying a known technique (i.e. use well-known fraud indicator to detect cyber fraud) to a known system (i.e. cyber fraud detection system) ready to provide predictable result (i.e. use fraud indicators that are well understood in the industry so that one skilled in the art would be able to implement immediately).
Examiner knows however, Binn does not teach apply payment decisioning, based on learning analytics, to correlate the plurality of cyber fraud indicators to the legitimate payment instruction, generate a risk score based on the applied learning analytics, and perform feedback analysis via the learning analysis on known good transactions, known fraud, and the one or more new cyber fraud indictors to further train, refine, and improve the functioning of the learning analytics.
Srivastava teaches apply payment decisioning, based on learning analytics, to correlate the one or more cyber fraud indicators to the legitimate payment instruction, generate a risk score based on the applied learning analytics, and perform feedback analysis via the learning analysis on known good transactions, known fraud, and the one or more new cyber fraud indictors to further train, refine, and improve the functioning of the learning analytics (see paragraph 0049 and 0052, prior art teaches using machine learning to analyze data and to generate risk score; false positives are fed back to the machine learning algorithm to optimize scoring process).
Barnhardt teaches apply learning analytics, based on one or more of known fraudulent activity and suspected fraudulent activity involving both a payor and payment beneficiary, including fraud-based information from a plurality of payment instructions from one or more other clients, to the correlated plurality of cyber fraud indicators and legitimate payment instruction to determine that the legitimate payment instruction is likely originating from fraudulent activity, the determination made by the learning analytics is also based on a historical set of behavior for the client (see paragraph 0059, prior art teaches modeling large amounts of transaction and account data coming from a very large, general population of people and their transactions, and the risk analysis also identify characteristics of transaction from the perspective of a payer, a payee and both the payer and payee together; specific past transactions identified as fraudulent are analyzed to identified those characteristics of transactions).
It would have been obvious to one of ordinary skill in the art at the time of invention to modify Binn with teaching from Srivastava and Barnhardt to include apply payment decisioning, based on learning analytics, to correlate the one or more cyber fraud indicators to the legitimate payment instruction, generate a risk score based on the applied learning analytics, and perform feedback analysis via the learning analysis on known good transactions, known fraud, and the one or more new cyber fraud indictors to further train, refine, and improve the functioning of the learning analytics.  The modification would have been obvious, because it is merely applying a known technique (i.e. machine learning and feedback analysis) to a known system (i.e. cyber fraud detection system) ready to provide predictable result (i.e. continuously improve the accuracy of the system by training the machine with known fraud data).
Examiner further notes that Binn does not teach wherein the accuracy of the risk score is based on a number of indicators considered in the analysis and the number of indicators considered is determined based on the payment instruction, the client providing the payment instruction, and a geographic location for the payment instruction.  Examiner argues however, it is common sense to one of ordinary skill in the art that the higher the number of indicators are being considered in risk analysis, the higher the accuracy of the risk score will be, and higher number of indicators usually comes with higher cost in terms of processing time and resource usage.  Thus, it would have been obvious to use different level of scrutiny/security depends on situation.
Varghese teaches the concept of using higher security for transaction in location where fraud rate is high and where user device has suspicious pattern (see paragraph 0069, 0078, 0120, 0138, 0142, “a rule may specify that where there is receipt of a request from a user device of an amount of money over a certain threshold and where the device is resides in a location, determined by the geolocation information, known for an larger than normal volume of fraudulent activity, the action to be take is to present a predetermined higher security”; also see paragraph 0149, “The selection criteria may include a plurality of usability and security factors…This can be reflected in rules specific to the service provider, or to a particular user, or to a particular transaction type”; also see paragraph 0181 for exemplary rules, which are similar to fraud factors in the present claims).  
It would have been It would have been obvious to one of ordinary skill in the art at the time of invention to modify Binn with teaching from Varghese to include wherein the accuracy of the risk score is based on a number of indicators considered in the analysis and the number of indicators considered is determined based on the payment instruction, the client providing the payment instruction, and a geographic location for the payment instruction.  The modification would have been obvious, because it is merely applying a known technique (i.e. consider higher number of indicators when transaction takes place in higher risk geolocation) to a known system (i.e. cyber fraud detection system) ready to provide predictable result (i.e. balance between risk detection accuracy and detection cost/processing time).
The combination of Binns, Varghese, Srivastava, Zeppenfeld and Barnhardt does not explicitly teach apply logic rules to determine look alike domain names by comparing one or more registered domain names to a list of known legitimate domain names; collect, to the extent not protected by a privacy shield, associated information relevant to each look alike domain name registration comprising a registration entity, when the registration was made, and geographic location of the registration; determine if each look alike domain name registration is fraudulent, the determination depending at least in part on the associated information for each look alike domain name registration; apply the look alike domain registrations as one of the plurality of cyber fraud indicators to the business email compromise attack against the client prior to the legitimate payment instruction, and by applying the look alike domain name as one of the plurality of cyber fraud indicators.
Nagashima teaches apply logic rules to determine look alike domain names by comparing one or more registered domain names to a list of known legitimate domain names;
See page 1 – “As a second option, Whole Security, headquartered in Austin, Texas, USA, announced a phishing prevention program. According to a published article, the program analyzed the web address, recently registered URLs and domain names that could lead to fraudulent sites, operators using free web hosting services, etc.”
See page 19 – “The invention of the present application comprises a company domain information registration center established to operate a phishing prevention system and registers company domain information by a computer, and an information processing device capable of information processing of preprocessing and operation processing, and a preprocessing step In the case of a registered company, a company that has been identified by a digital certificate or the like as a genuine company is registered as a white company , and at the same time, all domain names of the registered white companies are registered. In the operation process, the received mail or web information is compared with the registered domain information, and the “spoofing degree” or “spoofed site” is evaluated and judged by a judgment algorithm from the viewpoint of multiple checks. and, to display the "impersonation of" the "bogus site", to prevent the phishing scams To provide a phishing fraud prevention system to butterflies.”
“The invention of the present application enables identity verification even by using a domain registration information search service provided by a supplementary institution in the pre-processing step as the identity verification method. More specifically, at least as a supplemental domain registration information search service, Antiquary license approval notification information as stipulated in Article 8-2 of the Antiquarian Business Law, which has been delivered to the prefectural public safety committees nationwide, the registered copy information of the company, and electronic certification registry information from the Civil Legal Affairs Association website, A phishing prevention system including all services of JPNIC information, JPRS information, and other public institution information.”
“In the present invention, when verifying the identity in the pre-processing step, the recognition pattern of the judgment standard is checked with the company name and the domain name as a pair pattern to check whether or not it is registered. A phishing anti-phishing system with a pair of company name and IP address is provided.”
“The present invention includes check processing software that uses a proxy POP method so that mail determination processing can be performed in operation processing. This mail determination processing includes registration domain / address check, blacklist domain / address check, SMTP and FROM address check, country Domain and time domain zone check, HTML mail anchor check, phishing prevention system including URL check, and domain registration information provided by a supplementary organization when domain information to be attached to received mail does not exist in the registered domain information A search system is used to provide an anti-phishing system that enables e-mail determination.”
“The invention of the present application is provided with check processing software that adopts a plug-in method so that a website determination process can be performed in the operation process. This website determination process is a supplementary registration such as registration domain / address check, JPRS / Public Safety Commission, etc. Phishing fraud prevention system including domain check, blacklist domain / address check, and domain registration information provided by a supplementary institution when domain information such as HP domain name does not exist in the registered domain information Providing a phishing prevention system that makes it possible to determine websites using search services.”
See page 37 - “The present invention determines whether the mail is true or false based on the coincidence with the domain name or IP address of the authentic company recorded in the authentication center if the domain name or IP address of the mail header information matches in the previous section. And providing a phishing prevention system including a method of displaying a warning to a mail recipient if false.”
collect, to the extent not protected by a privacy shield, associated information relevant to each look alike domain name registration comprising a registration entity, when the registration was made, and geographic location of the registration;
See page 2 - “Each time the client software accesses the Web server, it checks whether it is compatible with PhishWall by referring to the database, and if it is a compatible server, it notifies on the screen. When the user instructs the client software to register the Web server, the registration certificate is acquired from the Web server. From the next access, use this certificate to check whether it is a fake site. The client software adds a toolbar to the Web browser (1.0 Internet Explorer only). The toolbar has a part that displays the safety of the site in three colors, a part that displays the domain information of the Web site, and a part that displays the country information of the domain name with a national flag. The three colors for identifying safety indicate that red is a site that does not match the registration information, yellow is a PhishWall-compatible but unregistered site, and blue is a PhishWall-compatible registered site.”
See page 6 - “The company domain information registration center 30 has a company name (declares Japanese and English trade names), domain name (multiple registrations are possible: all domain names used by companies), and public safety committee antiquarian (such as online auctions) license number. , Representative name, address (including zip code), phone number, date of establishment, presence / absence of registration with JPRS (Japan Registry Service Co., Ltd.), electronic certificate with electronic signature, pre-registration of company including registered copy Each database in which information of content 31 is recorded and stored, and domain information for each registered company includes registration ID, password, company name, domain name, Public Safety Commission / authorization number, telephone number, postal code, address, etc. Corporate domain information Each database recorded and accumulated including domain information 21 consisting of the connection URL of the registration center is provided. In addition, the corporate domain information registration center 30 is connected to each prefectural public safety committee 40, the civil legal association 41, the electronic certification registry office 42, the Japan Network Information Center (JPNIC) and the Japan Registry Service 43. The websites of each prefectural public safety committee 40, civil legal association 41, electronic certification registry office 42, Japan Network Information Center and Japan Registry Service 43, etc. Connected to 42 and 43, respectively. As a result, the above-mentioned database is stored in the corporate domain information registration center 30 as the license information 35 from the prefectural public safety committee website 40 as the public security committee license information 35 through the linked URL 34 and as the domain information 36 such as JPRS. Similarly, registered copy information from the civil legal association homepage 41, electronic certification registration information from the electronic certification registry 42, and domain registration from the Japan Network Information Center, Japan Registry Services Co., Ltd. homepage 43 Each information can be recorded and accumulated in the corporate domain information registration center 30. At that time, the company domain information registration center 30 can be searched with public institutions such as the prefectural public safety committees 40 via the Internet.”
See page 42 – “In addition, as another method in the identity verification S2, one is to check whether or not the registered company copy of the registered company can be searched online from the registration information providing center provided by the Civil Legal Affairs Association 41 (FIG. 1). Yes, also in this case, a copy is recorded when it is confirmed by a search. In some areas that do not support the Internet, scan the registered copy presented by the filing company and record the result of digital conversion. Further, in the case of a company that does not have an electronic certificate attached to the determination of the presence or absence of the electronic certificate in S22 and does not support the electronic certificate, this is a processing method that temporarily takes the following method. . (A) It is checked whether the same company name and domain name pair is registered in JPRS. Complete identity verification when registered as a company name and domain name pair. In JPRS, if a corporation is registered at the time of registration, registration confirmation is performed and registration can be omitted. Similarly, it may be confirmed whether or not it is registered in the antiquarian merchant notification company information (company name, URL, permission number, etc.) in the Public Safety Commission notification. (B) A confirmation document will be mailed to the company location (provided that it matches the registered copy address) and the arrival will be confirmed. In this case, a company that does not match the registered copy address is not a genuine company. Then, the registration is rejected, the rejection is notified, and the declaration content of the company is registered in the declaration rejection information. (C) In addition, identity verification can be performed by telephone to the company. (D) After the confirmations in (b) and (c) above, if further strictness is required, other necessary procedures such as comp.”
See page 44 - “In SMTP and FROM address check M66, if both the domain name of the mail address and the SMTP and FROM address related to the registered domain information do not match, 50 points are deducted from the evaluation point. Then, the process proceeds to the country domain for checking the coincidence of the next country domain name corresponding TIMEZONE and the TIMEZONE check M67.”
determine if each look alike domain name registration is fraudulent, the determination depending at least in part on the associated information for each look alike domain name registration;
See page 12 - “The above is totaled from the stage evaluation of the mail, and the mail is determined as follows from the total score. 50 points or more are OK. 20 points or more and less than 50 points are "substantially OK", -10 points or more and less than 0 points are "needed to judge", and the risk is 10%. -26 points or more-Less than 10 points are "Caution" and the risk is 30%. -50 points or more and less than -26 points are "suspicious" and the risk is 50%. -Less than 50 points is "false", the risk is 100%. Based on the determination from the total score, the certificate authority server executes the following processing. (1) The risk level of 50% or higher is recorded on the black list. (2) The degree of risk less than 50% to 30% or more is recorded on the warning HP. (3) Search for relevant homepages with a risk level of 50% or higher, record (including search date, search (start / end) time), and store. This search and record storage is a record storage for certifying at a later date from when to when the corresponding home page existed. Therefore, once a home page is blacklisted, it is automatically searched at least once a day and repeated until it cannot be searched. Therefore, it becomes the end date / time in which the date / time that could be searched before the search became impossible. The certification authority reports information that is determined to be “suspicious” (having a risk of 50% or more) and stored in the blacklist database to the authentic company. In addition, in the mail determination algorithm, “mail safety” is determined by passing filtering elements in parallel, not by stepwise distribution. The above-mentioned risk level is displayed on the terminal. The present invention check processing software has a learning function based on user judgment and distribution. Suspicious emails are reported to the certificate authority server so that the certificate authority server creates a new blacklist.
See page 37 - “The present invention determines whether the mail is true or false based on the coincidence with the domain name or IP address of the authentic company recorded in the authentication center if the domain name or IP address of the mail header information matches in the previous section. And providing a phishing prevention system including a method of displaying a warning to a mail recipient if false.”
apply the look alike domain registrations as one of the plurality of cyber fraud indicators to the business email compromise attack against the client prior to the legitimate payment instruction, and by applying the look alike domain name as one of the plurality of cyber fraud indicators.
See page 2 - “Each time the client software accesses the Web server, it checks whether it is compatible with PhishWall by referring to the database, and if it is a compatible server, it notifies on the screen. When the user instructs the client software to register the Web server, the registration certificate is acquired from the Web server. From the next access, use this certificate to check whether it is a fake site. The client software adds a toolbar to the Web browser (1.0 Internet Explorer only). The toolbar has a part that displays the safety of the site in three colors, a part that displays the domain information of the Web site, and a part that displays the country information of the domain name with a national flag. The three colors for identifying safety indicate that red is a site that does not match the registration information, yellow is a PhishWall-compatible but unregistered site, and blue is a PhishWall-compatible registered site.”
See page 12 - “The above is totaled from the stage evaluation of the mail, and the mail is determined as follows from the total score. 50 points or more are OK. 20 points or more and less than 50 points are "substantially OK", -10 points or more and less than 0 points are "needed to judge", and the risk is 10%. -26 points or more-Less than 10 points are "Caution" and the risk is 30%. -50 points or more and less than -26 points are "suspicious" and the risk is 50%. -Less than 50 points is "false", the risk is 100%. Based on the determination from the total score, the certificate authority server executes the following processing. (1) The risk level of 50% or higher is recorded on the black list. (2) The degree of risk less than 50% to 30% or more is recorded on the warning HP. (3) Search for relevant homepages with a risk level of 50% or higher, record (including search date, search (start / end) time), and store. This search and record storage is a record storage for certifying at a later date from when to when the corresponding home page existed. Therefore, once a home page is blacklisted, it is automatically searched at least once a day and repeated until it cannot be searched. Therefore, it becomes the end date / time in which the date / time that could be searched before the search became impossible. The certification authority reports information that is determined to be “suspicious” (having a risk of 50% or more) and stored in the blacklist database to the authentic company. In addition, in the mail determination algorithm, “mail safety” is determined by passing filtering elements in parallel, not by stepwise distribution. The above-mentioned risk level is displayed on the terminal. The present invention check processing software has a learning function based on user judgment and distribution. Suspicious emails are reported to the certificate authority server so that the certificate authority server creates a new blacklist.
See page 18, “As mentioned above, online fraud has increased dramatically in recent years while online transactions have increased dramatically. Specifically, a person who performs the fraud creates a homepage (hereinafter abbreviated as HP) that looks exactly like a famous company in advance. This spoofing HP may be created as “chimachi” in a similar manner, but most of them find the target HP through the Internet. Next, the searched target HP is recorded on its own computer by “save it with a name”. Thereafter, the stored HP is tampered with at will, and the spoofed HP is completed by launching it on the server intended by the fraudster. Due to recent technological innovation, the spoofed HP can be searched for several hours later by a general search engine “Google, Yahoo, etc.”. Furthermore, when a general user searches for a keyword by a general user, a fraudster also makes full use of a technology that can display “spoofed HP” before the genuine HP and at the top of the search result. The searcher does not realize that it is a fake HP and tells the other party important confidential information (bank account number, personal identification number, date of birth, card number, password, etc.). When you notice it is a later festival. This is the first phishing scam. Next, scammers steal a large amount of confidential information more skillfully in a short time by skillfully guiding them to the HP, which has been skillfully recreated. Specifically, a fake HP URL is included in the text that includes information that the other party jumps on (such as winning big money, hitting a popular product, lending to the first person at 0% interest rate, meeting a famous talent, etc.) Paste and email a lot. One person should be caught by 1000 people. Using the information stolen in this way, the person can be impersonated and withdraw the deposit in an instant. Also, fraud such as buying in a short time with a credit card is performed. Until now, such scams have rarely occurred. In recent years, it has occurred frequently in the United States, and recently, many aspects have been reported in Japan. If this is the case, it is clear that such scams are rampant, and the safety of online transactions will be shaken and the number of victims will increase. Accordingly, provision of the present invention is awaited.”
determine whether a requesting domain name associated with the received legitimate payment instruction from the client has been potentially compromised.
See page 19 – “The invention of the present application comprises a company domain information registration center established to operate a phishing prevention system and registers company domain information by a computer, and an information processing device capable of information processing of preprocessing and operation processing, and a preprocessing step In the case of a registered company, a company that has been identified by a digital certificate or the like as a genuine company is registered as a white company , and at the same time, all domain names of the registered white companies are registered. In the operation process, the received mail or web information is compared with the registered domain information, and the “spoofing degree” or “spoofed site” is evaluated and judged by a judgment algorithm from the viewpoint of multiple checks. and, to display the "impersonation of" the "bogus site", to prevent the phishing scams To provide a phishing fraud prevention system to butterflies.
It would have been obvious to one of ordinary skill in the art at the time of invention modify the combination of Binns, Varghese, Srivastava, Zeppenfeld and Barnhardt with teaching from Nagashima to include apply logic rules to determine look alike domain names by comparing one or more registered domain names to a list of known legitimate domain names; collect, to the extent not protected by a privacy shield, associated information relevant to each look alike domain name registration comprising a registration entity, when the registration was made, and geographic location of the registration; determine if each look alike domain name registration is fraudulent, the determination depending at least in part on the associated information for each look alike domain name registration; apply the look alike domain registrations as one of the plurality of cyber fraud indicators to the business email compromise attack against the client prior to the legitimate payment instruction, and by applying the look alike domain name as one of the plurality of cyber fraud indicators, and determine whether a requesting domain name associated with the received legitimate payment instruction from the client has been potentially compromised.  The modification would have been obvious, because it is merely applying a known technique (i.e. checking look alike domain against registered domain to determine whether the look alike domain is fraudulent) to a known system (i.e. cyber fraud detection system) ready to provide predictable result (i.e. detect look alike domain fraud).
As per claim 2 and 12, Binn teaches wherein the one or more cyber fraud indicators comprise an originating IP address (see paragraph 0052).
As per claim 3 and 13, Binn does not teach wherein the one or more cyber fraud indicators comprise malware indicators.
Srivastava teaches cyber fraud indicators comprise malware indicators (see paragraph 0019-0020, 0023, 0030, 0032, 0037-0038, 0051, and 0054-0055, prior art teaches comparing IP address against a database of previously archived malicious domain names, malwares, and IP addresses).
It would have been obvious to one of ordinary skill in the art at the time of invention to modify Binn with teaching from Srivastava to include cyber fraud indicators comprise malware indicator.  The modification would have been obvious, because it is merely applying a known technique (i.e. including malware indicator as fraud indicator) to a known system (i.e. cyber fraud detection system) ready to provide predictable result (i.e. improve accuracy for risk scoring).
As per claim 4 and 14, Binn does not teach wherein the one or more cyber fraud indicators comprise look alike domain names.
Srivastava teaches cyber fraud indicators comprise look alike domain names (see paragraph 0042-0049, prior art teach look alike domain “constructed to fraudulently pose as other, legitimate websites”).
It would have been obvious to one of ordinary skill in the art at the time of invention to modify Binn with teaching from Srivastava to include cyber fraud indicators comprise look alike domain names.  The modification would have been obvious, because it is merely applying a known technique (i.e. including domain name as fraud indicator) to a known system (i.e. cyber fraud detection system) ready to provide predictable result (i.e. improve accuracy for risk scoring).
As per claim 6 and 16, Binn teaches an interactive user interface that enables the client to view the risk score and determine a payment action in response (see paragraph 0075-0076).
As per claim 7 and 17, Binn does not explicitly teach wherein the computer processor is further programmed to: apply learning analytics from a first user of the client to a second user of the client.
Barnhardt teaches apply learning analytics from a first user of the client to a second user of the client (see paragraph 0051, machine learning can be apply to data of any client).
It would have been obvious to one of ordinary skill in the art at the time of invention to modify Binn with teaching from Barnhardt to include apply learning analytics from a first user of the client to a second user of the client.  The modification would have been obvious, because it is merely applying a known technique (i.e. applying machine learning to data of different users) to a known system (i.e. cyber fraud detection system) ready to provide predictable result (i.e. provide service to more users).
As per claim 8 and 18, Binn does not explicitly teach wherein the computer processor is further programmed to: apply learning analytics from a first user of the client to a second user of a second client different from the client.
Barnhardt teaches apply learning analytics from a first user of the client to a second user of a second client different from the client (see paragraph 0051, machine learning can be apply to data of any client).
It would have been obvious to one of ordinary skill in the art at the time of invention to modify Binn with teaching from Barnhardt to include apply learning analytics from a first user of the client to a second user of a second client different from the client.  The modification would have been obvious, because it is merely applying a known technique (i.e. applying machine learning to data of different users) to a known system (i.e. cyber fraud detection system) ready to provide predictable result (i.e. provide service to more users).
As per claim 9 and 19, Binn does not explicitly teach wherein the payment instruction further comprises a request for access to client sensitive information.
Barnhardt teaches a request for access to client sensitive information (see paragraph 0028, 0035, 0045, and 0054 prior art teaches accessing client’s social security number, which is considered sensitive information).
It would have been obvious to one of ordinary skill in the art at the time of invention to modify Binn with teaching from Barnhardt to include a request for access to client sensitive information.  The modification would have been obvious, because it is merely applying a known technique (i.e. accessing sensitive information) to a known system (i.e. cyber fraud detection system) ready to provide predictable result (i.e. improve fraud detection accuracy).
As per claim 10 and 20, Binn teaches wherein the computer processor is further programmed to leverage a separate and distinct risk score generated based on beneficiary account data elements (see paragraph 0060 and 0065).

Response to Remarks
In the response filed on 04/19/2022, Applicant amended independent claims 1 and 11 by adding a few limitations related to look alike domain.  Examiner cites a new prior art Nagashima (JP-2006285844-A) to address the added limitations.  Updated rejection is provided in this Office Action.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HAO FU whose telephone number is (571)270-3441.  The examiner can normally be reached on 9:00 AM - 6:00 PM PST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Christine Behncke can be reached on (571) 272-8103.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/HAO FU/Primary Examiner, Art Unit 3697                                                                                                                                                                                                        
MAY-2022