Ahoy Hacker News! I'm Ben, founder of Riot (<a href="https://tryriot.com" rel="nofollow">https://tryriot.com</a>), a tool that sends phishing emails to your team to get them ready for real attacks. It's like a fire drill, but for cybersecurity.<p>Prior to Riot, I was the co-founder and CTO of a fintech company operating hundreds of millions of euros of transactions every year. We were under attack continuously. I was doing an hour-long security training once a year, but was always curious if my team was really ready for an attack. In fact, it kept me up at night thinking we were spending a lot of money on protecting our app, but none on preparing the employees for social engineering.<p>So I started a side project at that previous company to test this out. On the first run, 9% of all the employees got scammed. I was pissed, but it convinced me we needed a better way to train employees for cybersecurity attacks. This is what grew into Riot.<p>For now we are only training for phishing, but our intention is to grow this into a tool that will continuously prepare your team for good practices (don't reuse passwords, for example) and upcoming attacks (CEO fraud is next), in a smart way.<p>Your questions, feedback, and ideas are most welcome. Would love to hear your war stories on phishing scams, and how you train your teams!
> Would love to hear your war stories on phishing scams, and how you train your teams!<p>I was working on anti-phishing in 2003, before it had the name phishing. We were trying to teach our users not to fall for the scams.<p>It didn't work. People will fall for the same scam over and over.<p>The conclusion we came to was that the only solution to phishing was education, and that education was also nearly impossible to get to 100% coverage.<p>I wish you luck, but don't get discouraged if it doesn't work. We've been trying to educate people about phishing for 17+ years. :)<p>We shifted our focus to tracking the phishing sites and then tying that back to which user accounts were hacked, and disabling the hacked accounts and notifying the users before damage could be done.<p>PayPal actually holds the patent on what we built, along with a ton of other anti-phishing and phishing site tracking patents.
How do you work with the service providers you use to host your platform and send out emails (e.g. Heroku / Mailgun) to let them know you are not a malicious phishing company, but an anti-phishing company?<p>I say this because I ended up reporting the phishing email I received from you guys to Mailgun, and I believe accidentally got your account disabled. Sorry about that.
> "I was pissed"<p>How do you balance/deal with "security shaming", which is proven to put you further at risk as an organization?<p>There is some interesting research from the UK Government in this space - <a href="https://www.ncsc.gov.uk/blog-post/trouble-phishing#section_3" rel="nofollow">https://www.ncsc.gov.uk/blog-post/trouble-phishing#section_3</a><p>The relevant bit:<p>"If just one user reports a phish, you can get a head start on defending your company against that phishing campaign and every spotted email is one less opportunity for attackers...but phishing your own users isn't your only option.<p>Try being more creative; some companies have had a lot of success with training that gets the participants to craft their own phishing email, giving them a much richer view of the influence techniques used. Others are experimenting with gamification, making a friendly competition between peers, rather than an 'us vs them' situation with security."
I work at a large professional services firm (think Big 4), so the risk of any single breach in our network is taken pretty seriously. Our IT department added an Outlook plugin years ago that you can use to immediately report phishing attempts to them. As a bonus, they'll sometimes send these "tests" and if you select "Report Phishing", you'll get an atta-boy-type notification. I would assume at a macro level they have stats on everyone and know who the "riskier" employees are. I have no idea if this is done in-house at other large companies.<p>Side note / question for you: some of the "test" attacks my company sends are very specific to the work we're doing and can sometimes sound very convincing. Do you have a catalogue of "attacks" based on industry or department (procurement might fall for something completely different than sales or marketing)? I'm sure with enough tests, you could measure the effectiveness of attacks (or maybe the difficulty of detection)... then you can start rating organizations not just based on what percentage of folks fell for it, but what specifically they fell for, or what was more likely to get them to bite. Almost like targeted training?<p>Cool idea overall and wish you guys the best.
Hi Ben - cool product! Speaking as the lead for Riot.im, I would recommend picking another name asap, if nothing else because Riot Games has an awful lot of lawyers (as we know first hand, unfortunately).
Everyone's vulnerable to phishing, no matter how technically literate. It's too easy to click through an email during a moment of inattention. I've often thought that the only way to reliably prevent phishing is to enforce the use of a password manager browser extension, which will refuse to enter a saved password except on the original domain. Nobody should ever be manually typing passwords, or even copy-pasting passwords (in the rare case copying becomes necessary, it should be done with a big bold warning).<p>A safer, phish-proof enterprise password manager may be your killer product here.
Pricing feedback. I would love this type of training for our small team of 12 people BUT at this time, I cannot spend $199/month even though one could argue that there is no cost high enough for security. Perhaps add another smaller tier for companies with 20 or fewer employees, in the two-digit range?
At the company I work at they send phishing training emails every now and then. Luckily, the email headers have special fields, so that the IT firewall lets the "spam" through. I managed to set up a rule in my Outlook to catch these headers and move all the emails to a special "Phish" folder.
I wonder if you can comment on the weirdly pro-phishing behavior of <i>many</i> US banks who, if I didn't know better, appear to be <i>trying hard</i> to make their customers vulnerable to phishing attacks ...<p>- TIAA Bank redirects customers, after login, to "cibng.ibanking-services.com".<p>- US Bank, depending on which account you log into, will redirect you to "loansphereservicingdigital.bkiconnect.com".<p>- Union Bank will redirect you to "unionbank.customercarenet.com" if you look at a mortgage account.<p>These are big, serious US banks and these domain jumps (to domains that almost look like <i>parodies</i> of an actual bank domain) happen to every online banking customer.<p>They are training their customers to be phished.<p>FWIW, I have never seen Wells Fargo do this ...
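Two comments above describe the same underlying control from opposite sides: the password-manager comment wants credentials released only on the exact origin they were saved for, and the bank comment shows post-login redirects landing on domains that would fail such a check (the visible bank name in "unionbank.customercarenet.com" is a subdomain of someone else's site). The Python below is an added example written for this thread, not code from Riot or any commenter: a toy vault keyed by exact (scheme, host, port) origin, plus a redirect classifier that compares registrable domains. The bank origin "online.examplebank.test" and the stored credentials are constructed; the redirect targets are the ones quoted in the comment. The "last two labels" rule for the registrable domain is a simplification (real managers consult the Public Suffix List).

```python
"""Origin-bound autofill and third-party redirect check (added example, not Riot's code)."""
from urllib.parse import urlsplit

Origin = tuple[str, str, int]  # (scheme, host, port)


def page_origin(url: str) -> Origin:
    """Reduce a URL to its web origin. Userinfo, path and query play no part,
    so 'https://examplebank.test@phish.example/' resolves to phish.example."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not a web origin: {url!r}")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.scheme, parts.hostname.lower().rstrip("."), port)


class Vault:
    """Toy credential store (an assumption for this example) keyed by exact origin."""

    def __init__(self) -> None:
        self._by_origin: dict[Origin, list[tuple[str, str]]] = {}

    def save(self, url: str, username: str, password: str) -> None:
        self._by_origin.setdefault(page_origin(url), []).append((username, password))

    def fill(self, current_url: str) -> list[tuple[str, str]]:
        """Release credentials only when the page origin matches exactly.
        No substring, prefix or 'looks similar' matching: a lookalike host,
        a different scheme or a different port all get an empty list."""
        try:
            key = page_origin(current_url)
        except ValueError:
            return []
        return list(self._by_origin.get(key, []))


def registrable_domain(host: str) -> str:
    """Simplified: the last two labels. Real code uses the Public Suffix List
    so that e.g. 'bank.co.uk' is handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_redirect(login_url: str, target_url: str) -> str:
    """'same-site' if the redirect stays under the bank's own registrable
    domain, otherwise 'third-party'. A bank name appearing as a subdomain
    of another company's domain is still third-party."""
    login_host = page_origin(login_url)[1]
    target_host = page_origin(target_url)[1]
    if registrable_domain(login_host) == registrable_domain(target_host):
        return "same-site"
    return "third-party"


if __name__ == "__main__":
    # Constructed bank origin and credentials for the demo.
    vault = Vault()
    vault.save("https://online.examplebank.test/login", "alice", "correct horse")
    bank_login = "https://online.examplebank.test/login"

    for url in [
        "https://online.examplebank.test/accounts",            # same origin: filled
        "https://online.examplebank.test.login-check.example/",  # lookalike: empty
        "https://examplebank.test@phish.example/",             # userinfo trick: empty
        "http://online.examplebank.test/",                     # wrong scheme: empty
    ]:
        print(f"fill {url:58} -> {vault.fill(url)}")

    for target in [
        "https://mortgage.examplebank.test/",                  # bank-owned subdomain
        "https://cibng.ibanking-services.com/",                # quoted in the comment
        "https://loansphereservicingdigital.bkiconnect.com/",  # quoted in the comment
        "https://unionbank.customercarenet.com/",              # quoted in the comment
    ]:
        print(f"redirect -> {target:52} {classify_redirect(bank_login, target)}")
```

The point of `classify_redirect` is the Union Bank case: a check that asks "does the hostname contain the bank's name?" would accept "unionbank.customercarenet.com", while comparing registrable domains rejects it, which is exactly why an origin-bound password manager leaves the field empty there and why a customer trained to expect such hops has no signal to go on.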
I always thought the point of fire drills was to inure people to them so that in case of an emergency they would just blasé-ly treat it like a drill instead of panicking: you want them to treat a real positive like a false positive.<p>Injecting false positives generally can impair quality, and whether quality will be impaired or improved with false positives is really context dependent. Indeed, low false positive rates are often used as a measure of quality, so in general you don't want to increase them carelessly.<p>In the case of things like phishing training, I imagine (but I could be wrong) that the injection of false positives just causes the people who recognize phishing emails to ignore them instead of reporting them: there is too much noise and too little signal. The people who don't recognize them will continue to fall victim. In that case, inuring the knowledgeable seems detrimental since you lose the likelihood of receiving a report.<p>I follow inbox zero practices and routinely delete all my email. Since forwarding a phishing email to security is a lot more complicated than hitting the delete key (like I probably just did for another email), I'm personally most likely to delete phishing emails unless I am getting them very rarely or it seems especially pernicious. Indeed, most of the phishing emails I receive lack a certain phishy feeling (like lacking a DKIM signature or other weird mail header shenanigans). I generally just assume they are these sorts of false positives.
My company uses Knowbe4, and I'm constantly frustrated that it considers it a fail if I only click a link vs entering credentials. Sometimes it's tough to tell if something is phishing when you're checking email on your phone. Does Riot work the same way? Or do you test to see if users notice issues once they've actually opened something in the browser?
Love the idea! Unfortunately the IT group in my company is swamped with COVID-19 related work at the moment. But will be sure to bring it up with them once things calm down a little.<p>My company recently had a user fall for a very poor phishing attack (entered password into a Google Sheets request) so something like this could save IT and the company a lot of money.
Great idea, just some copywriting fixes:<p>1. "runs the latest scams techniques on your team" should be "runs the latest scam techniques on your team"<p>2. "trainings", while technically a word, native English speakers will find odd as you rarely see it used. Use "training" instead, e.g. "We get it: trainings are annoying" to "We get it: training is annoying"<p>3. "Riot offers an interactive, tailor-made 5-minutes training your employees will actually enjoy and learn from." to "Riot offers an interactive, tailor-made, 5-minute training your employees will actually enjoy and learn from."<p>4. "Riot will perform attacks and trainings on your team" to "Riot will perform attacks and training for your team"
True story (except for the last two lines):<p>Boss: install this antivirus and run it: [link].<p>Me: I dunno, that seems like a phishing attempt... is that really you, boss? What's the code word?<p>Boss: DO IT OR YOU ARE FIRED!<p>Me: oh yeah, definitely you; installing it right now.
The only time that a phishing attempt actually worked for our company (afaik) occurred when someone emailed an executive in our company (ugh) with a DocuSign-looking email with content that he was EXPECTING. It redirected him to a fake Active Directory sign-in link that he fell for. Immediately after entering his password his Outlook spammed his entire contact list with the same phish, except addressed to them specifically from his actual email, with a link that looked like a shared Office 365 document. It wasn't good.
One that is happening in nearly every parish is that scammers are using church bulletins to get personal info and then sending a "message" from the priest to those people. So while not CEO fraud, it is very similar. A great setup, and one where you could find a way to charge when teams are doing the right thing... have the test be free and the training have a cost.
It’s been honestly pretty fun to run this at BackerKit. Sad to say it caught my COO, but actually more inspiring seeing my team banding together and fighting back and letting folks know in Slack. Also, a bonus, a really cool lean use of Drift which inspired us to use that tool better.
Seems to be a hot topic recently. I first discovered <a href="https://www.hoxhunt.com/" rel="nofollow">https://www.hoxhunt.com/</a>, and there are probably some other competitors as well. What makes you different?
How do you differentiate yourself from places like <a href="https://www.knowbe4.com/" rel="nofollow">https://www.knowbe4.com/</a>, which offer free services against phishing?