Prior to Riot, I was the co-founder and CTO of a fintech company operating hundred of millions of euros of transactions every year. We were under attack continuously. I was doing an hour-long security training once a year, but was always curious if my team was really ready for an attack. In fact, it kept me up at night thinking we were spending a lot of money on protecting our app, but none on preparing the employees for social engineering.
So I started a side project at that previous company to test this out. On the first run, 9% of all the employees got scammed. I was pissed, but it convinced me we needed a better way to train employees for cybersecurity attacks. This is what grew into Riot.
For now we are only training for phishing, but our intention is to grow this into a tool that will continuously prepare your team for good practices (don't reuse passwords for example) and upcoming attacks (CEO fraud is next), in a smart way.
Your questions, feedback, and ideas are most welcome. Would love to hear your war stories on phishing scams, and how you train your teams!
opened/clicked/creds and so forth are various levels. Your company has decided that a mere click is a fail. also, in gmail, if you 'report phishing' (without clicking), gmail will "click" it for you as part of their back-end analysis. this will show up in the click report. this type of click is distinguishable from a user click, but it's not obvious and knowbe4 has zero docs on it.
Keep in mind, a mere click can in fact be a fail. There are still drive-by attacks that work simply by clicking.
That is a failure. There is currently a Windows font parsing vulnerability that is being exploited in the wild just like this. If you click the link, you are subjecting your browser and OS to an attacker crafted payload.