
Posts by Rachel Tobac


Want my thoughts on Anthropic's Mythos risk vs hype, how I use AI to bypass identity verification systems now, & more?
Tune in for my Rapid7's 2026 Global Cybersecurity Summit keynote panel 5/12 with Graham Cluley, Raj Samani, Brian Honan!
Join me here: rapid7.brighttalk.com

6 days ago 6 1 0 0
Rapid7 2026 Global Cybersecurity Summit | Virtual Event Join Rapid7’s 2026 Global Cybersecurity Summit, a two-day virtual event on preemptive security operations, cyber resilience, MDR, and AI-driven defense.

I'm speaking at Rapid7's 2026 Global Cybersecurity Summit, May 12-13.

Come hear me chat about how modern attacks actually start, and the reality of running a SOC in 2026 - alongside @racheltobac.bsky.social, @rajsamani.bsky.social, and @brianhonan.bsky.social

rapid7.brighttalk.com?utm_source=r...

1 week ago 7 2 0 0

I’ve got a challenge coin for you at the UN!

1 month ago 5 0 0 0

Going to this UN thing in Vienna with my team and the only name I recognize on the program is @RachelTobac (which is a good sign! So much to learn about scams!)

1 month ago 10 2 2 0

◡̈

1 month ago 1 0 0 0
Rachel Tobac - Security, hackers and password YouTube video by Atlassian Community

This is still a good reminder from @racheltobac.bsky.social

1 month ago 7 1 1 0

lol that’s cool, glad I work with your org!

1 month ago 1 0 0 0

I watch my company’s security awareness training just because the speaker is @racheltobac.bsky.social

1 month ago 12 1 3 0
Message from "Signal Support"

Dear User, this is Signal Security Support ChatBot.

Our system has detected a recent login attempt to your account from an unrecognized device or location. As a security measure, we have blocked this attempt and sent a verification code via SMS to your registered phone number.

If this was NOT you: To secure your account and block this unauthorized access, please reply to this message with the verification code you just received.

If this WAS you: You can safely ignore this message. The login attempt will be automatically approved shortly.

Thank you for helping us keep your account secure.

Signal will never message you like this.

If you get a message like this, SOMEONE IS TRYING TO HACK YOUR SIGNAL.

DO NOT GIVE THEM THAT CODE.

2 months ago 1993 1294 15 12
In the last days, there has been an unprecedented attack targeting investigative journalists trying to seize their Signal accounts. This has gone largely unreported.

I have been repeatedly targeted by phishing, and I learned that also colleagues from other outlets were targeted, with the attackers unfortunately managing to compromise at least one colleague’s account. What’s worrying: this doesn’t seem like an isolated case. A broader wave is apparently hitting journalists (and some civil society actors) via Signal.

How it works: Attackers message you on Signal pretending to be “Signal Support,” warning about “suspicious activity,” and urging you to “re-verify” your account. Once you accept the chat, you receive a real Signal SMS verification code, because the attacker is actively trying to register your number on a new device. If you share that code, you’re handing them the keys. 

Signal’s extra protection is the Signal PIN. If an attacker also tricks you into giving up your PIN (or you don’t have strong protections enabled), they can see your contacts and networks, potentially join chats going forward, and lock you out by changing settings. 

Quick protections worth doing today:
- Signal will never contact you via a two-way in-app support chat. Treat those messages as hostile. 
- Never share SMS codes, Signal PIN, or anything called “registration lock.” 
- Turn on Registration Lock (Settings → Account → Registration Lock). 
- If you see a “safety number changed” alert: verify the person via a different channel (call/video), not just Signal text. 
- Report + block suspicious requests, and review linked devices. 

If you work with sensitive sources: this isn’t just about losing an account, it’s about exposing networks. Please share this with colleagues who rely on Signal day-to-day.

WARNING, fellow journalists: As @nicoschmidt.io explains, attackers are trying to hijack reporters' Signal accounts by tricking people into handing over their 2FA codes. www.linkedin.com/posts/nicosc...

2 months ago 883 667 11 37

lol I very truly don’t, it’s quite frizzy and the good lighting masks it! Lighting is everything.

2 months ago 2 0 1 0

If you’re an activist, journalist, exec, or have a high threat model for any other reason, I do recommend using all tools to protect against spyware including Apple’s lockdown mode and WhatsApp’s new Strict Account Settings. Thanks WhatsApp for the partnership to get the word out to folks.

2 months ago 25 8 4 0

V good

3 months ago 3 0 1 0

The repairable, customizable, build-it-yourself, physical webcam & mic kill switch, Linux compatible, port swappable @frame.work laptop has hit the SocialProof office 🤖🤘

3 months ago 69 3 5 2
How the latest deepfake scam can cheat companies out of millions | CNN Business From CEOs to colleagues, deepfake technology can trick people into sending money, sharing passwords, or revealing sensitive information - all in seconds. CNN’s Clare Duffy met with ethical hacker and ...

Great work from @racheltobac.bsky.social, with @cnn.com: How the latest deepfake scam can cheat companies out of millions. Good one to share with your company, and with friends & loved ones. edition.cnn.com/2025/10/07/b... cc @craignewmark.bsky.social @pausetake9.bsky.social @gate15.bsky.social

6 months ago 12 10 2 0
Social Engineer: YOU are Easier to Hack than your Computer YouTube video by Scammer Payback

A totally entertaining and informative interview with @racheltobac.bsky.social and Scammer Payback about hacking and handling your online privacy in the new epoch of AI. youtu.be/xEdZwLRJttQ?...

6 months ago 34 10 2 1

Episode 22: Social Engineering, Gas Mark 4, and AGAs with Rachel Tobac!

@tib3rius.bsky.social & @swiftsecur.bsky.social are joined by @racheltobac.bsky.social to talk social engineering war stories...and more!

Links below!

5 months ago 6 4 1 0
People Who Say They’re Experiencing AI Psychosis Beg the FTC for Help The Federal Trade Commission received 200 complaints mentioning ChatGPT between November 2022 and August 2025. Several attributed delusions, paranoia, and spiritual crises to the chatbot.

“The consumer’s son has been interacting with an AI chatbot called ChatGPT, which is advising him not to take his prescribed medication and telling him that his parents are dangerous,” reads the FTC’s summary of one of the calls.

5 months ago 35 16 2 5

Hey @racheltobac.bsky.social you're probably going to need to hire a lot more people for all the new clients you're about to get.

6 months ago 8 1 1 0

Oh goodness gracious

6 months ago 5 0 0 0

Thanks for watching!

6 months ago 3 1 0 0

Thank you Andy!

6 months ago 2 0 1 0

In 2025, I've had a steep increase in reports from clients about AI voice clone phone calls asking for money, passwords or codes.
I give it about 12 months before criminals increase use of live video call deepfakes in their scams.
Get your folks & team prepared to catch it now.

6 months ago 15 8 0 0

continued...
- Fraudsters Cloned Company Director's Voice In $35 M Heist: forbes.com/sites/thomas...
- Wiz CEO says company was targeted with deepfake attack that used his voice: techcrunch.com/2024/10/28/w...

6 months ago 3 1 1 0
British engineering giant Arup revealed as $25 million deepfake scam victim | CNN Business A British multinational design and engineering company behind world-famous buildings such as the Sydney Opera House has confirmed that it was the target of a deepfake scam that led to one of its Hong ...

These live video call or audio call deepfakes are increasing in the business world. Most often, an exec is deepfaked to the team that supports them asking for money, passwords, MFA codes, etc:
- $25M sent to scammers in Arup video call deepfake attack cnn.com/2024/05/16/t...

6 months ago 3 1 1 0
How the latest deepfake scam can cheat companies out of millions | CNN Business From CEOs to colleagues, deepfake technology can trick people into sending money, sharing passwords, or revealing sensitive information - all in seconds. CNN’s Clare Duffy met with ethical hacker and ...

*My Latest CNN Zoom Call Deepfake Demo*
An eng org sent $25M to scammers who deepfaked the CFO in a live video call.
Are your colleagues, fam & friends ready to catch this AI attack?
I demo'd a live Zoom deepfake to CNN's Clare Duffy to help you spot the signs:
edition.cnn.com/2025/10/07/b...

6 months ago 22 12 1 0
OpenAI’s New Video App Is Jaw-Dropping (for Better and Worse)

Two of our tech reporters tested out Sora, a smartphone app made by OpenAI that lets people create videos entirely from A.I. “It is, in effect, a social network in disguise; a clone of TikTok down to its user interface, algorithmic video suggestions and ability to follow and interact with friends.”

6 months ago 48 12 22 3

Thanks for reading!

6 months ago 2 0 0 0

"It makes it really easy to create a believable deepfake in a way that we haven’t quite seen yet."
-- @racheltobac.bsky.social, CEO of SocialProof Security, a cybersecurity start-up in San Francisco

6 months ago 6 2 1 0