| Twitter | https://twitter.com/RachelTobac |
| Instagram | https://www.instagram.com/racheltobac/ |
| Website | https://www.socialproofsecurity.com/ |
| Pronouns | she/her |

Episode 22: Social Engineering, Gas Mark 4, and AGAs with Rachel Tobac!
Tib3rius & Andy Swift are joined by @racheltobac to talk social engineering war stories...and more!
Spotify: https://open.spotify.com/show/3PeV2Fhf87zLtQ8LjuMrsb
Apple Podcasts: https://podcasts.apple.com/us/podcast/across-the-pondcast/id1789463186
Amazon Music: https://music.amazon.com/podcasts/cfa2092b-c00b-4804-b9b1-6de7c105b820/across-the-pondcast
YouTube: https://www.youtube.com/channel/UC5L2Q76DgZhP2V8S6qx8knA
*New CNN Live Zoom Call Deepfake Video*
An engineering org sent $25 Million to scammers who deepfaked the finance team in a live video call. Are your colleagues, family & friends ready to catch this AI attack?
I demo'd a live Zoom deepfake to CNN's Clare Duffy to help you spot the signs.
These live video call or audio call deepfakes are increasing in the business world. Most often, an exec is deepfaked to the team that supports them asking for money, passwords, MFA codes, etc:
- $25M sent to scammers in Arup video call deepfake attack https://cnn.com/2024/05/16/tech/arup-deepfake-scam-loss-hong-kong-intl-hnk
- Fraudsters Cloned Company Director's Voice In $35 M Heist: https://forbes.com/sites/thomasbrewster/2021/10/14/huge-bank-fraud-uses-deep-fake-voice-tech-to-steal-millions/
- Wiz CEO says company was targeted with deepfake attack that used his voice: https://techcrunch.com/2024/10/28/wiz-ceo-says-company-was-targeted-with-deepfake-attack-that-used-his-voice/
We're also seeing a large increase in attackers using AI to voice clone an exec and target their team to steal money, data, or access, like in this example I did for 60 Minutes: https://x.com/RachelTobac/status/1976308961684189576
Many recommend using a verbal "passphrase" with colleagues, family and friends to verify that person you're talking to is who they say they are.
A verbal passphrase could work in some scenarios, especially the ones that aren't super dire or extreme. But in the scenarios that target families, where a child is deepfaked to a grandparent, parent, or sibling and is in extreme distress, screaming and crying, remembering a passphrase will be hard to do in the moment.
That is because we know from neuroscience that the amygdala in the brain takes over during times of crisis, making it challenging to remember anything at all except the present moment.
If you've ever been through a true crisis at home then you may know that it's hard to even remember your own ADDRESS to report to 911 during an actual emergency. The brain goes blank.
What I recommend instead is: if your family, friends, or colleagues get a terrified phone call from "you" asking for money (for example), stay on the line and use another method of communication to verify authenticity of the request while offering words of support.
Even a quick text, chat, or DM (even while the call is ongoing!) can verify that the call is a scam (and your loved one is actually safe) before sending money.
Share this example with family, friends & your team to ensure everyone is on the same page about Being Politely Paranoid and using another method of communication to verify people are who they say they are:
CNN: https://edition.cnn.com/2025/10/07/business/video/deepfake-scam-ai-zoom-call-digvid
Right now, AI voice clone scam calls are increasing for orgs.
I give it 1 year before criminals increase use of live video call deepfakes in their scams. Get your team and folks prepared now.
*New live hack demo: hacking bank security questions with AI voice clone calls*
At @defcon I went on the @scammerpayback Payback podcast and hacked the host by calling his friends & stealing answers to his bank's password reset identity questions using a voice clone within 10 seconds!
The Scammer Payback podcast was one of my favorite interviews of all time because I got to:
- do hard OSINT on Daniel, present my findings live and shock the glasses off him multiple times
- live hack his bank account in front of him by calling his friends and using AI voice clones to take over his account
- talk about how hacking has changed in the past year
- discuss how AI psychosis happens from a neuroscience perspective
- tell a never before heard story about how I almost took the worst job in history
- and what we can do to protect people from scammers in 2025 in our personal and professional life
This is also probably the funniest interview I've done in years.
I haven't gotten to laugh this hard on camera in a while.
Watch the full Scammer Payback interview on YouTube here: https://www.youtube.com/watch?v=xEdZwLRJttQ
What happens when one of the world's top ethical hackers takes on the defenses of a modern enterprise? In this live, eye-opening session, renowned social engineer Rachel Tobac exposes how AI-assisted impersonation attacks are bypassing traditional technical defenses and exploiting human trust at scale. From HR onboarding to IT service desk calls, identity is being compromised before it's even authenticated. You'll witness real-time tactics used in modern impersonation and social engineering campaigns, the same methods behind high-profile breaches at companies like Marks & Spencer, Qantas, and WestJet, and recent attacks linked to North Korean operatives targeting the Fortune 500. We'll then get actionable and focus on how you can stop these attackers in their tracks. Don't miss this virtual showdown between today's most advanced attacks and most resilient defenses. You'll walk away with an understanding of how to spot the latest AI-powered attacks at both the human and technical level.
See lots of scam messages via text & apps lately? You're not alone!
Scammers are using people's economic anxiety to trick them with lures that are too good or too dire to be true! They're also using AI to create attacks.
Here are the latest August 2025 messaging scams + how to catch them.
Thank you WhatsApp for partnering with me to build this PSA and get the word out about the latest messaging scams, how AI is being used within the scams, and how to shut them down.
Let's talk about how AI is being used in these scams. We know about this thanks to OpenAI's research and Meta's investigation:
1. The scammer uses ChatGPT to generate the first text message, which contains a link to a WhatsApp chat with a "lucrative opportunity to make money".
2. Once on the WhatsApp chat, the scammer directs the target to a Telegram chat. The scammer uses multiple platforms to evade scam detection tools and avoid any organization having a full view into their scam operation.
3. Once on Telegram, the scammer provides the instructions to "start the lucrative opportunity to make money" and its activities, such as liking videos on TikTok and other strange "jobs".
4. Finally, the scammer tells the target their next task is to buy some cryptocurrency and transfer it to a "merchant", apparently to "help everyone understand crypto better". Here is where they're stealing your money under the guise of you making more money.
*How do we help our friends and family avoid these types of messaging scams that take place across the internet and steal money or data?*
Show them the video and let them know to:
- PAUSE: Pause before you respond, take a beat. The attackers use the principle of Urgency against you, don't take the bait.
- QUESTION: Is this too good to be true? What about too dire to be true? Are they offering high pay for little work? Are they rushing you into taking action like sending data/money, clicking, downloading, etc? These are signs that the request is a scam.
- VERIFY: If the person messaging you is claiming to be someone you know, make sure that they are who they say they are by contacting that person using another method of communication.