Timing Every SE Accordingly



Plan Each And Every SE With Good Timing

There's no doubt that each and every SE performed on every scale, must be done with extreme precision and accuracy to give It the best possible chance of success. Be It a small business with less than 100 employees, a mid-sized organization operating with up to 1,000 staff or the largest eCommerce company being Amazon who has a headcount of over 50,000 workers In the UK alone, each one must be treated equally In the way you plan to execute your attack vector. Never underestimate a given representative's competency and Intentions when he's assessing your claim, particularly those who work strictly by the book and follow protocol every step of the way during the claim's process.

In other words, from a social engineering standpoint, It's good practice to "always expect a number of complexities with every SE" - from the time It's executed and leaves your local environment, to when It's In the hands of the company's reps/agents and being evaluated pending questions and requests thrown at you at any given moment. As such, you'll be using an "offensive approach", hence be In readiness to adapt and effectively tackle just about every obstacle that comes your way to the likes of (but not limited to) Investigations opened, police reports to be filed & returned, or whether you should put pen to paper on a statutory declaration.

If you've taken the time to "thoroughly research" the company you're planning to SE, as well as familiarized yourself with the Ins and outs of their carrier partner(s) to see precisely how they service their deliveries, you'll find that making the correct decision on any of the above requests, Is not too difficult at all. For example, you'd know through your research (and/or perhaps hitting a practice run) that an "Investigation" and a "police report" are simply required to move forward with your claim, and because a statutory declaration Is not legally binding, you'll also have knowledge that It's generally fine to sign and return It.

The same can be said for other things, such as circumventing photos taken by the carrier driver when dropping off the package to your home, or bypassing an OTP (One-Time Password) when using the DNA method. Everything discussed so far, predominantly pertains to handling events that occur with the company & carrier, but In order to maximize your SE's success rate, It's of the utmost Importance to flawlessly prepare It on your end with Item & method formulation and on-topic of this article, to be well aware of how to "plan every SE with good timing" from one to the next. Allow me to explain It with an analogy that you can relate to on a daily basis.

When you're hungry, regardless of what part of the day It Is, the first thing you'd do Is eat something to your liking that will satisfy your appetite without the need to consume any more food than what you have to. Given you've just eaten, you're obviously not going to repeat It there and then, but Instead wait until "the timing Is right" - namely when you feel hungry again. The same principle applies to social engineering - don't be "hungry" with the amount of SEs you perform In a given time frame, but rather "wait for the right time by allowing a sufficient gap between each SE", specifically when you're hitting the same company/carrier with the methods you use, and also when filing disputes/claims with PayPal, as well as chargebacks with your credit card provider.

If you couldn't care less about any or all of the above circumstances, thus allow greed to take over your behavior by SEing anything and everything you can get your hands on, It will significantly raise suspicion to the point of your SE prematurely coming to an end. In other situations, your online account can be permanently locked, or your payment system may be limited due to too many claims/chargebacks In succession - all of which could've well and truly been avoided If you played It smart with "the timing of every event". So how do you Identify the right timing, and at what stage do you apply It to ensure minimal disruptions throughout the assessment of your claim? 

Rest assured, I've got you covered. I will outline a handful of elements on how to safely SE with "Company & Carrier Timing", "Item & Method Timing" and last but not least, "Payment System Timing" In that same order. I will also discuss "the best time of the year to perform your SE" a little further down the page - as this also plays an Integral role with Its success. What you're about to read from this point onwards, begins with an Introduction about what each topic Involves, and then outlines the "5 key elements of timing" that must be taken on board with every SE. Okay, so without further delay, let's rip Into It beginning with "Company And Carrier Research & Timing".


Company And Carrier Research & Timing:

The very first thing you need to do before even thinking about putting your SE together, Is to become well-acquainted with how the company operates, and the measures they have In place when processing claims - thereby you can make an Informed decision on the type of method that will be used with the Item you're looking to SE. For Instance, If their warehouse Is monitored with CCTV cameras, although It can be circumvented, you (generally) wouldn't use the missing Item method or the wrong Item received. Why? Well, they'll simply refer to their camera footage and deem that your product was In fact picked, packed and dispatched correctly. Instead, you'd choose a method that doesn't relate to warehousing activity - the sealed box method being the perfect alternative.

When you've finished with the company, their carrier partners (yes, they may have more than just the one!) are the next port of call to research - namely their terms and conditions, with the objective of establishing how they handle your goods, and what their responsibility as a carrier service entails. For example, If they're not liable for loss of goods In transit, then you're the one who Is accountable for packages/Items missing during shipment, so It's a logical choice to disregard the boxing and the DNA method. There's a lot more Involved, but I cannot possibly cater for each and every minute detail. As an SE'er yourself, It's your job to do your homework on the company & carrier In question. Now that you have both entities under control, It's crucial to understand how to effectively use your SE with good timing, so be sure to Implement the following 5 elements.

  1. Do not keep targeting the same company In close timing - take a break from one SE to the next. 
  2. Use different companies when wanting to perform many SEs closely together.
  3. If It's the same carrier servicing your deliveries, allow a sufficient gap (with that carrier) to not raise suspicion.
  4. If It's the same driver delivering your packages, don't always use the DNA In close timing - It may get the driver In trouble, and/or he'll remember your package being delivered correctly.
  5. Do not continue to refund the same company, even If you've spaced your SEs (accounts are flagged/closed due to a lot of refunds). Use replacements every now and then.

Item And Method Formulation & Timing:

After completing your Information gathering sessions with the company & their carrier partners, the next step prior to executing your attack vector, Is to apply "Item and method formulation". This Is done by first selecting your Item, and then sifting through every traditional method to find the one that's best suited to the nature of the Item Itself. You cannot choose the first method that comes to mind, and expect It to flawlessly serve Its purpose. Unless luck Is on your side, or you're using a universal method such as the DNA or the wrong Item received, there will be compatibility Issues with your product, which may cause your SE to fail In Its very early stages.

Here's what I'm referring to. Let's say you want to SE an SSD (Solid State Drive) and without putting too much thought Into an appropriate method, you've come across the sealed box method and decided that It will suffice your needs. Upon purchasing your Item, you made sure to follow the method's formulation to perfection, by taking out the SSD, replacing It with something useless (of equal weight) that you had lying around the house and resealed the box without any signs of tampering whatsoever.

After sending It back for a refund, you were later told that your claim was declined due to not returning the original Item - In this case, the SSD. The reason for that, was because you neglected to look at how the box was manufactured - It was not fully covered In cardboard on all 6 sides and had a clear film on one end, thus the representative Instantly noticed your useless Item without opening the box. Can you see why It's Imperative to have sound knowledge of the method you're planning to use with your Item? Good! When you've mastered "Item and method compatibility", checkout the details below on how to SE with good timing.

  1. Don't use the same method many times In close timing - as It's very unlikely that the same Incidents happened one after another In such a short period of time. 
  2. Don't SE high value Items many times In close timing - as claims for expensive Items attract attention, thereby It's susceptible to failure and account closures.
  3. Keep a record of the timing of each method used on the same company - as this allows you to change methods accordingly. 
  4. Keep a record of the timing of each high value Item used on the same company - you can throw low value Items In between each SE to avoid raising suspicion.  
  5. If a given method failed under very suspicious circumstances, allow a sufficient gap before using It again on the same company.

Payment System Familiarization & Timing:

Let's face It, social engineering Isn't all sunshine and rainbows. You may have researched the company and carrier by grabbing everything there Is to know about how they're structured and the way they operate, and then prepared your Item & method by leaving no room for error, but when your attack vector Is executed, you have very little to no control of how your claim Is handled by the company you're SEing. For Instance, there's at least one stubborn representative In every company and If you happen to be dealing with one during the assessment of your claim, he'll refuse to budge with his decision to decline It - regardless of every manipulative tactic you've used against him.

An example Is when using the corrupted file method, and Irrespective of complying with the rep/agent when asked to send the file, as well as converting It to different formats (with each request) to give It the best chance of success, your efforts were futile which ultimately resulted In a failed SE. This was no fault of your own, but rather the attitude of an arrogant rep who wanted to make life difficult for you by complicating your claim to the point of rejecting It. However, by no means does It suggest that you should take It on the chin and accept your SE as a loss - It can be rescued by using a given payment system to refund your account.

There are generally two common payment systems that SE'ers work with - "PayPal" and "Credit Cards", both of which offer buyer protection (or a similar variant), whereby they'll collect Information from the company and assess the claim In an Impartial and unbiased manner. If they're satisfied that the details are In support of your SE, the transaction will be reversed and the funds will be reimbursed back Into your account.

There's too much Info to mention, so I recommend reading my tutorial here. Now SE'ers also perform a "bank reversal" which Is the same as a credit card chargeback, so I won't elaborate on that. Lastly, a "section 75 claim" Is available for UK consumers that works similarly to chargebacks, but It's rarely used In social engineering, hence I won't bother discussing It. Okay, when filing a dispute with PayPal or hitting a chargeback with your credit card provider, "It's absolutely vital to only do It every once In a while", and to NOT keep repeating It many times In succession.

If you do (repeat It), It will significantly Increase the likelihood of your account being flagged and banned/locked thereafter. In the worst-case scenario, It may well be closed permanently, of which the consequences pretty much speak for themselves. When you've familiarized yourself with how each payment system Is used with your SE, It's crucial to get the "timing" right, thus It'll help safeguard against raising suspicion and account closures. Although It's simply common sense, nonetheless, I've outlined the five key elements below.    

  1. Do not perform credit card chargebacks or bank reversals In close timing - to be on the safe side, allow a gap of a few months or so.  
  2. In terms of PayPal, allow ample time when using their INR (Item Not Received) claim. 
  3. As per above, allow ample time when using their SNAD (Significantly Not As Described) Claim - add an INR In between to not raise suspicion. 
  4. If you're using PayPal's unauthorized transaction, allow at least a few months before using It again. 
  5. If you're a UK resident, a Section 75 claim should also be used by allowing a sufficient gap from one to the next.

The Best Time To Perform Your SE:  

Companies that operate on a large scale such as Amazon, work flat out during business hours to meet heavy demands with orders and claims and as a result, they struggle to find the manpower to keep up with their workload - In both their administration and warehouse departments. Social engineers who've been In the scene for many years are well-Informed of this, hence to add to the company's already busy and hectic environment and to also maximize their SE's success rate, they're selective with the "timing" of when to execute the SE - namely "Christmas", "Black Friday" and the "Easter Period".

As an SE'er yourself, hitting your target In the above-mentioned times, will multiply the company's workload tenfold, therefore due to the Influx of orders and customer requests, the probability of your claim being "easily approved" significantly Increases - all because they will not have the time and resources to thoroughly check each claim. Now before I cover each event (Christmas, Black Friday & Easter), I'm not suggesting that you should only perform your SEs during those periods - that would be unwise and a pretty silly approach. What I am saying, Is If you're planning (for example) to SE a "high value Item" or perhaps to "double dip" (SE the same Item twice from the same company) a few difficulties are expected so where possible, do It during any of those periods. Okay, so let's make a start with "The Festive Season".  

The Festive Season

Rather than solely dedicated to Christmas, the title of this topic reads "The Festive Season" for a very good reason - for the fact that the season begins late November, and finishes sometime after January In the following year. Essentially, you have around 4 weeks to social engineer from one company to the next, but In this time frame, there are a couple of extremely busy periods that you should be mostly focusing on. The first Is "a day or two before Christmas Day", and the second Is "on Boxing Day Itself", and here's why you should opt for either or both.

In terms of the first one, there are always last-minute shoppers who buy gifts on Christmas Eve or a day prior to that. In regard to Boxing Day, retailers want to get rid of their leftover Christmas stock and I can tell you that stores are absolutely packed with customers, which means that staff tend to take shortcuts when processing returns. Online shopping Is no different - It's simply another gateway to make purchases, but behind the scenes, It's just as hectic as In-store (physical) shopping. All In all, refunds/replacements are (predominantly) Issued with relative ease and for the most part, with very few questions asked.

Black Friday

Without a shadow of a doubt, Black Friday should always be part of your social engineering routine each and every year, and although It's traditionally recognized In the United States as the busiest shopping day of the year (falling on the Friday after Thanksgiving), It's spread to other countries such as the UK, Italy, Australia, Sweden, Brazil, Ireland, Germany and more. Going by personal experience over the past decade, I can confidently say that online and In-store Black Friday deals & bargains attract an extreme amount of traffic, from consumers wanting to snatch the best deals as quickly as possible.

As a result, warehouse, administration departments and sales teams all struggle to keep up with demands - which makes It an Ideal opportunity for every SE'er to make the most of the store's Incapacity to process claims accordingly. Put simply, they don't have the time nor the manpower to thoroughly assess each claim, thus many are approved not long after they've been received. So If you're planning to hit a mid to high value Item (that would otherwise be difficult under normal circumstances), there's every chance your SE will succeed with minimal disruptions during Black Friday.

The Easter Period

Even though this cannot be compared to the amount of sales generated as per the Festive Season and Black Friday, by no means Is It excluded from being one of the best times to perform your SEs, however you need to be strategic with the days you decide to execute your attack. For example, depending on what part of the globe you're located, Easter holidays are scheduled every year and as such, people take a break from their everyday life of work and stress by going on vacation for a few days or so. Because of that, stores are quieter than usual and (to a degree) the same with online shopping, so "you'd need to completely avoid SEing during those periods".

What I recommend Is to SE a week or so before Good Friday, whereby consumers go on a shopping spree to purchase Easter goodies/baskets for family and friends, Inclusive of themselves and If school holidays coincide with Easter In your locality, go ahead with your SE. The benefit of SEing during these times from an In-store perspective, Is that there's an array of ads on TV demonstrating what's on offer at selected stores, which also Includes toys and gadgets for children, hence kids nag their mom to attend the local mall. When you combine thousands of situations like that to every family, you'll find that shops have an Influx of customers, so the advantage of SEing under those circumstances Is quite obvious. Of course, buying on the Internet Is also part of this scenario.    

In Conclusion:

Social engineering requires an exceptional set of skills to make sure the SE not only gets off to a good start, but to also keep It flowing In a positive direction, by challenging and manipulating every problematic Issue during the entire course of your claim. And If you do It effectively by covering every angle and leave nothing to chance, the chance of a successful outcome Is significantly Increased.

A part of this equation that plays a major role In Its success, Is the subject of this article - "timing every SE accordingly". There's no rush whatsoever, so don't become fixated on the number of Items you're SEing within a given week or two. Play It smart by formulating a strategy based on everything you've just read and stick to It - Irrespective of whom you're SEing at the time.