Defending Against Modern Cyber Threats in 2025: Insights from an Ethical Hacker

As technology evolves rapidly, so do cybercriminals’ tactics. At this year’s Axcient MSP Xperience Summit, Rachel Tobac, CEO of SocialProof Security and an expert ethical hacker, delivered an eye-opening presentation about the state of modern cyber threats. She highlighted how attackers exploit human vulnerabilities and technological gaps, offering valuable advice to MSPs on protecting themselves and their clients. Here’s a breakdown of her insights and actionable recommendations tailored for MSPs.

Understanding the Hacker’s Playbook

Rachel Tobac’s expertise lies in social engineering—tricking individuals into divulging sensitive information or granting unauthorized access. While technological defenses are crucial, most attacks start with a human element. According to the Verizon Data Breach Investigations Report, 68% of breaches involve human error or manipulation, often through phishing emails, fraudulent calls, or deceptive text messages. On average, according to IBM’s Cost of a Data Breach Report, social engineering costs organizations $4.88 million per attack, an increase of 10% from last year.

This is a stark reminder for MSPs that even the best technical defenses can be bypassed if employees and clients fall victim to social engineering. Rachel’s live hacking demonstrations underscored how criminals exploit social norms and behaviors to gain access to valuable systems and data.

The Human Element in Cyber Threats and Attacks

Rachel explained that most social engineering attacks exploit psychological principles that any of us can fall victim to. Attackers combine the following principles of persuasion to build what they call a “pretext,” the false identity and story they present, so that the victim complies with a malicious request.

  • Reciprocity: Humans are hardwired to feel indebtedness, making you more likely to comply with a request. Attackers offer seemingly helpful information to gain trust and elicit responses.
  • Social Proof: We trust things that are endorsed by other people, especially people we trust, large groups of people, or peers. Attackers will name-drop these authoritative figures to get you to buy in and provide additional information.
  • Liking: We trust people we like, and we like people who do similar things to us. Bad actors mimic how you sound, for example by using an email sign-off similar to yours or the same language they have seen you use in social media posts, to win your approval.
  • Authority: By posing as an IT professional, an executive in your company, or even law enforcement (remember, these are criminals), attackers manipulate victims to comply with urgent demands.
  • Urgency: Creating a sense of time pressure forces people to act without thoroughly evaluating the situation.

“50% of the time, I can get somebody to go to a malicious URL over the phone within 30 seconds if you don’t know what to look for.”

Rachel shared how she hacked CNN reporter Donie O’Sullivan without contacting him directly, not just once but again three years later. By gathering publicly available information from his tweets on X (formerly Twitter) and impersonating trusted organizations, Rachel bypassed traditional defenses to access sensitive data. For MSPs, this example highlights the importance of educating clients on how their personal and organizational information can be weaponized against them.

AI-Powered Threats: A Game-Changer

Artificial intelligence is revolutionizing cybercrime. Rachel illustrated how AI can amplify traditional hacking techniques by:

  • Voice Cloning and Deepfakes: Using just two minutes of audio, attackers can create a convincing voice clone to impersonate a trusted individual. Deepfake video tools can fabricate realistic video calls, tricking victims into transferring funds or sharing sensitive information.
  • Automating Pretexts: AI can generate phishing emails, text messages, and calls in multiple languages, removing the tells that once gave phishing away, such as poor grammar, spelling errors, and unnatural language.

A chilling example involved a deepfake video call where attackers convinced a finance professional to transfer $25 million. For MSPs, this underscores the need to recognize AI-driven threats and implement countermeasures, such as advanced identity verification processes.

Real-World Threats for MSPs and Clients

Rachel identified three key attack vectors targeting MSPs and their clients:

  1. Tech Support Scams: Attackers impersonate IT support from trusted companies like Microsoft, Apple, or your MSP to trick victims into granting access or downloading malware.
  2. Co-Worker Impersonation: Criminals pretend to be colleagues or your clients, often using spoofed email addresses or phone numbers.
  3. Bank Fraud Scams: Fraudsters call posing as bank representatives, convincing victims to reveal sensitive information like PIN codes or MFA tokens.

These scenarios emphasize the importance of client education and security training, vigilance, and robust internal security practices. Rachel highlighted the 2023 ransomware attack on Las Vegas casinos, which caused millions of dollars in damage. The attackers exploited weak points in authentication processes, impersonating employees to gain administrative access.

However, she also shared a success story—Cloudflare’s defense against a similar attack. While three employees fell for phishing attempts, the attack failed because Cloudflare employed FIDO2-compliant hardware security keys for multi-factor authentication (MFA). This example underscores the critical role of strong MFA in defending against sophisticated attacks.

Actionable Recommendations for MSPs

To safeguard your operations and clients, MSPs must adopt a proactive, layered, and security-first approach to cybersecurity. Here are Rachel’s top recommendations:

1. Promote “Polite Paranoia”

Encourage your employees and your clients to verify requests through multiple channels. For instance, if someone receives a request via email, they should confirm its legitimacy by calling the sender directly on a number they already know. This simple habit can thwart impersonation attempts, which often lead to gift card scams, wire fraud, and even ransomware.

2. Embrace Advanced Authentication

Move beyond traditional knowledge-based authentication, which relies on publicly available information like birthdates or email addresses. Instead, implement MFA solutions such as app-based authentication or hardware security keys. FIDO-compliant solutions are particularly effective for high-risk clients.
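Why hardware keys defeat the kind of attack that Cloudflare survived comes down to two WebAuthn properties: a credential is scoped to the relying-party ID it was registered for, and the signed assertion covers the origin the browser actually contacted. The following Python model, added here as an illustration and not code from the talk, from Cloudflare or from any FIDO library, makes those checks explicit. It assumes a hypothetical `bank.example` relying party and a look-alike `bank-example-login.com` phishing domain; HMAC-SHA256 with a per-credential secret stands in for the real public-key signature, so only the structure of the verification is faithful.

```python
"""Toy model of why FIDO2/WebAuthn credentials resist phishing (added example)."""
import hashlib
import hmac
import json
import os
import secrets


class Authenticator:
    """A hardware key: one secret per (rpId, credential_id) pair."""

    def __init__(self):
        self._creds = {}  # (rp_id, cred_id) -> secret

    def register(self, rp_id):
        cred_id = secrets.token_hex(8)
        secret = os.urandom(32)
        self._creds[(rp_id, cred_id)] = secret
        # The relying party stores the verification key (a public key in real WebAuthn).
        return cred_id, secret

    def get_assertion(self, rp_id, cred_id, challenge, origin):
        """Sign challenge + origin, but only with a credential scoped to rp_id."""
        secret = self._creds.get((rp_id, cred_id))
        if secret is None:
            raise LookupError("no credential registered for rpId %r" % rp_id)
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": origin},
            sort_keys=True,
        ).encode()
        # Real authenticators sign authenticatorData || SHA-256(clientDataJSON);
        # the rpId hash is part of authenticatorData.
        signed = hashlib.sha256(rp_id.encode()).digest() + hashlib.sha256(client_data).digest()
        return {"client_data": client_data,
                "signature": hmac.new(secret, signed, hashlib.sha256).hexdigest()}


def browser_get(authenticator, origin, requested_rp_id, cred_id, challenge):
    """The browser only permits an rpId equal to, or a parent domain of, the page host."""
    host = origin.split("://", 1)[1].split("/", 1)[0]
    if not (host == requested_rp_id or host.endswith("." + requested_rp_id)):
        raise PermissionError("rpId %r is not valid for origin %r" % (requested_rp_id, origin))
    return authenticator.get_assertion(requested_rp_id, cred_id, challenge, origin)


def rp_verify(expected_origin, rp_id, challenge, key, assertion):
    """Relying-party checks: ceremony type and challenge, then origin, then signature."""
    data = json.loads(assertion["client_data"])
    if data.get("type") != "webauthn.get" or data.get("challenge") != challenge:
        return False, "challenge mismatch"
    if data.get("origin") != expected_origin:
        return False, "origin mismatch: %s" % data.get("origin")
    signed = hashlib.sha256(rp_id.encode()).digest() + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(key, signed, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def demo():
    """Legitimate login succeeds; every route a look-alike domain could take fails."""
    rp_id, origin = "bank.example", "https://bank.example"
    phish = "https://bank-example-login.com"
    key = Authenticator()
    cred_id, vkey = key.register(rp_id)
    results = {}
    challenge = secrets.token_hex(16)  # a real RP issues a fresh challenge per ceremony
    a = browser_get(key, origin, rp_id, cred_id, challenge)
    results["legit"] = rp_verify(origin, rp_id, challenge, vkey, a)[0]
    try:  # phishing page asks for the bank's rpId: the browser refuses
        browser_get(key, phish, rp_id, cred_id, challenge)
        results["phish_browser"] = True
    except PermissionError:
        results["phish_browser"] = False
    try:  # phishing page asks for its own rpId: the key has no credential for it
        browser_get(key, phish, "bank-example-login.com", cred_id, challenge)
        results["phish_authenticator"] = True
    except LookupError:
        results["phish_authenticator"] = False
    # Even an assertion made for the right rpId but on the wrong origin is rejected
    a2 = key.get_assertion(rp_id, cred_id, challenge, phish)
    results["phish_rp_origin_check"] = rp_verify(origin, rp_id, challenge, vkey, a2)[0]
    return results


if __name__ == "__main__":
    print(demo())
```

The three failing paths are the point: the employee who typed a password and an OTP into the look-alike page handed over something reusable, while the hardware key never produces anything the phishing site can replay, because no layer (browser, authenticator, relying party) will bind the bank's credential to the wrong origin.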

3. Train Employees and Clients Regularly

Security awareness training is critical. MSPs should educate their teams and clients about common social engineering tactics, AI-driven threats, and how to spot phishing attempts. Rachel recommended programs like Living Security and KnowBe4 for comprehensive training.

“Within one week of someone changing their workplace on LinkedIn, they will likely receive a scam from someone pretending to work for the new company. This, of course, can happen at your MSP as well. There are so many levels to this impersonation strategy that people need to be aware of.”

4. Adopt Password Best Practices

Password reuse remains a significant vulnerability, and 52% of people admit to reusing their passwords. Attackers can try over 10,000 variations of a known password in seconds to guess your most recent and most frequently used passwords. MSPs should:

  • Use password managers to generate and store unique, complex passwords for each site you use – even the “throw-away” ones. The master password must be unique and unrelated to any other password, since a reused master password exposes the entire vault at once.
  • Educate your team and clients about the dangers of reusing passwords across multiple accounts.
  • Regularly audit accounts for weak or reused credentials.

5. Limit Public Information

Encourage clients to remove sensitive information from social media and networking sites. Publicly available data can be a treasure trove for attackers crafting convincing pretexts. For example, when you mention the companies you engage with, attackers can use that information to impersonate you and gain access to your accounts.

6. Monitor for Breaches

Use tools like Dehashed to monitor employee and client email addresses for exposure during data breaches. Promptly update compromised credentials to minimize risk. Rachel says, “I can put in one person’s email address, just one of them, and it usually returns 13 breached passwords.”
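Recommendations 4 and 6 both reduce to checks an MSP can script: find passwords reused across accounts, flag obviously weak ones, and test each against a breach corpus without sending the password itself. The Python below is an added example, not the talk's material and not Dehashed's or any vendor's code. The vault export and the breach corpus are constructed sample data, and the lookup models the k-anonymity range scheme that Have I Been Pwned's Pwned Passwords API uses (only the first five hex characters of the SHA-1 leave the client; the suffix is matched locally). Site names and counts are invented for the illustration.

```python
"""Audit a password-manager export for reuse, weakness and breach exposure (added example)."""
import hashlib
from collections import defaultdict


def _sha1(pw):
    return hashlib.sha1(pw.encode()).hexdigest().upper()


# Constructed vault export: (site, username, password). Nothing here is real.
VAULT = [
    ("mail.example", "alice@example.com", "Winter2024!"),
    ("bank.example", "alice@example.com", "Winter2024!"),      # reused across accounts
    ("forum.example", "alice", "password1"),                   # weak and widely breached
    ("cloud.example", "alice@example.com", "x7#Qp9!vL2mN@rT8"),  # manager-generated
]

# Constructed stand-in for a breach corpus, indexed by SHA-1 prefix the way a
# range API is: prefix -> {suffix: times_seen}. Counts are invented.
BREACH_CORPUS = defaultdict(dict)
for _pw, _count in [("password1", 2400000), ("Winter2024!", 57), ("letmein", 800000)]:
    _h = _sha1(_pw)
    BREACH_CORPUS[_h[:5]][_h[5:]] = _count


def range_lookup(prefix):
    """Simulates the k-anonymity range endpoint: all suffixes sharing a 5-char prefix."""
    return dict(BREACH_CORPUS.get(prefix, {}))


def breach_count(password, lookup=range_lookup):
    """How many times a password appears in the corpus; only the hash prefix is queried."""
    h = _sha1(password)
    return lookup(h[:5]).get(h[5:], 0)


def find_reused(vault):
    """Group accounts that share a password, comparing SHA-256 digests rather than plaintext."""
    by_hash = defaultdict(list)
    for site, user, pw in vault:
        by_hash[hashlib.sha256(pw.encode()).hexdigest()].append((site, user))
    return [accounts for accounts in by_hash.values() if len(accounts) > 1]


def is_weak(password, min_len=12):
    """Cheap policy check: too short, or fewer than three character classes."""
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    return len(password) < min_len or classes < 3


def audit(vault):
    """Return reuse groups plus per-account findings for weak or breached passwords."""
    findings = []
    for site, user, pw in vault:
        issues = []
        if is_weak(pw):
            issues.append("weak")
        n = breach_count(pw)
        if n:
            issues.append("breached(%d)" % n)
        if issues:
            findings.append((site, user, issues))
    return {"reused": find_reused(vault), "per_account": findings}


if __name__ == "__main__":
    report = audit(VAULT)
    for group in report["reused"]:
        print("REUSED across:", ", ".join("%s (%s)" % acct for acct in group))
    for site, user, issues in report["per_account"]:
        print("%-14s %-20s %s" % (site, user, ", ".join(issues)))
```

Against a live service, `range_lookup` would perform the HTTPS request for the prefix and parse the returned `suffix:count` lines; the rest of the audit is unchanged, and at no point does a password or its full hash leave the machine.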

7. Secure Communication Channels

Educate clients about phone spoofing and phishing. Rachel emphasized that no one can prevent their phone number from being spoofed, so relying on multiple identity verification methods is crucial. Watch Rachel hack a 60 Minutes staffer, spoofing correspondent Sharyn Alfonsi to see how easy it can be.

Preparing for AI-Era Threats

AI technology is advancing at breakneck speed. Rachel predicts deepfakes will become indistinguishable from reality within six months to a year. MSPs must prepare for this future by adopting emerging detection tools and fostering a culture of skepticism. There are several ways to catch a deepfake before it’s too late.

  • Pauses: If you interrupt an AI voice clone, it will take milliseconds to restart and then answer the question, so be suspicious if there is a noticeable lag and pause.
  • Verboseness: AI voice clones are driven by AI chatbots, which talk for much longer and use more words than humans usually do.
  • Impersonation: If the call comes from someone with authority and whose voice you know, it could be a deepfake because attackers won’t impersonate someone you’re unfamiliar with, such as a customer service representative.
  • Urgency: Recognize a sense of urgency in the moment. Imposter calls will want to get the information quickly and get off the phone.
  • Video quality: Video call deepfakes are blurry around the edges, and you can typically see a small box around the face; blinking may be slowed or backward, and the person’s mouth may not match their speech. Confirm the person’s identity and request through a second form of communication before acting.

Rachel also cautioned against using AI chatbots like ChatGPT for sensitive information, as these platforms can inadvertently expose data.

The Road Ahead

As Rachel noted, cybersecurity is not about eliminating all risks—it’s about making adversaries’ attacks more difficult and costly. For MSPs, this means blending human vigilance with cutting-edge technology to build resilient systems. By fostering a mindset of “polite paranoia,” leveraging strong authentication measures, and prioritizing regular training, MSPs can empower their teams and clients to navigate an increasingly complex threat landscape.

Rachel’s presentation was a good reminder of the stakes in cybersecurity and offered hope. With the right strategies, MSPs can turn the tables on attackers and ensure their clients’ safety in a digital-first world. By applying these insights and robust business continuity and disaster recovery (BCDR) solutions, MSPs can enhance their security posture and build trust with their clients, ensuring they remain ahead of cybercriminals in an ever-evolving landscape. See how Axcient can help you and your clients!
