SE'ing High Value Items

 


How To Social Engineer Items Of High Value.

In the complex world of social engineering, every SE'er differs to some degree and no two are ever alike. "Some are gifted In the art of human hacking, whereby they know precisely what to do with every situation that comes their way" and seldom (If ever) request the assistance of others, whilst on the other hand, there are "those who need guidance just about every step of the way" on what It takes to get the job done. Whichever of the two quoted categories (above) a dedicated social engineer happens to fall In, there's one thing that each and every one shares equally- and that's doing whatever It takes to achieve the result they're after. And If It means pushing their target to the absolute limit for days or perhaps weeks, by hitting them with every form of manipulation and not taking "no" for an answer, they will do exactly that until the person on the other end finally succumbs to the pressure of the SE'ers attack vectors.  

Now all the above doesn't relate to the old fashioned social engineering, by getting the victim's personal details over the phone In just a single session, hence It's over and done with In no time at all, but rather pertains to a much more sophisticated type that's known as "company manipulation and exploitation". This Is done by SEing online stores and tricking representatives to credit accounts, or dispatch replacement Items at no extra cost and In order to do It successfully, the company's terms must be "researched", the "method" must be formulated to perfection and the "attack" needs to be done by leaving very little to no room for error. You can already see how complicated the process Is and what adds to Its complexities, Is "when very high value Items" are selected to be refunded or replaced.

Unless the rep/agent Is brain-dead (so to speak) or couldn't care less about doing his job accordingly and approves your claim with very little to no questions asked, for the most part, they do follow protocol as per company guidelines and requirements- "especially when high value Items are Involved". For Instance, If you've SEd something from a given retailer that costs around 250$, such as 2nd Generation Apple AirPods by using the missing Item method and It succeeded with only a few emails back and forth, by no means Is It a "conclusive Indication" that the same method (missing Item) can be used for every other product. "How so?" you ask. Well, let's go from one extreme to another, by SEing a "Carat Pear Diamond ring valued at 10,199$", using the same method  against the same company  and dealing with the same rep

Do you think that your claim will be processed and finalized In the exact manner as the 250$ AirPods? Or will they check every minute detail of how your order was picked, packed and dispatched, Inclusive of opening an Investigation with the carrier by cross-checking their manifest and consignment records?  I can say with a high degree of certainty, that the latter will be performed at the minimum  and as a result, It will be a very lengthy procedure until a decision Is made, one way or the other. That's what prompted me to write this article- to provide you with a complete guide on "how to SE high value Items, and what It takes to give you the best chance of a successful outcome"

What you're about to read applies to Intermediate and advanced SE'ers, so If you're viewing this from a beginner's standpoint without any experience whatsoever, I strongly suggest that you begin your career by first SEing food Items and when your confidence builds, move forward by hitting companies that are easier to social engineer such as Amazon and Nike. To help you get started, please refer to my tutorial named Beginner's Guide to SE'ing and when you've developed your skill set to at least an Intermediate level, you'll be ready to continue where you left off In this article. Okay, on the grounds that you're well and truly an established SE'er, then you're all set to make a start so without further delay, let's rip Into It.

What Defines A High Value Item?

If you're actively registered with an online community to the likes of an Internet forum or a Discord server, you'll find that there are many discussions regarding SEing high value Items, a lot of which are very different In how they're Interpreted. Because of that, It can get rather confusing and most Importantly, the Information can be misleading which will cause SE'ers to make the wrong decision when looking for an Item to SE In a particular price range. For example, If you're social engineering something by using the DNA method, and you've been told by a fellow SE'er that It's valued In the low to mid range when In fact It Is quite the opposite (high value), then an Investigation Is almost guaranteed to take place. As you've read a couple of paragraphs above pertaining to the diamond ring, you can clearly see that It's a very arduous task to have your claim approved.

On the other hand, If you were aware that It was a high value Item right from the beginning, you would've chosen a method that doesn't trigger an Investigation. The "sealed box method" Is one of many, whereby you replace your purchased Item with something useless of equal weight, seal It as per Its original state and send It back for a refund. The company will then put It back Into stock and credit your account- all done without the need for them to go Into any detail nor check your return. So what defines a high value Item? There are no hard and fast rules and to be honest, much of It comes down to using common sense and good judgement. As a rule of thumb, anything with a "minimum cost of around 800.00$", Is considered to be a high value Item. Of course, anything over and above that figure, Is also classed In the high value range.

What Is A Safe Limit?

I've lost count as to the number of times I've been asked "what the limit Is to safely SE an expensive Item" and also without having the need to deal with a lengthy claims process, however that type of question Is Impossible to answer for the following reasons . As an SE'er yourself, you can do everything on your end to ensure your SE runs as smooth as possible from start to finish by researching your target, flawlessly preparing your method and executing your attack to perfection, but you have very little to no control of what happens within the confines of the company, namely how reps handle your claim. Sure, you can apply all types of manipulation with their requests and concerns to help the outcome work In your favor, but they ultimately decide "the steps that are required to finalize It"- which Is mostly done by complying with their protocol.

As I keep mentioning, the human brain Is the weakest link In the security chain, which means that "any entity can be SEd regardless of Its environment"  but In terms of social engineering Items In the thousands of dollars, It's obviously not the same as getting a refund for a Remington Pro hair dryer worth 29.00$. The latter Is not worth the manpower and administration costs to pursue your claim, hence one of many reasons why claims of that nature are approved on the spot. Items of (very) high value Is a different story altogether. They will go over your claim with a fine-tooth comb, which Is why It's not possible to put a price on a safe limit to SE. Now there Is one thing that I'll reiterate: "Anyone on any level can be SEd", very high value Items Included. Having a "positive attitude", being "confident" and "persevering" by pushing reps to their absolute limit, can make all the difference between success and failure.

Alter The Item Values:

The most significant element to successfully SE your target without leaving anything that's questionable and may be used against you, Is to "not raise suspicion whatsoever"- from the time your SE Is executed, to when Its finalized. The moment representatives notice Inconsistencies with your claim, they'll look further Into It, such as opening Internal Investigations within the company Itself. If things don't add up, not only can It result In your SE prematurely coming to an end, but your account can also be locked. If Its a temporary lock, you'd need to provide verification details or ID documents to get It activated again, however If It's a "permanent lock" It means exactly that- no chance of reinstating It. One of many things that can cause all that, Is "when you continue to social engineer high value Items many times In succession"

Here's where the problem lies. When you're on a roll with SEing expensive Items In the thousands of dollars, It's very easy to lose your perspective and keep hitting the same values without realizing the possible consequences of your actions. It becomes a classic case of "One Is never enough, and a thousand Is never too many". Now It may not be a big deal to you when your account Is locked, but how would you feel If the Feds busted down your door at 5:30 am and started reading out your rights? Enough said. Be smart with your SEing by altering the value of your Items between SEs. For Instance, throw In a few that cost 50$ - $100 and then "one" high value Item  and keep repeating a similar process. A safe ratio to work with, Is "10:1"- with "10" being low value Items and "1" high value

Use A Mature Account Wisely:

Believe It or not, "the state/condition of a given account Is a representation of the user who owns It", meaning (for example) If It's only a couple of weeks old and there's 8 refunds that succeeded and 5 failed attempts, then the SE'ers characteristic and behavior Is defined as "greed". A total of "13 SEs In two weeks" Is totally unacceptable and to be truthful, I wouldn't be surprised If the company terminated the account shortly after the said events. When SEing high value Items, having an aged account that's many months or even years old, has a much better Influence than one that was just created only recently- such as a few weeks ago. Allow me to explain why. When reps assess claims, they also look at the nature of the account and take Its maturity Into consideration before moving forward with the next course of action.

As a result, a mature account Impacts their decision-making In a positive fashion and decreases the likelihood of the account being flagged due to too many returns or a high number of refunds. Now I'm not saying that you can go ahead and SE every expensive Item that comes to mind- that would be unwise and a pretty silly approach. What I am Implying, Is that an account that's a few years old, In good standing and hasn't been abused by SEing one Item after another In close timing, "will not give the company reason to randomly check Its order history". Essentially, It forms the perfect Ingredients to provide you with a platform that you can confidently use to social engineer high value Items within reason, that Is, being reasonable and not too extreme with the amount of Items you're planning to SE. In order to do that, It's good practice to always use a safe method, which brings me to my next point as per the topic below.
 
The Safest Method To Use:

If you're not already aware, methods are the backbone of every social engineering attack and are used to guide It In the right direction. If you don't have one In place, your SE will not move forward, therefore It's not only Imperative to choose one (where applicable) that's suited to the nature of the Item but with regard to those of high value, "It's Imperative to opt for methods that can be used safely and with minimal disruptions during the claims process". Put simply, where possible, you'd want to avoid using methods that are likely to complicate your SE with all sorts of events  that may well and truly contribute to producing an unfavorable outcome- resulting In failure. Here's what I'm referring to. It's common for SE'ers of all shapes & sizes to use the "DNA" (Did Not Arrive) method, namely because It's compatible with any Item of reasonable size and weight.

The same popularity applies to the "missing Item method", especially when the Item Is only a few grams and cannot be detected when weighed, hence It will be very difficult (If not Impossible) for the company and carrier to conclude that It was enclosed In the shipment when you received It. There's no doubt that each of those methods a very effective, however there's one thing that's almost guaranteed to happen when using them with high value Items, which Is "an Investigation opened by the company". Given It's a costly Item and particularly If It's valued In the thousands, the rep will go the extra mile when assessing the claim by looking Into every minute detail from the time you Informed him that you didn't receive It, right through to when he's ready to make a decision to approve or decline It. 

If the rep/agent Isn't brain-dead or half-asleep on the job (and approves your claim there and then), a very lengthy process can be expected- some of which, can take up to a couple of months before you're told of the result. To help prevent all that, using a method that doesn't trigger an Investigation of any type, Is named "the sealed box method". As mentioned In the first topic above named "What Defines A High Value Item?", the objective of the sealed box method Is to circumvent the need to check your return, thereby the representative will place It back Into their Inventory and Issue a refund thereafter. You can read about the method In my tutorial here. If you've followed my guide every step of the way and applied It according to the nature of the high value Item you're SEing, there Is every reason why your SE should succeed.

The Best Time To SE High Value Items:

If you've been reading my articles on this blog on a regular basis, you'll notice that many highlight the Importance of "being selective with the timing of your SEs", by allowing a sufficient gap from one SE to the next, thus help prevent raising suspicion. Hitting high value Items Is certainly no exception. In this case however, I will be discussing "the best time of year to social engineer your target", namely "during their busy period" when they're Inundated with orders and claims and do not have the time and resources to thoroughly check each and every one. Moreover, their manpower will be somewhat limited when picking & packing orders and as a result, human error (by way of warehouse mistakes), will Inevitably happen- which adds an extra layer of support when your claim Is being processed.

If you haven't already worked It out, what I'm referring to Is "Easter Holidays", "Black Friday", and of course "The Festive Season/Christmas"- all of which are Ideal to hit costly goods, and any Item for that matter! "Why Is that", you ask? Well It pretty much speaks for Itself. In terms of "Christmas and Easter Holidays", shopping malls are flooded with customers looking to buy gifts for family & friends, and online purchasing attracts an extreme amount of traffic. The same can be said for "Black Friday"- every man and his dog (so to speak) are hunting to get their hands on the best bargains

Due to the high demand of orders and claims, companies are under pressure to meet deadlines and also take shortcuts when Issuing refunds/replacements with customer returns. Clearly you can see the benefits of SEing during the said times, so I don't need to elaborate any further. Now by no means am I suggesting to reserve your SEs for the above periods, but rather outlining why you should take advantage of companies who are experiencing a very high volume of sales and credit requests. Of equal Importance, Is to familiarize yourself with the events that are most likely to occur when SEing expensive Items, so we'll have a look at that next.  

What To Expect When SEing High Value Items:

Deceiving a company Into thinking your claim Is based on legit grounds by manipulating their reps to reimburse your funds for a measly 20 or 30 bucks, Is completely different to putting In a claim for something that's worth In the thousands of dollars. Regardless of formulating your method flawlessly and executing your attack In the same manner, the higher the value, the more attention It will attract  and because of that, the claim will be handled differently. After all, no one Is prepared to approve a refund (for example) of 4,000$, unless they're absolutely sure It's warranted  and to ensure their decision Is correct, they have certain measures In place such as opening an "Investigation", asking for a "police report"  or requesting an "affidavit" or "statutory declaration"  be signed and returned. And all that Is justified for the reason of the Item's value.   

This Is great from a company perspective, but It can be a nightmare for any social engineer, particularly If you've never dealt with any of them. Evidently, you won't be hit with the lot, but at the bare minimum, an "Investigation" and the need to file a "police report" Is very likely and In some cases, you will be asked to complete an "affidavit". This may seem like your SE Is not worth the risk, but apart from the affidavit, nothing could be further from the truth for the following reasons. Firstly, pertaining to an Investigation  and the police report, they're simply part of company protocol to move forward with your claim, so be patient during their Investigations and In terms of a police report, It's perfectly fine to go ahead and file one  online, or at your local police station. 

As for a "statutory declaration", generally speaking, If It's not signed In the presence of a Justice of the Peace, It's not a legally binding document so on the basis of signing It "by declaring that everything stated Is true and correct to the best of your knowledge", there's no cause for concern. An "affidavit" however, Is a different story altogether. The moment you put pen to paper, It becomes legally binding and can be used as evidence In court. Bear In mind that's the worst-case scenario, thereby It may never come to that, thus the majority of times It plays a similar role to a statutory declaration. Even though I keep Informing fellow SE'ers of the same thing, they continue to ask whether an affidavit should be signed. My advice remains firm: "There's always a possibility that It can lead to legal proceedings, so ultimately, It's your choice".    

Reserve Your PayPal Claims And Chargebacks:

Not every SE goes according to plan and can fail In the most favorable circumstances and as such, rather than accepting It as a loss, your "backup" comes Into action- namely hitting a "PayPal claim", or performing a "chargeback" via your credit card provider. These should always be used when all else fails- hence "your backup". Both are equally effective and serve the same purpose- to credit your account for the full cost of the (SEd) purchased Item. To make this easy to follow and comprehend, I'll provide a breakdown beginning with PayPal.

PayPal Dispute/Claim

When the SE has been declined, a PayPal Dispute Is usually the first step that's taken by the SE'er to recover funds. This Is done through "PayPal's Resolution Center". From a legit standpoint, the buyer & seller try to come to a solution regarding the Issue at hand and attempt to resolve the matter between themselves. From a social engineering viewpoint, yourself as the SE'er (buyer) will try to come to a solution with the seller (the company) and If you don't reach an agreement, the "Dispute" will be escalated to a "Claim". At this point, PayPal takes over  by reviewing the case, and decides the outcome In an Impartial and unbiased manner. Whilst many PayPal claims work In favor of the SE'er, there are just as many that don't, and this Is when you make use of a "chargeback", so let's see how It's done.

Credit Card Chargeback

When you've exhausted every other option to reverse the charge on your account to no avail, you'd then get In contact with your credit card provider and ask them to do It for you. This Is what's called a "chargeback", which Is used to reimburse your funds for the cost of the Item that you've attempted to SE. In short, here's how a chargeback works. Your credit card provider will get In touch with PayPal and collect all Information related to your claim, such as proof of purchase, shipment details, communication between yourself and the seller, transaction Info and the list goes on. They will then review everything and If all goes well, they'll approve your claim and deposit the money back Into your account. The good thing about chargebacks, Is that "they have the final say", meaning they'll override PayPal's decision (when they Initially disapproved your claim), and PayPal cannot say anything In their defense.

In Conclusion:

Now that you've had the pleasure of reading this entire article, you can clearly see that there's quite a bit to take on board when social engineering high value Items. Obviously, you will not experience every Incident nor have the need to apply each measure, but the reason why I've gone Into so much detail, Is because all SE'ers operate differently In how they hit their target. Moreover, you don't know for sure what to expect from representatives- some of whom are very stubborn and refuse to budge with your requests. As such, you will need to use many parts of this article during certain stages of your SE. In closing, be sure to keep "PayPal Claims" and credit card "chargebacks" as your backup plan. 


Comments