July 29
S.e
Social Engineering Guide by Gjusandros, including how to SE and protect yourself from SE

A little introduction

You've contacted the supplier saying you've received the package but the device is defective. Obviously it isn't, but that's the excuse you're using to social engineer them. After going through a few troubleshooting procedures and you've told them the phone is still not functioning, they've asked you to send it back for a full refund. Instead of sending the phone, you've placed dry ice in the package that matches the item's weight. You have also made a slight tear at the bottom of the package, just enough to match the size of the phone, and sealed it with different colored tape. The package is then sent, and by the time they have received it, the dry ice has melted and the tear in the package is consistent with the phone being stolen during transit. As such, they've cross-checked with the carrier and, after a few investigations, are satisfied that the phone was stolen. You have been issued a full refund thereafter. You now have a brand new cell phone and a refund, which means you didn't pay a single dime for the phone.

See how the method was used to social engineer? It tampered with the packaging, hence manipulated the person on the other end into doing something they were not supposed to do, and that was to provide a full refund for the cell phone. You now have the device plus your money back, ultimately resulting in a free phone! So as you're aware by now, social engineering is all about the method used, no matter what the end result may be. What you're about to read will train you in all types of social engineering attacks, not only on a personal level, but also in a corporate/business environment.

Before I begin, there are quite a number of terms used in social engineering and computing, either as a whole or in their abbreviated form, that you should be aware of.
I will be referencing these terms quite often, so please take the time to read the section below.

SOCIAL ENGINEERING TERMS & METHODS DEFINED:

Note: The majority of what you're about to read is relative to social engineering companies to obtain refunds and/or replacements for items that the social engineer has purchased & received. The objective of this is to make you fully aware of how social engineers operate, the methods they use during their attack and, most importantly (from a company's perspective), how to protect your business and its representatives from falling victim to SEing exploitation. My goal is to get you into the mind of a social engineer, and provide you with a clear understanding of the methodologies they use to manipulate representatives into performing acts they're not supposed to do in the first place. After reading every topic below, you will learn how to identify a social engineering attack and stop it before it has a chance to succeed. Everything is based on true events that social engineers perform on a daily basis, but for security reasons, I've excluded all identifiable details. I've also provided a few common terms that are used in the social engineering community. Do take the time to read "every" topic, particularly from a business standpoint. It will significantly help your entire organization to minimize risks with all facets of social engineering attack vectors.

SEing- An abbreviated form of "Social Engineering".
This is one of the most commonly used terms in the world of social engineering. You will find that every Internet forum and chat gateway where social engineering is discussed will utilize SEing quite often. So be sure to make a mental note and keep it at your disposal. You will need to reference it regularly.

SEd- Short for "Social Engineered".
As with SEing, this is also somewhat widely used by the majority of social engineers.
Those who've been SEing for a number of years will use this a lot more often than someone who's been in the scene for only a few months or so. A variant of this is SE'd (the inclusion of an apostrophe), which is equal to SEd.

SEs- Stands for "Social Engineers".
Contrary to both the above, it's not often that you'll come across this in online social engineering communities, but nonetheless, it's certainly worth familiarizing yourself with its meaning. It's predominantly written exactly as is, with only a minority of uses taking an apostrophe in the form of SE's.

SE'er- Defined as "Social Engineerer".
Used to describe the person who social engineers, being the social engineerer. It's abbreviated and used as such mainly because "social engineerer" is not in the English vocabulary, and when used as a whole word, it doesn't really make much sense. SE'er is the least used term of the lot, but as you'll see in a few topics below, it puts the sentence in the proper context. Be sure to remember this; you will come across it every so often.

SE- Meaning "Social Engineer".
I don't believe there's much point in going into detail about this. Without question, this is "the" most frequently used term in the art of human hacking. Even if you've just started reading guides etc., you would've definitely experienced this abbreviation of "Social Engineering" in the very early stages of your involvement, and will definitely continue to do so throughout many articles and Internet boards/forums.

Warranty Exploitation- "Refund Anything Still Under Warranty".
What you're about to read in this topic pertains to almost every article listed below. Although the term "Warranty Exploitation" is not so much of a commonality in social engineering parlance, it's still used here and there on Internet forums and chat platforms like IRC and Discord.
As its name suggests, warranty exploitation is used by social engineers to take advantage of items that are still covered by the manufacturer's warranty, with the intention to receive a refund or replacement. This works greatly in the SE'er's favor: they're aware that the company must comply with their warranty terms, and formulate their method to exploit it accordingly. Provided the SE'er's method is effective, there's very little a company can do to decline their claim. So when you read "Warranty Exploitation", it's used by social engineers to obtain refunds and replacements.

DNA- Acronym of "Did Not Arrive".
DNA is predominantly carrier-based and is considered a universal method. When social engineering companies with the intention to obtain a refund or replacement for an item already purchased, DNA is used to describe a particular method to achieve it, namely the "Did Not Arrive" method. Simply put, the social engineer will claim that the package he ordered was not delivered to his home. He'll either use a fake signature or, if it was left at his doorstep, he'll say that it was stolen. When the company contacts the carrier and is unable to verify the delivery due to either of the above excuses, they'll process a refund or item replacement.

Wrong Item Received Method- "Incorrect Item Sent".
A very effective method used by social engineers when SEing a company to obtain a refund is the "Wrong Item Received" method. The social engineer will claim that the company has sent an incorrect item. The company will ask to return it, so the social engineer will then purchase something that the company "stocks" in their inventory, is around the same weight and size and is significantly cheaper. He will send this to the company. When they receive it, they'll issue a refund. It's as simple as that.

Missing Item Method- "No Item In The Box".
For this method to work, the item that the social engineer purchases must be extremely light and barely register a weight on consignment. Let's say the item is a pair of AirPods, which only weigh 8 grams. After the order is placed online and the package is sent to his home, he calls the company and tells them that he received the box with nothing inside, hence "missing item". Because the AirPods are so light, the company cannot cross-check the weight with the carrier. It will NOT show any record! As such, the company will issue either a refund or replacement. This has a very high success rate when performed exactly as stated on lightweight items.

Boxing Method- "Sending A Box Without The Item".
Boxing is used to obtain a refund or replacement on an item that the social engineer has purchased from an online store. In simple terms, he sends the box back to the seller without the item (that was purchased). How it generally works is like this. The social engineer will contact the seller claiming the item is defective. The seller will request its return, and the social engineer will send the box empty, without the item. Now, packages are weighed during shipment, so to match the weight of the item, the social engineer will place "dry ice" in the box. He will also tear the package to a length that's consistent with the item, and seal it with different colored tape. This gives the impression that the package has been tampered with during transit, that is, that the item has been stolen. By the time the seller receives the delivery, the dry ice would've sublimated and ONLY the box is received. The seller checks with the carrier and, after investigating, he's satisfied the item was stolen. A refund/replacement is then issued to the social engineer.

Double Dip Method- "SE An Item Twice".
This method requires a particular skill set that's mainly used by advanced social engineers. They SE a company to get an item "twice", both free of cost.
For instance, the social engineer will say that he didn't receive the package (which realistically he did!), and the company will send out a replacement. He now has two items, but he's only paid for one item. Next, he will claim that the replacement item is defective and then use the "Boxing Method" to get a refund. So ultimately, he has SEd two items without paying a dime. This is a difficult method compared to the rest, but advanced social engineers achieve a successful result almost each and every time.

Triple Dip Method- "SE An Item Three Times".
Some people say that this method is pushing it to the extreme, and to be honest, I totally agree. As per the "Double Dip Method" above, this goes one step further by adding another item into the equation, thereby obtaining "three items" absolutely free. Try and follow this step by step. The social engineer will order an item and say it was missing from the box. The company will then send a replacement item. The social engineer now has "two items". He will then claim that the replacement item didn't arrive. The company will then send ANOTHER replacement item. The social engineer now has "three items". Finally, the social engineer will say that the replacement item is the wrong item. The company will then issue a refund. Ultimately, the social engineer has ended up with "three items" and a "refund". This is a VERY difficult process and is susceptible to failure more than any other method.

Drop House- "A House Or Address Not Belonging To The SE'er".
Also known as a "Drop Address", this is a house that does not belong to the social engineer and is used as a delivery point to receive packages. There are many reasons to use this, with the most common being to protect the SE'er's identity and/or to avoid being billed by the company who's sending the goods. The social engineer will search for a vacant home, such as one that's listed for lease/rent.
He'll then use this as the delivery address when ordering items from an online retailer, and either accept the delivery from the carrier or, if it's left at the premises by the driver, pick it up at a later stage. Given the house is not associated with the social engineer in any way, shape or form, there is no identifiable relationship, thus it has a pretty high success rate.

POP- "Proof Of Purchase".
The title of this topic is very much self-explanatory, but because it's almost always written and referred to in its abbreviated form ("POP"), it's essential that you're aware exactly what it stands for, and that's "Proof Of Purchase". When a social engineer SEs an item and requests a refund or replacement, before the company issues it, they'll ask for a POP, just to verify that the item was purchased from their store. A good social engineer can get around this with ease. A couple of options he'll use are to either Photoshop the receipt, or use a receipt generator specific to the company who's requesting it. Obviously it cannot be validated by its order number, but it all comes down to (as it seems) an error in the company's administration department.

AR- "Advanced Replacement".
Not too many companies offer this as part of their claims management process, but for those that do, it means that they will send the item BEFORE the defective product is returned to them, hence "Advanced Replacement". This suits the social engineer perfectly, particularly when it's dispatched to a "Drop House" (as per a couple of topics above). In this case, he doesn't even have to think about ways to avoid sending the defective product; the Drop House is not his, so he's totally in the clear. So what happens when it's sent to "his" residential address, and the company is awaiting the return of the defective item? Simple: he will box the company (refer to the "Boxing Method" further up) and get to keep both items.
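Every method above (Missing Item, Double and Triple Dip, Drop House, POP and AR) shares one property from the company's side: the claimant's story cannot be corroborated by the company's own order and shipping records. The following is an added example, not code from the guide or from any retailer, of a merchant-side triage pass that turns those record checks into review flags. The order records, the claim log, the field names and the thresholds (three customers per address, a 14-day AR grace period) are all constructed assumptions for this example.

```python
"""Claim-screening rules for the refund methods described above.

Added example, not part of the guide. Each rule answers one question the
guide says a company usually fails to ask: is the order number on record
(POP / Receipt Generator), can the carrier's scale even detect the item
(Missing Item), how many claims sit against one order (Double / Triple
Dip), how many different customers share one delivery address (Drop
House), and has an Advanced Replacement's return ever come back (AR).
"""
from collections import Counter, defaultdict

# Constructed order records. 'item_weight_g' is the catalog weight of the
# item; 'scale_resolution_g' is the smallest difference the carrier's scale
# reports, so a lighter item cannot be confirmed or refuted by weight alone.
ORDERS = {
    "A1001": {"customer": "c1", "address": "12 Example St",
              "item_weight_g": 8, "scale_resolution_g": 50},
    "A1002": {"customer": "c2", "address": "12 Example St",
              "item_weight_g": 450, "scale_resolution_g": 50},
    "A1003": {"customer": "c3", "address": "12 Example St",
              "item_weight_g": 900, "scale_resolution_g": 50},
    "A1004": {"customer": "c4", "address": "7 Sample Ave",
              "item_weight_g": 120, "scale_resolution_g": 50},
    "A1005": {"customer": "c5", "address": "7 Sample Ave",
              "item_weight_g": 300, "scale_resolution_g": 50},
}

# Constructed claim log, in the order the claims were received.
CLAIMS = [
    {"id": 1, "order": "A1001", "type": "missing_item"},
    {"id": 2, "order": "A1002", "type": "did_not_arrive"},
    {"id": 3, "order": "A1002", "type": "defective"},     # second claim, same order
    {"id": 4, "order": "A1002", "type": "wrong_item"},    # third claim, same order
    {"id": 5, "order": "ZZ999", "type": "defective"},     # order number not on record
    {"id": 6, "order": "A1005", "type": "advanced_replacement",
     "return_received": False, "days_open": 21},
    {"id": 7, "order": "A1004", "type": "defective"},     # nothing unusual
]


def screen_claims(orders, claims, address_threshold=3, ar_grace_days=14):
    """Return {claim_id: [flag, ...]} for claims that need manual review."""
    flags = defaultdict(list)
    claims_per_order = Counter(c["order"] for c in claims)
    customers_per_address = defaultdict(set)
    for o in orders.values():
        customers_per_address[o["address"]].add(o["customer"])

    for c in claims:
        order = orders.get(c["order"])
        if order is None:
            # POP / Receipt Generator: the quoted order number is not on record.
            flags[c["id"]].append("order-not-on-record")
            continue
        if (c["type"] == "missing_item"
                and order["item_weight_g"] < order["scale_resolution_g"]):
            # Missing Item: carrier weight cannot settle this claim either way.
            flags[c["id"]].append("weight-check-inconclusive")
        if claims_per_order[c["order"]] > 1:
            # Double / Triple Dip: several claims against a single order.
            flags[c["id"]].append("repeat-claim-on-order")
        if len(customers_per_address[order["address"]]) >= address_threshold:
            # Drop House: one delivery address used by many distinct customers.
            flags[c["id"]].append("shared-delivery-address")
        if (c["type"] == "advanced_replacement" and not c.get("return_received")
                and c.get("days_open", 0) > ar_grace_days):
            # AR: replacement shipped, defective item never came back.
            flags[c["id"]].append("ar-return-overdue")
    return dict(flags)


if __name__ == "__main__":
    for claim_id, reasons in sorted(screen_claims(ORDERS, CLAIMS).items()):
        print(f"claim {claim_id}: review ({', '.join(reasons)})")
```

A flag is a reason to look, not a verdict: a light item genuinely can go missing, and a family can share an address. The point is that each rule forces the representative to consult a record before accepting the caller's account, which is exactly the step the methods above rely on being skipped.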
You'll see the term "AR" somewhat often in the social engineering community.

POD- "Proof Of Destruction".
Prior to sending out a replacement for a defective item, there are a number of companies who request what's called a "POD" (Proof Of Destruction) on a claim submitted by the social engineer. The representative will ask the social engineer to destroy the defective item/device by (for example) breaking the buttons and cutting the cord on the computer mouse, or drilling holes in the hard disk drive. Once that's done, the representative requests evidence by way of a photo or video that clearly shows all this, and only after he receives it and is satisfied with its contents will a replacement be dispatched. Social engineers circumvent this by getting images off Google or eBay, and then Photoshopping them (inclusive of serial numbers etc.) according to the representative's instructions. The term "POD" is used in this fashion in almost every article and post that discusses it.

RMA- "Return Merchandise Authorization".
Without going into too much detail, an "RMA" (Return Merchandise Authorization) is issued by a company to approve a refund or replacement of an item. In general terms, an email is sent to the customer with an RMA number (or tracking number) confirming the replacement/refund. The customer then writes the number on the box that the item is being shipped in, and sends it via a nominated carrier. The replacement or refund is processed by the company thereafter. Some companies have this as a mandatory step, but social engineers work their way around it by predominantly using the "Boxing Method". The RMA process does vary from one organization to another, so this should only be considered as a general guide.

C&D- "Cease And Desist".
Even though this is not very common in the social engineering sector, it's certainly worth mentioning, particularly due to the seriousness of its usage.
When a social engineer goes too far with obtaining refunds and/or replacements against a company, a "C&D" (Cease and Desist) letter is sent to the social engineer asking him to stop his SEing activity. If the social engineer ignores it and continues to perform his actions, the company who issued the letter can take legal action. As you can see, this is quite serious, and in almost every case it puts an end to the SE there and then. It can be a somewhat lengthy process when issuing a C&D letter. Although it's not strictly necessary, the company will usually first consult an attorney, and the paperwork is then prepared accordingly, which can take a while, to collect and document every detail.

SN- "Serial Number".
Very much common knowledge for advanced SE'ers, but when it's used and written as "SN", it makes very little to no sense to novice social engineers. Going by personal experience, I'd say that it's used equally as "SN" and "Serial Number". Some items, such as devices (for example, a computer keyboard and mouse), have a serial number that's unique to each one, and it's this number that identifies the device when a warranty claim for a refund is submitted by customers. Social engineers take advantage of this by obtaining the serial number (for example, off eBay) and then SEing the company as though the item is theirs. They'll say that it's defective and ask for a replacement. Given the item is still under warranty, the company will dispatch a replacement item. It's a clever tactic to SE an item that the social engineer doesn't have to begin with.

Tracking Number- "Track Delivery Location".
When a product has been purchased from an online retailer and a carrier is used to ship it to the delivery address, a "Tracking Number" is assigned to the package. It's usually sent in a confirmation email after the item has been ordered.
As its name implies, it allows the customer to track and see the location of their package at any point in time, by entering it into the tracking option on the website of the respective carrier. Social engineers find this extremely beneficial when using a "Drop House/Address" during their SE. It allows them to see precisely where their package is located, and once it's within close proximity of the drop house, the social engineer will make his way there and accept the delivery. UPS & FedEx are just a couple of the many carriers that use tracking numbers for their consignments.

Corrupted File- "Send A Damaged Image Or Video".
During the process of assessing a claim for a refund or replacement of an item, in order to complete the request, some companies ask the customer to provide a picture or video that must include (obviously) the item and other identifiable details, like its serial number and perhaps a handwritten note. Only when the image or video has been sent and fulfills the request will a refund/replacement be issued. Aside from Photoshopping an image, social engineers use online services to "corrupt the file" and send it to the company thereafter. Naturally, the company will ask for it again, and the social engineer will keep sending the corrupted file, but in a different file format each time, just to give the impression that he's making an effort to resolve the matter. He will also assure the representative that the file is working fine on his end. The majority of times, the company will give in and go ahead with the refund/replacement. A common website to corrupt any file is this.

Reship- "Ship To A Company & Then To The Address".
We're all different with the type of personal information we hand over when purchasing products on the Internet. Some people don't mind giving out their residential address, but others want it kept to themselves, and in this case, they'll use what's called a "Reship" (or "Reshipping") company rather than their own address.
Once the package has been sent by the online store, it's delivered to the reship company's warehouse, and they'll forward it to the customer's house. This is a good service to keep your real address hidden from the online store. Social engineers, however, often use it together with a "Drop Address" to double their anonymity. The way it works with SE'ers is like this: "SE > Reship Company > Drop Address". Simply stated, the online retailer sends the package to the reship company, and they deliver it to the drop address. The social engineer then picks it up from the drop address.

Receipt Generator- "Fictitious Receipt".
Many social engineers go to great lengths to succeed with whom they're SEing, and if it means falsifying paperwork to achieve their objective, they will do just that to the company who's requesting it. Such paperwork is a fake receipt created using a "Receipt Generator". This comes in the form of either a standalone tool (used on your computer), or an online website such as this. When an online store is managing a refund claim, sometimes they'll ask for a receipt/invoice from the customer to verify that the item was in fact purchased from them. When the social engineer doesn't have it (due to SEing without purchasing an item), he will use a receipt generator to produce a fake copy. It appears very realistic, with only the order number not being on company record. The SE'er will insist that he's purchased it, and the company will assume it's an administration error on their end and process the refund.

Image Metadata- "Remove Metadata When Editing Images".
It's inevitable that online retailers will dispatch defective items unintentionally, and in such instances, the customer will ask for either a refund or replacement. In order to complete the customer's request, some companies require the original "POP" (Proof Of Purchase), and once it's received, the refund/replacement is finalized.
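The "Corrupted File" and "Image Metadata" topics both turn on what a representative can learn from the uploaded file itself: whether it parses at all, and whether its metadata names an editing program or, at the other extreme, carries no camera information whatsoever. The following is an added example, not code from the guide or from any vendor, of a small JPEG inspector that asks exactly those questions. It walks the JPEG marker segments by hand (so it needs no imaging library), reads the Make, Model and Software tags out of the Exif IFD0, and looks for an XMP CreatorTool entry; the sample files are constructed by build_sample_jpeg, and the verdict strings are this example's own convention.

```python
"""Inspect an uploaded 'evidence' JPEG for the signals described above.

Added example, not part of the guide. classify_evidence() answers: does the
file parse (Corrupted File), does its Exif Software tag or XMP CreatorTool
name an editor, or does it lack camera metadata entirely, which is what a
'Save for Web' style export looks like (Image Metadata)? None of these is
proof of anything on its own; each is a reason for a closer look.
"""
import struct

SOI, EOI, SOS, APP1 = 0xFFD8, 0xFFD9, 0xFFDA, 0xFFE1
EXIF_HEADER = b"Exif\x00\x00"
XMP_HEADER = b"http://ns.adobe.com/xap/1.0/\x00"
ASCII = 2                                   # TIFF field type for ASCII strings
TAG_NAMES = {0x010F: "make", 0x0110: "model", 0x0131: "software"}


def iter_app_segments(data):
    """Yield (marker, payload) for each marker segment before the image data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 2 <= len(data):
        marker = struct.unpack(">H", data[pos:pos + 2])[0]
        if marker in (EOI, SOS):            # end of file, or entropy-coded data follows
            return
        if marker >> 8 != 0xFF or pos + 4 > len(data):
            raise ValueError("malformed marker")
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if pos + 2 + length > len(data):
            raise ValueError("truncated segment")
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length
    raise ValueError("file ends without EOI")


def parse_exif_ascii_tags(tiff):
    """Return {name: value} for Make/Model/Software found in IFD0 of a TIFF blob."""
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None:
        return {}
    ifd = struct.unpack(endian + "I", tiff[4:8])[0]
    count = struct.unpack(endian + "H", tiff[ifd:ifd + 2])[0]
    tags = {}
    for i in range(count):
        entry = tiff[ifd + 2 + 12 * i:ifd + 14 + 12 * i]
        tag, typ, n = struct.unpack(endian + "HHI", entry[:8])
        if tag not in TAG_NAMES or typ != ASCII:
            continue
        if n <= 4:                          # values of 4 bytes or less are stored inline
            raw = entry[8:8 + n]
        else:                               # longer values sit at an offset from TIFF start
            off = struct.unpack(endian + "I", entry[8:12])[0]
            raw = tiff[off:off + n]
        tags[TAG_NAMES[tag]] = raw.rstrip(b"\x00").decode("ascii", "replace")
    return tags


def inspect_jpeg(data):
    """Summarise editing traces in a JPEG's Exif and XMP metadata."""
    exif, creator_tool = {}, None
    for marker, payload in iter_app_segments(data):
        if marker == APP1 and payload.startswith(EXIF_HEADER):
            exif = parse_exif_ascii_tags(payload[len(EXIF_HEADER):])
        elif marker == APP1 and payload.startswith(XMP_HEADER):
            xmp, key = payload[len(XMP_HEADER):], b'xmp:CreatorTool="'
            start = xmp.find(key)
            if start != -1:
                end = xmp.find(b'"', start + len(key))
                creator_tool = xmp[start + len(key):end].decode("utf-8", "replace")
    software = exif.get("software") or creator_tool
    if software:
        verdict = "editor-trace"            # an editor wrote its own name into the file
    elif not exif.get("make") and not exif.get("model"):
        verdict = "no-camera-metadata"      # stripped, or never taken with a camera
    else:
        verdict = "camera-metadata-present"
    return {"exif": exif, "creator_tool": creator_tool, "software": software, "verdict": verdict}


def classify_evidence(data):
    """Verdict for an uploaded file, or 'unreadable' if it does not parse as a JPEG."""
    try:
        return inspect_jpeg(data)["verdict"]
    except (ValueError, struct.error, IndexError):
        return "unreadable"


def build_sample_jpeg(exif_tags=None, creator_tool=None):
    """Construct a minimal JPEG (SOI, optional APP1 segments, EOI) as test input."""
    segments = []
    if exif_tags:
        entries, blob = [], b""
        data_start = 8 + 2 + 12 * len(exif_tags) + 4   # header, IFD, next-IFD pointer
        for tag, value in exif_tags.items():
            raw = value.encode() + b"\x00"
            if len(raw) <= 4:
                entries.append(struct.pack("<HHI", tag, ASCII, len(raw)) + raw.ljust(4, b"\x00"))
            else:
                entries.append(struct.pack("<HHII", tag, ASCII, len(raw), data_start + len(blob)))
                blob += raw
        tiff = b"II*\x00" + struct.pack("<IH", 8, len(entries)) + b"".join(entries)
        segments.append(EXIF_HEADER + tiff + struct.pack("<I", 0) + blob)
    if creator_tool:
        xmp = ('<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:Description '
               'xmp:CreatorTool="%s"/></x:xmpmeta>' % creator_tool).encode()
        segments.append(XMP_HEADER + xmp)
    out = b"\xff\xd8"
    for seg in segments:
        out += struct.pack(">HH", APP1, len(seg) + 2) + seg
    return out + b"\xff\xd9"
```

Used on a real upload, "unreadable" on two successive submissions in different formats is the Corrupted File pattern and should move the claim to manual handling rather than to approval; "editor-trace" or "no-camera-metadata" on a supposed photograph of a receipt or a destroyed device is not proof of editing, but it is the cue to ask for the original file straight from the phone, or to fall back on the order record instead of the image.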
A social engineer who doesn't have the POP will create one using Photoshop and send it in the form of an image file, but a proficient SE'er knows precisely what to do "prior" to sending the file. When an image is edited, particularly in Adobe Photoshop, it will show the changes when viewing the metadata (information about the image). The company can easily examine this and determine that the POP is in fact fake. To prevent this, the social engineer will strip the metadata by using an online tool, or save the image in a systematic manner in Photoshop itself by choosing "File > Save for web", and then selecting "JPEG". As an added precautionary measure, he'll change the "Copyright and Contact Info" to "None", thus leaving no indication that the image has been altered.

Investigation- "An Official Inquiry By The Company".
Every online supplier differs to some degree in the way they address and process refund and replacement claims, but a very common approach with the majority of retailers is to open what's called an "Investigation". Here's what I mean. When a customer calls the company and tells them that he did not receive the item/package that he ordered, the company will open an investigation and cross-check with their carrier to see if they did in fact deliver it. The carrier's records will determine the outcome. An investigation is part of their protocol to simply move forward with the claim. Social engineers are well aware of this and use the "DNA" (Did Not Arrive) method, by using a fake signature on receipt and then saying that the package wasn't delivered. The company's investigation can determine that the package was "delivered"; however (because of the fake signature), they cannot say for sure that it was "received" by the social engineer. The investigation is then deemed inconclusive, and the social engineer is issued a refund.

Police Report- "Filing A Report With The Police".
Further to the topic right above this, pertaining to a company opening an investigation, they could also ask the customer to obtain a "Police Report" to help with their inquiry. Amongst other reasons, the police report is often requested when the customer says that the carrier did not deliver the package to his home. It's basically nothing more than a bit of paperwork to say that everything the customer has said is true and correct to the best of his knowledge. When the report has been filed and the investigation is complete, the customer's claim is then processed. Elite social engineers are well informed about all this, and also know that the report is not legally binding, therefore they have no hesitation in obtaining one from their local police station. Because of this, the social engineer continues to use every SEing method mentioned above.

Item Contains Blood Method- "Avoid Sending Item Back".
Health and safety is taken very seriously by businesses of all shapes and sizes. It doesn't matter if it's a multi-billion dollar organization or a small family-owned company of only a handful of employees; they must comply with the applicable law. Social engineers know all about this, and use a very clever method to avoid sending back an item to a company that they're SEing for a refund or replacement. To do this, they say that they cut themselves when opening the box to take out the item and, as a consequence, the item was covered in blood. Regardless of how well the item is cleaned and disinfected after the event, the majority of companies are not permitted to accept it as a return. For this reason, there is no choice but to offer a refund or replacement to the social engineer.

Cross Shipping- "Send Defective Item & Receive New Item".
There are many options used by companies when dispatching customer orders and receiving warranty claims, and each is based on the customer's circumstances at the time. One of these options is called "Cross-Shipping".
There are a few steps involved, but for the simplicity of this article, it's basically when a company ships (delivers) a package containing the replacement item at the same time the customer sends their package containing the defective item. Essentially, the company gets the defective item, and the customer gets the replacement item. That's how it works in a legit environment, but not in the world of social engineering. Instead of sending the item back, the social engineer will send an "empty box", and because the company dispatches the replacement at the SAME time, the SE'er knows he'll get it without fail. The "Box Method" is always used for Cross-Shipping.

VCC- "Virtual Credit Card".
Before I begin explaining how social engineers use this to their advantage, you need to know what a "VCC" (Virtual Credit Card) is. Unlike your physical (plastic) credit card, a virtual credit card is simply a number that's associated with your real card. Think of it as a disposable card: if anything happens to it, just get a new one. Generally, it can only be used once and cannot be traced to the real card. A VCC can be used for online purchases just like a normal credit card, and no one can tell the difference. Now this is how social engineers use it. When the company issues an "AR" (Advanced Replacement), they will put a hold on the card. So if the item is not sent back, the company will charge the card for the cost of the item. Because the VCC is a disposable card, the social engineer will "cancel" it, so the company cannot draw any funds from it and the SE'er doesn't pay a single dime. The process is a lot more complex than this, but I'm just giving you a simplified example.

Disposed The Faulty Item- "Avoid Sending The Item Back".
In the event you purchase an item from the Internet, be it a pair of headphones, a computer keyboard or a rechargeable toothbrush, it doesn't always come shipped in a faultless condition.
Some items are completely nonfunctional, and just about every retailer will ask to return the faulty item in exchange for a refund or replacement. Although this particular method is not too common, social engineers use the "Disposed The Faulty Item" method. When the company requests its return, the SE'er will say something along the lines of "The toothbrush blew up when my son was using it, and for safety reasons, I immediately threw it out". Of course, he did nothing of the sort. As mentioned above, companies take "safety" seriously, and in this case, they'll send a refund with no questions asked. When used in this context, this method works on almost every occasion.

Received The Item As A Gift- "Avoid Sending POP".
As mentioned in the "POP" (Proof Of Purchase) topic a few articles above this, before a company can issue a refund or replacement for (for example) a faulty item, the customer must provide the POP. This is simply to verify that the product was purchased from the company in question. When a social engineer wants to refund an item that he doesn't have to begin with, he'll avoid sending the POP by saying that he "received the item as a gift", and that the gifter didn't see the need to keep it, so he also doesn't have the POP. The company will then ask to return the item, and all the social engineer has to do is use the "Box Method", as though the item was stolen during transit. He'll then receive a refund for a product he didn't acquire. This is a simple, yet very effective method when used as stated.

Wrong Item In The Box Method- "Send A Different Item".
Seldom do manufacturers pack an incorrect item in the box during manufacturing & shipment, but given we don't live in a perfect world and human error is unavoidable, it does happen on the rare occasion. That is, the customer will order something online and receive the correct "box", but containing a different "item". This favors social engineers considerably.
If the manufacturer can make a mistake and pack the wrong item, so too can the social engineer, by saying that he's received a completely different item to what's described on the box. Advanced SE'ers make it appear very realistic. For example, let's assume a HDD (Hard Disk Drive) was ordered from an online retailer. Upon receiving the delivery, the social engineer will say that a "computer mouse" was in the box. Can you see the association? Both the hard disk & computer mouse are "IT/tech related", so it's more likely than not for the manufacturer to pick & pack a wrong item from the technology section of their warehouse.

Similar Item In The Box Method- "Send Almost An Identical Item".
Almost the same as the topic right above this regarding the "Wrong Item In The Box Method": manufacturers/suppliers can make errors when picking and packing products prior to dispatch, particularly when two or more items are very similar in appearance. Sure, they're scanned and identified by their respective serial numbers, but all it takes is a momentary lapse of concentration, and the scanned item is not the one that was packed and shipped. To a social engineer, this is known as the "Similar Item In The Box Method", whereby they receive a delivery of the correct item from an online retailer, but swap it for an "old similar item" they have lying around the house. They'll contact the company, claim that the item is defective and receive a refund or replacement. This is actually the social engineer's preferred method. Why? Well, a company may open the returned box and, rather than scanning its serial number, have a quick look, see that its appearance matches the description on the box and accept it thereafter.

Broken Glass Method- "Item Smashed When Received".
Anything can happen to a package during shipment when ordering from an online store: it can get lost/misplaced, its contents stolen in transit, or damaged to some degree.
The latter (damaged) is what social engineers take advantage of when ordering "particular" items. Notice the operative word, "particular"? That's because the SE'er is selective with the nature of the item, namely those that are shipped in bottles, such as perfumes and cologne. They're susceptible to breakage, and because of this, there's very little a company can do to deny that it happened between the time it left their warehouse and when it was received by the customer. Social engineers know all about this, and use the "Broken Glass Method" to request a refund on a bottle of (for example) cologne that arrived in perfect condition to begin with. The company usually asks for proof, such as a photo of the shattered glass, and the SE'er will either Photoshop the image, or use glass that's similar in appearance. Either way, the outcome has a very high success rate.

Food SEing Method- "Claiming To Feel Sick After Consumption".
Food (consumable) products are one of the easiest items to SE. You do not have to be a master social engineer to get either a free replacement meal or your money back after eating something and complaining straight after. How many times have you ordered takeout and it wasn't up to your expectations: not cooked properly, or stale with a very unpleasant taste? If you did in fact happen to complain, I bet you would've received another meal free of charge. When social engineers use the "Food Is Stale Method", they say that it had a bad smell and after eating it, they immediately felt extremely sick. The social engineer will always say "immediately", as this solidifies that it was that meal (and not any other) that caused the reaction. Of course, nothing of the sort has happened, but I'm just demonstrating how easy it is to get a free meal with just about any restaurant or food chain.

Human Hacking- Same as "Social Engineering".
I'm sure you know by now that social engineering is a form of hacking, but as opposed to traditional hackers using technical means to compromise a particular website or computer, SEing is achieved by manipulating the person in question. As a result, it's the "human" that's exploited, and not the device. So the terms "Human Hacking" and "Social Engineering" are interchangeable, but no doubt the latter of the two is utilized a lot more often.

Human Firewall- "Person's Defense Mechanism". Not only do devices such as computers, web servers and networks have firewalls to keep the bad guys out; you may not realize it, but you too have what's called a "Human Firewall" on a personal level. For instance, if someone tries to social engineer you over the phone with the intention of having you read out your password, your "Human Firewall" kicks in and you make the decision to keep it to yourself. This is the main purpose of social engineering- exploiting the human firewall, by manipulating the person to do things he's not supposed to do to begin with.

WHAT MAKES A GOOD SOCIAL ENGINEER: There are two types of social engineers- those with an exceptional skill set, as though they're gifted in the art of human manipulation, and others who simply seek assistance and advice from advanced SE'ers who've been there and done that. You're either the former or the latter. There's no in-between; that is, you either social engineer or you don't. But what makes a good social engineer? What are the key attributes that separate them from the rest? Well, this is where I come in and explain every element that an elite social engineer possesses to get the job done in an efficient, methodical and effective manner. Do use the content provided herein for informative and educational purposes. I do not condone using the information to perform acts of social engineering in any capacity.
Researches His Target Prior To The SE: In order to SE a person and/or the business he's employed with at the time, the social engineer MUST know what he's dealing with. For the most part, it's not possible to succeed with what I call a "blind social engineering attack", whereby he'll try to exploit his target without any knowledge of what he's up against. For example, if you're invited to a wedding 100 miles from home at a church you've never heard of nor (obviously) attended, and you don't look up directions beforehand, how do you know how to get there? Unless you research it, you don't. The same principle applies to a good social engineer. He will always extensively research his target before moving on to the next step.

Identifies & Evaluates Information: When a social engineer selects his target, be it manipulating the representative of an online retailer to obtain a refund, or pretending to be someone from the accounts department in your office to SE you for usernames and passwords, once he's "researched" his target he then needs to evaluate the information and identify all (possible) vulnerabilities. There's no point having all the details he needs in front of him if he doesn't know what to do with them, is there? The social engineer will go through every minute detail, identify all flaws and use the weaknesses to his advantage when the time comes to prepare his attack. Which brings me to my next point in the topic below.

Formulates/Prepares His Attack: Once the social engineer has researched his target, collected the information and evaluated and identified every vulnerability, the next step is to formulate (prepare) his attack based on his findings. Preparation CANNOT take place without researching and identifying security weaknesses. How so, you ask? Well, the social engineer needs to prepare his attack based on something, and that "something" is the data collected during his research. The evaluation of the data will assist in the preparation process.
The social engineer is very calculated in how he will set up his method, and once all this is done and the timing is right, he'll execute it against his target.

Executes His Attack Accordingly: This is where it all happens for the social engineer. He's researched his target and gathered the relevant information, identified and evaluated the details, and after its preparation comes the most important part- the "execution" against his target. It could be via email, live chat or a phone call. Whatever the case may be, the attack is based on the merit of whom the SEing is directed at. A good social engineer knows exactly what to do, and how to handle the person whom he's SEing at the time. The significant contributing factor that assists him with this is not only his skill set, but also all the above methodologies that ultimately define the effectiveness of his execution.

Has A Very High Level Of Confidence: The social engineer can be an absolute genius with his research and information gathering, as well as having an exceptional set of skills when preparing and executing his attack, but this means very little if he's lacking in confidence. If you're on the receiving end of being SEd on the phone by someone (being the "social engineer") claiming to be a representative of your electric company, and he is hesitant, indecisive and demonstrates signs of nervousness, what are your thoughts about the authenticity of the call? Precisely- he's not who he claims to be. Confidence makes all the difference to a successful outcome. A good social engineer's confidence is second to none.

Assumes An Authoritative Figure: Generally speaking, when social engineering a company with the intention of obtaining a refund for an item that you don't have to begin with, it's the company's representative who's in charge of the conversation. He'll ask so many questions, refer to company protocol, deny requests for refunds and so forth. Basically, he calls the shots and the recipient must comply.
A good social engineer manipulates the representative by first assuming an authoritative figure (taking "control" of all communications), and then uses some degree of reverse psychology to get the representative to do the opposite. In other words, the roles are reversed- the social engineer is the person who makes the decisions.

Instantly Notices Human Vulnerabilities: Whether it's SEing physically in person or over a phone call, it's of the utmost importance for a social engineer to pay attention to everything at his disposal, with the objective of identifying human vulnerabilities in the person(s) in question. Without weaknesses, it's extremely difficult, and at times impossible, to manipulate the target and SE them thereafter. A good social engineer analyzes the context of the conversation (over the phone), and the actions and body language of his target (in a physical environment), for vulnerabilities that will allow him to execute his exploitation. One false move or a slip-up by the target could be the gateway for the social engineer to achieve his goal.

Perseveres With His Objective: In the profound mind of an elite social engineer, there's only one thing that he seeks to achieve, and that's circumventing the human firewall to ultimately fulfill his objective. Depending on the complexity of his attack, he will encounter a number of difficulties that prevent him moving forward, but this is only short-lived. What differentiates a good social engineer from the rest is "perseverance". He will do whatever it takes to get what he's after, and if that means shooting off 20 emails or making just as many phone calls to successfully SE his target, he'll do just that. In the social engineer's mind, the term "no" is not in his vocabulary, nor is any form of negativity.

Is Well Prepared For The Unexpected: Regardless of how well a social engineer has researched his target and prepared and executed his method, things don't always go according to plan.
Initially, he does not know the degree of difficulty that's required to succeed. His target could be resisting a range of attacks, but a good social engineer is always prepared for the unexpected. For example, if he's SEing his target to refund an item and all of a sudden they request a POP (Proof Of Purchase), which he obviously doesn't have, he'll kindly comply but send a "corrupted file". No doubt they'll request it again, and he'll keep sending corrupted files, but in a different format each time. This gives the impression that the social engineer is doing everything on his part to resolve the matter. He'll also assure them that it's working fine on his end. Eventually, his target will give in and issue the refund.

He Is Very Selective With His Wording: I've always stood by the saying "it's not what you say, but how you say it", and this is a key element of a social engineer's attributes. Can you imagine he's SEing his target on the phone as though he's from their credit card company and says "Hey, gimme your name and address so I can whack it into the PC and your account's gonna be fine"? As opposed to "Hello, my name is John Smith and we're doing a routine security account upgrade for all our customers. For verification purposes, may I please start with your full name and date of birth". Which of the two sounds more convincing? Enough said. The social engineer will study the company's terminology, identify how communications are generated to their customers, and will apply his wording based on his findings.

Finishes The SE On A Good Note: One of the most essential aspects of social engineering is to not raise suspicion at any point during the attack. The moment it happens, it can subsequently result in a failed attempt.
Be it physically gaining unauthorized access to a restricted area on the third floor of a building, live chat with a representative of a major retailer, an email message, or a phone conversation- the social engineer will always end it on a good note. In doing so, there's no cause for concern by the person(s) involved, nor the need to question the social engineer's movements. A simple "Thank you, have a wonderful day" to conclude is sometimes enough to solidify the SE attack.

Plans Subsequent SEs With Good Timing: For the purpose of this topic, I'll use the example of SEing online stores for refunds and replacements. Obviously, this applies to every SE, but it's beyond the scope of this article to cover the lot. When the social engineer submits a claim for a refund or item replacement "multiple times", the timing between each SE is crucial. Allow me to explain. If he's made "four" refund claims in as many days, against the same online store, for a package that (seemingly) didn't arrive at his house, it's almost certain that the SE will fail. How so? Well, it's extremely unlikely that a package goes missing four days in a row. However, if the social engineer has spread out the timing of his claims to once every 6-8 weeks (and received legit purchases in between), it's not likely to raise any suspicion.

Sets His Limit And Sticks To It: As with everything in life, there's a limit to what we aim to achieve and how we go about doing it. Pushing it too far can have a negative impact and affect the end result, thereby defeating the purpose of its intention. The same applies with social engineering. It's imperative to set a limit and, no matter what happens, stick to it. A good social engineer does exactly this- he knows what he's after and how to get it, and the moment he accomplishes his task, that's when it comes to an end.
It's very easy for "greed" to take over and override his mindset (which is the biggest mistake a social engineer can make), but this is not part of his equation. Why do you think he researches his target and prepares his attack? It's this that determines his goal!

Adapts To The Environment Of Whom He's SEing: Manipulating the person on the other end to perform tasks as per the social engineer's intentions requires a calculated and systematic approach, which must also be executed according to the environment of whom the SE pertains to. Let's assume the social engineer pretends to be someone from the accounts department in your office, but realistically, he's sitting on his couch at home. His plan is to get the user information of an employee by calling you and saying he cannot access any details because his system is down, and he urgently needs it to finalize the employee's contract. It's absolutely paramount that he sets his environment to suit the nature of the SE- in this case, office conditions. It won't be convincing (and "will" fail) if there's a dog barking and a baby crying during the call! He'll have phones ringing, keyboards tapping, people talking, etc. And all this is achieved by simply visiting YouTube, entering "Office sound effects" and playing it in the background. Try it for yourself; there are pages of search results.

Keeps Critical SEing Information To Himself: Irrespective of who is being social engineered and the scale of the organization they're associated with, the fact is that information is being collected and actions are performed against the intention of the person in question. The social engineer could be after usernames and passwords, looking to gain remote access to the target's computer, or SEing their gas company for details on the account- whatever the reason, a good social engineer always keeps critical information to himself. This can include his target's full name and address, confidential company data and so forth.
It's very easy to brag about a successful SE, and just as easy to be identified as the person responsible for the attack somewhere down the track, thereby potentially having serious consequences.

Selects The Method & Gateway He's Comfortable With: When you get to the very last topic of this entire article, named "Social Engineering Methods And Attacks", you'll see that there are a number of "methods" used by social engineers against their target. You will also see that SEing can be performed via a few gateways- phone call, email, in person or live chat. There are no hard and fast rules as to which method and gateway to use; however, given they're all different to each other, a good social engineer will opt for those he's most comfortable with. This significantly increases the likelihood of a successful result. To give an example, if he's not too confident over a phone conversation, he'll send an email instead, which gives him all the time in the world to think of what to say. Similarly, if he's not at ease using the "DNA method" to refund an item, he will choose the "wrong item received" method- both of which will ultimately achieve the same result.

Does Not Complicate The Social Engineering Attack: The equation is pretty simple for a proficient social engineer- keep the method as simple as possible, yet extremely well prepared and executed. In other words, he does not complicate the SEing attack with extra information that's not really needed to begin with- he'll use just enough info for the SE to succeed. It's like when the police arrest someone and say "You have the right to remain silent...". The smart thing is to do just that and not say anything that can be used against the individual in question. It's the same principle with social engineering. The more information that's given to the person who is being SEd at the time, the more the SE'er will have to remember (and answer to), therefore increasing the probability of contradiction.
Why give extra info when you don't have to? A good social engineer formulates his method with only the bare necessities required to execute the attack successfully. Nothing more, nothing less.

TRAINING, AWARENESS, SKILL SET, KNOW-HOW: As per the above title, my motto pertaining to social engineering is pretty simple: T.A.S.K. Believe me, as you'll read a little further down, if you haven't applied this effectively, it can be quite an arduous "task" to identify, evaluate and fend off a social engineering attack! The art of human hacking and manipulating the person on the other end into giving up information or doing tasks they're not supposed to do is a VERY powerful technique used by social engineers. You must be prepared and have the skill set to recognize and defend both yourself and everyone involved. Unfortunately, there are no hard and fast rules nor any textbook methods to prevent social engineering in its entirety. Each attack vector is different to some degree, and if you're not trained to see the warning signs there and then, you could be handing over critical information without even knowing it.

T.A.S.K is defined as follows:
T- Training
A- Awareness
S- Skill set
K- Know-how

You receive the Training, your Awareness has kicked in, you've acquired the Skill set and you ultimately have the Know-how to defend against social engineering attacks. So remember T.A.S.K. This is your key to protecting yourself and any associated entity against SEing. These all work hand in hand- you cannot disregard one and skip to the next. Collectively, they form the equation of a perfect formula in an anti-social engineering environment. To give you an insight and a clear understanding of what's involved and how you should apply each one accordingly, I shall briefly cover T.A.S.K respectively, beginning with Training. This can be viewed from both a personal and a business perspective.

(1). TRAINING: This is where it all begins.
Whether you're viewing this from a personal or a professional (business) standpoint, it's vital to receive the appropriate training to help identify and stop a social engineering attack before it proceeds further. However, it's not as simple as organizing a meeting at work and having every employee listen to the advice given by the social engineering expert. How so? Well, how effective and accurate is the training? How competent is the person in delivering the information in a clear and comprehensible manner? There's no purpose in being lectured if the speech is inaccurate, cannot be understood, and the trainer's skill set and knowledge are at a minimum. If it's your workplace that you wish to protect, be sure that the person who will train your staff is well and truly capable of doing so.

(2). AWARENESS: You and/or your workplace personnel may have received all the training they need, in a very accurate and effective fashion, to combat social engineering attacks, but what happens if a handful of people were half asleep during the lecture? Or they were playing around with their cell phone at the time and paying no attention? Training is one thing; being aware and "absorbing" the information given is something else. "You can't give what you don't have", meaning if your awareness levels are next to zero, all the training in the world will have no impact on your capacity to be switched on during a social engineering attack. Stay alert when being trained, take notes and, if in doubt, ask questions. Reiterate everything you've learnt and documented until you're "fully aware" of what you were told.

(3). SKILL SET: Now that you've received the training and you were aware enough to absorb it to its full potential, this is where your skill set "begins" to develop. Notice how I've quoted "begins"? That's because you CANNOT, and will not, acquire the skill set over a session or two of social engineering lectures.
It takes a lot of time and real-life experience to build your skills to the point of becoming an expert yourself. As mentioned, every SE is different- no two are a carbon copy of each other- so the more social engineering attacks you come across, the better your skill set becomes. To help move things along, ask a few friends or work colleagues to SE you at random dates and times. It could be anytime between now and 6 weeks down the track. Take note of how effectively you handled the attack and where you can improve.

(4). KNOW-HOW: After, and only "after", you've acquired all the above, namely the Training, Awareness and Skill Set in their respective order, will you have the Know-How to defend against social engineering attacks on every level. As mentioned earlier, T.A.S.K works hand in hand- you cannot ignore one and skip to the next. They need each other to achieve the end result of formulating the perfect ingredient that eventually solidifies your social engineering defense mechanism. When you're at this (Know-How) stage, you'll find that it all comes together naturally. That is, it's not something that you need to sit there and think about; rather, you'll act instinctively when you're experiencing an SEing attack. Now that you have T.A.S.K under your belt, and on the grounds that you're engaged in a business/workplace environment, it's crucial to pass your knowledge on to the applicable personnel by way of lecturing during scheduled meetings.

Now that T.A.S.K is complete and clearly understood, the topics covered from this point forward are as follows:
Social Engineering Prevention On A Personal Level.
Social Engineering Prevention On A Business Level.
Social Engineering Methods And Attacks.

Where applicable, I've used an offensive and defensive approach- because at times you need to perform your own (offensive) SEing to defend against SEing. So let's get this started by addressing the above topics in that very order.
Before I begin, here are a few common computing terms used throughout the entire article that you should familiarize yourself with.

ISP- "Internet Service Provider". Although this has no association with social engineering, given it's just about always used in its short form, "ISP", it's imperative to know the denotation of its literal meaning. Simply put, your Internet Service Provider does just that- provides you with a gateway to access online content. Sure, this is common sense for the majority of users; however, not everyone is equally informed, especially when reading it in its abbreviated format.

IP- Short for "Internet Protocol Address". Once you've selected your ISP, in order to establish an Internet connection and navigate online, your device must have an "Internet Protocol Address", more commonly known as an "IP Address". It's assigned to you by your ISP. Every connection has an IP and no two are alike- each and every one is different. This is what identifies you online, namely the external/public IP address that's used to connect from one website to another.

IRC- This means "Internet Relay Chat". Of all communication services, IRC is one of the oldest, yet still widely used, means of communication on the net. To use it, you can either install a client program on your computer, or use a web-based client by registering an account and logging in thereafter. Either way, you'll be up and running in no time at all and communicating with everyone on the IRC chat server.

MM Service- "Middle Man Service". If you're part of a community on a popular Internet forum, such as a hacking board, you'll know exactly what this is. For those who've never heard of a "Middle Man Service", it's basically used for purchases within the confines of an Internet community. The MM is a trusted user who acts for the buyer and the seller, by holding the funds and ensuring the buyer gets the product and the seller gets his money.
So when you read "MM" in this respect, it stands for "Middle Man".

Pen Testing- "Penetration Testing". You've probably come across the term "pen testing" (also used as "penetration testing"), and given very little thought as to its usage and how it can benefit the overall security of your business. Put simply, penetration testing evaluates the security of a PC, network or organization in an attempt to find and exploit vulnerabilities, with the objective of determining whether malicious activity or unauthorized access is possible. If you're reading security articles, you're sure to find the term "pen testing" somewhere in their documentation.

2FA- Referred to as "Two Factor Authentication". Everyone who has a registered online account should be well aware of "2FA" and its security benefits. Almost every website refers to it as 2FA, rather than its elaboration of Two Factor Authentication. How this works is that it adds an extra layer of security by requiring "two factors" of authentication to log in to your account. The first may be a password, and the second is a security code sent to your cell phone. Only when BOTH of these are entered into the login page are you able to access your account.

SOCIAL ENGINEERING PREVENTION ON A PERSONAL LEVEL: Note: Although this can be used as a general guide and applied to all types of environments, the following articles pertain to social engineering protection and preventative measures on a personal level. You will learn how to identify and protect yourself from SEing attacks in the cyber community, as well as from a physical, face-to-face standpoint. Your devices, such as a cell phone and PC, are obviously also part of the equation, hence those platforms are covered accordingly. Evidently, you will find that some topics are irrelevant to your circumstances and overall usage; however, do take the lot under advisement- you may not need it now, but find that it's applicable at some point in the future.

(1).
The Good Old 'Your Computer Has A Virus' Phone Call: As far as I can recall, one of the oldest tricks in the book to social engineer the end user into executing tasks on his/her PC is the good old phone call saying "Your computer has a virus". Whilst there are many reasons behind this, a well-known objective is to lure the user into navigating to a website and clicking on a malicious link provided by the attacker. Depending on the nature of the deceptive site, the attacker can either gain remote access to the user's PC and have full control thereafter, or trick the user into logging into their online banking and transferring funds to the attacker's account. I've personally experienced this, and although I instantly identified the caller as a scammer/SE'er, I must say it did sound rather authentic- with phones ringing and keyboards tapping away in the background, typical of an office environment. I can confidently say that the average PC user can easily fall victim. If you receive a phone call similar to the above description, do NOT comply. Immediately terminate the call.

(2). Social Engineering With Phishing Email Messages: I'm sure you've come across an email at some point requesting that you update your bank account details by clicking a link, or claiming that your long-lost superannuation funds are ready to collect once your full name, date of birth and credit card details are provided. This is typical of what's called a phishing attack. It's a form of social engineering, with the intention of grabbing your personal information by tricking you into logging into a phishing website. Once you've done that, your login credentials are sent to the attacker. I don't need to elaborate on what happens next. To help prevent falling victim, always check emails for suspicious links, typos, the context of the email address, the email subject and the email header, and use Google to see if any similar emails have been reported.
If you're still not sure, call the entity which the email relates to and ask whether they're the ones who sent it. Whatever you do, do NOT click on any links nor open any attachments. Once you've 100% identified it one way or another, you can then take the appropriate action.

(3). Receiving Random Or Unknown SMS/Text Messages: On the same principle as phishing emails (mentioned right above this), the same can be said when receiving a random or unknown text message. How many times have you received an SMS that either informs you that you've won a prize, or asks you to provide your personal details? Me too, and I still receive them from time to time. Almost everyone nowadays owns a cell phone, and social engineers are well aware of that, which is why this type of attack is so powerful. Allow me to elaborate. You receive a message claiming that Facebook is performing its routine security maintenance, and that you need to verify your account details by replying with your login credentials. The message appears so genuine- even the sender is titled "Facebook Support Team". If you reply, say goodbye to your Facebook account! Let me tell you, Facebook will never request such information over a text message. Do NOT respond to such messages.

(4). Telemarketers And Their Social Engineering Tactics: Most of us receive phone calls on a daily basis, either from family and friends, or from an unknown entity asking a few questions here and there. While this (questions) may seem like a normal telemarketer trying to make a living, the underlying truth is that it may be a ploy to social engineer you into giving up sensitive information. The phone call may come in the form of (seemingly) offering you a better deal on your electric bill. During the conversation, in order to check your current bill and compare the rates, you're asked to provide your family and given name and date of birth. That's it- your identity can be built within 10 minutes!
See how easy it is to grab your details by assuming the role of an electric company representative? There are instances where your "real" electric company will call, so either call them back, or ask them to read your account number from the bill as well as the amount that was paid on the last one. If it's a legit call, they'll have no hesitation in complying with your request.

(5). Verify Phone Numbers & Emails Using Reverse Lookups: It's a given that we inevitably receive emails and text messages without knowing where they originate, and will continue to do so indefinitely. The same with phone calls- how many missed calls have you received from unknown numbers? I'd say it's safe to assume you've lost count! In most cases, simply viewing the nature of the text message or the context of the email's contents is enough to determine the next course of action. Even a Google search on the phone number can provide an array of information, but what if you wish to find out more about the sender? Well, you can do this by performing what's called a reverse email and reverse phone number lookup. Both these services attempt to reverse the process by identifying the sender. They can (in some cases) reveal the family and given name and possibly their address- residential, business or otherwise. To do all this, please refer to the Information Lookup category on this website.

(6). Always Verify The Person By Asking For Their Identification: Whether an unexpected charity worker knocks on your front door, or the plumber you've organized to unblock your kitchen sink has arrived, make it a habit to ask for identification. Sure, you're the one who called the plumber, but is it simply a matter of coincidence that someone else happens to show up around 30 minutes prior to the real guy?
Yes, I agree that the likelihood of the latter happening is slim, but having said that, all it takes is for a social engineer to randomly turn up at your property and ask "Did you call for a tradesman?". Due to the timing of the event, what would instantly come to mind? Correct- it's the "plumber". And what about the charity worker asking for a donation? Is he/she really who they claim to be, or someone social engineering you and everyone in the neighborhood? There are plenty of scammers who SE the vulnerable for their valuables and savings. Always verify the person by asking for their ID- regardless of how authentic they appear at the time.

(7). Cross-Check The Person's Identification Via Various Sources: Further to the above topic about the importance of requesting identification, you've done exactly that with the person who arrived at your doorstep wearing a telco uniform and offering an excellent deal on a cell phone plan. It's an offer you couldn't resist- as it was significantly cheaper than the provider you're currently with. As a result, you've completed the contract by filling in your name, date of birth, driver's license number and a few more bits and pieces. The telco guy finishes off with a "Thank you, enjoy the rest of your day" and that's the last you hear of the "so-called" deal. You guessed it, you have just been SEd, and the identification he showed you was in fact fake! He now has all your personal details, and can do a lot of damage to your reputation. Asking for ID alone does not suffice. You must also cross-check its authenticity by looking for inconsistencies like spelling errors, poorly designed and formatted text and (where possible) the name on the ID against the company it relates to.

(8).
Keep Your Personal Information To Yourself: How many times have you encountered a salesperson in a shopping mall asking you to complete an entry form with your family name, given name, address and phone number for the chance to win a nice 50 inch smart TV? In the event you win (which you almost certainly won't), this information is required for verification and contact purposes. So why not enter? After all, you've got nothing to lose and everything to gain, right? Wrong. What you've just done is disclose your personal details to someone you've never met and whose intentions you know nothing about. With the details on that form, this person can work out your date of birth and then open a bank account, register a cell phone, apply for a credit card, and the list goes on. I've known a handful of very talented social engineers who use this tactic. And don't think for a minute that it won't happen to you. It can, and probably will, if you keep handing over your details. Keep your personal information where it belongs: with you.

(9). Remain Anonymous At All Times During Online Chat: Technology has evolved to let us communicate through many different online gateways, such as IRC, Discord and of course Facebook Chat. Whilst you may think you know the person on the other end in the cyber world, never underestimate their ability to social engineer you. How so? Well, have you physically met your online friend over a few drinks at your local bar and interacted with them countless times over dinner, so that you have a very good understanding of their background and personality? If you've answered no (as most people will), then you have absolutely no idea who's on the other end of the keyboard. What seems like a friendly online conversation could be a well-crafted plan to obtain your personal information by way of SEing.
Furthermore, another user may be impersonating your cyber friend with the exact same username, or one that is visually indistinguishable from it (a capital I in place of a lowercase l, a zero for an o, or a Cyrillic letter standing in for the Latin one). Have you thought of that? Probably not. Safeguard your online chat and remain anonymous at ALL times.

(10). Protect Your Purchases On Online Forums: So you've registered on an online forum and navigated to the Marketplace section, where you've come across a member selling a cell phone at a great price. It's precisely what you're looking for, and after checking various shopping sites the member's price is the cheapest, so you contact him to arrange the sale. The payment method is PayPal, and he asks you to pay for the phone in full, after which it will be sent to your nominated address. Do NOT pay upfront! You're not dealing with a reputable company such as Amazon or eBay, but with some random member looking to make easy money. It may well be a social engineering scam, and if it succeeds you'll never see your money again. Instead, use a trusted middleman (such as the forum's admin or a moderator) who is part of the transaction. The middleman acts for both buyer and seller: he holds the payment until the buyer confirms the product has arrived, so the buyer gets the product and the seller gets the money.

(11). Communicate Only Within The Forum When Buying & Selling: Following on from the topic above, when a middleman isn't available for a sale on an online forum, it's of the utmost importance to discuss the transaction process and details over a channel the forum's staff can actually see. Do not use a chat service outside the forum's boundaries, such as Discord, Skype or IRC. The reason is that if you are social engineered and scammed, the forum's staff (namely the admin and moderators) cannot verify logs from those services, and therefore have no way to cross-check any information given in support of the alleged scam.
When the transaction is discussed through the board's Private Message system, the forum's administrators and moderators have the tools to investigate the evidence pertaining to the scam, which can significantly help to resolve the matter. So the procedure when buying and selling is quite obvious: only communicate within the confines of the forum.

(12). All Salesmen Use Social Engineering Tactics To Some Extent: Every salesman you come across uses some element of social engineering. Whether you're looking at purchasing a home, a new car or a boat, the prime focus of the person selling is to manipulate you into buying, and that is achieved by SEing you. I'm sure you've heard of a few people who've purchased a vehicle that turned out to be a complete lemon, lured into the sale because the salesman's pitch suggested otherwise. To lock in the contract, most salesmen will tell you all sorts of fanciful stories, most of them exaggerated, just to glorify the item being sold. Keep your guard up at all times. Just because he seems nice and goes out of his way to make you feel happy and comfortable doesn't mean he's looking after your best interests. He's not; all he wants is the sale. Whatever the item you're looking to buy, do your own research to establish whether it's worth the purchase.

(13). Be Mindful When Physically Assisting Those Who Request It: Unfortunately, in this day and age there are a lot of deceitful people who target their victims by watching for physical vulnerabilities and using their own "friends" as part of the social engineering attack. Allow me to create a hypothetical situation in which your handbag is taken right in front of you without you realizing it happened. Let's say you're waiting for a good friend to arrive at a nice restaurant on a Sunday afternoon.
A passerby and his partner ask you to take a photo of them, handing you their cell phone. You oblige, standing away from your seat to take the photo, then hand the phone back. While you were doing so, a third person (a friend of the couple) walked by and took the handbag you left unattended on your seat. In under 30 seconds, you've been social engineered. Say goodbye to your credit cards, IDs and whatever else your handbag contained. Be mindful of those you assist, and always carry your possessions with you.

(14). Do Not Take Anyone Unknown To You At Face Value: Social engineers operate in a very methodical and calculated fashion: their objective is first to gain your trust, and then to work out exactly how they'll get what they're after. Once you believe in what they appear to be, you have no reason to suspect malicious behavior, and you can be SEd with incredible ease. For instance, suppose you've advertised for someone to look after your baby while you're at work. No matter how nice the babysitter seemed during the interview, or how reassuring the references given for their competency and work history, do not take it at face value. A calculated social engineer will go to any length to deceive their target. Always, and I mean always, perform a background check before committing to a given person. This can include checking criminal and commercial records, authenticating their ID, confirming qualifications, and contacting referees through details you've looked up yourself rather than the ones the candidate supplied. All in all, you need to establish that the person IS who he or she claims to be. (15).
The Elderly Are The Most Vulnerable To An SEing Attack: Unlike those in their teens and 20s, who are tech-savvy (some more than others) with the latest cell phones and computers and are correspondingly aware of common scams and SEing attacks, it's a completely different story for the elderly, namely those from 65 through to around 80. In this age bracket the capacity to absorb and process new information tends to slow, particularly into the mid to late 80s, and with it the ability to identify a con artist diminishes significantly. This is what makes them a perfect target for social engineers. I've lost count of the number of times I've read reports of an elderly man scammed out of his life savings, all because a social engineer talked him into transferring a sum of money into the scammer's account. If you're looking after an elderly friend or relative who falls into this category, be sure to also take care of their personal errands and affairs, protecting them from falling victim to social engineering attacks.

(16). Be Wary Of Advertising Social Engineering Tactics: Believe it or not, every commercial you watch on TV urging you to buy a product is, in effect, trying to social engineer you. The good old "buy one, get one free" is hard for some viewers to resist, but do you want to know a fact about this supposed deal? You're not actually getting another item for free; the original price is simply raised to compensate for the seemingly free item. This is a very common SEing method among retailers and distributors. Or how about the credit card offering six months interest-free? Pretty good deal, right? Not really. What happens after six months? I bet the interest would double, just to make up for the cost of the initial free period. Again, this is a social engineering tactic to capture you and lock you into the purchase.
Be sure to read the fine print before committing to any deal or service, and always compare alternatives before making your selection.

(17). Using Catfishing To Fabricate An Identity And Social Engineer You: Like the good old "Your PC has a virus" scam used by social engineers and scammers (covered in the first topic of this section), catfishing operates by impersonating something you would trust. This type of SEing involves creating a fake profile (on Facebook, for example), made convincing with images, friends, posts, likes and so on, which is then used to lure you into giving up confidential information or to steal your funds. Here's an example of how it works. To get your attention, the attacker monitors your online activity and takes special note of your interests, job and leisure activities. He then creates a fake Facebook profile that shares those same traits and sends you a friend request. From that point onward, the objective is to gain your trust; once that happens, he'll attempt to social engineer you for personal information and/or money. Unless you conclusively know who the person on the other end of the keyboard is, never deal with anyone asking you for any type of information.

(18). Your Internet Service Provider May Not Be Who They Claim To Be: A well-known tactic used by hackers to social engineer the recipient (you) into giving up confidential information is to impersonate your ISP (Internet Service Provider). Why your ISP? In this day and age just about everyone is connected to the Internet, so it's extremely simple for a social engineer to grab your IP address (for example, by getting you to open a link hosted on a server he controls), perform an IP address lookup and read off the name of your ISP. Try it for yourself using this website. See how simple it is? This is how the attack is executed. The social engineer calls you and poses as your very own ISP, opening with something like "Hello, may I speak with the account holder please?".
You'll say "that's me", and he'll move forward with the attack as follows: "Hi, I'm Brad Tiller from (your ISP) and we've just completed our scheduled maintenance. To finalize the process, I need to confirm your account details. For verification purposes, may I start with your full name, date of birth and address...". How legitimate does that sound? It's very safe to assume that most people would comply. Guess what? Your identity can be built within 10 minutes. If you receive such a call, NEVER disclose your details. Hang up and call your ISP back on the number printed on your bill or published on their official website, not on any number the caller offers you; a number supplied by the caller simply rings the caller.

(19). The Van Pulling Over Offering Discount Items: If you haven't experienced what I'm about to describe, you probably will at some point. Regardless of our financial state, we're all after the best deal possible when looking to purchase goods, whether it's shopping at the local supermarket for the weekly groceries or going online to buy a gift for Saturday night's birthday party; money is better in our pocket than anyone else's. On these grounds, an offer for a particular product at a fraction of its retail value is difficult to refuse. It can come in the form of the good old delivery van pulling over in front of you with a heap of goods in the back while you're walking down the street. Its occupants offer you, say, a pair of expensive home theater speakers for an extremely low price, so you go ahead and close the deal. When you get home and connect them to your stereo, there's no sound. Why? Because the guys in the van were social engineers who took the actual drivers (the magnets) out of the wooden cabinets and sold you the empty boxes. Do not purchase goods from those who randomly show up. If it's too good to be true, it probably is. (20).
How Social Engineers Can Easily Pickpocket Your Wallet: It's common for a lot of people, when out and about, to carry their keys and wallet in their pockets, with the wallet namely in the back pocket of their trousers. Why not, you ask? It's in your possession and easily accessible when buying something at the local store, right? Well, if it's easily accessible to you while sitting in your back pocket and out of your view, don't you think it's just as easy (if not easier) for anyone to distract you and steal it? I thought so. A social engineer can deliberately distract you by bumping into you, take your wallet, politely apologize and quickly disappear. This can take as little as five seconds, and before you even realize what's happened, your credit card has already been used on a 52 inch smart TV that's sitting in the social engineer's living room. Do not carry your wallet in your back pocket or in the side pocket of your jacket. There are two pockets in the front of your trousers: use them.

(21). Do Not Trust Anyone In The Cyber Community: Establishing a good rapport with users, particularly once you're accepted and actively involved in a user group, is very common across all forms of online chat gateways, including (but not limited to) online forums, Discord channels and IRC. Once you've built up some trust with people you've been chatting with for months or years on end, it's very easy to let your guard down and disclose details that would otherwise be kept private. The mistake many people make is to eventually confide in users by sharing details that reveal quite a bit of identifiable information. You do not know who the person on the other end is, what their intentions are, or what they're capable of doing.
Do not, and I repeat, do NOT trust anyone in the cyber world, no matter how long you've communicated with them or how helpful and pleasant they may seem during conversations. As I keep mentioning, you don't know who the person behind the keyboard really is.

(22). Be Careful What You Say And WHERE You Say It: The conversation you have on your cell phone or face-to-face with a friend can reveal a lot about you on a personal level. It needn't involve anything private, because a social engineer does not need "personal" details to obtain your personal details. He will gather bits and pieces here and there and combine them to build a profile of you. For instance, how many times have you given your new phone number to a friend, or read it out over the phone to your electric company, while having lunch at your favorite restaurant? Anyone with malicious intent who overheard that conversation not only has your phone number but can use it to social engineer your carrier and take over the account. Once that's done, the social engineer will have (at the minimum) your full name and address. He'll then use these to find your date of birth, email address, where you work and so on via publicly available online sources. Do you have a Facebook account? That's a very good starting point. It's pretty simple: be VERY careful what you say and where you say it.

(23). Social Engineers Can Steal Your Cell Phone With Ease: Personally, I've experienced many strangers approaching me asking to use my cell phone for an emergency. I do like to help those in need, but not everyone asking is in need, namely social engineers who plan their approach with the intention of stealing your phone. Once you've handed your cell phone to someone who appears to want to make an urgent call, who's to say he won't run off with it? Or text his friend, thereby grabbing your number? Or quickly look through your personal data?
The latter two can be done within 10 seconds, simply by giving the impression of dialing a number. When a stranger asks to use your phone, don't let appearance settle the question. A suit, a clean shave and polished speech are exactly what a prepared social engineer turns up in (recall the telco uniform in topic (7)), so they are no evidence of good intentions. As a precautionary measure, make sure you're in a crowded place, keep the phone in your own hands, dial the number YOURSELF, speak with the recipient and then pass on the message to the stranger.

(24). Analyze The Conversation & Background Noise Over The Phone: When you receive a call from an unknown number and decide to answer, unless it's someone you know advising of a change of number or some other legitimate reason, you never know for sure who the caller is. Even if they assure you they're calling from a reputable organization, there's no way to confirm it there and then. What you can do is methodically analyze both the conversation and the background noise during the call. Believe me, you can establish a lot about its authenticity by comparing what's said against the nature of the entire discussion and what can be heard in the background. How so? Well, if the person claims to be a representative of your insurance company, yet he hesitates, shows signs of nervousness and there's a baby crying in the background, what does that tell you? Precisely: he is probably not who he claims to be, but some scammer attempting to social engineer you. If the caller is unknown to you and requests details of any kind, analyze the call carefully (as above) for any inconsistencies, and remember that the reverse does not hold: a confident voice and call-center background noise do not make the caller legitimate, so the callback advice given earlier still applies.
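As an added worked example for topic (5), and not code from the original guide: before spending time on a reverse lookup, it helps to pull the right identifiers out of the message itself. The Python below (standard library only) parses a raw email, compares the From: domain against the envelope sender (Return-Path) and Reply-To, extracts the first public IP the message was handed over from, and flags the mismatches that phishing mail relies on. The two messages embedded in it are constructed samples; every domain and address in them is a reserved example name, not a real sender.

```python
"""Header triage for an inbound email, as a first step before a reverse lookup.

Added example for topic (5) of the guide; it is not part of the original page.
It parses a raw message (constructed samples below), compares where the mail
claims to come from with where it was actually handed to the receiving server,
and returns the domains and public IP worth feeding into a reverse lookup.
Standard library only.
"""
import ipaddress
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Hops inside these ranges are the recipient's (or sender's) own relays, not
# the point where the message crossed onto the public Internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
IPV4_LITERAL = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def originating_ip(received_headers):
    """Return the first public IPv4 literal, walking Received: oldest-first.

    Each relay prepends its own Received: line, so the last header in the list
    is the earliest hop. Private and loopback addresses are skipped because
    they are internal relays that cannot be looked up from outside.
    """
    for hdr in reversed(list(received_headers)):
        for literal in IPV4_LITERAL.findall(str(hdr)):
            try:
                ip = ipaddress.IPv4Address(literal)
            except ValueError:
                continue
            if not any(ip in net for net in INTERNAL_NETS):
                return str(ip)
    return None


def triage(raw: bytes) -> dict:
    """Summarise the sender's identity claims and flag the mismatches a phisher relies on."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []

    from_hdr = msg["From"]
    sender = from_hdr.addresses[0] if from_hdr and from_hdr.addresses else None
    from_domain = sender.domain.lower() if sender else ""
    display_name = sender.display_name if sender else ""

    # The envelope sender (bounce address) is set by the sending infrastructure
    # and is rarely aligned with a spoofed From: domain.
    _, return_path = parseaddr(str(msg.get("Return-Path", "")))
    return_path_domain = return_path.rpartition("@")[2].lower()
    if return_path_domain and return_path_domain != from_domain:
        findings.append(f"envelope sender domain {return_path_domain} differs from From domain {from_domain}")

    # A Reply-To pointing elsewhere means the conversation goes to the attacker,
    # whatever the From: line says.
    reply_to = msg["Reply-To"]
    if reply_to and reply_to.addresses:
        reply_domain = reply_to.addresses[0].domain.lower()
        if reply_domain != from_domain:
            findings.append(f"replies are redirected to {reply_domain}")

    # A display name that itself looks like an address hides the real one in
    # mail clients that show only the name.
    if "@" in display_name:
        findings.append(f"display name impersonates an address: {display_name!r}")

    return {
        "from_domain": from_domain,
        "origin_ip": originating_ip(msg.get_all("Received", [])),
        "findings": findings,
        "suspicious": bool(findings),
    }


# Constructed sample: a spoofed billing notice. Newest Received: header is first.
SAMPLE_SPOOFED = b"""Return-Path: <bounce-9@bulk-sender.example.com>
Received: from relay.example.org ([10.0.0.5]) by inbox.example.org with ESMTP id A1; Mon, 1 Jul 2024 09:00:03 +0000
Received: from mail-track.example.net ([203.0.113.42]) by relay.example.org with ESMTPS id B2; Mon, 1 Jul 2024 09:00:02 +0000
Received: from [192.168.1.20] (unknown) by mail-track.example.net with ESMTPA id C3; Mon, 1 Jul 2024 09:00:01 +0000
From: "Acme Billing <billing@acme.example>" <alerts@mail-track.example.net>
Reply-To: acme.billing.desk@webmail.example.com
To: you@example.org
Subject: Your invoice is overdue

Your account will be suspended unless you confirm your details today.
"""

# Constructed sample: the same notice sent properly by the company itself.
SAMPLE_CLEAN = b"""Return-Path: <bounces@acme.example>
Received: from mail.acme.example (mail.acme.example [198.51.100.7]) by inbox.example.org with ESMTPS id D4; Mon, 1 Jul 2024 09:05:00 +0000
From: Acme Billing <billing@acme.example>
To: you@example.org
Subject: Your invoice is ready

Your invoice for June is attached to your account page.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SAMPLE_SPOOFED), ("clean", SAMPLE_CLEAN)):
        print(label, triage(raw))
```

The `origin_ip` and the domains in the result are what you would feed into a reverse lookup; the `findings` list tells you whether that lookup is even worth the effort. Note that none of these checks prove a message is legitimate: an attacker who controls the sending domain can make all three headers agree.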
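As an added worked example for topics (9) and (21), and again not code from the original guide: the "same username" problem is mostly about names that look the same to a human but are different strings. The Python below reduces a handle to the ASCII shape a reader perceives (compatibility normalization, removal of invisible and combining characters, case folding, and a small hand-picked confusable table, which is an assumption of this example rather than the full Unicode confusables list) and classifies an incoming handle against a trusted one as identical, look-alike or different, also noting when a name mixes scripts. The handles used in the demo are constructed.

```python
"""Classify an incoming chat handle against one you already trust.

Added example for topics (9) and (21); not part of the original guide.
The CONFUSABLES table is a small hand-picked subset chosen for this example
(Unicode's confusables.txt is far larger), so treat it as an assumption.
"""
import unicodedata

# Characters that render like an ASCII letter or digit in most fonts. Keys are
# lowercase because the table is applied after casefolding.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic a, ie, o, er
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",  # Cyrillic es, u, ha, i
    "\u0455": "s", "\u0458": "j", "\u04bb": "h",                 # Cyrillic dze, je, shha
    "\u03b1": "a", "\u03bf": "o", "\u03bd": "v",                 # Greek alpha, omicron, nu
    "\u0131": "i",                                               # Latin dotless i
    "0": "o", "1": "i", "l": "i", "|": "i", "!": "i",            # digit / letter swaps
}


def skeleton(handle: str) -> str:
    """Reduce a handle to the ASCII shape a reader perceives on screen."""
    # Compatibility normalization folds fullwidth and ligature forms onto plain letters.
    text = unicodedata.normalize("NFKC", handle)
    # Drop invisible format characters such as zero-width spaces and joiners (category Cf).
    text = "".join(ch for ch in text if unicodedata.category(ch) != "Cf")
    # Decompose accented letters and discard the combining marks (e with acute -> e).
    text = "".join(ch for ch in unicodedata.normalize("NFD", text)
                   if not unicodedata.combining(ch))
    # Fold case first so that a capital I becomes i before l/1/| are mapped to i too;
    # that way "Ivan" and "ivan" agree, and "lvan" collapses onto them as a look-alike.
    text = text.casefold()
    text = "".join(CONFUSABLES.get(ch, ch) for ch in text)
    # Letter pairs that merge visually in narrow or small fonts.
    return text.replace("rn", "m").replace("vv", "w")


def scripts_used(handle: str) -> set:
    """Scripts (first word of each letter's Unicode name) present in a handle."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in handle if ch.isalpha()}


def compare_handles(trusted: str, incoming: str) -> dict:
    """Verdict for an incoming handle relative to one you already trust."""
    if incoming == trusted:
        verdict = "identical"
    elif skeleton(incoming) == skeleton(trusted):
        verdict = "lookalike"  # different string, same appearance: treat as an impostor
    else:
        verdict = "different"
    return {
        "verdict": verdict,
        # A Latin handle with a stray Cyrillic or Greek letter is a strong impostor signal.
        "mixed_script": len(scripts_used(incoming)) > 1,
        "skeleton": skeleton(incoming),
    }


if __name__ == "__main__":
    trusted = "Gjusandros"  # constructed trusted contact
    for candidate in ("Gjusandros", "Gjus\u0430ndros", "Gjusandr0s",
                      "Gju\u200bsandros", "Gjusandros_official"):
        print(repr(candidate), compare_handles(trusted, candidate))
```

Anything other than "identical" for a contact you believe you know should be treated as a new, untrusted person until verified over a second channel; "lookalike" in particular is exactly the impersonation the topic warns about.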