Fake Receipt Method



Provide A Fake Receipt To Get A Refund Or Replacement.

On the grounds that you have the funds to purchase an Item that you plan to social engineer from an online company such as Best Buy, Walmart or Amazon, there are a number of methods to choose from- some of which are flexible with the Item In question. For Instance, If you're after an SSD (Solid State Drive) for your computer, due to Its nature being compact and very light, It's not limited to just the one method. You can use the "missing Item method", "box" the company without adding a weight substitute or use the "partial method" by ordering a bunch of Items and claim that the SSD was missing.

Given the SSD will barely register a weight on consignment, the company cannot cross-check the details against the carrier's manifest, hence the SE Is almost certain to succeed. It Is all well and good when you've already purchased the Item, thereby the company can process your claim against the account that was used for the transaction, but what If you want to social engineer an Item that you don't have to begin with? For Instance, a lot of SE'ers use the "serial number method", by obtaining the serial (that's still under warranty) from a seller on eBay and then request a refund. Some representatives will Issue It without asking any questions, whilst others need what's called a "POP" (Proof Of Purchase).

Evidently, the social engineer does not have It but as with every SE, there's always a way to circumvent every entity In any capacity. How so In this case? You guessed It, the SE'er will simply create a fake receipt, send It off at the company's request and obtain a refund or replacement thereafter. However, It's not as easy as printing off/generating the receipt and leaving It at that. Preparing It carefully prior to giving It to the company, Is of paramount Importance, which brings me to my next point.

How To Prepare Your Fake Receipt:

As with the aforementioned methods at the beginning of this article that require a methodical and strategic formulation before executing the attack, the same applies with the "fake receipt method". This Is the backbone of the SE, thus any Inconsistencies can result In failure, so It's vital to prepare It by leaving nothing to chance. And the way you prepare It, Is solely based against the company you're social engineering. For example, every online retailer has their own dedicated Invoice & receipt processing system, therefore It's crucial that you match your "fake receipt with their original".

Unless you've already bought a few Items from the company In question, you wouldn't know "precisely how their receipts are formatted and documented". You may have a general Idea by performing an online search, but It's best to play It safe by having a comparison to work with, so simply order "two legit Items" (I'll explain why shortly) that're extremely cheap "on separate consignments", and you can then use their receipts to accurately create yours. "Now this part Is very Important". Some companies have a particular algorithm In how they generate their order numbers- either numerically arranged from one to the next, or contain a sequence of letters & numbers that follow a specific structure. If this Is Identified, It will significantly help to make your fake receipt appear as real as possible!

Now when you've received both Items that you've legitimately purchased, check out the order numbers on both receipts and If they follow some type of pattern, then this will definitely work to your advantage- as It will seem as though your fake receipt (when completed) has come from their administrative department. Also have a look at Its entire content to get a good Idea on what the final piece will look like. But knowing all this Information with the preparation side of things, means very little If you cannot accurately create a carbon copy of their original receipt. So let's see how to do this.

How To Generate Your Fake Receipt:

If you have the tools and resources at your disposal, creating a fake receipt Is very simple and only takes around 10-20 minutes to get the job done without any Indication of Inconsistencies. Now when I say "tools", I'm referring to "receipt generators" or "PSD files"- both of which are equally effective. The former (receipt generator), Is usually an online service such as this that generates them with a great degree of accuracy. The latter (PSD file), allows you to open It In Photoshop and edit It accordingly, but as mentioned, It must be pretty much spot-on to the original one.

There are also standalone tools that you can use, such as "AstroPID" (just Google It!) but I find that the quality and attention to detail of the end result Is not the best. Whichever you decide on using, be comfortable with Its overall usage. For example, If you don't have any Photoshop skills whatsoever, then there's no point utilizing a software that you're unfamiliar with. Once you've selected the tool or online generator and you've produced the fake receipt, "take the time to view and cross-check every detail against the original one".

Even If there's a slight variance, adjust It! Believe me, companies know exactly how their very own receipts are formatted, hence can spot a fake with little to no effort at all- particularly reps working In the claims department. Also, remember the "order number" that I mentioned earlier on? Good. If there's any type of consistency, apply It to your receipt by only changing one or two numbers/letters. This will give the appearance as though It did In fact originate from the company's administration department. When you have finalized your fake receipt, It's time to perform your SE, so I'll briefly provide an example of what to expect.

How the SE Works:

I'll demonstrate how this works right from the time the company asks for the receipt, to the completion of the SE, which ultimately results In a successful outcome. I will also be referring to the social engineer In the third person, and not yourself. There's not much Involved with the SE, so don't worry, this Is short and straight to the point. Let's begin.

When an online store Is managing a claim for a refund or replacement, sometimes they'll ask for a receipt/Invoice from the SE'er to verify that the Item was In fact purchased from them. When the social engineer doesn't have It due to (for example) SEing without purchasing an Item, he will use a receipt generator to produce a fake copy. It appears very realistic and If the representative does not manually enter the details Into his system, he wouldn't know that It's a fake! 

The only thing that Identifies It as a fake, Is the order number not being on company record, but the social engineer Is well aware of this and ready to manipulate everything that comes his way. Upon sending the fake receipt as requested, the rep will argue that he cannot find It on his system, but the SE'er Is always one step ahead. He will keep Insisting that he's purchased the Item against the receipt, and express his disappointment as to why the company cannot process such a simplistic claim. If need be, the social engineer requests his claim be escalated to senior management.

After going back and forth through their Internal departments, the company will eventually assume that It's "an administration error on their end", and approve the claim by Issuing a refund or replacement Item. To avoid raising suspicion, the SE'er will kindly apologize for any Inconvenience caused, and end the conversation on a good note by thanking the representative for his time and patience. A job well done Indeed!
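From the claims-processing side, the scenario above only works when a receipt that matches no order can still be approved after enough insistence or escalation. The following is an added example, not part of the original article, of a check that ties the decision to the system of record and flags unknown order numbers that sit one or two characters away from orders the claimant really placed; the order-ID format, accounts and the `verify_receipt` function are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Order:
    order_id: str
    account: str
    sku: str
    total_cents: int

# Constructed sample system of record (hypothetical IDs and format).
ORDERS = {o.order_id: o for o in [
    Order("BX-104-7731920", "acct-17", "USB-CABLE", 499),
    Order("BX-104-7731985", "acct-17", "HDMI-CABLE", 699),
    Order("BX-104-7740012", "acct-52", "SSD-1TB", 8999),
]}

def hamming(a: str, b: str) -> int:
    """Number of differing positions; unequal lengths count as far apart."""
    if len(a) != len(b):
        return max(len(a), len(b))
    return sum(x != y for x, y in zip(a, b))

def verify_receipt(account, order_id, sku, total_cents, escalations=0, orders=ORDERS):
    """Return (decision, reasons). The decision depends only on stored orders."""
    order = orders.get(order_id)
    if order is None:
        reasons = ["order_id not in system of record"]
        # Signal: the unknown ID differs by 1-2 characters from an order the
        # claimant really placed, i.e. it was derived from a genuine receipt.
        near = [o.order_id for o in orders.values()
                if o.account == account and 0 < hamming(o.order_id, order_id) <= 2]
        if near:
            reasons.append("near-match to claimant's own orders: " + ", ".join(sorted(near)))
        if escalations:
            # Escalation is recorded but never converts a missing order into approval.
            reasons.append(f"{escalations} escalation(s) ignored: no matching order")
        return ("flag_fraud_review" if near else "reject", reasons)
    mismatches = [name for name, got, want in [
        ("account", account, order.account),
        ("sku", sku, order.sku),
        ("total_cents", total_cents, order.total_cents)] if got != want]
    if mismatches:
        return "reject", ["receipt fields differ from order: " + ", ".join(mismatches)]
    return "approve", []
```

The point of the design is that "administration error on our end" is never a reachable outcome: a claim without a matching order is rejected or routed to fraud review, and the escalation count only adds to the audit trail.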

In Conclusion:

Contrary to what some social engineers think, the "fake receipt method" has a very high chance of success- namely due to the accuracy of how It's generated, the order number matching the company's algorithm and the SE'er persevering with the entire process from start to finish. As you've most likely noticed In the example above, the objective Is to make the company believe that It's an administration error on their end. This does happen from time to time with every organization, and that's what makes the "fake receipt method" so effective.





