WOMEN IN TECH
We’ve all heard of phishing — the use of fraudulent electronic exchanges by hackers seeking sensitive information like usernames and passwords. Now cybercriminals have expanded their repertoire to include vishing — basically voice phishing by phone. And the mere act of posting photos online could turn users into victims.
“I can just bypass every security protocol you’ve set up. I don’t even need a technical hacker,” said Rachel Faber Tobac, associate user experience researcher at Course Hero Inc.
Tobac would know — she’s a white-hat hacker and visher helping companies understand their vulnerabilities and strengthen their defenses. At the yearly Def Con hacking conference, Tobac competes in white-hat vishing competitions.
“I’ll call them in a glass booth in front of 400 people and attempt to get them to go to malicious links,” Tobac said during an interview last week at the Grace Hopper Celebration of Women in Computing event in Orlando, Florida. She also co-founded SocialProof Security LLC, which educates companies on social media and security risks.
Tobac spoke with Jeff Frick (@JeffFrick), co-host of theCUBE, SiliconANGLE Media’s mobile livestreaming studio, during the Grace Hopper event.
“The biggest tool that I use is actually Instagram, which is really scary,” Tobac said. About 60 percent of the information she needs to vish a company, she culls from Instagram via geo-location. The mother lode is often a picture with a computer or workstation in the frame. “I can get their browser, their version information, and then I can help infiltrate that company by calling them over the phone.”
A visher might call a company posing as a company insider or some other innocent individual. Tobac revealed that “low-status pretexts” are particularly effective. Assumptions about women’s lack of technical expertise can often help get her inside.
For example, “I call you, and I’m like, ‘I don’t know how to troubleshoot your website. I’m so confused. I have to give a talk — it’s in five minutes. Can you just try my link and see if it works on your end?'” Tobac said. All the person on the other end has to do is click the link, and the hypothetical hacker is in his or her computer.
To avoid being vished, Tobac advises never letting anyone on the phone authenticate themselves with information about your browser or computer. And don’t take pictures with your computer in the shot.
“If you do, I’m going to see that little line at the bottom, and I’m going to see — exactly — the browser, version, OS and everything like that,” she concluded.
Watch the complete video interview below, and be sure to check out more of SiliconANGLE’s and theCUBE’s coverage of Grace Hopper Celebration of Women in Computing.