
Ethical Hacker Tells SMBs How to Bolster Cybersecurity Defenses

By Rachel Tobac (Guest Contributor) and Kyle Rich
9 min read

Rachel Tobac tells SMBs how to defend themselves from increasingly sophisticated cyber attacks.

Even with strong cybersecurity protections in place, a small or midsize business is still vulnerable to attacks that prey on human psychology. Business leaders and IT professionals responsible for keeping their businesses safe need to understand the wide variety of devious ways attackers manipulate employees to compromise digital security, and what steps to take to protect their data.

Rachel Tobac, CEO of SocialProof Security, and an ethical hacker[1], helps businesses defend against phishing, whaling, business email compromises, and other types of social engineering schemes.[2] As these attacks become more sophisticated—especially as hackers harness artificial intelligence to increase their ability to steal, encrypt, or delete data—you need to know how to defend your business now more than ever.

Ethical versus criminal hackers: What’s the difference?

Tobac calls herself an “ethical hacker.” Her company, SocialProof Security, does social engineering prevention through live and video training and is often asked to do penetration testing, in which she tries to hack into her clients’ systems.

“The only difference between what ethical hackers do versus criminal ones is that an ethical hacker has permission before they attack.”

Rachel Tobac

Ethical hacker and CEO of SocialProof Security

SMB cybersecurity attacks using social engineering on the rise

As cyber attacks on SMBs continue to intensify, criminals increasingly use social engineering to trick employees (particularly new hires) over the phone, by email, or by SMS message into giving up access to their accounts.[3] Once they get into the system, hackers move swiftly to infiltrate critical applications and sensitive data, doing significant harm to businesses in a short amount of time.

What is social engineering in cybersecurity? It refers to criminals manipulating individuals into performing actions or divulging confidential information that aren’t in their best interests, typically by exploiting human psychology rather than software or hardware vulnerabilities.

Graphic of traditional cyber attacks vs. socially engineered cyber attacks

For example, the infamous 2020 Twitter hack leveraged social engineering. It started with attackers pretending to be from Twitter’s IT help desk, calling various Twitter employees and giving them false instructions to change their passwords “for security reasons.” Upon finding a gullible victim, the hackers were then able to steal multifactor authentication codes and gain access to Twitter’s back-end system administrative tools. Among the accounts hacked were those of numerous celebrities, including former President Barack Obama and Elon Musk (before he bought and became CEO of Twitter).[4]

People are used to hearing about attacks starting with email, but there’s been a huge uptick in cybercriminals using phone calls, text messages, and direct messages to attack.

“The 2022 Uber hack started over WhatsApp, with a criminal also pretending to be IT support,” says Tobac.

Cybercriminals are branching out from email-based attack methods as email security tools have gotten stronger (often catching attackers in the act) and have directed their malice toward other channels, such as phone calls, text messages, and direct messages.

According to Capterra’s 2022 SMS Scams Survey,* 85% of employees use a personal device for work activities, with 93% of them getting at least one suspicious SMS message in the previous three months, and 74% at least one within the last 30 days.

Indeed, the problem is so severe that the average SMB employee received eight suspicious SMS messages in the last three months, and 13% received more than 15.

AI lends hackers a helping hand

“The rather frenzied pace of innovation in the AI arena is also complicating matters,” says Tobac. “AI allows cybercriminals to both scale their attacks and make them more believable.”

For example, in the past hackers would have to look on LinkedIn, Glassdoor, and a variety of other sites to collect information on potential victims and companies. But now, ChatGPT and other AI tools can empower bad actors to find data on individuals and businesses swiftly, and to emulate the way people talk within an office. They can create believable messages, even in languages the hackers don’t speak. 

“No longer can you spot cyber criminals by their bad grammar or spelling, because today’s AI-generated emails and text messages have good subject-verb agreement and all the commas in the right places,” says Tobac. 

Couple that with the fact that criminals can use AI to automate phishing message creation, data collection on victims, and even voice cloning—and SMBs have a serious problem.

Educate your most vulnerable employees, and other advice

Which employees are most vulnerable to social engineering might surprise SMB leaders. It’s not older people. In fact, older women are the hardest to trick, Tobac has found. Instead, brand new employees are the most likely to fall for attacks.

“Perhaps a new employee changed their LinkedIn profile to say they’d started a job at a particular company,” says Tobac. 

“They might receive an SMS or email from someone who says they’re the CEO, welcomes them to the business, and asks them to hand over personal information,” continues Tobac. “That’s difficult, because the new hire doesn’t yet know the company culture, or what would be considered normal.”

According to Capterra’s 2022 SMS Scams Survey,* 50% of the HR professionals surveyed reported that employees encountered a new-hire phishing scam, with 75% of the incidents involving contact via SMS.

How can you protect your SMB against this?

“Education,” says Tobac. “As soon as you send the offer letter, warn your future employee that they will likely receive a message that seems to be from an executive at the company asking for a favor...and that favor turns out to be gift cards in most cases.”

How to grow quickly without compromising security

The easiest way to protect yourself is to focus on the human element—again, through education—and upgrade your basic security tools. It doesn’t have to cost a lot.

“If you don’t have a huge budget, start with the low-hanging fruit,” says Tobac. “First, update your human defenses. Sit down with customer support, finance, HR, and even IT workers, and show them how to verify someone is who they say they are with multiple methods of communication before taking any action.”

You want to make sure that person is exactly who they say they are, which can be done through an internal chat, phone call, direct message, or email on a trusted thread.

“You want to make the human factor less vulnerable,” says Tobac. “When people know how to be politely paranoid and use 2 methods of communication to verify identity before taking action, they catch hackers. I often get caught when these human protocols are in place!”

Rachel Tobac

From there, upgrade your technical tools. Start with an MFA solution and a password manager. A good password manager only autofills credentials on the site they were saved for, so it will refuse to put your password into a look-alike malicious site you are about to click on, which acts as a warning that something is wrong.

“Above all,” says Tobac, “don’t try to scare people straight. People tend not to learn when they’re afraid.”

“One of the biggest mistakes we see is when companies use the stick instead of the carrot by punishing employees who fall for a scam. Instead, create an educational system in which failing isn’t a big deal. Keep all security exercises educational and positive, and catch people doing things right!”

According to Capterra’s 2023 Security Features Survey,** a lack of security can be a “deal breaker” for SMBs when investing in new technologies. The survey found that half (50%) of all U.S. software buyers consider security as influential in the buying process—more than any other factor. Security also plays a factor in companies deciding to discontinue the use of software, as almost half (45%) stopped using a specific software platform due to security concerns.

When advising SMBs on what to look for when purchasing new software, Tobac stresses multi-factor authentication (MFA), encryption, password managers, and biometrics.

“Always encrypt messaging,” says Tobac. “Don’t reuse passwords; use a password manager. Use the right multifactor authentication for your threat model—for many organizations, that’s at least app-based MFA. Passkeys, SSO, and biometrics are also great options to consider.”

Multi-factor authentication methods approved by a cybersecurity expert

SMBs are catching on. The survey also found that 39% of software buyers look for biometric authentication—for example, fingerprint or facial recognition—when evaluating software, and one in three (33%) actively seek ways of authenticating users without using passwords.**

Encouraging women to go into security roles

Tobac got her start at DEF CON, the world's largest hacker conference, where in front of a 500-person live audience, she had to hack into a company target using social engineering techniques, using only her phone. She ended up winning second place in that competition three years in a row. From this, she was asked to speak and lead security training at companies around the world.

Astonishingly, Tobac has never written a single line of code. When in middle and high school, she wanted to learn programming, but her guidance counselor said that was for boys only and steered her into home economics and sewing classes.

“I naively listened to them. But that was the world that I grew up in, and that's what I’m trying to change,” Tobac says.

Tobac mentions that when she started working in security, she didn't see a lot of women in the field. “Now, of course, I have to wait in line for the bathroom at DEF CON, which is pretty cool,” she says. 

She’s passionate about helping other women grow in the profession. As chair of the board of the non-profit organization Women in Security and Privacy (WISP), she’s especially excited about its scholarship program, which sends women to security training and conferences all over the world.[5]

“We also do education workshops, training, and mentorship programs, so there's a lot of cool things that we spend our time on,” she says. “It’s an awesome cause to be involved in.”

Don’t be vulnerable to cyberattacks

As social engineering-related cyber attacks become more common and more sophisticated—especially with the penetration of AI into the criminal mainstream—SMBs must learn how to defend themselves. According to Tobac, it doesn’t need to be difficult or costly.

Focus on educating your employees on the psychological tricks that cyber criminals use and how to catch them in the act. Evaluate new software for its security features. And invest in basic security tools such as MFA and password managers.

“Anything you can do to make hacking your business more difficult for criminals will work in your favor,” says Tobac.


Methodology

[*] Capterra’s 2022 SMS Scams Survey was conducted in November 2022 among 1001 U.S. respondents who indicated full-time employment to learn more about experiences with fraudulent text messages.

[**] Capterra’s 2023 Security Features Survey was conducted in January 2023 among 289 respondents to learn more about software security preferences among U.S. businesses. All respondents were screened for involvement in the software purchasing process at their company.

About the Authors

Rachel Tobac is an ethical hacker and CEO of SocialProof Security, where she helps people and companies keep their data safe by training and penetration testing them on social engineering scams. Tobac won second place in DEF CON’s Social Engineering Capture the Flag contest three years running and is chair of the board of the nonprofit Women in Security and Privacy (WISP) that promotes the advancement of women in cybersecurity.

Kyle Rich is a Content Strategist at Capterra. He has created and managed content for over 10 years, with a specialty in technology content that helps inform and educate users through their customer journey. For fun, Kyle enjoys exploring new hiking trails and restaurants in and around Austin, TX.