Launch HN: Riot (YC W20) – Phishing training for your team
114 points by BenjaminN on March 24, 2020 | 91 comments
Ahoy Hacker News! I'm Ben, founder of Riot (https://tryriot.com), a tool that sends phishing emails to your team to get them ready for real attacks. It's like a fire drill, but for cybersecurity.

Prior to Riot, I was the co-founder and CTO of a fintech company operating hundreds of millions of euros of transactions every year. We were under attack continuously. I was doing an hour-long security training once a year, but was always curious if my team was really ready for an attack. In fact, it kept me up at night thinking we were spending a lot of money on protecting our app, but none on preparing the employees for social engineering.

So I started a side project at that previous company to test this out. On the first run, 9% of all the employees got scammed. I was pissed, but it convinced me we needed a better way to train employees for cybersecurity attacks. This is what grew into Riot.

For now we are only training for phishing, but our intention is to grow this into a tool that will continuously prepare your team for good practices (don't reuse passwords for example) and upcoming attacks (CEO fraud is next), in a smart way.

Your questions, feedback, and ideas are most welcome. Would love to hear your war stories on phishing scams, and how you train your teams!




> Would love to hear your war stories on phishing scams, and how you train your teams!

I was working on anti-phishing in 2003, before it had the name phishing. We were trying to teach our users not to fall for the scams.

It didn't work. People will fall for the same scam over and over.

The conclusion we came to was that the only solution to phishing was education, and education was also nearly impossible to get 100% coverage.

I wish you luck, but don't get discouraged if it doesn't work. We've been trying to educate people about phishing for 17+ years. :)

We shifted our focus to tracking the phishing sites and then tying that back to which user accounts were hacked, and disabling the hacked accounts and notifying the users before damage could be done.

PayPal actually holds the patent on what we built, along with a ton of other anti-phishing and phishing site tracking patents.


> The conclusion we came to was that the only solution to phishing was education, and education was also nearly impossible to get 100% coverage.

A friend works for a company that fires employees after failing three phishing tests.

It doesn’t solve the problem for those people, but it does work for that company. What has priority depends on your management style :)


The only way to pass the phishing tests at my employer is to never click links in email. But then we also have a number of official systems sending emails with links in them (bug tracking, code review, Zoom invites, HR portal, etc).

The only way this kind of policy makes sense is if you have to actually give the phishing site some kind of credential in order to fail, vs. merely opening it.

If someone has a Chrome zero-day, we're done anyway. Just post it on HN.


This is my major concern. Heaps of legitimate companies send emails with links to things like 'http://dh380.<third party server>.com'. We're being trained to accept this sort of silliness


I don't think it's realistic to live in constant fear of browser sandbox escapes, or to consider visiting an arbitrary URL "silliness." If your threat model includes people willing to burn Chrome 0-days on you, you need an air gap.

The much more relevant battle is preventing credential theft, which you can solve completely at the technical level with U2F. And if you can't, user education on "check the URL before typing your password" is a little more realistic than "don't open links from email ever."


While I agree with you, I'm far less concerned for my family/friends/colleagues about a sandbox escape compared to accidentally putting information into a malicious site.


Yes, and "consider the URL and how you got there before typing in your password or credit card" is a lot more realistic than "don't click links." Still, clicking the link fails the phishing test all by itself.


Then I would have gotten fired. That's a ridiculous policy. Do they fire people for making mistakes too?

As a security engineer in a previous life, I always open the links in phishing emails (in an isolated and secure VM). I would fail the tests at work every time, but luckily the person in charge of them knew what I was doing and didn't care.


I actually started coding in 2000 trying to hack my brother, so I can relate: phishing has been a never-ending story.

It's still worth trying though!


Definitely worth trying! Just want to help you set expectations. :)


Did you try punitive disincentives?


A better approach is to turn it into a game: reward those who report suspected phishing emails, security breaches, tailgating into secure areas, USB devices left around, etc. and have red teams doing this stuff periodically. Punitive measures don't really work. Friendly competition with rewards does work, though.


that's a good point :D


In our case we were educating and protecting our customers. It's usually bad policy to carry out punitive punishment on your customers. :)

In fact, the worst offenders were actually rewarded. They were the only ones who had two factor auth for their eBay accounts. Back then we didn't have soft tokens -- the only way to do 2 factor was to get a physical RSA token, which cost about $10 at the time. So only the "best" customers were worth the cost.


The company sends out fake phishing emails. The same people keep falling for it... I suppose the outlined punishments are not strictly enforced.


Thanks!


According to Wikipedia, the term phishing (or fishing) originated in the mid-1990s


The term was coined in the 90s, but didn't get widespread usage until the mid-2000s. So yes, technically it had that name already, but no one used it then.


If you wouldn't mind I'd really like to get your opinion on this proposed hardware solution I posted a while back:

https://news.ycombinator.com/item?id=22343786


I'd have to think about it more, but it feels overly complex. You've essentially taken the idea of a DMZ network and put it in an individual computing device.

DMZ networks are hard to get right and hard to admin, and almost always end up getting some sort of exception for certain business needs.

Asking a user to admin that, or having no admin at all, feels almost impossible.


How do you work with the service providers you use to host your platform and send out emails (e.g. Heroku / Mailgun) to let them know you are not a malicious phishing company, but an anti-phishing company?

I say this because I ended up reporting the phishing email I received from you guys to Mailgun, and I believe accidentally got your account disabled. Sorry about that.


YES you did!

I called them right after that, and I have to say they've been great so far. We agreed I would pay for a dedicated IP, and they now fully support Riot. And having a dedicated IP is actually better, because you can now remove the unexpected warning on Gmail.


Your dedicated IP is going to get flagged as more and more users report it. I run phishing as part of red team exercises and have a constant need for new fresh IPs.


This is amazing. As long as none of your "unsuspecting" "victims" notice you have a dedicated IP lol


If you reported their email you probably passed the test anyways


> "I was pissed"

How do you balance/deal with "security shaming", which is proven to put you further at risk as an organization?

There is some interesting research from the UK Government in this space - https://www.ncsc.gov.uk/blog-post/trouble-phishing#section_3

The relevant bit:

"If just one user reports a phish, you can get a head start on defending your company against that phishing campaign and every spotted email is one less opportunity for attackers...but phishing your own users isn't your only option.

Try being more creative; some companies have had a lot of success with training that gets the participants to craft their own phishing email, giving them a much richer view of the influence techniques used. Others are experimenting with gamification, making a friendly competition between peers, rather than an 'us vs them' situation with security."


1. There's an option to hide the names of the employees. It would replace all the names with random animal name + a color. It's great if you don't want to know which employees are falling for attacks.

2. I love the idea to actually make the employees create their own attacks, but seems a bit hard to do and pretty much time consuming for a company.


It's not the actual individuals - it's the culture it creates, "HA! We caught you, you dumbass, here's 2hrs of training". This means people are afraid to report or take ownership over looking out for phishing as it creates no benefit for them, it's just there to make the security team smug.

Having been part of and designed these campaigns before (with open source options like https://getgophish.com/), there is no way to report as phishing or reward users who detected but therefore didn't interact with it. This means in your example - did the other 81% just not open it, ignored it, or actively thought it was phishing? These are key metrics a company needs to know their potential attack surface.


>How do you balance/deal with "security shaming", which is proven to put you further at risk as an organization?

I've had this happen to me, not for phishing, but for the kensington lock thing. Probably not that common any more, at least not in the west, but some workplaces have aggressive laptop locking policies. Workplace tried this stunt of confiscating laptops that were not locked, and everyone had to meet some manager type person. It was completely asinine. This is a typical badge access controlled workplace with additional security personnel. The laptop locks were a total overkill.


I work at a large professional services firm (think Big 4), so the risk of any single breach in our network is taken pretty seriously. Our IT department added an Outlook plugin years ago that you can use to immediately report phishing attempts to them. As a bonus, they'll sometimes send these "tests" and if you select "Report Phishing", you'll get an atta-boy type notification. I would assume at a macro level, they have stats on everyone and know who the "riskier" employees are. I have no idea if this is done in-house at other large companies.

Sidenote/ question for you: some of the "test" attacks my company sends are very specific to the work we're doing and can sometimes sound very convincing. Do you have a catalogue of "attacks" based on industry or department (procurement might fall for something completely different than sales or marketing)? I'm sure with enough tests, you could measure the effectiveness of attacks (or maybe the difficulty of detection)... then you can start rating organizations not just based on what percentage of folks fell for it, but what specifically they fell for, or what was more likely to get them to bite. Almost like targeted training?

Cool idea overall and wish you guys the best.


1. I've talked with a lot of companies (Stripe for example) who do that internally and it takes a tremendous amount of time to set up.

2. For now attacks are very generic, but will soon be sector-based and department-based.

3. Yes for sure it's probably worth adapting the pace of the attacks depending on the level of the employees.

Thanks for the kind words!


Hi Ben - cool product! Speaking as the lead for Riot.im, I would recommend picking another name asap, if nothing else because Riot Games has an awful lot of lawyers (as we know first hand, unfortunately).


Damn!


that was our thought too :/ On the plus side, you can come join our secret treehouse alongside the nice people at https://riot.js.org/ and https://www.riot-os.org/ who have RG hanging over their heads...


Everyone's vulnerable to phishing, no matter how technically literate. It's too easy to click through an email during a moment of inattention. I've often thought that the only way to reliably prevent phishing is to enforce the use of a password manager browser extension, which will refuse to enter a saved password except on the original domain. Nobody should ever be manually typing passwords, or even copy-pasting passwords (in the rare case copying becomes necessary, it should be done with a big bold warning).

A safer, phish-proof enterprise password manager may be your killer product here.


For some reason I thought this was the pitch and I LOVE this idea. Is it possible for a password manager plugin to capture your "paste" and verify the window url? I know there's an onpaste clipboard event so sure seems like this would be possible.


Password managers that have browser integration already function this way -- you have to go out of your way to copy-paste your password. The main problem is that some sites design their login forms to make this kind of functionality harder (such as putting the password and username fields on different pages, or having strange layouts where you need to also input your last name, and so on).

I personally use KeepassXC which has a browser plugin that does this for you (and it's nice that the plugin doesn't have access to your passwords directly -- it has to request access from the password manager which by default gives you a popup asking for permission to share specific credentials).


Pricing feedback. I would love this type of training for our small team of 12 people BUT at this time, I cannot spend $199/Month even though one could argue that there is no cost high enough for security. Perhaps add another smaller tier for companies with 20 or less employees in the 2 digit range ?


100% agree. CEO of a 13-person services biz here. We're currently priced out of this when it could actually be useful. One thing of note: when we consider security tools / training, monthly is not the right frame of reference. It's either brought back to a daily expense (i.e. how does it compare in my daily costing vs. billed revenue per day), or annually, compared to an insurance premium. I know how much my cyber liability insurance costs me and it's easier to compare on a yearly basis. FWIW, it would be an instant buy for us at 199 per year. Above this, it'll fall in the budget security bucket and under comparison with others.


Sure! Pricing is actually very hard to set up.


At the company I work at they send phishing training emails every now and then. Luckily, the email headers have special fields, so that the IT firewall lets the "spam" through. I managed to set up a rule in my outlook to catch these headers and move all the emails to a special "Phish" folder.


I wonder if you can comment on the weirdly pro-phishing behavior of many US banks who, if I didn't know better, appear to be trying hard to make their customers vulnerable to phishing attacks ...

- TIAA Bank redirects customers, after login, to "cibng.ibanking-services.com".

- US Bank, depending on which account you log into will redirect you to "loansphereservicingdigital.bkiconnect.com".

- Union Bank will redirect you to "unionbank.customercarenet.com" if you look at a mortgage account.

These are big, serious US Banks and these domain jumpings (to domains that almost look like parodies of an actual bank domain) occur to every online banking customer.

They are training their customers to be phished.

FWIW, I have never seen Wells Fargo do this ...
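The origin gate described in the password-manager comments above (release a saved credential only on the origin it was saved for), run against the kind of third-party bank domains listed in this comment. This is an added example, not code from the thread, from Riot, or from any real password manager; `PUBLIC_SUFFIXES` is a constructed stand-in for the full Public Suffix List, and the lookalike hostnames in the demo are constructed.

```python
"""Added example (not from the thread, Riot, or any real password manager):
gate autofill on the origin a credential was saved for. PUBLIC_SUFFIXES is a
constructed stand-in for the real Public Suffix List."""
from urllib.parse import urlsplit

# Assumption: a handful of suffixes; a real manager ships the full list.
PUBLIC_SUFFIXES = frozenset({"com", "net", "org", "ie", "co.uk"})


def registrable_domain(hostname):
    """eTLD+1 of hostname ('login.bank.co.uk' -> 'bank.co.uk'), or None if unknown."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            # A bare suffix (i == 0) is not something a credential can be saved for.
            return None if i == 0 else ".".join(labels[i - 1:])
    return None


def autofill_decision(saved_origin, page_url, strict=False):
    """Return (fill?, reason). strict=True demands an exact host match; otherwise
    the same registrable domain is accepted, which is what most managers do."""
    saved, page = urlsplit(saved_origin), urlsplit(page_url)
    if saved.scheme != "https" or page.scheme != "https":
        return False, "not https"
    # .hostname drops userinfo, so 'https://www.bank.com@evil.net/' resolves to evil.net
    saved_host, page_host = saved.hostname, page.hostname
    if not saved_host or not page_host:
        return False, "no host"
    if "xn--" in page_host:
        return False, "punycode host, do not fill without manual confirmation"
    if page_host == saved_host:
        return True, "exact host match"
    if strict:
        return False, "strict mode: host differs"
    a, b = registrable_domain(saved_host), registrable_domain(page_host)
    if a is None or b is None:
        return False, "unknown public suffix, refusing to guess"
    if a == b:
        return True, f"same registrable domain {a}"
    return False, f"page domain {b} is not the saved domain {a}"


if __name__ == "__main__":
    # The bank redirect from the comment above, plus constructed lookalikes.
    for saved, page in [
        ("https://www.unionbank.com", "https://unionbank.customercarenet.com/"),
        ("https://www.bank.com", "https://www.bank.com@evil.net/login"),
        ("https://example.com", "https://example.com.evil.net/login"),
        ("https://example.com", "https://login.example.com/"),
    ]:
        print(page, "->", autofill_decision(saved, page))
```

The bank case shows the practical consequence of the complaint above: a manager that binds credentials to the origin will simply refuse to fill on `unionbank.customercarenet.com`, which is exactly the moment a user is pushed to type the password by hand.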


My bank in Ireland (Ulster Bank) has a notice on the login page: "You will NEVER need your card reader [their 2FA] to log in". Last year they changed their login flow so you are asked to use your card reader to log in. I complained about it on Twitter but got a meaningless response about customer safety/new regulations.

If they wanted to train their customers to be phished, I can't think how they could do a better job.


I always thought the point of fire drills was to inure people to them so that in case of an emergency they would just blasély treat it like a drill instead of panicking: you want them to treat a real positive like a false positive.

Injecting false positives generally can impair quality, and whether or not quality will be impaired or improved with false positives is really context dependent. Indeed, low false positive rates are often used as a measure of quality, so in general you don't want to increase them carelessly.

In the case of things like phishing training, I imagine (but I could be wrong) that the injection of false positives just causes the people who recognize phishing emails to ignore them instead of reporting them: there is too much noise and too little signal. The people who don't recognize them will continue to fall victim. In that case, inuring the knowledgeable seems detrimental since you lose the likelihood of receiving a report.

I follow inbox zero practices and routinely delete all my email. Since forwarding a phishing email to security is a lot more complicated than hitting the delete key (like I probably just did for another email) I'm personally most likely to delete phishing emails unless I am getting them very rarely or it seems especially pernicious. Indeed, most of the phishing emails I receive lack a certain phishy feeling (like lacking a DKIM signature or other weird mail header shenanigans). I generally just assume they are these sorts of false positives.
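The two header-based signals raised in this thread (the mail rule above that routes simulation mail on a distinctive header, and the missing-DKIM heuristic in this comment), as an added triage script that is not part of the thread or of Riot's product. The three messages, the `X-Phish-Simulation` header name and the folder names are constructed assumptions. Presence of a `DKIM-Signature` header only means the sender claims to have signed; real verification fetches the selector's key from DNS, and an `Authentication-Results` header is only trustworthy if the border MTA strips inbound copies of it.

```python
"""Added example (not from the thread or any vendor): mailbox-side triage of
raw messages using only header signals. The messages and the
X-Phish-Simulation header name below are constructed assumptions."""
import email
import re
from email.utils import parseaddr

SIMULATION_HEADER = "X-Phish-Simulation"  # assumption: a vendor-specific marker header


def domain_of(header_value):
    """Domain part of the first address in a header, lower-cased, or None."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() or None


def dkim_signing_domain(sig):
    """The d= tag of a DKIM-Signature header (the domain that claims to have signed)."""
    m = re.search(r"(?:^|;)\s*d=([^;\s]+)", sig or "")
    return m.group(1).lower() if m else None


def triage(raw):
    """Return {'from', 'verdict', 'findings'} for one raw RFC 5322 message."""
    msg = email.message_from_string(raw)
    from_dom = domain_of(msg.get("From"))
    rp_dom = domain_of(msg.get("Return-Path"))
    d = dkim_signing_domain(msg.get("DKIM-Signature"))
    # Only meaningful if the border MTA strips inbound Authentication-Results.
    auth = (msg.get("Authentication-Results") or "").lower()
    findings = []
    if msg.get(SIMULATION_HEADER):
        findings.append("simulation header present")
    if d is None:
        findings.append("no DKIM-Signature")
    elif from_dom and d != from_dom and not from_dom.endswith("." + d):
        findings.append(f"DKIM d={d} does not align with From domain {from_dom}")
    if rp_dom and from_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")
    if "dkim=fail" in auth or "spf=fail" in auth:
        findings.append("border MTA reported an authentication failure")
    if msg.get(SIMULATION_HEADER):
        verdict = "simulation"
    elif findings:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"from": from_dom, "verdict": verdict, "findings": findings}


def folder_for(raw):
    """Route by verdict instead of deleting, mirroring the mail rule in the thread."""
    return {"simulation": "Phish", "suspicious": "Quarantine"}.get(triage(raw)["verdict"], "Inbox")


# Constructed sample messages (signature values are placeholders, not real signatures).
LEGIT = """From: Payroll <payroll@example.com>
Return-Path: <payroll@example.com>
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=mail; h=from:to:subject; bh=Zm9v; b=YmFy
Authentication-Results: mx.example.com; dkim=pass header.d=example.com; spf=pass smtp.mailfrom=example.com
To: staff@example.com
Subject: March payslips

Payslips are in the portal.
"""

PHISH = """From: IT Helpdesk <helpdesk@example.com>
Return-Path: <bounce@relay.example.net>
To: staff@example.com
Subject: Password expiring today

Reset here: https://example-com.example.net/reset
"""

SIM = """From: IT Helpdesk <helpdesk@example.com>
Return-Path: <sim@phish-sim.example.org>
X-Phish-Simulation: campaign-2020-03
To: staff@example.com
Subject: Action required: MFA re-enrolment

Re-enrol here: https://mfa.example-com.example.org/
"""

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("phish", PHISH), ("sim", SIM)):
        print(name, folder_for(raw), triage(raw)["findings"])
```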


This is a hot area, but there are already huge competitors. How do you differentiate?


Great question!

1. From Gophish: you need to be technical and you need at least a week off to prepare the attacks. With Riot, you can be sending attacks in a matter of minutes.

2. From Knowbe4, …: those are products made for enterprise companies, that are trying somehow to adapt to smaller companies. Riot is doing the opposite: it was built with smaller companies in mind.

Overall, I think there's a huge need today for product-centric cybersecurity companies, where most of the big players are sales-centric companies.


> Overall, I think there's a huge need today for product-centric cybersecurity companies, where most of the big players are sales-centric companies.

Totally agreed, and I love this. High five from a Techstars 2020 company doing a similar product-first approach to cyber security program planning and implementation for small businesses. We use Webroot as a vendor to supply phishing right now but would love to talk. brian@havocshield.com


So, to summarize, it's phishing training for small companies. Makes sense.


My company uses Knowbe4, and I'm constantly frustrated how it considers it a fail if I only click a link vs entering in credentials. Sometimes it's tough to tell if something is phishing when you're checking email on your phone. Does Riot work the same way? Or do you test to see if users notice issues once they've actually opened something in the browser?


That's not a knowbe4 thing, that's your company's choice.

opened/clicked/creds and so forth are various levels. Your company has decided that a mere click is a fail. also, in gmail, if you 'report phishing' (without clicking), gmail will "click" it for you as part of their back-end analysis. this will show up in the click report. this type of click is distinguishable from a user click, but it's not obvious and knowbe4 has zero docs on it.

Keep in mind, a mere click can in fact be a fail. There are still drive-by attacks that work simply by clicking.
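The reply above points at a real accounting problem for any simulation platform: a mail gateway or a "report phishing" button fetches the tracked link on the user's behalf, and that fetch lands in the click report next to genuine clicks. Below is an added example, not Riot's, KnowBe4's or Gophish's code, that labels such automated fetches before counting who failed. The log lines, user-agent markers, timing thresholds and burst rule are all constructed assumptions; a production platform would also match known scanner IP ranges.

```python
"""Added example (not Riot's, KnowBe4's or Gophish's code): tell human clicks
apart from automated link fetches in a simulation event log before counting
fails. The log lines, user-agent markers and thresholds are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

STAGES = {"sent": 0, "opened": 1, "clicked": 2, "submitted": 3}
SCANNER_UA_MARKERS = ("bot", "scanner", "python-requests", "curl/", "go-http-client")  # assumption
TOO_FAST = timedelta(seconds=3)       # assumption: a human rarely clicks within 3 s of delivery
BURST_WINDOW = timedelta(seconds=10)  # assumption: one IP hitting 3+ recipients' links in 10 s is a scanner
BURST_MIN_RECIPIENTS = 3


@dataclass(frozen=True)
class Event:
    ts: datetime
    recipient: str
    stage: str
    ip: str
    ua: str


def parse_log(text):
    """'timestamp | recipient | stage | ip | user-agent' lines -> list of Event."""
    events = []
    for line in text.strip().splitlines():
        ts, recipient, stage, ip, ua = (p.strip() for p in line.split("|", 4))
        events.append(Event(datetime.fromisoformat(ts), recipient, stage, ip, ua))
    return events


def label_clicks(events):
    """{click_event: 'user' | 'scanner:<reason>'} for clicked/submitted events."""
    sent_at = {e.recipient: e.ts for e in events if e.stage == "sent"}
    clicks = [e for e in events if e.stage in ("clicked", "submitted")]
    by_ip = defaultdict(list)
    for e in clicks:
        by_ip[e.ip].append(e)
    labels = {}
    for e in clicks:
        ua = e.ua.lower()
        if any(marker in ua for marker in SCANNER_UA_MARKERS):
            labels[e] = "scanner:user-agent"
        elif e.recipient in sent_at and e.ts - sent_at[e.recipient] < TOO_FAST:
            labels[e] = "scanner:too-fast"
        else:
            # One source address walking several recipients' unique links at once.
            peers = {p.recipient for p in by_ip[e.ip] if abs(p.ts - e.ts) <= BURST_WINDOW}
            labels[e] = "scanner:burst" if len(peers) >= BURST_MIN_RECIPIENTS else "user"
    return labels


def campaign_summary(events):
    """Per-recipient worst stage reached, counting only user-attributed clicks."""
    labels = label_clicks(events)
    reached = defaultdict(int)
    scanner_events = 0
    for e in events:
        if labels.get(e, "user") != "user":
            scanner_events += 1
            continue
        reached[e.recipient] = max(reached[e.recipient], STAGES[e.stage])
    return {
        "recipients": sum(1 for e in events if e.stage == "sent"),
        "clicked_or_worse": sum(1 for v in reached.values() if v >= STAGES["clicked"]),
        "submitted": sum(1 for v in reached.values() if v >= STAGES["submitted"]),
        "scanner_events": scanner_events,
    }


# Constructed sample log: a UA-identified scanner, a too-fast fetch, one IP
# sweeping three recipients' links, and one genuine click that went on to submit.
SAMPLE_LOG = """
2020-03-24T09:00:00 | alice@example.com | sent | - | -
2020-03-24T09:00:00 | bob@example.com | sent | - | -
2020-03-24T09:00:00 | carol@example.com | sent | - | -
2020-03-24T09:00:00 | dave@example.com | sent | - | -
2020-03-24T09:00:01 | alice@example.com | clicked | 203.0.113.10 | Mozilla/5.0 (compatible; LinkScanner/1.0)
2020-03-24T09:00:02 | bob@example.com | clicked | 198.51.100.20 | Mozilla/5.0 (Windows NT 10.0) Chrome/80.0
2020-03-24T09:05:00 | alice@example.com | clicked | 192.0.2.5 | Mozilla/5.0 (Windows NT 10.0) Chrome/80.0
2020-03-24T09:05:02 | bob@example.com | clicked | 192.0.2.5 | Mozilla/5.0 (Windows NT 10.0) Chrome/80.0
2020-03-24T09:05:04 | carol@example.com | clicked | 192.0.2.5 | Mozilla/5.0 (Windows NT 10.0) Chrome/80.0
2020-03-24T09:06:00 | carol@example.com | opened | 198.51.100.31 | Mozilla/5.0 (Macintosh) Safari/605
2020-03-24T09:12:00 | dave@example.com | clicked | 198.51.100.7 | Mozilla/5.0 (Windows NT 10.0) Chrome/80.0
2020-03-24T09:12:30 | dave@example.com | submitted | 198.51.100.7 | Mozilla/5.0 (Windows NT 10.0) Chrome/80.0
"""

if __name__ == "__main__":
    print(campaign_summary(parse_log(SAMPLE_LOG)))
```

On the constructed log, a naive click report would show three of four recipients clicking; after discounting the automated fetches only one recipient actually clicked, and that one also submitted credentials, which is the number a "click is a fail" policy should be arguing about.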


> I'm constantly frustrated how it considers it a fail if I only click a link vs entering in credentials

That is a failure. There is currently a Windows font parsing vulnerability that is being exploited in the wild just like this. If you click the link, you are subjecting your browser and OS to an attacker crafted payload.


Love the idea! Unfortunately the IT group in my company is swamped with COVID-19 related work at the moment. But will be sure to bring it up with them once things calm down a little.

My company recently had a user fall for a very poor phishing attack (entered password into a Google Sheets request) so something like this could save IT and the company a lot of money.


Since everyone is moving to remote right now, hackers are enjoying the overall disorganization of companies. I've seen a growing number of phishing attacks for the past few weeks.

I wouldn't be surprised if we get a major data leak caused by COVID-19 in the coming days.

PS: great username by the way.


Honestly I mixed this with riot.im


That's because you're not a LoL player ;-)


heh, I appreciate you leaning into it.


Great idea, just some copywriting fixes:

1. "runs the latest scams techniques on your team" should be "runs the latest scam techniques on your team"

2. "trainings" while technically a word, native English speakers will find it odd as you rarely see it used. use "training" instead, ex: "We get it: trainings are annoying" to "We get it: training is annoying"

3. "Riot offers an interactive, tailor-made 5-minutes training your employees will actually enjoy and learn from." to "Riot offers an interactive, tailor-made, 5-minute training your employees will actually enjoy and learn from."

4. "Riot will perform attacks and trainings on your team" to "Riot will perform attacks and training for your team"


That's an unfortunate business name


Definitely bad timing. My experience with names: they are never good enough.

What I look for in a name:

1. If I say it out loud, you know how to write it.

2. If I say it out loud today, you remember it tomorrow.

On that 2 criteria, Riot works quite well I think.


It's bad in that there's already a very popular game company named Riot (Games) which everyone refers to as 'Riot'.


Disagree, I have serious doubts you could confuse the two. I can see almost no context where 'Riot (Games)' and 'Riot (Anti-Phish Company)' could be meaningfully confused.


Some people know League of Legends, most don't know Riot Games. And I double checked: Riot Games don't own a trademark for anything related to cybersecurity.


Unfortunately that doesn't seem to stop them going after companies with Riot in their name (even though Riot is also a dictionary word) :(


Way more people already know riot games and league of legends than will ever know about your security startup, so I don't see what they're upset about for you. Hand-wringing, perhaps?


True story (except for the last two lines):

Boss: install this antivirus and run it: [link].

Me: I dunno, that seems like a phishing attempt... is that really you, boss? What's the code word?

Boss: DO IT OR YOU ARE FIRED!

Me: oh yeah, definitely you; installing it right now.


The only time that a phishing attempt actually worked for our company (afaik) occurred when someone emailed an executive in our company (ugh) with a docusign looking email with content that he was EXPECTING. it redirected him to a fake Active Directory sign in link that he fell for. Immediately after entering his password his outlook spammed his entire contact list with the same phish except addressed to them specifically from his actual email, with a link that looked like a shared Office 365 document. It wasn't good.


I had this exact same attack in my previous company, and it spread quite rapidly.


Curious how you differ from Cofense Phishme? https://cofense.com/


One that is happening in nearly every parish is that scammers are using church bulletins to get the personal info and then sending a "message" from the priest to those people. So while not CEO fraud it is very similar. A great setup and one that you could find a way that you charge when teams are doing the right thing... have the test be free and the training have a cost


It’s been honestly pretty fun to run this at BackerKit. Sad to say it caught my COO, but actually more inspiring seeing my team banding together and fighting back and letting folks know in Slack. Also, a bonus, a really cool lean use of Drift which inspired us to use that tool better.


Great to have BackerKit on board!


Seems to be a hot topic recently. I first discovered https://www.hoxhunt.com/, there are probably some other competitors as well, what makes you different?


I would be interested in this answer as well. There is actually quite heavy competition in this space: PhishMe, PhishLabs, IronScales, MediaPro, KnowBe4, Wombat (acquired by ProofPoint).

What convinced YC to invest in your company?


Not OP, but I will say, of those companies, only two or so really focus on this as the market is incredibly saturated. For example, Attack Simulator via Microsoft was recently announced, and their O365 brand is one of the most abused. Most have acquired other organizations to find higher ground.


How do you differentiate yourself with places like https://www.knowbe4.com/ which offer free services against phishing.


I tried Knowbe4, I think it's a horrible product.

I heard once you try the "free service" they call you daily to sign you up for the paid plan.


like sibling, i found knowbe4 to be pretty good. easy to setup, easy to use, great support, pretty comprehensive.

not perfect, mind you, but still pretty good.

they do bug the hell out of you but who cares? it's just one of dozens of calls i have to ignore on the daily. i told them to back off and they did.

i'll tell you what product is actually horrible, and perhaps ironically so. SANS security training (phishing part relevant here, but the entire suite is horrid). just stay away, don't waste a minute evaluating it.


i used knowbe4 before and I found their product to be very good and easy to use. also i like that they had training videos and assessment tests as part of their packages. i didn't see anything on your site pertaining to this.


You are double the price of knowbe4. How do you expect to possibly compete?


The pricing is a work in progress.


How do you avoid spam filters when sending your fake phishing emails?


Depending on your email provider (most of the time it's Google), you need to whitelist the IP address I use to send the emails. It takes probably no more than 4 minutes to do.


What are the steps necessary to get this up and running?

Step 1, 2, 3... Besides signing up. ESP if you have O365 or GApps for mail.


1. Import the list of your employees.

2. Whitelist the IP address we use to send the emails.

3. Activate the "phishing simulation" module.

4. Wait and see.

Takes 5 minutes.


Why is this any better than product offerings from PhishMe, Wombat, or KnowBe4?


Most of them target big companies. It makes a very different product.

I have a fun story with Wombat: I tried to use the product in my previous company (100 employees), had 4 different calls, with 4 different salespeople, over 2 months. At the end they just forgot about me.


don't know about wombat and the other, but how can you say knowbe4 targets big companies? Their SCORM integration is horrible.


The copy in your post is great. I understood what you do straight away.


Thanks!


I invented this space. Ask me anything. Aaron Higbee


So we have Riot Games, Riot.im, and now this. As if two wasn't enough confusion.



