SE'ing Checklist


Social Engineering Checklist For Every SE Performed.

Every time you're planning to social engineer a company, be it a small business with only a handful of employees processing a few orders here and there, or an online store on a very large scale like (obviously) Amazon, Argos and Logitech, you need to know precisely what you're dealing with before even thinking about executing the attack vector. It's not possible to perform what I call a "blind SE", where you have very little to no idea of how the company operates, and then expect things to run smoothly; it's very likely that your SE will come to a premature end. Of course, that assumes you've never SEd the company in question, and that its representatives work strictly by the book, following protocol when assessing claims.

All of the above is just one example of why SEs fail more often than not. There's a lot more to consider, not only when putting together your SE in readiness for the attack, but also when making sure it flows in a positive direction until it's finalized in your favor: a refund issued to your account, or a replacement item dispatched at no extra cost. Allow me to simplify it for you as follows. Let's say you're using the missing item method for the first time on a product that weighs around 900 grams, and you've selected John Lewis as the target, a company you've never SEd before. After formulating it on your end, you've contacted one of their reps/agents and told him that upon opening the package delivered by their carrier partner, your item was missing.

Behind the scenes, the company opened an external investigation by contacting the carrier who serviced your delivery and cross-checking the weight recorded at their depot. Their findings concluded that "the package was not 900 grams lighter," so your item was not missing. Moreover, an internal investigation took place, and their CCTV footage demonstrated that your product was in fact picked, packed and dispatched correctly. Because you did a "blind SE" and didn't bother to research the company, you were completely unaware that their warehouse activities were monitored by CCTV cameras. Furthermore, you were clueless about how the missing item method is used, namely with goods under 120 grams. Each of those events/attributes was responsible for your failed SE.

As you can see, it's paramount to be well informed about the company's operations, including the nature of the item you're planning to social engineer, and to choose a compatible and suitable method; these all work hand in hand to help ensure your SE runs as smoothly as possible with minimal disruption. In order to do that, a strategy must be in place that allows you to collect, analyze and prepare information about everything involved in your SE before hitting your attack vector. That's where I come in, by providing a checklist that details the most important elements that must be taken on board with each and every SE before it leaves your local environment.

Put simply, you will use the checklist as an information gathering and preparation tool when formulating your SE against the company, carrier, item and method, in that exact order, and that order is used to put your entire SE together. As a result, you'll be in a position to execute your attack flawlessly and tackle every obstacle that comes your way thereafter. I've also added a couple of account checklists towards the end of this article, because the account plays an integral role in every aspect of a given SE, so when you get to them, make sure to absorb every word you read. Okay, without further delay, let's rip into it, beginning with the company.

Company Checklist:

The very first thing that must be done with every SE is to check a few bits and pieces on how the company is structured, as this will give you a very good understanding of the type of method to use, and thereby allow you to base it effectively on the nature of the item you're looking to social engineer. Given that every company differs to some degree and no two are alike, it's imperative to be aware of their policies and procedures, so always start with the company when marking off your checklist, and do not skip it under any circumstances. What you're about to read is not an exhaustive list, but rather only focuses on the essentials needed to get you through to the next stage of your checklist.

  • Navigate to their terms and conditions
  • Identify their replacement policy
  • Identify their refund policy
  • How long is their manufacturer warranty?
  • Do they offer advanced replacements?
  • Do they bill accounts when the item is not returned?
  • Establish who's responsible for loss of goods during transit
  • Check which carriers are used to service all deliveries
  • Check if CCTV cameras are used in their warehouse
  • Check how the company can be contacted (phone, email, live chat)
  • Do they respond to PayPal disputes/claims?

Carrier Checklist:

Now that you've finished with the company and made a note of their carrier partner(s), the next step is to go through the carrier itself, namely the one who will be delivering your package for the SE you're currently preparing. If you're not entirely sure who it is and cannot find any information online, get in touch with the company as though you're a concerned customer who wants to make sure the package will arrive safely at your home, and simply ask which carrier will be delivering your goods. There's no need to provide a tracking or order number when speaking with the rep; you're only asking a question about a (seemingly) legitimate future purchase, so you'll be given the details without hesitation.

  • Navigate to their terms and conditions
  • Does the carrier transport dangerous goods?
  • Check if they accept liability for loss of goods during shipment
  • Does the driver leave packages at a safe place when no one is home?
  • Is it the carrier's/driver's decision to leave packages at a safe place?
  • Check if they offer a non-tracking service
  • Is an OTP (one-time password) required to verify the delivery?
  • Are photos taken of the package at the premises?
  • Are signatures required for every delivery?

Item Checklist:

You have now reached the stage where you can select your item based on your findings from the assessment of both the company and the carrier that will be delivering the package to your home, drop address, or any other location you've chosen to receive goods. As you can see in the checklist below, the focal point of attention is the nature of the item in every aspect, which is vital to establish before making the final decision on the most suitable item. For example, if you've used the missing item method, you'd know that it relies heavily on the product weight to give it the best chance of success, so the item must be picked accordingly. When you've completed the following checklist, an appropriate method can be chosen as per the topic after this.

  • Identify the item (net) weight
  • Identify the shipping (gross) weight
  • Check the full dimensions of the product
  • Take note of the value of the item
  • Does it come in a box or otherwise?
  • If it's a box, can the item be viewed externally without opening it? (when using the sealed box method)
  • If it's a box, check if there's a seal, clear film wrapping, or both (as per the above method)
  • If it's a tech-based product, take note of the serial number(s) and/or IMEI
  • If it's a tech-based product, does it contain batteries? (good for the leaking battery method)
  • Check if the item can be returned (some companies do not accept returns on certain products)
  • Is any or all of the item manufactured in glass? (good for the broken glass method)

Method Checklist:

Here's a recap of what you've done with your checklist so far. Firstly, you've gone through the company's policies as well as their overall operations; then you've checked off the carrier who will be servicing your delivery; and based on the results of the company and carrier, you've made an informed decision to select the most compatible item. All is well right up until now, but what happens from this point onwards will determine whether your SE executes flawlessly or comes to an end shortly after your attack vector is initiated. If you neglect to delve into the ins and outs of the method you plan to use, so that it's not effectively and suitably formulated against the company, carrier and item, don't bother wasting your time SEing. The method is the backbone of your SE, so take the utmost care with this checklist.

  • Look at all the traditional methods by their title
  • Separate out those that apply to your SE
  • Delve into each one and evaluate the pros and cons
  • Select the method that's most advantageous and has the highest degree of efficiency
  • Take note of any negative impact the method may have on your SE
  • Be sure it's suited to the company, carrier and item you're SEing
  • Fully familiarize yourself with the method's objective
  • Formulate your method based on the company, carrier and item
  • Check for any inconsistencies when finalizing it
  • Cross-check it on completion

Online Account Checklist:

The standing of your online account is of equal importance to every checklist you've performed thus far, so in order to avoid raising suspicion, you must hit every SE in a strategic and calculated manner. For instance, if you've SEd the same company countless times in succession on the very same account within a short period, there's a high chance that your account will get locked, most likely permanently. Sure, you can simply create another one by changing every identifiable detail, but if you have pending transactions, then that pretty much speaks for itself. As the cliche goes, "prevention is better than cure", so play it smart with every SE and don't allow greed to impair your judgment. The following checklist safeguards against account closures and significantly reduces the risks of your SEing activities.

  • Take note of the account's maturity (aged accounts draw less attention than fresh accounts)
  • Do you have a log book of each SE performed?
  • How many legit purchases are on the account?
  • How many SEs have been performed on the account?
  • What was the date of your last SE?
  • What method was used with the last SE?
  • Have you allowed a sufficient gap from one SE to the next?
  • Have you mixed low and high value items when SEing?
  • How many refunds have you claimed? (it's what companies look at when locking accounts)
  • If a new account has been created, has every identifiable detail been changed?

Payment System Account Checklist:

This is the final checklist, and although it's not exhaustive, it's paramount to be informed of the way your payment system works and how you can use it to your advantage when your SE has failed. For example, if you've been social engineering for many months or years, you'd know that SEs can fail at the best of times, and regardless of how effectively you're manipulating the rep/agent, he may refuse to budge on his decision to decline your claim for a refund. That's when you'll put your payment system into action, by using their buyer protection (or some other variant) to reverse the transaction on the account. Payment systems are quite complex and very detailed, but from an SEing standpoint, all you need to know is the few conditions that are used to ultimately reimburse your funds.

  • Navigate to your payment system's terms and conditions
  • If it's PayPal, familiarize yourself with their unauthorized transaction policy
  • If it's PayPal, read over their INR (Item Not Received) terms
  • As per above, check their SNAD (Significantly Not As Described) terms
  • If you're using a credit card, check how chargebacks are performed
  • If you're a UK resident, a Section 75 claim can be used to retrieve funds, so look into it
  • Do you have a VCC (virtual credit card) available to use with an advanced replacement?
  • Check the time frame on claims for each payment system

In Conclusion:

Now that you've reached the end of this article, and given that it's somewhat lengthy, you may be thinking that it's too much of a hassle to go through every checklist as outlined in each topic, but I can assure you that nothing could be further from the truth. For instance, if you've SEd a particular company quite a few times, you may already be aware of their refund and replacement policy, including the carriers they use and their warranty terms, so that in itself has cut your checklist in half. The same applies to most of the other topics. Moreover, some checklists will not be relevant to your SE, so you can immediately mark them off without looking into them any further. All in all, you now have a platform to work with that well and truly prepares your SE in readiness for your attack vector, so be sure to use each checklist as your information gathering and preparation tool.


  1. Hey, do you know if a website is still safe to SE if they state that they will "report all suspected fraud attempts to the police"? Also, HQ post as always :)

  2. Excellent article mothered, thank you.