Don't Overthink The SE

Do Not Overthink The Progress Of Your SE.

There's a lot going on In the profound mind of the social engineer, and unless you're reading this as an SE'er yourself with years of experience In the art of exploiting the human firewall, It can be very difficult to fathom just how his mind operates. If he's committed to SEing on a daily basis, be It companies on a large scale to obtain refunds and/or replacements for Items or manipulating people to grab their personal Information, seldom Is there time for leisure activities, In fact, watching a favorite TV show or relaxing on the couch listening to music, rarely (If ever) Is part of the equation- there's simply no Interest whatsoever.

Advanced/dedicated SE'ers have a one-track mind, and that Is "to consistently SE a given entity without fail, or to help those who require assistance In every way possible" and If It means Isolating themselves from all forms of distraction, they will do that without any hesitation at all. This preserves their mindset, thereby allows them to generate their full attention to the task at hand. However, Irrespective of a social engineer's level of expertise, they can lose their perspective at the best of times- namely "overthinking the progress of the SE" by trying to predict events before they have a chance to happen. This Is very bad practice and for the most part, works against the SE'er.

You see, It's one thing thinking about your SE based on the details you have right In front of you, but quite another to create all types of fanciful predictions. The keyword here Is: "predictions", meaning It's Impossible to forecast the exactness of your attack, Inclusive of the responses that you'll receive. Sure, you should well and truly prepare yourself for the unexpected, but It must be on the grounds that It will "Probably (most likely) happen" and not "Possibly (may/not likely to) happen!". There's a big difference between the two and If you don't follow the correct path, your SE Is destined to fail. The best way to give you a clear understanding, Is by demonstrating a couple of examples, so let's begin with the first one as per below.

Example One- Using The 'Wrong Item Received' Method:

Let's say you're planning to SE an Item by using the "wrong Item received method", hence you'll obviously claim that the company sent something completely different to what you've ordered. You've researched their terms and conditions, "purchased a stock Item as the wrong Item", and prepared your method based on your findings- In readiness for Its execution. The only thing left, Is to call the company, speak with one of their representatives and social engineer him for a refund. Instead of doing this, "you overthink your SE by creating all sorts of scenarios, events and conclusions that may never occur!". Here's a breakdown of what I'm referring to.

  • What If the weight Is noticed by the carrier?
  • What happens If they scan the Item and ask questions?
  • What If they decide to open an Investigation?
  • What If I'm asked to sign a police report?
  • What If the police don't agree to give me the report?
  • What If my account gets locked?
  • What If my claim Is declined?

Now think about this for a minute or so. What are the chances of all the above happening In the "exact manner?". I can confidently say: "absolutely zero". There Is no way that each and every one will come your way. Moreover, half the stuff Is Irrelevant to the method Itself. Realistically (and provided your method & attack vector leaves nothing to chance), this Is what should be In the back of your mind.

  • What If they decide to open an Investigation?

That's It! Anything can happen In an Internal Investigation solely within the confines of the company, so there's every reason to be (somewhat) concerned and ready for It. The rest are pretty straightforward, thus should not even be considered- namely because the chances of them taking place In one hit Is (Immaterial and) next to nothing. Let's checkout another example, this time using the "DNA" (Did Not Arrive) method.

Example Two- Using The 'DNA Method':

As you're well aware, the "DNA" method pertains to ordering an Item from an online retailer and when the package Is delivered, you claim that you did not receive It. Regardless of the circumstances Involved between you, the company and the carrier, If you've formulated and executed your attack effectively, It will succeed. The worst thing you can do, Is to ruin the entire process by "overthinking the SE" and draw your own conclusions with absolutely nothing to work with. Many social engineers come up with the following possibilities.

  • When should I call the company saying I didn't receive It?
  • What If my fake signature Is rejected?
  • What If the carrier takes photos of my house?
  • Will the carrier get In trouble because of the DNA?
  • What If the carrier comes to my house asking questions?
  • What should I do If the carrier calls and my parents answer the phone?
  • Will the company open an Investigation & ask for a police report?
  • What should I do If they send an affidavit to sign?

As with the first example above, "the probability of every event happening Is zero"Believe It or not, I've come across these questions on a handful of occasions from different members and after posting countless messages back and forth, the only things that they had to deal with, were the following Incidents.

  • When should I call the company saying I didn't receive It?
  • Will the company open an Investigation & ask for a police report?

The rest were simply a waste of time and effort, that should've been disregarded altogether right from the get-go. It's a totally different story If you have some sort of evidence to base what you believe might eventuate, but to blindly come up with events off the top of your head, Is not the way you should perform your SE.

In Conclusion:

I'd like to reiterate, that It's certainly of paramount Importance to research and formulate your SE In readiness for the execution and to also prepare yourself for the unexpected during the entire claims process, however this must be done on realistic terms. If you're going to sit there and create all sorts of predictions based on "What Ifs", then you may as well forget about social engineering altogether. 

Every SE Is taken one step at a time, and each response and action you decide to take, depends on the nature of the company's reply. As such, you'll find that the majority of things going around In your head, will never match the exactness of how your social engineering attack Is progressing!