
114 points BenjaminN | 1 comments

Ahoy Hacker News! I'm Ben, founder of Riot (https://tryriot.com), a tool that sends phishing emails to your team to get them ready for real attacks. It's like a fire drill, but for cybersecurity.

Prior to Riot, I was the co-founder and CTO of a fintech company operating hundreds of millions of euros of transactions every year. We were under attack continuously. I was doing an hour-long security training once a year, but was always curious if my team was really ready for an attack. In fact, it kept me up at night thinking we were spending a lot of money on protecting our app, but none on preparing the employees for social engineering.

So I started a side project at that previous company to test this out. On the first run, 9% of all the employees got scammed. I was pissed, but it convinced me we needed a better way to train employees for cybersecurity attacks. This is what grew into Riot.

For now we are only training for phishing, but our intention is to grow this into a tool that will continuously prepare your team for good practices (don't reuse passwords for example) and upcoming attacks (CEO fraud is next), in a smart way.

Your questions, feedback, and ideas are most welcome. Would love to hear your war stories on phishing scams, and how you train your teams!

jedberg ◴[] No.22676967[source]
> Would love to hear your war stories on phishing scams, and how you train your teams!

I was working on anti-phishing in 2003, before it had the name phishing. We were trying to teach our users not to fall for the scams.

It didn't work. People will fall for the same scam over and over.

The conclusion we came to was that the only solution to phishing was education, and education was also nearly impossible to get 100% coverage.

I wish you luck, but don't get discouraged if it doesn't work. We've been trying to educate people about phishing for 17+ years. :)

We shifted our focus to tracking the phishing sites and then tying that back to which user accounts were hacked, and disabling the hacked accounts and notifying the users before damage could be done.

PayPal actually holds the patent on what we built, along with a ton of other anti-phishing and phishing site tracking patents.

replies(5): >>22677184 #>>22677438 #>>22678979 #>>22679434 #>>22683925 #
nothrabannosir ◴[] No.22678979[source]
> The conclusion we came to was that the only solution to phishing was education, and education was also nearly impossible to get 100% coverage.

A friend works for a company that fires employees after failing three phishing tests.

It doesn’t solve the problem for those people, but it does work for that company. What has priority depends on your management style :)

replies(2): >>22679536 #>>22680243 #
closeparen ◴[] No.22679536[source]
The only way to pass the phishing tests at my employer is to never click links in email. But then we also have a number of official systems sending emails with links in them (bug tracking, code review, Zoom invites, HR portal, etc).

The only way this kind of policy makes sense is if you have to actually give the phishing site some kind of credential in order to fail, vs. merely opening on it.

If someone has a Chrome zero-day, we're done anyway. Just post it on HN.

replies(1): >>22680404 #
anitil ◴[] No.22680404[source]
This is my major concern. Heaps of legitimate companies send emails with links to things like 'http://dh380.<third party server>.com'. We're being trained to accept this sort of silliness.
replies(1): >>22681683 #
closeparen ◴[] No.22681683[source]
I don't think it's realistic to live in constant fear of browser sandbox escapes, or to consider visiting an arbitrary URL "silliness." If your threat model includes people willing to burn Chrome 0-days on you, you need an air gap.

The much more relevant battle is preventing credential theft, which you can solve completely at the technical level with U2F. And if you can't, user education on "check the URL before typing your password" is a little more realistic than "don't open links from email ever."

replies(1): >>22699402 #
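A toy model of the origin binding closeparen is relying on, added here as an example and not part of the thread: the browser, not the user, hands the page origin to the token, so a challenge relayed through a look-alike site produces a signature the real site rejects. HMAC with a per-origin derived key stands in for the token's ECDSA key pair (an assumption to keep the example stdlib-only), and the origins are made up.

```python
import hashlib
import hmac
import os


class Authenticator:
    """Toy U2F-style token: one key per origin, derived from a device secret.
    HMAC stands in for ECDSA signing (assumption); the binding logic is the point."""

    def __init__(self):
        self.device_secret = os.urandom(32)

    def _key_for(self, app_id):
        # Key is a function of the app id (origin) the browser supplies.
        return hmac.new(self.device_secret, app_id.encode(), hashlib.sha256).digest()

    def register(self, app_id):
        # The relying party stores this as the user's credential for its own origin.
        return self._key_for(app_id)

    def sign(self, app_id, challenge):
        # Signed message covers the hashed app id plus the RP's challenge.
        app_param = hashlib.sha256(app_id.encode()).digest()
        return hmac.new(self._key_for(app_id), app_param + challenge, hashlib.sha256).digest()


class RelyingParty:
    def __init__(self, origin):
        self.origin = origin  # the legitimate site (constructed value)
        self.credentials = {}

    def enroll(self, user, credential):
        self.credentials[user] = credential

    def verify(self, user, challenge, signature):
        # The RP hashes ITS OWN origin; a signature made for any other origin cannot match.
        app_param = hashlib.sha256(self.origin.encode()).digest()
        expected = hmac.new(self.credentials[user], app_param + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


def login_via_browser(rp, token, user, browser_origin):
    """One login attempt: the browser passes the page's origin to the token; the user has no say."""
    challenge = os.urandom(32)  # issued by the real RP; a phisher can only relay it verbatim
    return rp.verify(user, challenge, token.sign(browser_origin, challenge))


def demo():
    rp = RelyingParty("https://bank.example")
    token = Authenticator()
    rp.enroll("alice", token.register(rp.origin))
    legit = login_via_browser(rp, token, "alice", "https://bank.example")
    phished = login_via_browser(rp, token, "alice", "https://bank-login.example")  # look-alike site
    return legit, phished  # returns (True, False)
```

Clicking the link and "logging in" on the look-alike site still fails, because the only thing the token ever signs is an origin the user never typed.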
anitil ◴[] No.22699402[source]
While I agree with you, I'm far less concerned for my family/friends/colleagues about a sandbox escape compared to accidentally putting information into a malicious site.
replies(1): >>22722210 #
closeparen ◴[] No.22722210[source]
Yes, and "consider the URL and how you got there before typing in your password or credit card" is a lot more realistic than "don't click links." Still, clicking the link fails the phishing test all by itself.