Cyber Web Spider Blog – News
Hacker Conversations: Rachel Tobac and the Art of Social Engineering

Posted on June 30, 2025 By CWS

Social engineering is the art of persuasion. Fundamentally, it is a good thing. Misused, it can have disastrous effects.

Rachel Tobac is a cyber social engineer. She is skilled at persuading people to do what she wants, rather than what they know they should do. Does this make her a hacker? “Yes. I’m a hacker. I hack people. I hack people over the phone, via email, by text message, across social media – and sometimes in person.” Social engineers hack people rather than computers.

She is now co-founder and CEO of SocialProof Security.

SecurityWeek spoke with Tobac to better understand this concept of people hacking. Specifically, the ‘what’ and ‘how’ of social engineering. The ‘why’ part is simple. Social engineering is the starting point for almost all adversarial cyberattacks.

Social engineering is widely misunderstood and often underrated. “It’s part of the fabric of society,” explained Tobac. It is the oil that makes society run smoothly, the natural mediation between different points of view that allows conciliation and mutual cooperation. Its purpose is beneficial, and its process of natural give and take is hardwired into the human psyche.

But this conciliation can be abused with the addition of deception. “Sometimes it’s used to get kids to eat their veggies,” said Tobac. That’s conciliation. “And sometimes it’s used to convince somebody that you really are ‘IT support’, and you need their password to solve their problem.”

Deceptive social engineering is not a new phenomenon. It was social engineering that enabled Rebekah to trick Isaac into bestowing Esau’s birthright inheritance on Jacob – as outlined in Genesis chapters 25-27.

Deceptive persuasion, within the context of cyber, is the version of social engineering we are discussing here. But we should remember that conciliatory social engineering is something we all do and accept every day; which explains why deceptive social engineering is so successful and so difficult to detect and ignore.

Social engineering uses variations on the seven psychological principles outlined in Robert Cialdini’s Principles of Persuasion. These include reciprocity, commitment, social proof, respect, authority, and scarcity. That last is often manipulated as ‘urgency’ and ‘greed’ (act now, or we miss out) by the social engineer.

Amygdala hijacking

“Creating a time box imposes a sense of urgency, and everything I need is available through OSINT,” explained Tobac. “I can discover the target’s business superior through LinkedIn. I could create a voice clone of that person using gen-AI and a soundtrack lifted from YouTube. I can add relevant background noise to the conversation.”

(See Cyber Insights 2025: Social Engineering Gets AI Wings, for further information on the effect of AI on social engineering.)

The precise details would depend on the response required. It could be details of an M&A project, or a new product development, or simply a link to an important document. In this instance, the target receives a phone call from a colleague whose voice is recognizable, asking for urgent information before boarding an airplane. Several Cialdini principles of persuasion are present: authority (it’s the boss talking), unity (there is a common business purpose), and scarcity (in this case a scarcity of time because of imminent departure).

“It sounds silly,” continued Tobac, “but about 50% of the time when I create a time box sense of urgency, and the target can hear the sound of a plane taking off in the background (which I’m just playing on YouTube), they truly do believe they need to give me that information immediately. It overrides something called the amygdala.”

This is amygdala hijacking, and it is an important part of social engineering. The amygdala is the part of the brain that processes emotions. By using the principles of persuasion, the social engineer can trick the amygdala into providing the required emotional response – in this case, a need to comply immediately. Social engineers will often strengthen the urgency aspect using ‘fear’ and ‘greed’ – fear that any delay will cause a loss or missed opportunity.

Entree

“About ten years ago,” she explained, “my husband took me to DEF CON. I was already in tech, doing UX research. But at DEF CON, I was introduced to the social engineering village where contestants were closed off in glass cubicles in front of 500 spectators, and they hacked other people over the phone. He told me, ‘It’s not very different to what you already do when you try to get the bill from the cable company reduced.’”

So, she watched; and was immediately captivated. “As soon as I saw it, I thought, oh, this is so me! It combines all the things that I love: improv (you need to be able to improvise on the fly when you’re hacking people over the phone); research (you need to research the target in advance, often through OSINT); and acting (something I’ve always enjoyed – I was in musicals as a kid). Okay,” she thought, “this is going to be great.”

So, at a subsequent DEF CON she applied to take part in the social engineering competition and was one of 14 chosen from around 400 applicants. “I got my target, I did my research, I got help from so many people in the community – and I ended up getting second place in my first time competing. Then I also got second place in the second and third time I competed.”

Rachel Tobac was now a proven and confirmed social engineer.

Motivation

Motivation plays an important part in determining whether a hacker breaks good or breaks bad. But hacker motivation is a complex issue involving many factors. Sometimes it is simple curiosity – a need to understand how an object or process works. Sometimes it is the desire to improve something, to make it work better for everyone’s benefit. Sometimes it is socioeconomic pressure driving a need to gain income through cyber extortion. Sometimes it is geopolitical patriotism. And sometimes it is simply a military order.

None of these factors explain Tobac’s personal motivation, nor even her view of the broader hacker motivations. “I think a lot of hackers, me included, see hacking as a fun game. It’s a bit like a puzzle to figure out how you’re going to gain access to something where you don’t already have authorized access. I’m an ethical hacker, so I have consent to gain access, but ‘consented’ isn’t ‘authorized’. That’s the puzzle and fun of social engineering – how to gain access without authorization.”

But has she ever been tempted to break bad, and use these skills to steal data for her own pecuniary benefit? “No,” she says. “There’s so much positive money to be made by hacking legally that I think sometimes cybercriminals subsequently break good because they realize, ‘Hang on – I could probably make similar money with a stable career in ethical hacking and cybersecurity.’ No, I’ve never been tempted to break bad.”

There is another incentive for breaking from bad to good. For those who start bad, the most common motivation is financial. Some don’t care about money – the motivation for hacktivists is usually political or moral. Regardless, “A lot of times, people start hacking and they get caught,” said Tobac. “They go to jail, and then they reform themselves, and they break good. Sometimes people don’t get caught but just realize they could be making the same money or more, doing this in an ethical fashion without worrying about the FBI knocking down their door. I think a lot of times the stress of being a criminal just gets to people, and if you can make the same amount of money doing it legally, why not?”

There is an interesting question here. Are people naturally and inherently good, and only learn to be bad through external pressures?

People hacking career

Competitive success at DEF CON is one thing – becoming a successful and legal social engineering careerist is another. For Tobac, it just happened, almost organically.

“After competing three years in a row and getting second place three years in a row, people started to recognize me. They would come to me and ask questions about what I did and how I did it. By the third time, I already had several job offers and speaking requests. People wanted to learn how to avoid falling for my tricks. But to do that, I knew I needed to be an LLC; so, I founded SocialProof Security LLC in 2017. It really was as simple and organic as that.”

Hers is not a large company. She remains a hands-on practitioner rather than a business administrator. “I get to hack people all the time – at least once a week. I do penetration testing, and I give keynotes about the work and the latest scams, and how to avoid falling for them. I have a team of people I work with on pentests, but I’m still on that team. I’m still hacking – I have a new pentest coming up next week.”

A simple social engineering pentest

“A bank may come to me wanting to know if the people who answer the phone at the bank are easily susceptible to social engineering.”

The first step is to understand the context: how do the staff currently verify that the people who call them are genuinely the people they claim to be? “So, if Joan Smith calls and says, ‘I have an account, but I need to change my email address and phone number for that account’, how do you verify this really is Joan Smith?” For an ethical pentest you can simply ask the bank – in real life, a few attempts by different people will soon expose the verification requirements. In this example the bank’s staff simply ask for the caller’s date of birth and home address, both of which are on file at the bank.

“That’s a problem,” said Tobac, “because an attacker can easily find that information on data broker sites. If I want to take over someone’s account at the bank, I can falsely verify my identity. I can find Smith’s email address and phone number, and now I’m her. I also have her date of birth, so I can demonstrate to the bank how I can take over accounts by calling customer support, spoofing a phone number, changing the caller ID (that’s easy to do using an app available on the App Store, costs less than $1)… and then I get on the phone, and I pretend to be Smith.”

This is the pretexting element of social engineering, the creation of a false scenario designed to trick the victim (similar in concept to Rebekah disguising herself as Esau and mimicking his voice to trick Isaac). Tobac is calling from the expected phone number and has the identity verification details – she has effectively become Joan Smith.

“That’s how I take over someone’s bank account,” she continued, “or their cable company account, or mortgage, or whatever it is that I think is interesting that I want to access.” It is a combination of basic back end hacking, pretexting and spoofing.

We often think of social engineering as the less sophisticated part of hacking. That is a mistake. It involves manipulating the human brain, which remains far more complex than current computers. And it has been practiced for thousands of years rather than the relatively few decades of computer hacking. Rebekah deceiving Isaac into bestowing Esau’s inheritance on Jacob is just one early example of pretexting and voice emulation combined in social engineering.

The longevity of the practice, coupled with the sophistication of its delivery to a mind that is psychologically inclined to believe what it is told, explains the success of social engineering and the impossibility of defending against it. The only way to defeat social engineering would be to train everyone to mistrust everything – which would threaten the very nature of our humanity and the existence of society.

Rachel Tobac, social engineer, proves this hypothesis.
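The verification weakness in the bank pentest above, modelled from the defender’s side as a policy check. This is an added example, not code from SocialProof Security, SecurityWeek or any bank; the factor names, the risk tiers, the high-risk action list and the sample call records are this example’s own assumptions. It classifies each verification factor by how an impostor could obtain it (public data-broker knowledge such as date of birth and address, spoofable channel data such as caller ID, or possession of a contact method already on file) and refuses contact-detail changes that rest only on the first two classes, flagging them for fraud review.

```python
"""Caller-verification policy check (added example, not a real bank's code).

Models the pentest weakness: callers verified by date of birth and home
address (both on data-broker sites) while a matching caller ID (spoofable)
lent false confidence.  Factor names, tiers and sample calls are assumptions.
"""
from dataclasses import dataclass
from enum import IntEnum


class Strength(IntEnum):
    PUBLIC = 0       # findable through OSINT or data brokers: DOB, home address
    SPOOFABLE = 1    # presented by the channel but forgeable: caller ID
    POSSESSION = 2   # proves control of a contact method already on file


# Hypothetical catalogue of the factors a phone agent can record as "passed".
FACTOR_STRENGTH = {
    "date_of_birth": Strength.PUBLIC,
    "home_address": Strength.PUBLIC,
    "caller_id_matches_file": Strength.SPOOFABLE,
    "otp_to_phone_on_file": Strength.POSSESSION,
    "callback_to_number_on_file": Strength.POSSESSION,
    "mobile_app_push_approval": Strength.POSSESSION,
}

# Requests that hand the account to the caller if granted to an impostor.
# Changing the email or phone on file is the classic takeover step, because it
# redirects every later verification to the attacker.
HIGH_RISK_ACTIONS = {"change_email", "change_phone", "reset_password", "add_payee"}


@dataclass
class Decision:
    allowed: bool
    reason: str
    alert: bool = False   # True when the call matches the pretexting pattern


def verify_caller(action: str, factors_passed: list[str]) -> Decision:
    """Decide whether the verification an agent performed is enough for the action."""
    unknown = sorted(set(factors_passed) - set(FACTOR_STRENGTH))
    if unknown:
        return Decision(False, f"unrecognised factor(s): {unknown}")
    if not factors_passed:
        return Decision(False, "no verification performed")
    best = max(FACTOR_STRENGTH[f] for f in factors_passed)

    if action in HIGH_RISK_ACTIONS:
        if best >= Strength.POSSESSION:
            # The OTP or callback must go to the contact details already on
            # file, before any change is applied, or it proves nothing.
            return Decision(True, "possession factor confirmed for high-risk action")
        # The pentest scenario: a contact-detail change backed only by data the
        # caller could have looked up or spoofed.  Deny it and flag the call.
        return Decision(False, "high-risk action needs a possession factor", alert=True)

    # Read-only requests may rest on weaker factors, but never on one alone.
    if best >= Strength.POSSESSION or len(set(factors_passed)) >= 2:
        return Decision(True, "sufficient for low-risk action")
    return Decision(False, "low-risk action needs two factors or a possession factor")


# Constructed call records, as a fraud team might export them from a call-centre log.
SAMPLE_CALLS = [
    {"call_id": "c1", "action": "balance_inquiry",
     "factors": ["date_of_birth", "home_address"]},
    {"call_id": "c2", "action": "change_email",
     "factors": ["date_of_birth", "home_address", "caller_id_matches_file"]},
    {"call_id": "c3", "action": "change_phone",
     "factors": ["date_of_birth", "callback_to_number_on_file"]},
    {"call_id": "c4", "action": "reset_password",
     "factors": ["caller_id_matches_file"]},
]


def review_calls(calls: list[dict]) -> list[str]:
    """Return the IDs of calls where a high-risk change rested on weak factors."""
    return [c["call_id"] for c in calls
            if verify_caller(c["action"], c["factors"]).alert]


if __name__ == "__main__":
    for call in SAMPLE_CALLS:
        d = verify_caller(call["action"], call["factors"])
        print(f"{call['call_id']}: {call['action']:16} allowed={d.allowed!s:5} {d.reason}")
    print("flagged for fraud review:", review_calls(SAMPLE_CALLS))
```

Run over the constructed records, call c2 (the Joan Smith pattern: DOB, address and a matching caller ID used to change the email on file) is denied and flagged, while c3 passes because the agent called back the number already on file before changing anything. The design point is that caller ID and knowledge answers never count toward the possession requirement, so the data-broker lookup and the caller-ID app described above buy the impostor nothing on the calls that matter.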

Related: Hacker Conversations: Stephanie ‘Snow’ Carruthers, Chief People Hacker at IBM X-Force Red

Related: Hacker Conversations: David Kennedy – an Atypical Typical Hacker

Related: Hacker Conversations: Joe Grand – Mischiefmaker, Troublemaker, Teacher

Related: Hacker Conversations: HD Moore and the Line Between Black and White
