Ask HN: Is there a consumer phishing testing service for non-technical people?
4 points by jryb 6 months ago | 3 comments
A friend's mother recently fell for an obvious phishing scam, and I was hoping there was some service you could sign up for where they occasionally send fake phishing emails/texts to whoever you designate, and if they engage with them they'll get chided by the system, and you'd get metrics about how often your parents fall for these simulated attacks. This kind of thing is common in corporate settings, but it doesn't appear like there's one available for individuals.

Is there a legal barrier to running a service like this, or did I just fail in my google search when looking for one? And if there are no barriers, could someone please make this? I will never have the bandwidth.




It is a great idea. As a person who has published a book about a similar topic [https://www.amazon.com/dp/B0CR7T5N5V], I know the importance of this kind of practical knowledge.

All enterprises use similar functionality provided by big cyber security companies as part of their employee training programs.

But running this kind of B2C business has several downsides. I am listing them below as they come to mind.

1. The servers you send e-mails from may easily be blacklisted or marked as spam, which may cause a lot of operational headache with your providers.

2. It must be both affordable for the subscribers and profitable for the business.

3. Even though the risk is relatively low, you may attract the attention of some cyber law enforcement teams and may need to give some explanations.

4. Personal data privacy related issues. The terms and conditions should be structured so that neither European nor any local data privacy regulations cause a headache in the long run.

On top of these potential issues, bootstrapping an untested idea does not seem very logical. I did not try to devalue your idea and pain point, but even though I do not have the bandwidth to build a service like that, I wanted to highlight critical points for anyone who may realize this idea.


Related: is there any evidence that this sort of testing actually works (reduces engagement with genuine phishes/spam)?

Corporate information security training feels like someone guessed at what should work, without checking that their hunch was right.


> is there any evidence that this sort of testing actually works

Yes. I don't have the reports and graphs and would not be permitted to share them even if I did, but I worked for a company that handles as-sensitive-as-it-gets data. We did phishing tests multiple times per year. A percentage of people would click on the links and a sub-set of them would enter corporate credentials. Those employees were required to attend security training. There were incentives for leadership to get the numbers down and down they went year over year. The greatest focus on re-training was applied to those with access to customer data, production and development environments.

I do not have an answer for OP's question, however. I think lawyers and legal agreements would be required for people outside of a company who have not signed vaguely worded terms of employment documents. I personally would not perform such testing at the risk of landing in the bog of eternal stench, a legal quagmire.
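The metrics side of what OP asks for and what the comment above describes (a percentage clicks, a subset of those submits credentials, the people who submitted get routed to training, and the rate is tracked year over year) is a small bookkeeping problem. The following is an added example, not code from anyone in this thread and not any vendor's product: it takes constructed simulation events (who was sent a lure, who clicked, who submitted credentials), computes per-campaign click and submission rates, lists who should be routed to training, flags repeat clickers across campaigns, and reduces the campaigns to a year-over-year trend. Campaign labels in the "YYYY-Qn" form are an assumption of this example.

```python
"""Phishing-simulation metrics tracker (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Event:
    campaign: str   # assumed label form "YYYY-Qn", e.g. "2023-Q2"
    user: str
    action: str     # one of "sent", "clicked", "submitted"
    when: date


# Constructed sample: two yearly campaigns sent to the same five people.
# "scanner" never received a lure; its click stands in for a mail-gateway
# link scanner that follows URLs and would otherwise inflate the click rate.
SAMPLE_EVENTS = [
    Event("2022-Q2", "alice", "sent", date(2022, 5, 2)),
    Event("2022-Q2", "bob", "sent", date(2022, 5, 2)),
    Event("2022-Q2", "carol", "sent", date(2022, 5, 2)),
    Event("2022-Q2", "dave", "sent", date(2022, 5, 2)),
    Event("2022-Q2", "erin", "sent", date(2022, 5, 2)),
    Event("2022-Q2", "bob", "clicked", date(2022, 5, 2)),
    Event("2022-Q2", "carol", "clicked", date(2022, 5, 3)),
    Event("2022-Q2", "dave", "clicked", date(2022, 5, 3)),
    Event("2022-Q2", "bob", "submitted", date(2022, 5, 2)),
    Event("2022-Q2", "dave", "submitted", date(2022, 5, 3)),
    Event("2023-Q2", "alice", "sent", date(2023, 5, 8)),
    Event("2023-Q2", "bob", "sent", date(2023, 5, 8)),
    Event("2023-Q2", "carol", "sent", date(2023, 5, 8)),
    Event("2023-Q2", "dave", "sent", date(2023, 5, 8)),
    Event("2023-Q2", "erin", "sent", date(2023, 5, 8)),
    Event("2023-Q2", "bob", "clicked", date(2023, 5, 9)),
    Event("2023-Q2", "scanner", "clicked", date(2023, 5, 8)),
]


def campaign_metrics(events):
    """Per campaign: counts and rates of clicks and credential submissions.

    Only users on the campaign's send list are counted, so clicks from
    scanners or forwarded copies do not distort the rates.
    """
    per = defaultdict(lambda: defaultdict(set))
    for e in events:
        per[e.campaign][e.action].add(e.user)
    out = {}
    for camp, actions in sorted(per.items()):
        sent = actions["sent"]
        clicked = actions["clicked"] & sent
        submitted = actions["submitted"] & sent
        out[camp] = {
            "sent": len(sent),
            "clicked": len(clicked),
            "submitted": len(submitted),
            "click_rate": len(clicked) / len(sent) if sent else 0.0,
            "submit_rate": len(submitted) / len(sent) if sent else 0.0,
        }
    return out


def users_to_train(events, campaign):
    """People who entered credentials in this campaign: route to training."""
    sent = {e.user for e in events if e.campaign == campaign and e.action == "sent"}
    return sorted({e.user for e in events
                   if e.campaign == campaign and e.action == "submitted" and e.user in sent})


def repeat_clickers(events):
    """People who clicked in more than one campaign: the re-training focus."""
    camps = defaultdict(set)
    for e in events:
        if e.action == "clicked":
            camps[e.user].add(e.campaign)
    return sorted(u for u, c in camps.items() if len(c) > 1)


def year_over_year(events):
    """[(year, credential-submission rate)] aggregated over that year's campaigns."""
    by_year = defaultdict(lambda: [0, 0])   # year -> [sent, submitted]
    for camp, m in campaign_metrics(events).items():
        year = int(camp.split("-")[0])      # relies on the assumed "YYYY-Qn" label
        by_year[year][0] += m["sent"]
        by_year[year][1] += m["submitted"]
    return [(y, sub / sent if sent else 0.0) for y, (sent, sub) in sorted(by_year.items())]


if __name__ == "__main__":
    for camp, m in campaign_metrics(SAMPLE_EVENTS).items():
        print(camp, m)
    print("train:", users_to_train(SAMPLE_EVENTS, "2022-Q2"))
    print("repeat clickers:", repeat_clickers(SAMPLE_EVENTS))
    print("trend:", year_over_year(SAMPLE_EVENTS))
```

On the constructed data the 2022 campaign shows a 60% click rate and 40% credential-submission rate, 2023 drops to 20% and 0%, and bob is the one person who clicked both years. Filtering clicks to the send list matters in practice: mail security gateways often prefetch links, and counting those as clicks makes the numbers look worse than they are.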



