
114 points | BenjaminN | 1 comment

Ahoy Hacker News! I'm Ben, founder of Riot (https://tryriot.com), a tool that sends phishing emails to your team to get them ready for real attacks. It's like a fire drill, but for cybersecurity.

Prior to Riot, I was the co-founder and CTO of a fintech company operating hundreds of millions of euros of transactions every year. We were under attack continuously. I was doing an hour-long security training once a year, but was always curious if my team was really ready for an attack. In fact, it kept me up at night thinking we were spending a lot of money on protecting our app, but none on preparing the employees for social engineering.

So I started a side project at that previous company to test this out. On the first run, 9% of all the employees got scammed. I was pissed, but it convinced me we needed a better way to train employees for cybersecurity attacks. This is what grew into Riot.

For now we are only training for phishing, but our intention is to grow this into a tool that will continuously prepare your team for good practices (don't reuse passwords for example) and upcoming attacks (CEO fraud is next), in a smart way.

Your questions, feedback, and ideas are most welcome. Would love to hear your war stories on phishing scams, and how you train your teams!

1. BlackFly No.22683840
I always thought the point of fire drills was to inure people to them so that in case of an emergency they would just blasély treat it like a drill instead of panicking: you want them to treat a real positive like a false positive.

Injecting false positives generally can impair quality, and whether quality will be impaired or improved with false positives is really context dependent. Indeed, low false positive rates are often used as a measure of quality, so in general you don't want to increase them carelessly.

In the case of things like phishing training, I imagine (but I could be wrong) that the injection of false positives just causes the people who recognize phishing emails to ignore them instead of reporting them: there is too much noise and too little signal. The people who don't recognize them will continue to fall victim. In that case, inuring the knowledgeable seems detrimental since you lose the likelihood of receiving a report.

I follow inbox zero practices and routinely delete all my email. Since forwarding a phishing email to security is a lot more complicated than hitting the delete key (like I probably just did for another email), I'm personally most likely to delete phishing emails unless I am getting them very rarely or it seems especially pernicious. Indeed, most of the phishing emails I receive lack a certain phishy feeling (like lacking a DKIM signature or other weird mail header shenanigans). I generally just assume they are these sorts of false positives.
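The header signals the comment above mentions (a missing DKIM signature, odd header details) can be checked mechanically rather than by feel. The helper below is an added example and is not code from the commenter, the thread, or Riot; the three raw messages are constructed samples on reserved documentation domains (example.com, example.net, example.org), and the alignment check uses a strict exact-domain comparison for simplicity, which is stricter than DMARC's relaxed mode. It parses the Authentication-Results verdicts the receiving mail server recorded, checks for a DKIM-Signature header, and checks whether the signing domain (the d= tag) matches the From domain.

```python
import email
import re
from email import policy

# Constructed sample messages (not real mail).
# 1) Signed by the From domain and verified by the receiving MTA.
SIGNED_MSG = b"""\
Authentication-Results: mx.example.net; dkim=pass header.d=example.com; spf=pass smtp.mailfrom=example.com
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel1; h=from:to:subject; bh=abc=; b=def=
From: it-support@example.com
To: user@example.net
Subject: Password expiry notice

Please review your account.
"""

# 2) No signature and no authentication verdicts at all.
UNSIGNED_MSG = b"""\
Received: from 203.0.113.5 (unknown [203.0.113.5]) by mx.example.net
From: "IT Support" <it-support@example.com>
To: user@example.net
Subject: Urgent: reset your password

Click here: http://example.org/reset
"""

# 3) Validly signed, but by a domain unrelated to the From address.
MISALIGNED_MSG = b"""\
Authentication-Results: mx.example.net; dkim=pass header.d=bulk-mailer.example.org
DKIM-Signature: v=1; a=rsa-sha256; d=bulk-mailer.example.org; s=k1; h=from:subject; bh=ghi=; b=jkl=
From: "Payroll" <payroll@example.com>
To: user@example.net
Subject: Updated payslip

Your payslip is attached.
"""

# method=result pairs as written by the receiving MTA (RFC 8601 style).
AUTH_RESULT_RE = re.compile(
    r'\b(dkim|spf|dmarc)=(pass|fail|none|neutral|softfail|temperror|permerror)\b',
    re.I,
)
# The d= tag of a DKIM-Signature header (signing domain).
DKIM_DOMAIN_RE = re.compile(r'(?:^|;)\s*d=([^;\s]+)')


def auth_results(msg):
    """Return {method: result} from every Authentication-Results header."""
    results = {}
    for hdr in msg.get_all('Authentication-Results', []):
        for method, result in AUTH_RESULT_RE.findall(str(hdr)):
            results[method.lower()] = result.lower()
    return results


def from_domain(msg):
    """Domain of the first From address, or None if absent/unparseable."""
    hdr = msg['From']
    if hdr is None or not hdr.addresses:
        return None
    return hdr.addresses[0].domain.lower()


def header_findings(msg):
    """Header-level oddities only; body and URL analysis are out of scope here."""
    findings = []
    results = auth_results(msg)

    sig = msg['DKIM-Signature']
    if sig is None:
        findings.append('no DKIM-Signature header')
    else:
        m = DKIM_DOMAIN_RE.search(str(sig))
        signer = m.group(1).lower() if m else None
        sender = from_domain(msg)
        # Strict comparison (assumption): DMARC relaxed mode would also accept subdomains.
        if signer and sender and signer != sender:
            findings.append(f'DKIM d={signer} does not align with From domain {sender}')

    if 'dkim' not in results:
        findings.append('no dkim= verdict in Authentication-Results')
    elif results['dkim'] != 'pass':
        findings.append(f"dkim={results['dkim']}")

    if 'spf' in results and results['spf'] != 'pass':
        findings.append(f"spf={results['spf']}")

    return findings


def triage(raw_bytes):
    """Parse a raw RFC 5322 message and summarise its header signals."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = header_findings(msg)
    return {'findings': findings, 'looks_phishy': bool(findings)}


if __name__ == '__main__':
    for name, raw in (('signed', SIGNED_MSG), ('unsigned', UNSIGNED_MSG), ('misaligned', MISALIGNED_MSG)):
        print(name, triage(raw))
```

Run against a saved `.eml` by reading it as bytes and passing it to `triage`. A clean result here says nothing about the body or links, only that the header-level signals the commenter relies on are absent; the misaligned sample shows why "has a DKIM signature" alone is not enough, since anyone can sign mail with a domain they control.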