Prior to Riot, I was the co-founder and CTO of a fintech company operating hundreds of millions of euros of transactions every year. We were under attack continuously. I was doing an hour-long security training once a year, but was always curious if my team was really ready for an attack. In fact, it kept me up at night thinking we were spending a lot of money on protecting our app, but none on preparing the employees for social engineering.
So I started a side project at that previous company to test this out. On the first run, 9% of all the employees got scammed. I was pissed, but it convinced me we needed a better way to train employees for cybersecurity attacks. This is what grew into Riot.
For now we are only training for phishing, but our intention is to grow this into a tool that will continuously prepare your team for good practices (don't reuse passwords for example) and upcoming attacks (CEO fraud is next), in a smart way.
Your questions, feedback, and ideas are most welcome. Would love to hear your war stories on phishing scams, and how you train your teams!
1. From Gophish: you need to be technical and you need at least a week off to prepare the attacks. With Riot, you can be sending attacks in a matter of minutes.
2. From Knowbe4, …: those are products made for enterprise companies, that are trying somehow to adapt to smaller companies. Riot is doing the opposite: it was built with smaller companies in mind.
Overall, I think there's a huge need today for product-centric cybersecurity companies, where most of the big players are sales-centric companies.
My company recently had a user fall for a very poor phishing attack (entered password into a Google Sheets request) so something like this could save IT and the company a lot of money.
I wouldn't be surprised if we get a major data leak caused by COVID-19 in the coming days.
PS: great username by the way.
I say this because I ended up reporting the phishing email I received from you guys to Mailgun, and I believe accidentally got your account disabled. Sorry about that.
I was working on anti-phishing in 2003, before it had the name phishing. We were trying to teach our users not to fall for the scams.
It didn't work. People will fall for the same scam over and over.
The conclusion we came to was that the only solution to phishing was education, and education was also nearly impossible to get 100% coverage.
I wish you luck, but don't get discouraged if it doesn't work. We've been trying to educate people about phishing for 17+ years. :)
We shifted our focus to tracking the phishing sites and then tying that back to which user accounts were hacked, and disabling the hacked accounts and notifying the users before damage could be done.
PayPal actually holds the patent on what we built, along with a ton of other anti-phishing and phishing site tracking patents.
I called them right after that, and I have to say they've been great so far. We agreed I would pay for a dedicated IP, and they now fully support Riot. And having a dedicated IP is actually better, because you can now remove the unexpected warning on Gmail.
How do you balance/deal with "security shaming", which is proven to put you further at risk as an organization?
There is some interesting research from the UK Government in this space - https://www.ncsc.gov.uk/blog-post/trouble-phishing#section_3
The relevant bit:
"If just one user reports a phish, you can get a head start on defending your company against that phishing campaign and every spotted email is one less opportunity for attackers...but phishing your own users isn't your only option.
Try being more creative; some companies have had a lot of success with training that gets the participants to craft their own phishing email, giving them a much richer view of the influence techniques used. Others are experimenting with gamification, making a friendly competition between peers, rather than an 'us vs them' situation with security."
What I look for in a name:
1. If I say it out loud, you know how to write it.
2. If I say it out loud today, you remember it tomorrow.
On those 2 criteria, Riot works quite well I think.
2. I love the idea to actually make the employees create their own attacks, but it seems a bit hard to do and pretty time-consuming for a company.
Having been part of and designed these campaigns before (with open source options like https://getgophish.com/), there is no way to report as phishing or reward users who detected it and therefore didn't interact with it. This means in your example - did the other 81% just not open it, ignore it, or actively think it was phishing? These are key metrics a company needs to know its potential attack surface.
Sidenote/ question for you: some of the "test" attacks my company sends are very specific to the work we're doing and can sometimes sound very convincing. Do you have a catalogue of "attacks" based on industry or department (procurement might fall for something completely different than sales or marketing)? I'm sure with enough tests, you could measure the effectiveness of attacks (or maybe the difficulty of detection)... then you can start rating organizations not just based on what percentage of folks fell for it, but what specifically they fell for, or what was more likely to get them to bite. Almost like targeted training?
Cool idea overall and wish you guys the best.
I have a fun story with Wombat: I tried to use the product in my previous company (100 employees), had 4 different calls, with 4 different sales persons, during 2 months. At the end they just forgot about me.
2. For now attacks are very generic, but will soon be sector-based and department-based.
3. Yes for sure it's probably worth adapting the pace of the attacks depending on the level of the employees.
Thanks for the kind words!
What convinced YC to invest in your company?
- TIAA Bank redirects customers, after login, to "cibng.ibanking-services.com".
- US Bank, depending on which account you log into will redirect you to "loansphereservicingdigital.bkiconnect.com".
- Union Bank will redirect you to "unionbank.customercarenet.com" if you look at a mortgage account.
These are big, serious US Banks and these domain jumpings (to domains that almost look like parodies of an actual bank domain) occur to every online banking customer.
They are training their customers to be phished.
FWIW, I have never seen Wells Fargo do this ...
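The comment above lists post-login redirects that land on hostnames outside the bank's own domain. The check below, an added example and not any bank's code, flags exactly that: a redirect hostname that is neither the organisation's registered domain nor a subdomain of it. The redirect hostnames are the ones quoted above; the "own" base domains are constructed placeholders, since the comment does not state them, and the suffix comparison deliberately requires a dot boundary so that `notbank.example` is not accepted for `bank.example`.

```python
"""Flag post-login redirects that leave the organisation's own registered domain.

Added example, not a bank's code. Base domains are constructed placeholders;
the redirect hosts are those quoted in the thread. Assumption: the organisation
knows the domain(s) its customers actually type, and anything not at or below
one of them is a cross-domain hop worth reviewing.
"""


def under_domain(host: str, base: str) -> bool:
    """True if host equals base or is a subdomain of base (case-insensitive).

    The "." prefix in the suffix test is the important edge case: without it,
    "notbank.example" would wrongly pass for base "bank.example".
    """
    host = host.lower().rstrip(".")
    base = base.lower().rstrip(".")
    return host == base or host.endswith("." + base)


def leaves_domain(redirect_host: str, own_domains: list[str]) -> bool:
    """True when the redirect target is outside every domain the org owns."""
    return not any(under_domain(redirect_host, d) for d in own_domains)


# Constructed placeholders for the domains customers log in on.
OWN_DOMAINS = {
    "TIAA Bank": ["tiaabank.example"],
    "US Bank": ["usbank.example"],
    "Union Bank": ["unionbank.example"],
    "Constructed Bank": ["constructedbank.example"],
}

# Redirect targets: the first three are quoted in the comment above,
# the last is a constructed "good" case that stays on the bank's own domain.
REDIRECTS = {
    "TIAA Bank": "cibng.ibanking-services.com",
    "US Bank": "loansphereservicingdigital.bkiconnect.com",
    "Union Bank": "unionbank.customercarenet.com",
    "Constructed Bank": "mortgage.constructedbank.example",
}


def audit(own: dict, redirects: dict) -> dict:
    """Map each bank to True if its redirect leaves the bank's own domain."""
    return {bank: leaves_domain(host, own[bank]) for bank, host in redirects.items()}


if __name__ == "__main__":
    for bank, offsite in audit(OWN_DOMAINS, REDIRECTS).items():
        print(f"{bank}: {'cross-domain redirect' if offsite else 'stays on own domain'}")
```

Note that `unionbank.customercarenet.com` is flagged even though it starts with the bank's name: the registered domain is `customercarenet.com`, which is precisely the look-alike pattern that teaches customers to trust the wrong thing.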
Totally agreed, and I love this. High five from a Techstars 2020 company doing a similar product-first approach to cyber security program planning and implementation for small businesses. We use Webroot as a vendor to supply phishing right now but would love to talk. brian@havocshield.com
opened/clicked/creds and so forth are various levels. Your company has decided that a mere click is a fail. also, in gmail, if you 'report phishing' (without clicking), gmail will "click" it for you as part of their back-end analysis. this will show up in the click report. this type of click is distinguishable from a user click, but it's not obvious and knowbe4 has zero docs on it.
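Two points in this thread call for the same piece of reporting logic: the earlier comment asks how to tell "didn't open", "opened and ignored" and "spotted it and reported it" apart, and the comment above notes that a mail provider's own scanner can register a click that looks like a user click. The script below is an added example, not Riot's, Gophish's or KnowBe4's code. It classifies each recipient of a constructed simulation into an outcome bucket, with "reported without clicking" as its own bucket, and discounts clicks that carry a scanner-like User-Agent or arrive within seconds of delivery. The event schema, the scanner markers and the time window are all assumptions to tune against your own tracking logs.

```python
"""Classify phishing-simulation recipients into outcome buckets, discounting
automated link fetches by mail-provider scanners.

Added example; not code from Riot, Gophish or KnowBe4. The event log is
constructed. Assumptions (hypothetical): each event is
(iso_timestamp, recipient, kind, user_agent) with kind in
{"sent", "opened", "clicked", "submitted", "reported"}.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed User-Agent markers for automated scanners; tune to your logs.
SCANNER_UA_MARKERS = ("google-safety", "bot", "scanner", "urlscan")
# A click this soon after delivery is treated as a pre-fetch, not a person.
AUTO_CLICK_WINDOW = timedelta(seconds=5)

# Constructed event log for one campaign.
EVENTS = [
    ("2020-03-20T09:00:00", "alice@corp.example", "sent", ""),
    ("2020-03-20T09:00:00", "bob@corp.example", "sent", ""),
    ("2020-03-20T09:00:00", "carol@corp.example", "sent", ""),
    ("2020-03-20T09:00:00", "dave@corp.example", "sent", ""),
    ("2020-03-20T09:00:00", "erin@corp.example", "sent", ""),
    # alice reads it and reports it; the provider's scanner then fetches the link
    ("2020-03-20T09:03:10", "alice@corp.example", "opened", "Mozilla/5.0 (constructed)"),
    ("2020-03-20T09:04:00", "alice@corp.example", "reported", ""),
    ("2020-03-20T09:04:01", "alice@corp.example", "clicked", "Google-Safety (constructed)"),
    # bob clicks and types credentials into the landing page
    ("2020-03-20T09:10:00", "bob@corp.example", "opened", "Mozilla/5.0 (constructed)"),
    ("2020-03-20T09:10:30", "bob@corp.example", "clicked", "Mozilla/5.0 (constructed)"),
    ("2020-03-20T09:11:00", "bob@corp.example", "submitted", "Mozilla/5.0 (constructed)"),
    # carol: link fetched two seconds after send, never opened by a person
    ("2020-03-20T09:00:02", "carol@corp.example", "clicked", "Mozilla/5.0 (constructed)"),
    # dave opens it and does nothing; erin has no events at all
    ("2020-03-20T09:30:00", "dave@corp.example", "opened", "Mozilla/5.0 (constructed)"),
]


def is_automated_click(click_ts: datetime, sent_ts: datetime, user_agent: str) -> bool:
    """Heuristic: scanner-like UA, or a fetch too soon after delivery for a human."""
    ua = user_agent.lower()
    if any(marker in ua for marker in SCANNER_UA_MARKERS):
        return True
    return click_ts - sent_ts <= AUTO_CLICK_WINDOW


def classify(events) -> dict:
    """Return {recipient: outcome}. The worst human action wins; scanner clicks
    are recorded separately so they never count as a fail."""
    sent, flags = {}, defaultdict(set)
    for ts, who, kind, ua in sorted(events):  # ISO timestamps sort lexically
        t = datetime.fromisoformat(ts)
        if kind == "sent":
            sent[who] = t
        elif kind == "clicked":
            flags[who].add("auto_click" if is_automated_click(t, sent[who], ua) else "clicked")
        else:
            flags[who].add(kind)
    outcomes = {}
    for who in sent:
        f = flags[who]
        if "submitted" in f:
            outcomes[who] = "submitted"
        elif "clicked" in f:
            outcomes[who] = "clicked"
        elif "reported" in f:
            outcomes[who] = "reported"      # spotted it, did not bite
        elif "opened" in f:
            outcomes[who] = "opened_only"   # read it, ignored it
        else:
            outcomes[who] = "no_action"     # never opened (or only pre-fetched)
    return outcomes


def summarize(events) -> dict:
    """Count recipients per outcome bucket for the campaign report."""
    counts = defaultdict(int)
    for outcome in classify(events).values():
        counts[outcome] += 1
    return dict(counts)


if __name__ == "__main__":
    for who, outcome in classify(EVENTS).items():
        print(f"{who}: {outcome}")
    print(summarize(EVENTS))
```

Whether a non-automated click is a fail is a policy decision, as the next reply points out; the classifier only makes sure the scanner's click is not attributed to the person who reported the message.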
Keep in mind, a mere click can in fact be a fail. There are still drive-by attacks that work simply by clicking.
not perfect, mind you, but still pretty good.
they do bug the hell out of you but who cares? it's just one of dozens of calls i have to ignore on the daily. i told them to back off and they did.
i'll tell you what product is actually horrible, and perhaps ironically so. SANS security training (phishing part relevant here, but the entire suite is horrid). just stay away, don't waste a minnit evaluating it.
A friend works for a company that fires employees after failing three phishing tests.
It doesn’t solve the problem for those people, but it does work for that company. What has priority depends on your management style :)
Boss: install this antivirus and run it: [link].
Me: I dunno, that seems like a phishing attempt... is that really you, boss? What's the code word?
Boss: DO IT OR YOU ARE FIRED!
Me: oh yeah, definitely you; installing it right now.
The only way this kind of policy makes sense is if you have to actually give the phishing site some kind of credential in order to fail, vs. merely opening on it.
If someone has a Chrome zero-day, we're done anyway. Just post it on HN.
If they wanted to train their customers to be phished, I can't think how they could do a better job.
A safer, phish-proof enterprise password manager may be your killer product here.
As a security engineer in a previous life, I always open the links in phishing emails (in an isolated and secure VM). I would fail the tests at work every time, but luckily the person in charge of them knew what I was doing and didn't care.
In fact, the worst offenders were actually rewarded. They were the only ones who had two factor auth for their eBay accounts. Back then we didn't have soft tokens -- the only way to do 2 factor was to get a physical RSA token, which cost about $10 at the time. So only the "best" customers were worth the cost.
DMZ networks are hard to get right and hard to admin, and almost always end up getting some sort of exception for certain business needs.
Asking a user to admin that, or having no admin at all, feels almost impossible.
That is a failure. There is currently a Windows font parsing vulnerability that is being exploited in the wild just like this. If you click the link, you are subjecting your browser and OS to an attacker crafted payload.
I personally use KeepassXC which has a browser plugin that does this for you (and it's nice that the plugin doesn't have access to your passwords directly -- it has to request access from the password manager which by default gives you a popup asking for permission to share specific credentials).
The much more relevant battle is preventing credential theft, which you can solve completely at the technical level with U2F. And if you can't, user education on "check the URL before typing your password" is a little more realistic than "don't open links from email ever."
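The comment above says U2F solves credential theft "at the technical level". The reason is origin binding: the browser, not the user, tells the authenticator which origin is asking, and that origin is part of what gets signed, so an assertion collected on a look-alike site is useless at the real one. The toy model below is an added educational example, not a U2F or WebAuthn implementation: HMAC stands in for the ECDSA signature, a key derived per origin stands in for the key handle, and the origins are constructed. It contrasts a password, which relays unchanged, with a U2F-style assertion, which fails verification even if the relaying attacker rewrites the origin field.

```python
"""Toy model of U2F origin binding: why a phished assertion does not verify.

Added educational example, not a U2F/WebAuthn implementation. Simplifications:
HMAC-SHA256 replaces the ECDSA signature, a per-origin derived key replaces the
key-handle/key-pair binding, and the RP's origin check replaces the full
appId/rpId rules. Origins and user names are constructed.
"""
import hashlib
import hmac
import os

REAL_ORIGIN = "https://login.bank.example"
PHISH_ORIGIN = "https://login.bank.example.attacker.example"  # look-alike


class Authenticator:
    """A security key. The browser passes it the page's true origin."""

    def __init__(self) -> None:
        self._secret = os.urandom(32)
        self.counter = 0

    def _key_for(self, origin: str) -> bytes:
        # Per-origin key: stands in for the key pair bound to a key handle.
        return hmac.new(self._secret, origin.encode(), hashlib.sha256).digest()

    def register(self, origin: str) -> bytes:
        # Real U2F hands the RP a public key; the toy hands over the MAC key.
        return self._key_for(origin)

    def sign(self, origin: str, challenge: bytes) -> dict:
        # The origin hash is inside the signed data, exactly as the appId hash is in U2F.
        self.counter += 1
        data = hashlib.sha256(origin.encode()).digest() + self.counter.to_bytes(4, "big") + challenge
        sig = hmac.new(self._key_for(origin), data, hashlib.sha256).digest()
        return {"origin": origin, "counter": self.counter, "challenge": challenge, "sig": sig}


class RelyingParty:
    """The real site. It only ever verifies against its own origin."""

    def __init__(self, origin: str) -> None:
        self.origin = origin
        self.keys: dict[str, bytes] = {}
        self.last_counter: dict[str, int] = {}

    def register(self, user: str, key: bytes) -> None:
        self.keys[user] = key
        self.last_counter[user] = 0

    def new_challenge(self) -> bytes:
        return os.urandom(32)

    def verify(self, user: str, challenge: bytes, assertion: dict) -> bool:
        if assertion["origin"] != self.origin or assertion["challenge"] != challenge:
            return False
        if assertion["counter"] <= self.last_counter[user]:
            return False  # replay / cloned-key check
        # Recompute over OUR origin, not whatever origin the assertion claims.
        data = hashlib.sha256(self.origin.encode()).digest() + assertion["counter"].to_bytes(4, "big") + challenge
        expected = hmac.new(self.keys[user], data, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, assertion["sig"]):
            return False
        self.last_counter[user] = assertion["counter"]
        return True


def _enrolled() -> tuple:
    auth, rp = Authenticator(), RelyingParty(REAL_ORIGIN)
    rp.register("alice", auth.register(REAL_ORIGIN))
    return auth, rp


def legitimate_login() -> bool:
    auth, rp = _enrolled()
    ch = rp.new_challenge()
    return rp.verify("alice", ch, auth.sign(REAL_ORIGIN, ch))


def relayed_phish_login() -> bool:
    """Attacker fetches a real challenge, has the victim's key sign it on the
    look-alike site, rewrites the origin field, and relays it. Still fails."""
    auth, rp = _enrolled()
    ch = rp.new_challenge()
    assertion = auth.sign(PHISH_ORIGIN, ch)  # browser reports the phish origin
    assertion["origin"] = REAL_ORIGIN        # attacker tampers with the claim
    return rp.verify("alice", ch, assertion)


def relayed_password_login() -> bool:
    """Contrast: a password typed on the fake site works unchanged at the real one."""
    stored = hashlib.sha256(b"constructed-password").hexdigest()
    captured_on_phish_site = "constructed-password"
    return hashlib.sha256(captured_on_phish_site.encode()).hexdigest() == stored


if __name__ == "__main__":
    print("legitimate U2F login:", legitimate_login())
    print("relayed U2F login:   ", relayed_phish_login())
    print("relayed password:    ", relayed_password_login())
```

The signature fails for two independent reasons in this model: the origin hash inside the signed data is the phishing site's, and the key the authenticator used was derived for the phishing origin. Either alone would be enough, which is why the "check the URL before typing your password" advice is unnecessary for the second factor, only for the password it sits beside.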
I've had this happen to me, not for phishing, but for the kensington lock thing. Probably not that common any more, at least not in the west, but some workplaces have aggressive laptop locking policies. Workplace tried this stunt of confiscating laptops that were not locked, and everyone had to meet some manager type person. It was completely asinine. This is a typical badge access controlled workplace with additional security personnel. The laptop locks were a total overkill.
Injecting false positives generally can impair quality, and whether quality will be impaired or improved with false positives is really context dependent. Indeed, low false positive rates are often used as a measure of quality, so in general you don't want to increase them carelessly.
In the case of things like phishing training, I imagine (but I could be wrong) that the injection of false positives just causes the people who recognize phishing emails to ignore them instead of reporting them: there is too much noise and too little signal. The people who don't recognize them will continue to fall victim. In that case, inuring the knowledgeable seems detrimental since you lose the likelihood of receiving a report.
I follow inbox zero practices and routinely delete all my email. Since forwarding a phishing email to security is a lot more complicated than hitting the delete key (like I probably just did for another email) I'm personally most likely to delete phishing emails unless I am getting them very rarely or it seems especially pernicious. Indeed, most of the phishing emails I receive lack a certain phishy feeling (like lacking a DKIM signature or other weird mail header shenanigans). I generally just assume they are these sorts of false positives.
1. "runs the latest scams techniques on your team" should be "runs the latest scam techniques on your team"
2. "trainings" while technically a word, native English speakers will find it odd as you rarely see it used. use "training" instead, ex: "We get it: trainings are annoying" to "We get it: training is annoying"
3. "Riot offers an interactive, tailor-made 5-minutes training your employees will actually enjoy and learn from." to "Riot offers an interactive, tailor-made, 5-minute training your employees will actually enjoy and learn from."
4. "Riot will perform attacks and trainings on your team" to "Riot will perform attacks and training for your team"