During my Interaction with Intermediate and advanced SEers In the cyber world, whereby I've attended to countless questions and concerns over the years, the majority have their priorities set In the right perspective when hitting online retailers for refunds and replacement Items. Although It's expected that social engineers on that level should well and truly know most of the Ins and outs of company manipulation and exploitation, I'm quite pleased that they apply their SE In the appropriate fashion- being "research", "Item & method compatibility" and "strategic attack execution". Each and every one of those three elements, play an Integral role to help ensure the SE not only gets off to a good start, but also keep It consistently flowing In the right direction until It's finalized In the SEers favor.
For Instance, you cannot perform what I call a blind SE, where you have no Idea what you're up against, and that's when you "Research" the company's terms (and more) to establish the grounds on which refunds & replacements are Issued. When you've collected the relevant details, you'd then prepare your "Item & method compatibility" based on your (research) findings. An example of this, Is If they don't have CCTV cameras In place, the missing Item method can be used with a product that does not exceed a weight of 120 grams. It's at this point when the foundation Is set and ready for a "strategic attack execution", which essentially means that the attack vector Is hit by using all the above-mentioned Information that was gathered during the SE's preparation, hence leaving very little to no room for error.
If you've just started your career In this capacity of social engineering, you'd most likely be at a loss as to what you've just read, so I strongly suggest checking out my Beginner's Guide To SE'ing prior to continuing with this article. On the other hand, as an SE'er who's been refunding for many years to date, I'd say It's safe to assume that you've familiarized yourself with just about every facet of SEing companies on both a small and large scale, thus you pretty much know what It takes to form the perfect Ingredients In readiness for each execution. However, the moment the SE leaves your local environment, you cannot control the steps taken by representatives when assessing your claim- which brings me to the objective of this article, namely "the need to sign & return certain types of documents".
I've come across social engineers of all shapes and sizes who've SEd one particular company and just when they thought their claim was on Its way to success, the rep/agent forwarded a document asking to fill In a few details about certain events pertaining to their claim and as such, the SE'er was at a complete loss as to what he should do about It. This type of scenario has happened (and still does) quite a number of times, and that's what prompted me to write this article. If you're one of those SEers who's experienced the need to put pen to paper and Indecisive as to whether you should go ahead and sign It, rest assured, I've got you covered. I will clear up any confusion by outlining the three different types of documents that're typically generated by companies, being an "affidavit", a "statutory declaration" and an "Internal company document". But first, let's checkout why they're Issued as per the topic below.
Why Companies Ask To Sign & Return Documents:
The fact Is, every social engineer wants to have the latest Apple IPhone worth over 2,000$ or perhaps the awesome 3,000$ gaming laptop, but It's not as easy as formulating a given method, executing the attack and expect the SE to run smoothly from start to finish. SEing high value Items has Its fair share of problems- companies simply do not appreciate crediting accounts for the full cost of the retail price, or send a replacement Item at no extra charge. They want to be absolutely certain that such events are well and truly warranted. The same applies to mid value Items that are worth between 350$ - 700$. Unless the representative Is brain-dead and approves the claim with very little to no questions asked, he will assess It with a fine-tooth comb, and this Is when he'll "send you some type of document, and your claim will not move forward until It's signed & returned".
In the above case, It's the "Item's value" that deemed and justified the rep's actions to send you the paperwork, however It's not limited to cost alone. Some methods such as the "DNA" (Did Not Arrive), whereby you say that you did not receive the package that was delivered by the carrier driver, can also trigger the need to sign documents- namely due to the company's records showing that It was delivered to the correct address, but you've stated otherwise. If the package was left at your doorstep, anyone could've stolen It and as a result, It becomes a "theft-related Incident", thus you'll be asked to complete a form saying that everything you've stated (relating to nonreceipt of goods) Is true and correct.
Along with a few other bits & pieces, It will then be used to evaluate your claim but before It reaches that stage, a lot of social engineers are hesitant to sign & return It, which will lead to the claim being declined for not complying with the rep's request. I often get asked If It's okay to fill In a particular document but prior to providing my assistance, every SEer must have a clear understanding of the "three different types" (as mentioned a couple of paragraphs above) that're commonly utilized by companies. As such, they can make an Informed decision whether to put pen to paper and email It back to the company. I've provided my thoughts and recommendations on each type of document In the topics below, so let's begin with the first one being a "statutory declaration".
A Statutory Declaration:
Given that legislation and regulations differ between many countries, I cannot speak for each and every region, so what you're about to read Is based on general principles of law and not bound to any specific location. Put simply, a "statutory declaration" (also used In Its short form as "stat dec"), Is a written statement that declares that everything stated regarding the events In question, Is true and correct. Just so It can be used with some authority, It can be signed In the presence of an authorized witness such as (but not limited to) a police officer or any law enforcement agency. Depending on what part of the globe you live In, some stat decs are signed on the condition that everything you've said Is correct "to the best of your knowledge".
From a social engineering standpoint, that Is a vulnerability that can potentially render the declaration void. How so, you ask? Well, as far as you're concerned, you have signed the document "to the best of your knowledge"- be It true or false, makes no difference whatsoever. In other words, "that Is what you believed was true at the time of signing the stat dec", hence even If you've lied (which as an SE'er, you will!), no one can hold It against you- "It was believed to be true by you", and that's where It ends. The good thing about It, Is that It's not a legally binding document and because It's needed as part of the assessment of your claim, It's "generally" fine to sign and return It. I've just quoted "generally" for a very good reason as follows.
In some territories, making a false declaration can result In the person being liable and subsequently charged with perjury but that being said, the chances of this happening due to (for example) submitting a claim for a package that did not arrive at your premises, Is extremely slim. In all my years of social engineering, I've yet to experience legal action taken as a result of signing a document "to the best of my knowledge", nor have I come across any SE'er who has had their case taken to court under similar circumstances. As said In the above paragraph, It's generally okay to comply with a statutory declaration but given each SE Is taken on a case-by-case basis, It's Impossible to conclusively comment on the lot. Do take all the above details under advisement when deciding whether to sign yours.
An Affidavit:
This type of document Is a lot more serious than a stat dec, namely because of the legal ramifications that may arise If the company In question decides to pursue the matter (your SE) further by putting your claim In the hands of their solicitors. Unlike a statutory declaration that "must be signed In front of a Justice of the Peace to make It legally binding", an affidavit Is quite the opposite. In simple terms and without the legal jargon, once an affidavit Is signed, It becomes a legally binding document there and then and can be used as evidence In court. Now I'm not suggesting that It "will happen", but rather It "may happen"- should the company decide to take litigation against the SE'er. What's the likelihood of this happening? Not likely at all with mediocre SEs.
For Instance, If you're social engineering Items of low value, you basically have nothing to worry about- the cost of solicitors, court proceedings and the company's administration/Investigation team, outweighs the cost of the Item a thousand (plus) times over. For your reference, a low value Item Is anything up to around $250 or a touch higher. On the other hand, hitting high value Items worth In the thousands of dollars, Is a different story altogether- the company will take extra care when assessing your claim, just to make sure that their decision to approve the refund/replacement Is justified and Issued correctly. To help with their evaluation, "an affidavit will be generated and sent, asking you to confirm the events of your claim on paper by signing and returning the document".
In a nutshell, that's how an affidavit generally works, but the question Is "should you sign It?". I've lost count as to the number of times I've been asked the very same question and to this day, my advice remains firm- "do not put pen to paper". Sure, there's every chance that It may only be required to move forward with your claim and nothing more, but given It's legally binding and for the sake of SEing one Item (that you can start over by targeting another company at a later time), It's simply not worth the risk of signing It. Many SE'ers may beg to differ, but that's their opinion and I respect their viewpoint just as much as I respect yours- should you go ahead and comply with the rep/agent's request to verify your actions In the affidavit.
An Internal Company Document:
The third and final bit of paperwork that companies "may use" when managing and evaluating claims, Is an "Internal document" whereby (as Its name Implies) It's prepared "Internally" and Issued by the company Itself - perhaps by the account's section, HR department or the senior management team. It serves the same purpose as a statutory declaration and an affidavit, meaning It's used to say that everything you've told the company about your SE Is true and correct. But there Is a major difference with an Internal document, and that Is It's not legally binding nor does It hold the same value as a stat dec. As such, If It's solely created by the company's personnel and without any Involvement by their legal representatives, It's the least effective document of all three.
I've been SEing for a very long time (over 30 years to be precise) and during my personal experience of signing & returning Internal company documents, each and every one was required purely for administration purposes. There wasn't a single occasion that suggested further action would be taken as a direct result of the contents contained In the document Itself, so If you've received one and you're contemplating If you should sign It, It pretty much speaks for Itself- go ahead and do It. Now the way It can be Identified as an Internal document, Is when It lists "specific details regarding your claim".
For example, If you're using the DNA method and It contains something along the lines of "I hearby declare that the Information provided of my package not delivered to my home by DHL, Is true and correct", then It's been generated by the company- namely because It specifically mentions "package not delivered" and "DHL" as the carrier. Other than the company, who else will have knowledge of this? Also (and stating the obvious), check If there's a logo or some type of heading that represents the company- both are usually located at the top of the document, or sometimes at the end of the page, just after Its contents have been finalized.
In Conclusion:
Prior to reading this article, If you've been hit with any of the aforementioned documents for the very first time during your social engineering activities, It can be rather overwhelming as to why It was Issued and the appropriate course of action that should be taken on your part. Now that you've reached the conclusion and on the grounds that you've read and absorbed every word In each topic, you will be well prepared to effectively handle any or all of the three types of documents that rep's ask to be signed & returned. In closing, because every entity operates differently and Independently from each other, there will be a variation In how documents are worded but one thing for sure, Is that they still maintain the same objective- "to verify that everything you've said Is true and correct".
