glossary

The Rythm glossary. The terms, defined.

Rythm is a dual-layer deterministic email filter for Gmail and Outlook, powered by the Cashu ecash protocol over the Lightning Network. If any of those words are new, this page defines them all in plain English. Over a hundred terms across email security, infrastructure, payments, privacy, compliance, and the vocabulary of Rythm itself.

category 01

rythm core terms

The vocabulary of an email paywall: how the bouncer works, what the labels mean, where the money goes.

Email paywall

A deterministic filter that requires unknown senders to pay a small Cover charge to reach the inbox. Rythm is an email paywall for Gmail and Outlook.

Example: A new contact emailing you for the first time pays about four cents to land in your inbox. Subsequent emails from them are auto-approved on your guest list.

Related: Cover charge, Guest list, Dual-layer deterministic filter · See also: How it works, Best email paywall for Gmail

Dual-layer deterministic filter

Rythm's filtering architecture: Layer 1 is identity (the Guest list); Layer 2 is cost (the Cover charge). Both are user-controlled. Binary logic, no guessing.

Example: A known sender walks in free (Layer 1). An unknown sender pays the cover or waits in line (Layer 2).

Related: Guest list, Cover charge, Deterministic filtering · See also: How it works, Best deterministic email filter

Guest list

Your personal list of approved senders. Built once at signup from a one-time auto-scan of your contacts, sent folder, starred messages, and inbox frequency. Adapts continuously after that based on your email actions (replying, starring, marking as important, or rescuing a held message). Always editable by you.

Example: You reply to a new sender once. They are now on your guest list and walk in free for every future email.

Related: Cover charge, Waiting room, Sender reputation · See also: How it works

Cover charge

The small payment an unknown sender pays to reach your inbox. You set the amount (default about four cents). The payment settles directly to your wallet.

Example: A salesperson cold-emailing you pays four cents. The four cents lands in your Lightning wallet within seconds. The email lands in your inbox.

Related: Guest list, Cashu token, Lightning Network · See also: Pricing, How it works

Managed allow list

A small, curated list of high-importance, low-velocity domains (a handful of major banks, court eFiling systems, the IRS and other government domains, shipping carriers) that Rythm allows through without a cover charge, with DKIM verification on every message. Distinct from your personal Guest list. Intentionally short. Not a blanket pass-through for every transactional or 2FA email.

Example: A wire-instruction email from a major bank or an IRS notice arrives unrecognized. The managed allow list lets it through after DKIM verifies the domain is authentic.

Related: Guest list, DKIM, Domain impersonation · See also: Security

Waiting room

The plain-English name for the RYTHM: REJECTED folder. Where unknown senders sit if they did not pay. Nothing is deleted. You can rescue any message with one click, which adds the sender to your Guest list forever.

Example: You glance at the waiting room once a week, rescue two real messages, and ignore the rest.

Related: RYTHM: REJECTED, Guest list, Bounce-back · See also: How it works

RYTHM: PAID

The Gmail or Outlook label applied to emails from unknown senders who paid the cover charge.

Example: You see RYTHM: PAID on a cold email and instantly know the sender put four cents on the line.

Related: RYTHM: REJECTED, Cover charge, Paid label

RYTHM: REJECTED

The label applied to emails from unknown senders who did not pay. Nothing is deleted; think of it as a waiting room.

Example: A bot blasting your inbox with cold spam ends up in RYTHM: REJECTED. You skim the folder once a week.

Related: Waiting room, Bounce-back, Rejection notice

Rejection notice

The polite reply Rythm sends to an unknown sender from notify@mail.rythm.xyz explaining how to pay the cover charge. Customizable in your dashboard. Rate-limited and never sent to obvious automated or transactional addresses.

Example: A new sender gets a one-line reply with a payment link. They pay or move on. Either way, your inbox stays calm.

Related: Bounce-back, Waiting room, RYTHM: REJECTED · See also: How it works

Bounce-back

The auto-reply an unknown sender sees when they hit your paywall. Sent from notify@mail.rythm.xyz. Tells them the cover-charge amount and how to pay.

Related: Rejection notice, Waiting room

Deterministic filtering

A filtering approach where the decision is binary and rule-based: the sender is either on your list, or has paid the cover, or is held. No probability score, no machine-learning guess. Compare to Probabilistic filtering.

Example: A spam filter that "guesses" with 90% confidence is probabilistic. Rythm is deterministic: known sender, paid, or held.

Related: Probabilistic filtering, Dual-layer deterministic filter · See also: Best deterministic email filter

Probabilistic filtering

Filtering that scores a message based on patterns and assigns a likelihood that it is spam. Most modern spam filters (Gmail native, SaneBox, Microsoft Defender) work this way. Better content beats the score.

Example: A well-written cold email that mimics a legitimate vendor passes the score and lands in your inbox.

Related: Deterministic filtering, Sender reputation

Fail-open

A design principle: if the protection layer breaks, email delivers normally. You never miss a message because of Rythm.

Example: If a Rythm Lambda crashes mid-process, the email is left in your inbox rather than held. Fail-open means delivery is the safe default.

Related: Non-custodial, In-memory processing · See also: Security

Non-custodial

Rythm never holds your money or your email content. Payments flow directly from sender to your Lightning wallet. Content is scanned in-memory and discarded in milliseconds.

Example: A sender pays. The token verifies. The sats land in your Lightning wallet. Rythm is never in the money path.

Related: Cashu, Lightning Network, In-memory processing · See also: Security, Best non-custodial inbox protection

Safety buffer

A small amount set aside from each payment to cover Lightning routing fees. Any unused buffer becomes 'keep the change' revenue for Rythm.

Related: Routing fee, Lightning Network

In-memory processing

Email content and payment tokens are read into a Lambda process, scanned for one thing, and discarded when the function exits. Nothing is written to a database, log, or disk.

Related: Non-custodial, Token detection · See also: Security

Economic email filtering

A category of email filtering where unknown senders must put real money on the line to reach the inbox. Orthogonal to content-based filters. Rythm is the first email paywall for mainstream Gmail and Outlook users in this category.

Related: Email paywall, Cover charge

Token detection

The step in Rythm where the email body is parsed for a valid Cashu token. If found, the token is verified and melted to your wallet. If not, the message is held for review.

Related: Cashu token, Melt, In-memory processing

category 02

email security fundamentals

The threat landscape Rythm intercepts. Most of these attacks rely on either content quality or volume. Both collapse against an economic gate.

Account takeover

An attack where the attacker gains access to a real email account (via phishing, credential stuffing, or session theft) and uses it to send malicious mail from inside. Often called ATO.

Example: An attacker compromises a vendor inbox, then emails the vendor's clients with new wire instructions. The mail passes SPF, DKIM, and DMARC because it really is from the vendor.

Related: BEC, Credential stuffing, Vendor email compromise · See also: BEC protection

BEC

Business Email Compromise. A phishing attack where the attacker impersonates a known contact (CEO, vendor, lawyer) to redirect payment, steal data, or harvest credentials. Average cost per incident is around $125,000. Rythm's economic gate makes mass BEC attempts financially infeasible.

Example: An attacker spoofs your CFO and emails accounts payable with new wire instructions. A successful BEC averages a six-figure loss.

Related: CEO fraud, Vendor email compromise, Wire fraud · See also: BEC protection

CEO fraud

A BEC variant where the attacker impersonates an executive and pressures a junior employee to act fast. Often a wire transfer, gift cards, or credentials.

Example: A new finance hire gets an urgent email from "the CEO" asking them to buy gift cards for a client. The email is a forgery.

Related: BEC, Whaling, Domain impersonation

Vendor email compromise

A BEC variant where the attacker takes over a vendor's mailbox and emails the vendor's clients with new payment instructions. Hard to catch because the email is authentic at the protocol level.

Example: Your contractor's email account is compromised. The attacker emails you a "new" bank account for the next invoice.

Related: BEC, Account takeover, Wire fraud

Phishing

Any attack that tricks you into giving up credentials, money, or data via a message. Email is the most common vector. Modern phishing is nearly indistinguishable from real correspondence.

Related: Spear phishing, Whaling, Smishing · See also: Phishing protection

Spear phishing

Phishing targeted at a specific individual, customized with personal details. Higher success rate than spray-and-pray phishing.

Example: An attacker references your real coworker and a real project, then asks you to "approve" a malicious link.

Related: Phishing, Whaling, BEC

Whaling

Spear phishing targeted at executives or high-net-worth individuals. Higher payoff if it lands.

Related: Spear phishing, CEO fraud

Smishing

Phishing over SMS. Same playbook, different channel.

Related: Phishing, Vishing, Quishing

Vishing

Phishing over voice (phone calls). The "call to verify your account" pattern.

Related: Phishing, Smishing

Quishing

Phishing using QR codes. The QR points to a credential-harvesting page. Common in printed material that asks you to scan to "verify" something.

Related: Phishing, Smishing

Phishing-as-a-Service

PhaaS. Subscription kits that let unskilled attackers run polished phishing campaigns. Lowers the cost floor for spam and BEC at scale.

Related: Phishing, BEC

Credential stuffing

Trying leaked username/password combos against many services to find re-used pairs. A common path to email account takeover.

Example: A password leaked from a 2018 forum breach gets tried against your Gmail, your Outlook, your bank. If you re-used the password, the attacker is in.

Related: Account takeover, MFA, Passkeys

Lookalike domain

A domain that looks like the real one but is not. Cyrillic letters, swapped characters, or extra hyphens. Often used to spoof brands without violating any anti-spoofing record.

Example: rytrhm.xyz, rythm-inc.com, or a Cyrillic "а" replacing the Latin "a" in a brand name.

Related: Homoglyph attack, Typosquatting, Domain impersonation · See also: Lookalike domain generator

Homoglyph attack

A spoof that uses characters that look identical but are not, often pulled from another script (Cyrillic, Greek). A subtype of Lookalike domain.

Related: Lookalike domain, Typosquatting

Typosquatting

Registering domains that match common typos of a real brand (gnail, microsft, paypall). Catches users who fat-fingered the address.

Related: Lookalike domain, Homoglyph attack

Email spoofing

Forging the sender field so an email looks like it came from someone else. Modern anti-spoofing relies on SPF, DKIM, and DMARC.

Related: SPF, DKIM, DMARC, Header forgery

Header forgery

A class of spoof where the attacker manipulates From, Reply-To, or other headers to mislead the recipient or bypass filters.

Related: Email spoofing, Reply-to attack

Reply-to attack

A spoof where the From line shows a trusted name but the Reply-To line points to the attacker. The first reply goes to the attacker, not the real contact.

Related: Header forgery, Email spoofing

Domain impersonation

Any attack that makes mail look like it came from a brand or domain it did not. Covers spoofing, lookalike domains, and display-name tricks. Distinct from Brand impersonation, which is broader.

Related: Lookalike domain, Email spoofing, Brand impersonation

Brand impersonation

An attack that mimics a brand's voice, logo, or template to deceive the recipient, regardless of the actual sending domain.

Related: Domain impersonation, Phishing

Multi-factor authentication

MFA. Adding a second proof of identity (a code, a hardware key, a biometric) on top of a password. Substantially reduces account-takeover risk.

Related: Passkeys, WebAuthn, Account takeover

Passkeys

A passwordless login standard built on public-key cryptography (WebAuthn). The site stores only your public key; the matching private key never leaves your device.

Related: MFA, WebAuthn

WebAuthn

The open W3C standard underneath passkeys and hardware security keys. Phishing-resistant by design, because the private key only signs for the original site.

Related: Passkeys, MFA

AP email scam

An attack targeted at Accounts Payable. The attacker impersonates a vendor and sends updated banking details for the next invoice. Closely related to Vendor email compromise.

Related: Vendor email compromise, BEC, Wire fraud

Wire fraud

Fraud carried out using a wire transfer, often the payout step of a successful BEC. Real-estate closings and law-firm escrow accounts are frequent targets.

Related: BEC, AP email scam · See also: Wire fraud prevention

category 03

email infrastructure

The plumbing email runs on. Rythm sits on top of these protocols, not in place of them. None of this needs to change for Rythm to work.

SPF

Sender Policy Framework. A DNS record that lists which servers are allowed to send mail for a domain. Receivers check incoming mail against the SPF record and reject mismatches.

Related: DKIM, DMARC, Email spoofing · See also: DKIM/SPF/DMARC checker

DKIM

DomainKeys Identified Mail. A cryptographic signature on every outgoing message that lets the receiver confirm the message was authorized by the sending domain and was not tampered with in transit.

Related: SPF, DMARC, Email spoofing · See also: DKIM/SPF/DMARC checker

DMARC

Domain-based Message Authentication, Reporting, and Conformance. A DNS policy that tells receivers what to do when SPF or DKIM fails (none, quarantine, reject) and where to send aggregate or forensic reports.

Related: SPF, DKIM, DMARC reports · See also: DKIM/SPF/DMARC checker

DMARC reports

Aggregate (RUA) and forensic (RUF) reports that domain owners receive about authentication results across the internet. Useful for spotting impersonation attempts.

Related: DMARC, RUA, RUF

RUA

The aggregate-report address in a DMARC record. Daily summaries of authentication results.

Related: DMARC, RUF

RUF

The forensic-report address in a DMARC record. Per-failure samples for investigation. Less commonly used than RUA.

Related: DMARC, RUA

MX record

Mail Exchanger record. The DNS entry that tells the world where to deliver mail for a domain. Changing MX is invasive. Rythm does not require an MX change.

Example: rythm.xyz points at Gmail or Outlook for delivery, the same way it did before Rythm. Rythm sits on top via OAuth, not in front via MX.

Related: SMTP, OAuth

MX rerouting

Pointing a domain's MX record to a third-party provider so all mail flows through that provider before reaching the real mailbox. Common with legacy email-security gateways. Rythm avoids this entirely.

Related: MX record, Secure Email Gateway

SMTP

Simple Mail Transfer Protocol. The protocol mail servers use to send mail to each other. Standardized in the 1980s.

Related: IMAP, POP3, TLS for email

IMAP

Internet Message Access Protocol. The protocol mail clients use to read messages from a server while leaving them on the server. Most modern clients use IMAP or a vendor API.

Related: SMTP, POP3

POP3

Post Office Protocol v3. An older retrieval protocol that downloads mail to one device and removes it from the server. Largely superseded by IMAP.

Related: IMAP, SMTP

TLS for email

Encryption between mail servers in transit. STARTTLS is the most common trigger; MTA-STS raises the bar by requiring TLS for senders.

Related: STARTTLS, MTA-STS

STARTTLS

A command that upgrades an SMTP connection to TLS mid-conversation. Opportunistic. Falls back to plaintext if either side does not support it.

Related: TLS for email, MTA-STS

MTA-STS

Mail Transfer Agent Strict Transport Security. A policy a domain publishes to require TLS for inbound mail and reject downgrade attempts.

Related: STARTTLS, TLS for email

Greylisting

An anti-spam tactic where the receiver temporarily rejects unknown senders. Real mail servers retry; many spam tools do not. Coarse, frustrating, and unrelated to Rythm's gating.

Related: Sender reputation, Bounce categories

Email gateway

A legacy concept: a server that sits in front of your mailbox at the MX layer and inspects incoming mail. Often part of a larger appliance or hosted product.

Related: Secure Email Gateway, MX rerouting

Secure Email Gateway

SEG. The category name for products like Proofpoint and Mimecast: an inbound email inspection layer at the MX record level. Sales-led, IT-deployed, and priced per user.

Related: Email gateway, MX rerouting

Sender reputation

The score mailbox providers assign to a sending domain or IP based on engagement, complaints, and authentication history. Lower reputation means more mail to spam folders or hard rejects.

Related: DMARC, Email warming

Bounce categories

Hard bounces (permanent failure, e.g. address does not exist) versus soft bounces (temporary failure, e.g. mailbox full or server error). Distinct from Rythm's Bounce-back auto-reply.

Related: Hard bounce, Soft bounce, Bounce-back

Hard bounce

A permanent delivery failure. Mailbox does not exist, domain does not exist, or the receiver permanently refused the message.

Related: Soft bounce, Bounce categories

Soft bounce

A temporary delivery failure. Mailbox full, server timeout, or transient policy. Senders typically retry.

Related: Hard bounce, Bounce categories

Email warming

The practice of slowly ramping up volume from a new sending domain or IP to build sender reputation before sending at scale. Often a sign of someone preparing to do cold outreach.

Related: Sender reputation, Cold email

Inbox placement vs delivery rate

Delivery rate measures whether the mail server accepted the message. Inbox placement measures whether it actually reached the inbox (versus the spam folder). Big senders care about the difference.

Related: Sender reputation, DMARC

Cold email

Unsolicited email to a stranger. May be legitimate sales outreach or low-effort spam. Rythm treats both the same: pay the cover or wait in line.

Related: Cover charge, Phishing, Sender reputation · See also: Best cold email blocker for Gmail

category 04

privacy and sovereignty

How Rythm thinks about your data: minimum collection, no custody, no algorithmic guardian.

Custodial

An architecture where a third party holds your funds, credentials, or content on your behalf. The opposite of Non-custodial. Crypto exchanges and most bank apps are custodial.

Related: Non-custodial

End-to-end encryption

E2EE. Encryption where only the sender and recipient hold the keys. Distinct from Non-custodial: a service can be non-custodial of funds but still see content (or vice versa). They are two different properties.

Example: Signal is end-to-end encrypted. Rythm is non-custodial. Different problems, different guarantees.

Related: Non-custodial, Forward secrecy, Zero-knowledge proof

Forward secrecy

A property where session keys are ephemeral, so a compromise of long-term keys later does not let an attacker decrypt past traffic.

Related: End-to-end encryption

Zero-knowledge proof

A cryptographic proof that a statement is true without revealing the underlying data. Powers privacy systems where you want to prove "I am authorized" without revealing who you are.

Related: Blinded signature, ecash

Metadata vs content

Metadata is the envelope (sender, recipient, time, size). Content is the message body. Many "encrypted" systems still leak metadata. Rythm is built so metadata stays minimal: we never store content, and we keep only what is required to apply the Guest list and run billing.

Related: End-to-end encryption, PII, Data minimization · See also: Security

Self-sovereign identity

A model where you (not a platform) hold the keys to your identity. Adjacent to non-custodial: the same philosophical move applied to identity rather than money.

Related: Non-custodial, Passkeys

Data minimization

A privacy principle (and GDPR requirement): collect only what you need to perform the service, and keep it only as long as required. Rythm follows this strictly: no email content, hashed PII in logs, OAuth tokens encrypted at rest with KMS.

Related: PII, GDPR, Right to be forgotten · See also: Privacy policy

Right to be forgotten

Your right under GDPR (and similar laws) to have your personal data deleted on request. Rythm honors deletion requests for stored data; email content is never stored in the first place.

Related: GDPR, Data minimization

Threat model

A specific list of attackers and attacks a system is built to defend against. Without a threat model, "secure" is a marketing word. Rythm's threat model is centered on cold outreach, AI phishing, and BEC, not nation-state interception.

Related: BEC, Phishing, Privacy by design

Privacy by design

A principle from regulator-friendly privacy frameworks: privacy is the default state, baked into the architecture, not bolted on. Rythm is non-custodial and in-memory by default.

Related: Data minimization, Non-custodial

Deniability

A property of a system that lets a user deny having sent or received a particular message. Some chat protocols are deniable by design; email is not.

Related: End-to-end encryption, Forward secrecy

category 05

compliance and audit

What auditors and regulators care about. What we have, what we do not have, and what each acronym actually means.

CASA

Cloud Application Security Assessment. Google's third-party security framework for apps that request sensitive Gmail OAuth scopes. Rythm completed a CASA Tier-2 audit with all 39 of 39 test cases passed. Distinct from SOC 2 and ISO 27001.

Related: SOC 2, ISO 27001, OAuth scope · See also: Security

SOC 2

A widely cited audit framework (American Institute of CPAs) for service organizations handling customer data. Type I attests to a snapshot in time; Type II covers a continuous period (usually 6 to 12 months).

Related: ISO 27001, CASA

ISO 27001

An international standard for information security management systems. Certification is heavier and more process-driven than SOC 2 Type II.

Related: SOC 2, CASA

BAA

Business Associate Agreement. A HIPAA-required contract between a covered entity (provider, plan) and any service that handles protected health information.

Related: HIPAA, Sub-processor

DPA

Data Processing Agreement. A GDPR-required contract between a controller (you) and a processor (us) covering how personal data is handled. Standard terms available on request.

Related: GDPR, Sub-processor

HIPAA

U.S. Health Insurance Portability and Accountability Act. Sets rules for handling protected health information. Rythm is not currently a HIPAA-covered tool; we do not sign BAA agreements at this time.

Related: BAA, PII

GDPR

EU General Data Protection Regulation. Sets rules on lawful basis, data minimization, deletion, and international transfer of personal data. Applies to anyone serving EU residents.

Related: DPA, Right to be forgotten, Data minimization

CCPA

California Consumer Privacy Act (and its successor CPRA). Grants California residents rights similar to GDPR around access, deletion, and opt-out of sale of personal data.

Related: GDPR, PII

Sub-processor

A third party a service uses to deliver part of its work (a cloud provider, a payment processor, an email infrastructure layer). Sub-processors must be disclosed under GDPR.

Related: DPA, GDPR · See also: Rythm sub-processors

PII

Personally Identifiable Information. Anything that identifies a person on its own (email, phone, government ID) or in combination (full name plus city plus employer).

Related: GDPR, CCPA, Data minimization

Data residency

Where your data physically lives. Rythm runs in AWS us-east-1. Data residency obligations vary by jurisdiction and by contract.

Related: GDPR, Sub-processor

category 06

lightning, bitcoin, cashu

The payment plumbing under Rythm. You do not need to understand any of this to use the product, but the glossary defines it for completeness.

Bitcoin

The base monetary network. Open, neutral, settles globally. Rythm does not hold Bitcoin and is not a Bitcoin product. The Lightning Network is built on top of it; Rythm rides on Lightning for the final-mile settlement of cover-charge payments.

Related: Lightning Network, Sat

Lightning Network

A payment network built on top of Bitcoin that enables fast, low-cost payments. Rythm uses Lightning for sender-to-recipient payment settlement.

Related: Bitcoin, LNURL, Cashu, Routing fee · See also: Lightning Network basics

Lightning Service Provider

LSP. A service that helps Lightning wallets open channels, manage liquidity, and route payments. Most consumer Lightning wallets rely on an LSP under the hood.

Related: Lightning Network, Lightning channel

Lightning channel

A two-party payment channel between Lightning nodes that lets the two sides settle off-chain payments instantly. The base unit of Lightning routing.

Related: Lightning Network, HTLC, Routing fee

Routing fee

A small fee Lightning nodes charge to forward a payment along a multi-hop route. Usually fractions of a cent. Rythm covers routing fees from the safety buffer.

Related: Safety buffer, Lightning Network, HTLC

HTLC

Hashed Timelock Contract. The cryptographic primitive that lets a Lightning payment hop multiple nodes and either succeed atomically or refund cleanly.

Related: Lightning channel, Lightning Network

Sat

Satoshi. The smallest unit of Bitcoin. 100 million sats equals 1 BTC. A typical Rythm cover charge is on the order of 50 to 200 sats.

Related: Bitcoin, Cover charge

Cashu

An open ecash protocol built on top of the Lightning Network. A Cashu token is cryptographic proof that a payment was made.

Related: ecash, Mint, Cashu token · See also: Cashu protocol basics

Cashu protocol

The technical specification for Cashu. Defines mint operations (issue, swap, melt), token formats (V3 cashuA, V4 cashuB), and the blinded-signature scheme that makes payments private.

Related: Cashu, Mint, Bearer token, Blinded signature · See also: Cashu protocol basics

ecash

A form of digital cash that uses blinded signatures, so payments can move between two parties without the issuer knowing who transacted. Rythm uses ecash for privacy-preserving payment verification.

Related: Blinded signature, Cashu

Mint

A public issuer of Cashu token instances. The mint holds the backing Lightning funds; users hold only the blinded-signature tokens. Senders fund tokens by paying the mint over Lightning.

Related: Cashu, Cashu token, Melt

Cashu token

A cryptographic proof that a payment was made to a Mint. Transferable, redeemable, privacy-preserving. Rythm validates tokens and melts them instantly.

Related: Mint, Melt, Bearer token

Bearer token

A token where possession is the proof of ownership. Whoever holds the token can spend it. Cashu tokens are bearer instruments: they live in the email body, and Rythm redeems them on receipt.

Related: Cashu token, Mint

Blinded signature

David Chaum's 1982 cryptographic primitive: the issuer signs a value without seeing it. The user later unblinds the signature, producing a token the issuer can verify but cannot link back to the original transaction. The basis of every modern ecash protocol, including Cashu.

Related: ecash, Cashu, Zero-knowledge proof

Melt

The act of redeeming a Cashu token back into a Lightning payment. Rythm melts incoming tokens directly to the user's Lightning wallet.

Related: Mint, Cashu token, Lightning Network

LNURL

A protocol for generating Lightning payment requests from a static URL. Rythm supports any LNURL-compatible wallet (Cash App, Strike, Blink, Primal, Tether Wallet).

Related: Lightning Network, Sat

category 07

productivity and attention

How email shapes your day, and the small vocabulary around taking some of it back.

Inbox triage

The chore of sorting through new mail, deciding what to read, what to ignore, and what to act on. Most knowledge workers spend twenty minutes a day on it, which works out to about 86 hours a year.

Related: Inbox zero, Notification fatigue, Email deflection

Inbox zero

A productivity goal where the inbox is emptied at the end of every session. Rythm does not require this and does not promote it. The Rythm philosophy is fewer messages arriving, not more aggressive sorting once they have arrived.

Related: Inbox triage, Email deflection

Notification fatigue

The cognitive cost of being interrupted constantly by alerts. Email is a major source. Reducing inbound volume reduces interruptions.

Related: Inbox triage, Knowledge worker email overhead

Knowledge worker email overhead

The compound cost of triage, context-switching, and decision fatigue email imposes on people whose job is thinking. Often invisible because no single email feels expensive.

Related: Inbox triage, Notification fatigue

Email deflection

Stopping email before it lands, rather than sorting it after it lands. Rythm is an email-deflection tool: the cover charge stops mass outreach at the door instead of routing it to spam.

Related: Cover charge, Inbox triage

Filter-induced anxiety

The nagging worry that a probabilistic spam filter is hiding something important in the spam folder. Deterministic filtering eliminates this, because nothing was decided by guess.

Related: Probabilistic filtering, Deterministic filtering

category 08

oauth, identity, and access

How Rythm connects to your inbox without holding your password.

OAuth

An open standard for delegated access. You grant a third-party app limited permission to your account without sharing your password. Rythm uses Google OAuth for Gmail and Microsoft OAuth for Outlook.

Related: OAuth scope, Refresh token, Service account

OAuth scope

A specific permission an app requests under OAuth. Scopes are scoped (per their name) to one capability. Rythm requests three Google scopes (userinfo.email, gmail.modify, contacts.readonly) and the Microsoft Graph equivalents (Mail.ReadWrite, Contacts.Read, offline_access, openid, email, profile, User.Read).

Related: OAuth, CASA · See also: Security

Refresh token

A long-lived OAuth credential that lets a service obtain new short-lived access tokens without prompting the user again. Rythm stores refresh tokens encrypted at rest in DynamoDB with KMS-managed keys.

Related: OAuth, OAuth scope

Service account

A non-human identity used by software to authenticate to other services. Distinct from a user account; commonly used for server-to-server work.

Related: OAuth

category 09

industry-specific terms

Email is a vector for very different attacks depending on where you work. A few of the terms that come up most often.

Patient portal

A web-based system through which patients access health information, message providers, and view results. Notification email from a portal is high-stakes; spoofing it is a known phishing vector.

Related: HIPAA, PII, Phishing · See also: Rythm for doctors

E-filing

Electronic filing with a court system or government agency. Notifications from e-filing systems are time-sensitive and frequently impersonated. Often a candidate for the managed allow list.

Related: Managed allow list, Domain impersonation · See also: Rythm for lawyers

Wire instruction

The bank account and routing information used to send a wire transfer. Real estate and law firms see a high rate of BEC attacks targeting wire instructions specifically.

Related: Wire fraud, BEC, Vendor email compromise · See also: Wire fraud prevention, Rythm for realtors

Watering hole attack

A class of attack where the attacker compromises a site or channel a target audience already trusts, then uses it to deliver malware or credential traps. Email-adjacent: the lure is often delivered by mail.

Related: Phishing, Spear phishing
