13 April 2026

Determining Personalized Content To Be Inserted Into A Phishing Document Template: Non-technical

Bardehle Pagenberg

Contributor

BARDEHLE PAGENBERG combines the expertise of attorneys-at-law and patent attorneys. As one of the largest IP firms in Europe, BARDEHLE PAGENBERG advises in all fields of Intellectual Property, including all procedures before the patent and trademark offices as well as litigation before the courts through all instances.

The application underlying the discussed decision concerns a method for the automated creation of personalized phishing documents, intended for corporate security awareness training, that uses two separate databases and a hierarchical matching process to select tailored content for a target person. The central features at issue were the hierarchically organized property database with associated relevance values and the multi-step selection process (features M3 to M13) for determining suitable personalized content to be inserted into a phishing document template. The Board considered these features to be non-technical, characterizing them as a “business method” for selecting cognitive content aimed at psychologically deceiving the document recipient.

Here are the practical takeaways from the decision: T 1908/23 (Personalisiertes Phishing-Dokument/IT-SEAL) of 17 September 2025, of the Technical Board of Appeal 3.5.05.

Key takeaways

A hierarchical database structure and relevance-value-based matching process used to select personalized cognitive content for phishing simulation documents constitutes a non-technical “business method” under the COMVIK approach (T 641/00). The mere use of technically undefined database structures and parameter comparisons does not establish a technical contribution sufficient for inventive step when the underlying purpose is selecting psychologically effective content for a human recipient.

The invention

The Board of Appeal summarized the invention as follows:

The invention relates to a method for the automated creation of phishing documents that are personalized to a specific target person, primarily for use in corporate security awareness training. Personal data of the target person is stored in a personal database, while anonymous and categorizable personal properties of any number of persons are stored in a separate, hierarchically organized property database. Each property in the property database is assigned a relevance value. The method performs an automated comparison to check whether any of the target person’s properties (called “correspondence properties”) are hierarchically subordinate to a phishing-document-specific default property. If so, the subordinate correspondence property becomes a “creation property.” In a subsequent creation step, the system checks whether the relevance value of the creation property matches a predefined target relevance value. If it matches, the creation property is used directly as a “preparation property” for the phishing document. If it does not match, a hierarchically superior property whose relevance value does match is selected instead, ensuring that a personalized term is always available. The phishing document is then generated based on a template document using the selected preparation property. For example, if a person is associated with “TU Darmstadt” but the template requires a more general term, the system would traverse the hierarchy upward and select “University” instead.

Main Request - Claim 1 of the patent as granted (translation)

A method for the automated creation of a phishing document (5) directed at a predefined person,

wherein personal data of the person is stored in a personal database (4),

wherein anonymous and categorizable personal properties (2) of any number of persons are stored in a hierarchically organized property database (1),

wherein a relevance value (3) is assigned to each personal property (2),

wherein at least one property of the person contained in the personal data has a correspondence in the property database (1),

wherein said correspondence forms a correspondence property in each case,

wherein in a checking step (6), by means of an automated comparison of the correspondence properties and the personal properties (2) stored in the property database, it is checked whether one of the correspondence properties is hierarchically subordinate to a phishing-document-specific default personal property,

wherein said subordinate correspondence property forms a creation property,

wherein the phishing document (5) is created in a subsequent creation step (7) on the basis of the creation property, if said requirement is met,

wherein in the creation step it is checked whether the relevance value (3) of the creation property corresponds to a predefined target relevance value,

wherein the creation property is selected as a preparation property and is used for preparing the phishing document (5) if the assigned relevance value (3) corresponds to the target relevance value,

wherein a personal property (2) arranged hierarchically above the creation property, the relevance value (3) of which corresponds to the target relevance value, is selected as a preparation property and is used for preparing the phishing document (5) if the relevance value (3) assigned to the creation property does not correspond to the target relevance value,

and wherein, after the determination of the preparation property, the phishing document (5) is created on the basis of a predefined template document using the preparation property.

Is it patentable?

The Opposition Division’s position

The Opposition Division revoked the patent for lack of inventive step under Article 56 EPC. Starting from D1 (US 2015/0288717 A1), which already disclosed a method for the automated creation of phishing documents directed at specific persons, the Opposition Division found that the distinguishing features M3 to M13 merely represented a modification of the underlying “business method” of D1’s system. In particular, the hierarchically organized property database, the relevance values, and the multi-step property selection and matching process were considered to define a non-technical content-selection strategy rather than a technical improvement. Since the remaining technical implementation was deemed obvious, the patent was revoked.

The Appellant’s arguments

The patent proprietor (Appellant) argued that the distinguishing features should not be dismissed as merely non-technical. In particular, the Appellant contended that:

  1. Feature M2 (the personal database) must not be considered in isolation from feature M3 (the hierarchically organized property database), because the use of two databases with different structures was driven by technical considerations. Personal data such as names and affiliations cannot be hierarchically organized, necessitating a separate personal database, whereas the property database benefits from hierarchical organization for efficient automated matching.
  2. From a purely non-technical perspective, there would be no advantage in using two databases; the two-database architecture therefore reflects a technical design choice aimed at enabling “simple and efficient determination of creation properties.”
  3. The hierarchical tree structure (e.g., “professional affiliation – University – TU Darmstadt”) ensures that a solution for adapting the template document is always found, even without a highly relevant direct match. If, for example, “TU Darmstadt” does not match with sufficient relevance, the system traverses the hierarchy upward to select “University” instead, guaranteeing that personalized content is always available.

The Board’s analysis

The Board dismissed the appeal and confirmed the revocation. Its reasoning was as follows:

  1. D1 already discloses a method for the automated creation of personalized phishing documents (feature M1). D1’s paragraph [0070] mentions that the internet provides an easy way to collect information about target persons and that data collection can be automated. A “personal database” is neither mentioned nor strictly necessary in D1, but the Board considered this immaterial given the overall assessment.
  2. Even assuming that all of features M2 through M13 are distinguishing features over D1, the Board found that claim 1 follows a prescribed “business method” concerned with selecting the cognitive, i.e., non-technical, content for a personalized phishing document. The purpose is to psychologically deceive the recipient into trusting the document, thereby training personnel against real phishing attacks. Whether a recipient perceives the term “University” as more trustworthy than “TU Darmstadt” is a matter of human cognition, not technology.
  3. The Board held that abstract, technically undefined units such as a “personal database,” a “hierarchically organized property database,” “relevance values,” and various types of “properties” (correspondence, creation, preparation) cannot credibly lead to “simple and efficient” data determination or “high-quality” phishing documents based on their cognitive content. The claim does not specify what technical effect the hierarchical organization has on the method steps or how the hierarchy is technically structured (e.g., no tree structure is actually claimed).
  4. Applying the COMVIK approach (T 641/00, headnote II), the Board concluded that the objective technical problem is merely to implement the above-defined business method in a technically efficient manner.
  5. Starting from this objective problem, it would be a routine measure for the skilled person in digital security technology to use some form of property matching with relevance values stored in a (separate, hierarchical) property database. Hierarchical databases as such were common general knowledge at the relevant date, which the Appellant did not dispute. Likewise, comparing a computed relevance value against a target value and selecting either the matched property or a hierarchically superior one is a straightforward implementation choice.
  6. The Board further noted that the alternative problem formulation proposed by the Appellant during the oral proceedings, namely ensuring that at least one personal property is always available for template customization, would have given the skilled person even more reason to arrive at the claimed solution.

Conclusion

The Board confirmed the Opposition Division’s revocation of the patent. The features distinguishing the claimed method from D1 were found to define a non-technical “business method” for selecting personalized cognitive content for phishing training documents. Under the COMVIK approach, these non-technical aspects were excluded from the inventive step assessment. The remaining technical implementation, including the use of hierarchical databases and relevance-value comparisons, was considered a routine measure within the skill of the ordinary practitioner. Consequently, the claimed invention lacked inventive step under Article 56 EPC, and the appeal was dismissed.

More information

You can read the full decision here: T 1908/23 (Personalisiertes Phishing-Dokument/IT-SEAL) of 17 September 2025, of the Technical Board of Appeal 3.5.05.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
