Rachel is a hacker and the CEO of Social Proof Security, where she helps people and companies keep their data safe by training and pentesting them on social engineering risks. Rachel was also a winner of DEF CON’s wild spectator sport, the Social Engineering Capture the Flag contest, 3 years in a row. Rachel has shared her real-life social engineering stories with NPR, Last Week Tonight with John Oliver, Huffington Post, Business Insider, CNN, USA Today and many more. In her remaining spare time, Rachel works as the Chair of the Board for the nonprofit Women in Security and Privacy (WISP), where she works to advance women to lead in these fields.

Common misconceptions of hackers

A lot of times people portray attackers as a man in a hoodie in a basement somewhere, but I look and sound a lot different from that common perception of a hacker.

How I hack people over the phone and email using information found on social media:

Many people have likely encountered a lazy attacker who will send “your Amazon package is delayed” in a spray-and-pray fashion (no personalization; the attack is sprayed to thousands, hoping to capture the username and login of as many Amazon users as possible). When I’m hacking I tend to take a more personalized approach. Let’s say I find your social media and see that on your Twitter you tweet at a company, let’s say it’s Safeway grocery delivery, and let them know you’re trying to contact someone in customer support. I may see that and spoof my email (make it look like I’m emailing from Safeway) and message your email address (which I find on your LinkedIn) pretending to be from Safeway, saying “Sorry you’ve had a hard time reaching us, here is a link to claim your refund. Thanks for your patience.” And let’s say that you posted a picture on Twitter on your birthday of you in front of your open MacBook Pro and I see your computer and get a sense for the browser you use; then I can customize my malware to be tailored for the vulnerabilities in your browser and gain access to your machine when you click on that link!

How to protect yourself from attackers like me, especially under COVID-19:

Phishing and vishing (phone attacking) are already a challenge for people and businesses, but they are especially a challenge under COVID-19. According to the Google Transparency Report, phishing is up 350%, and according to RiskID’s research there were more than 300,000 new COVID-19 related phishing websites set up in early March alone.

The best ways to protect yourself are:

–Use 2 methods of communication to confirm people are who they say they are (will elaborate in the interview)

–Navigate to authentic sites yourself instead of clicking through links in email

–Use a password manager to avoid password reuse (according to a Google online security survey, 52% of people reuse their password)

–Turn on MFA so that even if I can grab your unique password, I still can’t get into your online bank account, for instance, and steal your money, etc.
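As an added illustration of the “navigate to the site yourself” and “confirm through a second channel” advice above (this is example code written for this page, not something from Rachel or Social Proof Security), the script below takes a constructed email modelled on the spoofed “claim your refund” message and checks two things a recipient or mail filter can check before anyone clicks: whether the return-path domain matches the displayed From domain, and whether every link in the body points at a domain the recipient actually trusts for that sender. The trusted-domain list, the sample headers and the `.example` domains are all assumptions made up for the demonstration, and the registrable-domain helper is deliberately crude (last two labels only, so it does not handle suffixes like `co.uk`).

```python
import re
from urllib.parse import urlparse

# Constructed sample message, modelled on the spoofed "refund" email the
# interview describes. All headers, addresses and domains are invented.
SAMPLE_EMAIL = {
    "from": "Safeway Support <support@safeway.com>",
    "return_path": "bounce@mail-refund-claims.example",
    "body": (
        "Sorry you've had a hard time reaching us, here is a link to claim "
        "your refund: https://safeway-refunds.example/claim?id=1234 "
        "Thanks for your patience."
    ),
}

# Assumption: an allow-list of domains the recipient trusts for this brand,
# maintained by the user or their mail administrator.
TRUSTED_DOMAINS = {"safeway.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Matches either "<addr>" in a display-name header or a bare addr.
ADDR_RE = re.compile(r"<([^>]+)>|([^\s<>]+@[^\s<>]+)")


def extract_address(header_value):
    """Return the bare email address from a header value, or None."""
    m = ADDR_RE.search(header_value)
    if not m:
        return None
    return (m.group(1) or m.group(2)).strip().lower()


def domain_of_address(addr):
    return addr.rsplit("@", 1)[1]


def registrable_domain(host):
    # Crude: keep the last two labels. Real code would use the public
    # suffix list; this simplification is an assumption of the example.
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def link_domains(body):
    """Registrable domains of every http(s) URL found in the body."""
    return {registrable_domain(urlparse(u).hostname or "") for u in URL_RE.findall(body)}


def looks_alike(domain, trusted):
    """True when a domain reuses a trusted brand name without being that domain."""
    brand = trusted.split(".")[0]
    return brand in domain and domain != trusted


def assess_email(msg, trusted_domains):
    """Return (verdict, findings) for a message dict with from/return_path/body."""
    findings = []
    from_addr = extract_address(msg["from"])
    if from_addr is None:
        findings.append("could not parse the From header")
        return "do not click; verify the sender through a second channel", findings
    from_domain = domain_of_address(from_addr)

    rp = msg.get("return_path")
    if rp:
        rp_domain = domain_of_address(extract_address(rp))
        if registrable_domain(rp_domain) != registrable_domain(from_domain):
            findings.append(
                f"return-path domain {rp_domain} differs from From domain {from_domain}"
            )

    for d in sorted(link_domains(msg["body"])):
        if d not in trusted_domains:
            note = f"link points to untrusted domain {d}"
            if any(looks_alike(d, t) for t in trusted_domains):
                note += " (lookalike of a trusted brand)"
            findings.append(note)

    if findings:
        verdict = "do not click; navigate to the site directly and verify by a second channel"
    else:
        verdict = "no mismatches found"
    return verdict, findings


if __name__ == "__main__":
    verdict, findings = assess_email(SAMPLE_EMAIL, TRUSTED_DOMAINS)
    print(verdict)
    for f in findings:
        print(" -", f)
```

Run stand-alone, the script flags both the return-path mismatch and the lookalike refund link in the sample message; a message whose links all resolve to the trusted domain and whose envelope sender matches produces no findings. The point is not that this replaces SPF/DMARC or a mail gateway, but that the recipient-side habit the interview recommends (type the real address yourself, then confirm by phone or another channel) maps onto checks that are easy to automate.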