Hacker Conversations: Rachel Tobac and the Art of Social Engineering – Source: www.securityweek.com

Source: www.securityweek.com – Author: Kevin Townsend

Social engineering is the art of persuasion. Mostly, this is a good thing. Misused, it can have disastrous effects.

Rachel Tobac is a cyber social engineer. She is skilled at persuading people to do what she wants, rather than what they know they ought to do. Does this make her a hacker? “Yes. I am a hacker. I hack people. I hack people over the phone, via email, by text message, across social media – and occasionally in person.” Social engineers hack people rather than computers.

She is now co-founder and CEO of SocialProof Security.

SecurityWeek spoke with Tobac to better understand this concept of people hacking. Specifically, the ‘what’ and ‘how’ of social engineering. The ‘why’ part is simple. Social engineering is the starting point for almost all adversarial cyberattacks.

Social engineering

Social engineering is widely misunderstood and often underrated. “It is part of the fabric of society,” explained Tobac. It is the oil that makes society run smoothly, the natural mediation between different points of view that allows conciliation and mutual cooperation. Its purpose is beneficial, and its process of natural give and take is hardwired into the human psyche.

But this conciliation can be abused with the addition of deception. “Sometimes it’s used to get kids to eat their veggies,” said Tobac. That’s conciliation. “And sometimes it’s used to convince somebody that you really are ‘IT support’, and you need their password to solve their problem.” 

Deceptive social engineering is not a new phenomenon. It was social engineering that enabled Rebekah to trick Isaac into bestowing Esau’s birthright inheritance on Jacob – as outlined in Genesis chapters 25-27.

Deceptive persuasion in the context of cyber is the version of social engineering we’re discussing here. But we should remember that conciliatory social engineering is something we all do and accept every day, and it is the reason that deceptive social engineering is so successful and so difficult to detect and ignore.

Social engineering uses variations on the seven psychological principles outlined in Robert Cialdini’s Principles of Persuasion. These include reciprocity, commitment, social proof, respect, authority, and scarcity. That last is often manipulated as ‘urgency’ and ‘greed’ (act now, or we miss out) by the social engineer.

Amygdala hijacking

“Creating a time box imposes a sense of urgency, and everything I need is available through OSINT,” explained Tobac. “I can discover the target’s business superior through LinkedIn. I could create a voice clone of that person using gen-AI and a soundtrack lifted from YouTube. I can add relevant background noise to the conversation.”

(See Cyber Insights 2025: Social Engineering Gets AI Wings, for further information on the effect of AI on social engineering.)

The precise details would depend on the response required. It could be details of an M&A project, a new product development, or simply a link to an important document. In this instance, the target receives a phone call from a colleague whose voice is recognizable, asking for urgent information before boarding an airplane. Multiple Cialdini principles of persuasion are present: authority (it’s the boss talking), unity (there’s a common business purpose), and scarcity (in this case a scarcity of time because of imminent departure).

“It sounds silly,” continued Tobac, “but about 50% of the time when I create a time box sense of urgency, and the target can hear the sound of a plane taking off in the background (which I’m just playing on YouTube), they truly do believe they need to give me that information immediately. It overrides something called the amygdala.”

This is amygdala hijacking, and it is an important part of social engineering. The amygdala is the part of the brain that processes emotions. By using the principles of persuasion, the social engineer can trick the amygdala into providing the required emotional response – in this case, a need to comply immediately. Social engineers will often strengthen the urgency aspect using ‘fear’ and ‘greed’ – fear that any delay will cause a loss or missed opportunity.

The evolution of Rachel Tobac, social engineer

Entrée

“About ten years ago,” she explained, “my husband took me to DEF CON. I was already in tech, doing UX research. But at DEF CON, I was introduced to the social engineering village where contestants were closed off in glass booths in front of 500 spectators, and they hacked other people over the phone. He told me, ‘It’s not very different to what you already do when you try to get the bill from the cable company reduced.’”

So, she watched, and was immediately captivated. “As soon as I saw it, I thought, oh, this is so me! It combines all the things that I love: improv (you must be able to improvise on the fly when you’re hacking people over the phone); research (you need to research the target in advance, generally through OSINT); and acting (something I’ve always enjoyed – I used to be in musicals as a kid). Okay,” she thought, “this is going to be great.”

So, at a subsequent DEF CON she applied to take part in the social engineering competition and was one of 14 selected from around 400 applicants. “I got my target, I did my research, I got help from so many people in the community – and I ended up getting second place in my first time competing. Then I also got second place in the second and third time I competed.”

Rachel Tobac was now a proven and confirmed social engineer.

Motivation

Motivation plays an important part in determining whether a hacker breaks good or breaks bad. But hacker motivation is a complex issue involving many factors. Sometimes it is simple curiosity – a need to understand how an object or process works. Sometimes it is the desire to improve something, to make it work better for everyone’s benefit. Sometimes it is socioeconomic pressure driving a need to gain income through cyber extortion. Sometimes it is geopolitical patriotism. And sometimes it is simply a military order.

None of these factors explain Tobac’s personal motivation, nor even her view of the wider hacker motivations. “I think a lot of hackers, me included, see hacking as a fun game. It’s a bit like a puzzle to determine how you’re going to gain access to something where you don’t already have authorized access. I’m an ethical hacker, so I have consent to gain access, but ‘consented’ isn’t ‘authorized’. That’s the puzzle and fun of social engineering – how to gain access without authorization.”

But has she ever been tempted to break bad, and use those skills to steal data for her own pecuniary benefit? “No,” she says. “There’s so much positive money to be made by hacking legally that I think sometimes cybercriminals subsequently break good because they realize, ‘Hang on – I could probably make similar money with a stable career in ethical hacking and cybersecurity.’ No, I have never been tempted to break bad.”

There’s another incentive for breaking from bad to good. For those who start bad, the most common motivation is financial. Some don’t care about money – the motivation for hacktivists is usually political or moral. Regardless, “A lot of times, people start hacking and they get caught,” said Tobac. “They go to jail, and then they reform themselves, and they break good. Sometimes people don’t get caught but just realize they could be making the same money or more, doing this in an ethical fashion without worrying about the FBI knocking down their door. I think a lot of times the stress of being a criminal just gets to people, and if you can make the same amount of money doing it legally, why not?”

There’s an interesting question here. Are people naturally and inherently good, and only learn to be bad through external pressures?

People hacking career

Competitive success at DEF CON is one thing – becoming a successful and legal social engineering careerist is another. For Tobac, it just happened, almost organically.

“After competing three years in a row and getting second place three years in a row, people started to recognize me. They would come to me and ask questions about what I did and how I did it. By the third time, I already had multiple job offers and speaking requests. People wanted to learn how to avoid falling for my tricks. But to do that, I knew I needed to be an LLC; so, I founded SocialProof Security LLC in 2017. It really was as simple and organic as that.” 

Hers is not a large company. She remains a hands-on practitioner rather than a business administrator. “I get to hack people all the time – at least once a week. I do penetration testing, and I give keynotes about the work and the latest scams, and how to avoid falling for them. I have a team of people I work with on pentests, but I’m still on that team. I’m still hacking – I have a new pentest coming up next week.”

A simple social engineering pentest

“A bank may come to me wanting to know if the people who answer the phone at the bank are easily susceptible to social engineering.” 

The first step is to understand the context: how do the staff currently verify that the people who call them are genuinely the people they claim to be? “So, if Joan Smith calls and says, ‘I have an account, but I need to change my email address and phone number for that account’, how do you verify this really is Joan Smith?” For an ethical pentest you can simply ask the bank – in real life, a few attempts by different people will rapidly expose the verification requirements. In this example the bank’s staff simply ask for the caller’s date of birth and home address, both of which are on record at the bank.

“That’s a problem,” said Tobac, “because an attacker can easily find that information on data broker sites. If I want to take over someone’s account at the bank, I can falsely verify my identity. I can find Smith’s email address and phone number, and now I’m her. I also have her date of birth, so I can demonstrate to the bank how I can take over accounts by calling customer support, spoofing a phone number, changing the caller ID (that’s easy to do using an app available on the App Store, costs less than $1)… and then I get on the phone, and I pretend to be Smith.”

This is the pretexting element of social engineering, the creation of a false situation designed to trick the victim (similar in concept to Rebekah disguising herself as Esau and mimicking his voice to trick Isaac). Tobac is calling from the expected phone number and has the identity verification details – she has effectively become Joan Smith. 

“That’s how I take over someone’s bank account,” she continued, “or their cable company account, or mortgage, or whatever it is that I think is interesting that I want to access.” It’s a combination of basic back end hacking, pretexting and spoofing.
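The weakness in the bank scenario above is that every factor the agent checks (date of birth, home address, a matching caller ID) is something an attacker can buy from a data broker or spoof, so the verification proves nothing about who is on the line. The following is an added example, not code from the article or from SocialProof Security: it models a call-center verification policy in Python, with the weak policy as the article describes it beside a hardened policy that is this example’s own assumption (a contact-detail change must additionally be confirmed through a channel the bank already has on record, such as a one-time code or callback to the registered phone number). The factor names, their classification, and the two sample calls are constructed for illustration.

```python
"""Model of a call-center account-change verification policy (added example).

weak_policy() mirrors the bank in the article: a caller who recites the date
of birth and home address on record is treated as verified.  hardened_policy()
is an assumption of this example: a high-risk change (email, phone, password)
also requires one "possession" factor that the caller can neither look up on a
data broker site nor spoof, and it raises a detection alert when such a change
is attempted on public or spoofable factors alone.
"""
from dataclasses import dataclass, field
from enum import Enum


class Strength(Enum):
    PUBLIC = "public"          # obtainable from data broker sites / OSINT
    SPOOFABLE = "spoofable"    # caller ID can be changed with a cheap app
    POSSESSION = "possession"  # proves control of a channel already on record


# Classification of verification factors (constructed for this example).
FACTOR_STRENGTH = {
    "date_of_birth": Strength.PUBLIC,
    "home_address": Strength.PUBLIC,
    "caller_id_matches_record": Strength.SPOOFABLE,
    "otp_to_phone_on_record": Strength.POSSESSION,
    "callback_to_phone_on_record": Strength.POSSESSION,
}

# Actions that let a caller take over the account if granted wrongly.
HIGH_RISK_ACTIONS = {"change_email", "change_phone", "reset_password"}

KNOWLEDGE_FACTORS = {"date_of_birth", "home_address"}


@dataclass
class CallerRequest:
    action: str
    factors_presented: set  # factor names the agent confirmed against the record


@dataclass
class Decision:
    allowed: bool
    reason: str
    alerts: list = field(default_factory=list)  # lines a SOC would want logged


def weak_policy(req: CallerRequest) -> Decision:
    """Policy described in the article: DOB + address is enough for anything."""
    if KNOWLEDGE_FACTORS <= req.factors_presented:
        return Decision(True, "knowledge factors matched record")
    return Decision(False, "knowledge factors did not match record")


def hardened_policy(req: CallerRequest) -> Decision:
    """Assumed hardened policy: high-risk actions need a possession factor."""
    strengths = {FACTOR_STRENGTH.get(f, Strength.PUBLIC) for f in req.factors_presented}
    alerts = []
    if req.action in HIGH_RISK_ACTIONS:
        if Strength.POSSESSION not in strengths:
            # Exactly the pretext pattern from the article: a contact-detail
            # change backed only by data-broker knowledge and a spoofed number.
            alerts.append(f"{req.action} attempted with only public/spoofable factors")
            return Decision(False, "possession factor required for high-risk action", alerts)
        return Decision(True, "possession factor confirmed", alerts)
    # Low-risk, read-only requests may still rely on knowledge factors.
    if KNOWLEDGE_FACTORS <= req.factors_presented:
        return Decision(True, "knowledge factors sufficient for low-risk action", alerts)
    return Decision(False, "insufficient verification", alerts)


# Constructed scenario from the article: DOB and address from data brokers,
# caller ID spoofed to the customer's number, asking to change the email.
PRETEXT_CALL = CallerRequest(
    action="change_email",
    factors_presented={"date_of_birth", "home_address", "caller_id_matches_record"},
)

# Constructed genuine call: the agent sent a code to the phone on record and
# the caller read it back, proving control of that phone.
GENUINE_CALL = CallerRequest(
    action="change_email",
    factors_presented={"date_of_birth", "home_address", "otp_to_phone_on_record"},
)

if __name__ == "__main__":
    for name, req in (("pretext", PRETEXT_CALL), ("genuine", GENUINE_CALL)):
        weak, hard = weak_policy(req), hardened_policy(req)
        print(f"{name}: weak={weak.allowed} hardened={hard.allowed} {hard.alerts}")
```

The point of the possession factor is that it is anchored to what the bank already holds: a callback or one-time code goes to the phone number on record, so a spoofed caller ID does not help, and the alert gives the fraud team a record of every contact-detail change that was attempted without it.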

The success of the social engineer

We often think of social engineering as the less sophisticated part of hacking. That is a mistake. It involves manipulating the human brain, which remains far more complex than current computers. And it has been practiced for thousands of years rather than the relatively few decades of computer hacking. Rebekah deceiving Isaac into bestowing Esau’s inheritance on Jacob is just one early example of pretexting and voice emulation combined in social engineering.

The longevity of the practice coupled with the sophistication of its delivery to a mind that is psychologically inclined to believe what it is told, explains the success of social engineering and the impossibility of defending against it. The only way to defeat social engineering would be to train everybody to distrust everything – which would threaten the very nature of our humanity and the existence of society.

Rachel Tobac, social engineer, proves this hypothesis.

Related: Hacker Conversations: Stephanie ‘Snow’ Carruthers, Chief People Hacker at IBM X-Force Red

Related: Hacker Conversations: David Kennedy – an Atypical Typical Hacker

Related: Hacker Conversations: Joe Grand – Mischiefmaker, Troublemaker, Teacher

Related: Hacker Conversations: HD Moore and the Line Between Black and White

Original Post URL: https://www.securityweek.com/hacker-conversations-rachel-tobac-and-the-art-of-social-engineering/

Category & Tags: Hacker Conversations,Featured – Hacker Conversations,Featured
