Rachel Tobac

@racheltobac.bsky.social

Hacker & CEO @SocialProofSec security awareness/social engineering training, videos, talks | 3X @DEFCON🥈 | Ex Chair @WISPorg | Ex @CISAgov Technical Advisory Council under Director Jen Easterly

13,034 Followers  |  751 Following  |  259 Posts  |  Joined: 23.04.2023

Posts by Rachel Tobac (@racheltobac.bsky.social)

lol that's cool, glad I work with your org!

27.02.2026 15:19 — 👍 1  🔁 0  💬 0  📌 0

I watch my company's security awareness training just because the speaker is @racheltobac.bsky.social

27.02.2026 12:30 — 👍 12  🔁 1  💬 3  📌 0
Message from "Signal Support"

Dear User, this is Signal Security Support ChatBot.

Our system has detected a recent login attempt to your account from an unrecognized device or location. As a security measure, we have blocked this attempt and sent a verification code via SMS to your registered phone number.

If this was NOT you: To secure your account and block this unauthorized access, please reply to this message with the verification code you just received.

If this WAS you: You can safely ignore this message. The login attempt will be automatically approved shortly.

Thank you for helping us keep your account secure.

Signal will never message you like this.

If you get a message like this, SOMEONE IS TRYING TO HACK YOUR SIGNAL.

DO NOT GIVE THEM THAT CODE.

26.01.2026 02:16 — 👍 1998  🔁 1306  💬 16  📌 12
In the last days, there has been an unprecedented attack targeting investigative journalists trying to seize their Signal accounts. This has gone largely unreported.

I have been repeatedly targeted by phishing, and I learned that also colleagues from other outlets were targeted, with the attackers unfortunately managing to compromise at least one colleague's account. What's worrying: this doesn't seem like an isolated case. A broader wave is apparently hitting journalists (and some civil society actors) via Signal.

How it works: Attackers message you on Signal pretending to be "Signal Support," warning about "suspicious activity," and urging you to "re-verify" your account. Once you accept the chat, you receive a real Signal SMS verification code, because the attacker is actively trying to register your number on a new device. If you share that code, you're handing them the keys.

Signal's extra protection is the Signal PIN. If an attacker also tricks you into giving up your PIN (or you don't have strong protections enabled), they can see your contacts and networks, potentially join chats going forward, and lock you out by changing settings.

Quick protections worth doing today:
- Signal will never contact you via a two-way in-app support chat. Treat those messages as hostile.
- Never share SMS codes, Signal PIN, or anything called "registration lock."
- Turn on Registration Lock (Settings → Account → Registration Lock).
- If you see a "safety number changed" alert: verify the person via a different channel (call/video), not just Signal text.
- Report + block suspicious requests, and review linked devices.

If you work with sensitive sources: this isn't just about losing an account, it's about exposing networks. Please share this with colleagues who rely on Signal day-to-day.

WARNING, fellow journalists: As @nicoschmidt.io explains, attackers are trying to hijack reporters' Signal accounts by tricking people into handing over their 2FA codes. www.linkedin.com/posts/nicosc...

28.01.2026 19:49 — 👍 884  🔁 672  💬 11  📌 38

lol I very truly don't, it's quite frizzy and the good lighting masks it! Lighting is everything.

27.01.2026 16:35 — 👍 2  🔁 0  💬 1  📌 0
If you're an activist, journalist, exec, or have a high threat model for any other reason, I do recommend using all tools to protect against spyware including Apple's lockdown mode and WhatsApp's new Strict Account Settings. Thanks WhatsApp for the partnership to get the word out to folks.

27.01.2026 15:46 — 👍 25  🔁 8  💬 4  📌 0

V good

14.01.2026 23:31 — 👍 3  🔁 0  💬 1  📌 0
The repairable, customizable, build-it-yourself, physical webcam & mic kill switch, Linux compatible, port swappable @frame.work laptop has hit the SocialProof office 🤖🤘

14.01.2026 16:47 — 👍 70  🔁 4  💬 5  📌 2
How the latest deepfake scam can cheat companies out of millions | CNN Business From CEOs to colleagues, deepfake technology can trick people into sending money, sharing passwords, or revealing sensitive information - all in seconds. CNN's Clare Duffy met with ethical hacker and ...

Great work from @racheltobac.bsky.social, with @cnn.com: How the latest deepfake scam can cheat companies out of millions. Good one to share with your company, and with friends & loved ones. edition.cnn.com/2025/10/07/b... cc @craignewmark.bsky.social @pausetake9.bsky.social @gate15.bsky.social

10.10.2025 11:42 — 👍 12  🔁 10  💬 2  📌 0
Social Engineer: YOU are Easier to Hack than your Computer
YouTube video by Scammer Payback

A totally entertaining, and informative interview with @racheltobac.bsky.social and Scammer Payback about hacking and handling your online privacy in the new epoch of AI. youtu.be/xEdZwLRJttQ?...

13.10.2025 09:57 — 👍 36  🔁 11  💬 2  📌 1

Episode 22: Social Engineering, Gas Mark 4, and AGAs with Rachel Tobac!

@tib3rius.bsky.social & @swiftsecur.bsky.social are joined by @racheltobac.bsky.social to talk social engineering war stories...and more!

Links below!

24.10.2025 14:01 — 👍 6  🔁 4  💬 1  📌 0
People Who Say They're Experiencing AI Psychosis Beg the FTC for Help The Federal Trade Commission received 200 complaints mentioning ChatGPT between November 2022 and August 2025. Several attributed delusions, paranoia, and spiritual crises to the chatbot.

"The consumer's son has been interacting with an AI chatbot called ChatGPT, which is advising him not to take his prescribed medication and telling him that his parents are dangerous," reads the FTC's summary of one of the calls.

22.10.2025 13:37 — 👍 36  🔁 16  💬 2  📌 5

Hey @racheltobac.bsky.social you're probably going to need to hire a lot more people for all the new clients you're about to get.

16.10.2025 15:53 — 👍 9  🔁 1  💬 1  📌 0

Oh goodness gracious

16.10.2025 22:32 — 👍 5  🔁 0  💬 0  📌 0

Thanks for watching!

13.10.2025 23:10 — 👍 3  🔁 1  💬 0  📌 0

Thank you Andy!

10.10.2025 12:16 — 👍 2  🔁 0  💬 1  📌 0

In 2025, I've had a steep increase in reports from clients about AI voice clone phone calls asking for money, passwords or codes.
I give it about 12 months before criminals increase use of live video call deepfakes in their scams.
Get your folks & team prepared to catch it now.

09.10.2025 16:04 — 👍 16  🔁 8  💬 0  📌 0

continued...
- Fraudsters Cloned Company Director's Voice In $35 M Heist: forbes.com/sites/thomas...
- Wiz CEO says company was targeted with deepfake attack that used his voice: techcrunch.com/2024/10/28/w...

09.10.2025 16:04 — 👍 4  🔁 1  💬 1  📌 0
British engineering giant Arup revealed as $25 million deepfake scam victim | CNN Business A British multinational design and engineering company behind world-famous buildings such as the Sydney Opera House has confirmed that it was the target of a deepfake scam that led to one of its Hong ...

These live video call or audio call deepfakes are increasing in the business world. Most often, an exec is deepfaked to the team that supports them asking for money, passwords, MFA codes, etc:
- $25M sent to scammers in Arup video call deepfake attack cnn.com/2024/05/16/t...

09.10.2025 16:04 — 👍 4  🔁 1  💬 1  📌 0
How the latest deepfake scam can cheat companies out of millions | CNN Business From CEOs to colleagues, deepfake technology can trick people into sending money, sharing passwords, or revealing sensitive information - all in seconds. CNN's Clare Duffy met with ethical hacker and ...

*My Latest CNN Zoom Call Deepfake Demo*
An eng org sent $25M to scammers who deepfaked the CFO in a live video call.
Are your colleagues, fam & friends ready to catch this AI attack?
I demo'd a live Zoom deepfake to CNN's Clare Duffy to help you spot the signs:
edition.cnn.com/2025/10/07/b...

09.10.2025 16:03 — 👍 23  🔁 13  💬 1  📌 0
OpenAI's New Video App Is Jaw-Dropping (for Better and Worse)

Two of our tech reporters tested out Sora, a smartphone app made by OpenAI that lets people create videos entirely from A.I. "It is, in effect, a social network in disguise; a clone of TikTok down to its user interface, algorithmic video suggestions and ability to follow and interact with friends."

02.10.2025 21:12 — 👍 48  🔁 12  💬 22  📌 3

Thanks for reading!

02.10.2025 23:45 — 👍 2  🔁 0  💬 0  📌 0

"It makes it really easy to create a believable deepfake in a way that we haven't quite seen yet."
-- @racheltobac.bsky.social, CEO of SocialProof Security, a cybersecurity start-up in San Francisco

02.10.2025 23:12 — 👍 6  🔁 2  💬 1  📌 0

My worddd

29.09.2025 23:05 — 👍 3  🔁 0  💬 0  📌 0

@racheltobac.bsky.social new threat model for businesses? 😬😵‍💫

29.09.2025 15:19 — 👍 11  🔁 2  💬 3  📌 0

Thank you for the kind words!!

17.09.2025 15:17 — 👍 1  🔁 0  💬 0  📌 0
Social Engineer: YOU are Easier to Hack than your Computer
YouTube video by Scammer Payback

This should be mandatory watch by everybody who has a phone and or email. @racheltobac.bsky.social shows how vulnerable we all are to getting hacked through social engineering and with gAI tools it's only gotten easier.

17.09.2025 12:47 — 👍 48  🔁 10  💬 2  📌 3

Thank you!!

10.09.2025 13:59 — 👍 1  🔁 0  💬 1  📌 0

I only watched this today, but I enjoyed it immensely. So many security lessons in a very entertaining package. 😊

10.09.2025 12:09 — 👍 13  🔁 2  💬 1  📌 0