Irrespective of whether you are a beginner, Intermediate or advanced SE'er, "a strategy must be In place before the attack Is executed" against each and every store/retailer you're planning to social engineer. It's not possible to perform what I call a "blind SE", whereby you have very little to no Idea of how the company operates, and then expect things to run smoothly - complications will be experienced either right from the get-go, or In the early stages of the claim's assessment - most of which will cause the SE to prematurely come to an end. Naturally, It relates to reps/agents who work strictly by the book, and not Instant approvals by chat bots, refunds on scan, or brain-dead reps who credit accounts with no questions asked.
Now If you've just stumbled on this blog without any prior knowledge of the sophisticated breed of human hacking named "company manipulation and exploitation", you'd be at a loss at to what Is documented above, hence I strongly suggest reading my Beginner's Guide to SEing as well as the SEing Encyclopedia and when finished, you can continue this article from this point onwards. Okay, on the grounds you've been hitting companies to the likes of Currys PC World, WayFair, John Lewis, Amazon etc and have thoroughly researched their terms & conditions, you'd be well aware of the Importance to Implement "Item and method formulation" - meaning, selecting a method that's compatible with the nature of the Item to be SEd - which will support the attack vector thereafter.
If the "method", "Item" and "execution" have been flawlessly prepared and launched by leaving no room for error, It will help ensure the SE heads In the right direction and remains on track to achieve the objective of every social engineer - a refund generated by the claims department, or a replacement Item dispatched at no extra cost. It's all well and good when all happenings are within the SE'ers local environment - he has full control of the SE, however the same cannot be said the moment It's executed and Is In the hands of the customer service rep - It's simply not possible to predict how the claim will be evaluated, and the type of requests thrown by the representative.
As a result, a lot of SE'ers experience difficulties with certain events that (unbeknownst to them) are In fact "standard company procedure", and they're confused as to how they should be handled and In many cases, It unnecessarily complicates matters to the point of the SE failing. For example, do you know why an "Investigation" Is opened, Inclusive of what takes place behind the scenes and most Importantly, why there's absolutely no cause for concern?. Or what to do when asked to file a "police report", or perhaps sign & return a particular "document" Issued by the rep?
Believe It or not, each of the above quoted terms - "Investigation", "police report" and "document" are all part of company protocol to continue assessing your claim, and If you haven't come across either or all of them, rest assured, I've got you covered. What you will learn from this article, Is how each one Is used by the company purely for evaluation purposes and from a social engineering standpoint, the reason(s) why they will not have an Impact on your SE, so without further delay, let's begin with a "company Investigation".
Protocol One - A Company Investigation
When companies process claims from customers who request refunds or replacement Items, they have certain guidelines and procedures that they must follow, which ultimately determines whether the claim Is approved or declined. While some (claims) are pretty straightforward and do not require additional Information, hence they're finalized with little delay, there are times when reps/agents need to collect specific details from various sources before a decision can be made. This Is when they open what's called an "Investigation", whereby as Its name Implies, the rep Investigates the claim to see exactly what's going on, and attempts to clarify why things don't add up with what the social engineer has said/provided, against their own records and/or other entities.
Due to the complexity of some Investigations, they can take up to a couple of months to complete! Yes, I've personally experienced one which took around 7 weeks, but that was In the worst-case scenario - the majority are over and done with In approximately half the time or less. There are many reasons why It can take so long, such as liaising with the carrier to check a number of details, and/or tracing the movements of the company's warehouse picking & packing activities. From an SEing viewpoint, It can be rather frustrating, and I've known many SE'ers who've given up and put an end to their SE.
If you're part of that equation, what I'd like you to understand Is that "an Investigation Is part of company protocol, and only required for administration purposes to move forward with your claim". As a matter of fact, most Investigations result In favor of the SE'er, so "when" the rep says your claim will be Investigated (yes, you will be told when repeatedly SEing one company to the next), don't panic - there's nothing to worry about, they're simply processing It, so relax and await their response.
If they haven't replied In a timely manner, call or shoot them an email asking where they're at with their assessment. Of course, communicating via live chat Is also an alternative, but only If It's a supported contact option - not every company has It. Okay, there are two types of Investigations that take place and depending on the nature of your SE, It may trigger either or both, therefore It's Important to know what each one entails, so we'll have a look at that next, starting with an "Internal Investigation".
An Internal Investigation
A lot happens behind closed doors during an "Internal Investigation" which Is completely unbeknownst to social engineers, thus It's vital to be well acquainted with the events that're mostly performed by representatives and their associates- as It will prepare you for what to expect with the method & Item you're planning to SE. Now I'm not suggesting every event will definitely occur, but rather the fact that they do exist and can be used at any moment while evaluating your claim. Here's how It generally works. An "Internal Investigation", means that the company will check the activity of your claim withing the confines of their very own environment.
In other words (and as an example), they'll examine when your order was placed, who was responsible for picking & packing It, the weight recorded In storage and also question their dispatch area to see precisely when your package left their warehouse. All that Is done "Internally" (hence "Internal Investigation"), with the Intention of trying to establish what went wrong with your order, and the steps needed to correct It. Do note that an Internal Investigation does not apply to each and every method - only those that trigger It! To give you a good understanding, I'll provide a scenario with the wrong Item received method.
It's used by saying that a different Item was In the box/package, to the one that was originally purchased. For Instance, you've decided to SE a GHD Platinum hair straightener and the wrong Item you'll be using (that you've already bought from the same company on a different account), Is a very cheap Remington hair dryer. You've also made sure "the weight of both Items match". After contacting the company and Informing the rep about the wrong Item, an Internal Investigation was opened, but as you're aware, It's standard practice under the circumstances.
The weight was cross-checked as well as their stock count, but because there wasn't a discrepancy In weight and each Item was from their Inventory, there was no evidence to decline your claim and as a result, a refund was generated shortly after. Can you see how the Internal Investigation was only used to help with their Inquiries and given your method was prepared flawlessly, there's no reason to be concerned? Good! Okay, let's rip Into the other (and final) type of Investigation as per the subtopic below.
An External Investigation
This particular Investigation Is almost certain to take place when using methods that justify It, such as the missing Item or partial method, by claiming that the Item(s) you've purchased, was not In the box/package when the carrier delivered It to your premises. Other methods to the likes of the DNA and boxing, also warrant an "external Investigation" but for the purpose of this tutorial, I'll refer to the missing Item method. In contrast to an Internal Investigation that happens within the company Itself, an external Investigation Is when Information Is requested from other (outside) sources - the most common being the carrier who serviced your delivery.
In this case, the "weight of the package", Is the main thing the company checks with the carrier to see If there's any Inconsistencies and If so, say goodbye to your SE. However, If the method Is formulated accordingly, a refund or replacement will be forthcoming. For example, let's say you've used the missing Item method on something that weighs "80 grams". The company will contact the carrier to verify the weight that was taken at their weighing facilities - just before the package was loaded Into the driver's van to be delivered to your house.
Now If you've read my guide on the missing Item method, you'd know that anything under "120 grams" will (predominantly) not register on any shipping scales and as such, the company's findings are Inconclusive. Because the product was only "80 grams", a weight variance could not be Identified, therefore they'll have no choice but to approve the claim. Yet again (and as with the Internal Investigation above), this clearly demonstrates that "an external Investigation Is routine procedure" and If your method Is well-crafted without loopholes, a favorable outcome can be expected.
Protocol Two - A Police Report
When social engineers hear or read the word "police" during their SEing activities, It's human nature to Instantly assume that they're In some sort of trouble with the law, or perhaps the Feds will bust their door down at 5:30am and start reading out their rights. I can assure you that nothing could be further from the truth. Law enforcement agencies have more Important things to do, than to waste their time and valuable resources on a one-off Incident that (for example) suggests you did not receive your package when the DNA method was used. So why do companies request a "PR" (which Is short for "Police Report"), and what do they do with It once It's received? I'll answer all your concerns and put your mind at ease.
A PR Is nothing more than a bit of paperwork to say that everything you've said (about your SE) Is true and correct to the best of your knowledge, thus It's simply required to move forward with your claim. To give you an Insight of Its usage, here's an analogy that you can relate to. If you've been Involved In a minor motor vehicle accident, the police will be contacted and when they arrive, they'll ask you a series of questions pertaining to the events that took place. To claim the cost on Insurance, a "police report will be filed", and the cops will put It on record.
Your Insurance company will then use the Information on the report (with other bits & pieces), to process your claim and repair the damage on your car free of charge. "All that Is no different to filing a police report when social engineering" - as long as your SE appears legit without any suspicion raised whatsoever, then there's no cause for concern. The PR will be over and done with and stored at the police station collecting dust, so when you're asked to hand one In, you know exactly what to do - comply with the rep's Instructions and head over to your local police station, or (where available/applicable) file a report on the Internet.
Protocol Three - Asked To Sign A Document
The fact Is, every SE'er wants to have the latest Apple IPhone worth over 2,000$ or an awesome 3,000$ gaming laptop, however SEing high value Items has Its fair share of problems - companies do not appreciate crediting thousands of dollars without being absolutely certain It's justified and well and truly warranted. As such, unless the rep/agent Is half-asleep on the job and approves the claim on the spot, he will assess It with a fine-tooth comb and that's when he'll "send you some type of document, and your claim will not proceed until It's signed and returned". In this case, It's the "Item's value" that prompted the rep to send the paperwork, but It's not limited to cost alone.
Some methods like the DNA (Did Not Arrive), whereby you've said the carrier driver did not deliver the package to your house, can also trigger the need to sign documents - namely when the package was left unattended at your doorstep. How so, you ask? Well, anyone could've stolen It In your absence - a passerby took It or maybe the neighbor did the same thing, therefore It becomes a "theft-related Incident", hence you'll be asked to complete a form stating everything Is true and correct about not receiving the package.
When that happens (package left at the doorstep), they've basically DNA'd themselves! There's no way for the company to prove that "you personally received It" and If they try and use tracking/GPS Info to verify the consignment, It's useless - tracking ONLY confirms delivery to an "address" and NOT to a "person", so the SE Is destined to succeed. With both examples In this topic - the DNA & high value Items, there are two kinds of documents that're fine to sign and return. The first Is a "statutory declaration" and the second Is an "Internal company document", also known as a "denial of receipt form". They're not legally binding per se, so they can only be used to evaluate your claim - which makes It safe to put pen to paper.
In Conclusion
After reading this entire article (If you haven't, go back and do It now!), you're now aware that a "company Investigation", a "police report" and "signing documents" (as discussed above) Is just a formality when managing and assessing claims.
Provided you are not abusing a given company by refunding one SE to the next In close timing, as well as other suspicious activities, there's nothing to fear when any or all of the said events come your way - but that's on the grounds you social engineer using common sense, good judgement and take precautionary measures from start to finish. As such, you'll find that your SE will progress with minimal disruptions, thereby It significantly Increases the likelihood of a successful outcome.
