Ahead of Consensus.
Intelligence across tech and capital markets, for investors, policymakers, and business leaders.
5 minute read
Social engineering attacks are evolving into the most formidable cybersecurity threat facing businesses today. Rachel Tobac, co-founder and CEO of SocialProof Security, specializes in exploiting human psychology rather than computer systems, describing her role bluntly: “I am a hacker. I hack people.”
The cybersecurity landscape shifts dramatically as attackers abandon simple email phishing for sophisticated, AI-enhanced campaigns across multiple channels. These attacks leverage detailed online research and psychological manipulation to extract sensitive information through phone calls, text messages, and social media platforms.
Modern social engineering techniques incorporate advanced AI tools that can accurately mimic voices and create convincing impersonations. Tobac routinely demonstrates these capabilities during penetration tests, using voice cloning technology combined with background audio to enhance authenticity.
The methodology behind these attacks employs Robert Cialdini’s principles of persuasion, including reciprocity, authority, and scarcity. Tobac explains that creating urgency through time constraints triggers “amygdala hijacking,” manipulating emotional responses to drive compliance under perceived pressure.
Organizations continue struggling with outdated security protocols dating back to the early 2000s. Current attack vectors include “vishing” (voice elicitation), where attackers spoof phone numbers and impersonate trusted contacts to gain unauthorized access to sensitive systems.
The financial impact of social engineering attacks reaches unprecedented levels across industries. Data breaches involving social engineering components average $4.88 million in costs, marking a significant 10% increase from previous year figures.
Even failed attack attempts generate substantial costs for businesses, averaging $130,000 in productivity losses and incident response expenses. The banking sector faces particular vulnerability, as demonstrated through Tobac’s penetration testing work with financial institutions.
According to SecurityWeek, the cybersecurity industry anticipates social engineering attacks will cement their position as the primary security threat in 2025, supercharged by generative AI capabilities.
The shift from email-based attacks to multichannel, personalized campaigns creates new challenges for corporate defense strategies. Organizations must invest in advanced security measures that extend beyond traditional perimeter defenses to address human vulnerability factors.
Companies adopting a “politely paranoid” approach implement multi-factor verification for sensitive requests, restrict administrative access, and provide password managers to employees. These measures prove essential as hackers incorporating social engineering techniques significantly improve their success rates.
The complexity of manipulating human cognition surpasses traditional computer hacking methods. This psychological component makes social engineering extraordinarily effective and challenging to defend against, requiring organizations to rethink their security postures fundamentally.
Tobac emphasizes the critical importance of advanced authentication methods, stating: “MFA should be mandatory, and if you have users, find a way to encourage them positively to turn on their MFA. The more you can move towards hardware-like MFA the better.”
Her expertise stems from a decade of experience beginning at DEF CON competitions, where she consistently placed among top performers. Tobac’s background in neuroscience and behavioral analysis directly applies to understanding psychological manipulation techniques used in social engineering.
Training programs incorporating practical examples and improvisation practice help security teams adapt to unpredictable attack scenarios. Tobac notes that patience in selecting appropriate pretexts and targets for testing provides valuable lessons that drive security improvements.
The expert recommends essential security tools including multifactor authentication systems, password managers with “salting” capabilities, and identity management services. She advocates for moving away from SMS-based authentication toward hardware-based MFA solutions.
Social engineering attacks represent a critical inflection point for cybersecurity as AI enhancement makes traditional defense strategies inadequate. The combination of sophisticated impersonation techniques and multichannel attack vectors demands comprehensive organizational responses.
Organizations must prioritize employee training programs that address the 70% of workers who currently engage in risky behaviors. The integration of advanced verification protocols and cross-channel identity confirmation becomes essential for maintaining security postures against evolving threats.