Communicate Professionally



A Good Social Engineer Is Very Selective With His Wording.

When social engineering someone with the objective to grab their personal information, such as their family and given name, date of birth, address, phone number, credit card details and so forth, it's predominantly "done over the phone". Let's face it, they're not just going to tell you their details, hence a very effective method is to pretend that you're "someone who's calling from (for example) their electric company", querying their bill by requesting to verify the information on the account, which is their personal details. This can be done with any company you like.

In doing so, it's paramount to fit the role of the company's representative precisely to how they operate over the phone, namely "the way they engage in conversation". This "must be done in a professional fashion", and the choice of wording must be spot-on. For instance, say you've called your victim pretending to be from their electric company and said: "We're upgrading every customer's account info, so gimme yours and I'll whack it into my computer and it's gonna be fine". Your victim will instantly detect that the call is a fake.

In order to make the call as realistic as possible, you "must communicate professionally", AND the conversation must be suited to the nature of the company. So how do you know what to say when SEing your victim for their personal details? I can tell you in one word: "Research", and here's how it's done.

Research The Company Prior To The SE:

Let's assume that you're going to use a "Credit Card company" to SE your victim, by pretending to be one of their representatives. Most operate in a similar manner, so your aim is to identify the questions asked, how they expect to be answered and the terminology used.

You'd start off by calling your very own credit card provider and making a legit query on your card. The representative will definitely ask to verify the account details, so "take note of every question raised and answer given". Also listen to how the rep "answers the call", and how he "personally addresses you" during your chat. Once you have all this information, you're ready to SE your victim. I'll use a general example of how a social engineer easily obtains his victim's credit card account details.

The SE In Action:

The social engineer pretends to be a representative from the "Card Services" department, who deal with fraudulent credit card transactions. He calls his victim and says: "Hello, I'm Tom McPherson calling from (provides the card service company name), may I please speak with the account holder?" The victim says: "Yes, speaking". The SE'er then replies: "We've identified a potential fraudulent charge on your credit card, did you purchase a 60-inch Panasonic smart TV to the value of $2,875?" The victim is now in a state of panic and replies: "No! I did no such thing".

The social engineer then replies: "Rest assured, we'll take care of it. To reverse the charge and for verification purposes, may I start with the name on the account, date of birth, credit card number, expiration date and CVV number?" The victim happily responds with: "Sure thing (and reads out the details)". The social engineer assures his victim that the transaction will be reversed within the hour, ends the conversation on a good note and now has his victim's full credit card account details.

In Conclusion:

After reading the SE in action above, you can clearly see the level of professionalism involved during the conversation. And all this was due to the social engineer researching the credit card company, identifying how communications are generated to their customers, and the terminology and nature of how the representatives ask and reply to questions and concerns. The SE'er then communicated with his victim based on his findings, and easily obtained the details he was after.


