
114 points BenjaminN | 3 comments

Ahoy Hacker News! I'm Ben, founder of Riot (https://tryriot.com), a tool that sends phishing emails to your team to get them ready for real attacks. It's like a fire drill, but for cybersecurity.

Prior to Riot, I was the co-founder and CTO of a fintech company operating hundreds of millions of euros of transactions every year. We were under attack continuously. I was doing an hour-long security training once a year, but was always curious if my team was really ready for an attack. In fact, it kept me up at night thinking we were spending a lot of money on protecting our app, but none on preparing the employees for social engineering.

So I started a side project at that previous company to test this out. On the first run, 9% of all the employees got scammed. I was pissed, but it convinced me we needed a better way to train employees for cybersecurity attacks. This is what grew into Riot.

For now we are only training for phishing, but our intention is to grow this into a tool that will continuously prepare your team for good practices (don't reuse passwords for example) and upcoming attacks (CEO fraud is next), in a smart way.

Your questions, feedback, and ideas are most welcome. Would love to hear your war stories on phishing scams, and how you train your teams!

1. igammarays No.22679949
Everyone's vulnerable to phishing, no matter how technically literate. It's too easy to click through an email during a moment of inattention. I've often thought that the only way to reliably prevent phishing is to enforce the use of a password manager browser extension, which will refuse to enter a saved password except on the original domain. Nobody should ever be manually typing passwords, or even copy-pasting passwords (in the rare case copying becomes necessary, it should be done with a big bold warning).

A safer, phish-proof enterprise password manager may be your killer product here.

replies(1): >>22680024
2. jujodi No.22680024
For some reason I thought this was the pitch and I LOVE this idea. Is it possible for a password manager plugin to capture your "paste" and verify the window url? I know there's an onpaste clipboard event so sure seems like this would be possible.
replies(1): >>22681399
3. cyphar No.22681399
Password managers that have browser integration already function this way -- you have to go out of your way to copy-paste your password. The main problem is that some sites design their login forms to make this kind of functionality harder (such as putting the password and username fields on different pages, or having strange layouts where you need to also input your last name, and so on).

I personally use KeepassXC which has a browser plugin that does this for you (and it's nice that the plugin doesn't have access to your passwords directly -- it has to request access from the password manager which by default gives you a popup asking for permission to share specific credentials).
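The thread above turns on two mechanisms: the origin check a password-manager extension performs before it will fill a saved credential (igammarays' point, confirmed by cyphar), and the paste interception jujodi asks about. The block below is an added example written for this page; it is not code from Riot, KeepassXC or any other password manager. The vault entries, the function names (`originsMatch`, `credentialsFor`, `classifyPaste`, `onPaste`) and the allow/block policy are all assumptions made for illustration. It runs headless under Node; only `onPaste` expects a browser.

```javascript
// Added example, not code from the thread or from any password manager.
// Constructed sample vault: a real extension stores the full origin the
// credential was saved from, not just a display name.
const VAULT = [
  { site: "https://login.example.com/", user: "alice", pass: "hunter2" },
  { site: "https://bank.example.net/signin", user: "alice", pass: "s3cret" },
];

// Exact-origin comparison: scheme, host and port must all match.
// Subdomain tricks fail by construction: a credential saved for
// "login.example.com" is not offered on "login.example.com.attacker.test",
// on the bare "example.com", or on a lookalike "login-example.com".
// The WHATWG URL parser also lowercases and punycodes the host, so an
// IDN homograph such as Cyrillic "о" in "lоgin" yields an xn-- origin
// that cannot equal the ASCII one that was saved.
function originsMatch(savedUrl, currentUrl) {
  let saved, current;
  try {
    saved = new URL(savedUrl);
    current = new URL(currentUrl);
  } catch (e) {
    return false; // unparsable input: never fill
  }
  // Refuse to fill over plaintext HTTP even for a matching host; an
  // on-path attacker could otherwise serve the form themselves.
  if (current.protocol !== "https:") return false;
  return saved.origin === current.origin;
}

// The credentials the extension may autofill on the current page.
// An empty array is the signal the user should notice on a phishing page:
// "the manager knows this site, why is it not offering to fill?"
function credentialsFor(currentUrl, vault = VAULT) {
  return vault.filter((entry) => originsMatch(entry.site, currentUrl));
}

// Paste guard: classify text about to be pasted into a page.
// Text that is not a vault secret is always allowed. A vault secret is
// allowed only into a page whose origin matches the entry it belongs to;
// anything else is a strong indicator the user is on a phishing site.
function classifyPaste(text, currentUrl, vault = VAULT) {
  const owners = vault.filter((entry) => entry.pass === text);
  if (owners.length === 0) return "allow";
  if (owners.some((entry) => originsMatch(entry.site, currentUrl))) return "allow";
  return "block";
}

// Browser-side hook (assumed wiring for a content script):
//   document.addEventListener("paste", onPaste, true);
// Defined but not attached here so the file runs outside a browser.
function onPaste(event) {
  const text = event.clipboardData.getData("text/plain");
  if (classifyPaste(text, window.location.href) === "block") {
    event.preventDefault();
    alert("Refusing to paste a saved password into a site it was not saved for.");
  }
}
```

The exact-origin rule is deliberately stricter than "same registrable domain": treating every subdomain as trusted would let a compromised or user-controlled subdomain (a hosting bucket, a forgotten staging host) receive the credential. Real managers that relax this do so per entry, with the user opting in.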