
114 points BenjaminN | 1 comments

Ahoy Hacker News! I'm Ben, founder of Riot (https://tryriot.com), a tool that sends phishing emails to your team to get them ready for real attacks. It's like a fire drill, but for cybersecurity.

Prior to Riot, I was the co-founder and CTO of a fintech company operating hundreds of millions of euros of transactions every year. We were under attack continuously. I was doing an hour-long security training once a year, but was always curious if my team was really ready for an attack. In fact, it kept me up at night thinking we were spending a lot of money on protecting our app, but none on preparing the employees for social engineering.

So I started a side project at that previous company to test this out. On the first run, 9% of all the employees got scammed. I was pissed, but it convinced me we needed a better way to train employees for cybersecurity attacks. This is what grew into Riot.

For now we are only training for phishing, but our intention is to grow this into a tool that will continuously prepare your team for good practices (don't reuse passwords for example) and upcoming attacks (CEO fraud is next), in a smart way.

Your questions, feedback, and ideas are most welcome. Would love to hear your war stories on phishing scams, and how you train your teams!

rsync No.22678450
I wonder if you can comment on the weirdly pro-phishing behavior of many US banks who, if I didn't know better, appear to be trying hard to make their customers vulnerable to phishing attacks ...

- TIAA Bank redirects customers, after login, to "cibng.ibanking-services.com".

- US Bank, depending on which account you log into, will redirect you to "loansphereservicingdigital.bkiconnect.com".

- Union Bank will redirect you to "unionbank.customercarenet.com" if you look at a mortgage account.

These are big, serious US Banks and these domain jumpings (to domains that almost look like parodies of an actual bank domain) occur to every online banking customer.

They are training their customers to be phished.

FWIW, I have never seen Wells Fargo do this ...

replies(1): >>22679883
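One way a bank's own release checks (or a customer-side audit) could catch the pattern rsync describes, as an added example that is not part of the thread: compare the registrable domain (eTLD+1) of the login page with that of the post-login redirect, so that a brand name placed as a subdomain of a third party still counts as leaving the bank. The bank login hostnames, the example-bank pair and the tiny suffix list are assumptions.

```python
"""Flag post-login redirects that leave the bank's own registrable domain.

Added example for the redirect pattern discussed in the thread; it is not
code from Riot or from any bank. Login hostnames below are assumptions.
"""
from urllib.parse import urlsplit

# Tiny stand-in for the Public Suffix List (assumption: real code would load
# the full list so that multi-label suffixes such as "co.uk" are complete).
PUBLIC_SUFFIXES = {"com", "net", "org", "ie", "co.uk", "uk"}


def registrable_domain(host: str) -> str:
    """Return the eTLD+1 of a hostname: the part one organization registers."""
    labels = host.lower().rstrip(".").split(".")
    # Shortening from the left, the first match is the longest public suffix;
    # the registrable domain is that suffix plus one more label.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{host!r} is itself a public suffix")
            return ".".join(labels[i - 1:])
    return ".".join(labels[-2:])


def redirect_leaves_bank(login_url: str, redirect_url: str) -> bool:
    """True when the redirect lands outside the organization owning the login page.

    "unionbank.customercarenet.com" is owned by customercarenet.com, so a
    brand name used as a subdomain does not make the hop stay in-house.
    """
    src = urlsplit(login_url).hostname
    dst = urlsplit(redirect_url).hostname
    if not src or not dst:
        raise ValueError("both URLs need a hostname")
    return registrable_domain(src) != registrable_domain(dst)


def audit(redirects):
    """Return the (login, redirect) pairs whose destination is a third-party domain."""
    return [(s, d) for s, d in redirects if redirect_leaves_bank(s, d)]


# Constructed sample: destinations quoted in the comment; login hosts and
# the example-bank pair (an in-house redirect) are assumptions.
SAMPLE_REDIRECTS = [
    ("https://www.tiaabank.com/login", "https://cibng.ibanking-services.com/"),
    ("https://www.usbank.com/login", "https://loansphereservicingdigital.bkiconnect.com/"),
    ("https://www.unionbank.com/login", "https://unionbank.customercarenet.com/"),
    ("https://www.example-bank.com/login", "https://online.example-bank.com/"),
]

if __name__ == "__main__":
    for src, dst in audit(SAMPLE_REDIRECTS):
        print(f"cross-organization redirect: {src} -> {dst}")
```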
1. dmurray No.22679883
My bank in Ireland (Ulster Bank) has a notice on the login page: "You will NEVER need your card reader [their 2FA] to log in". Last year they changed their login flow so you are asked to use your card reader to log in. I complained about it on Twitter but got a meaningless response about customer safety/new regulations.

If they wanted to train their customers to be phished, I can't think how they could do a better job.