cyber security notes module 1

The document discusses social engineering techniques and cybersecurity risks, emphasizing the importance of recognizing and avoiding vulnerabilities that can lead to unauthorized access and data breaches. It outlines common social engineering tactics, such as phishing and impersonation, and provides best practices for internet safety and data protection. Additionally, it highlights the significance of safeguarding personal data and implementing strong security measures to mitigate risks.

Uploaded by tipuraltandon

# Social Engineering Techniques

In this article, you will discover some social engineering risks and how to
recognize and avoid them.
## Understanding Cybersecurity Risks
Cybersecurity risks have emerged as a crucial concern for IT companies.
They can lead to the loss of confidentiality, integrity, or availability of
information and can adversely impact an organization's operations, including
its mission, functions, image, or reputation. Therefore, understanding and
managing cybersecurity risk is fundamental to cybersecurity strategy.
## What are Vulnerabilities?
Vulnerabilities are weaknesses in a computer or network that leave it
susceptible to exploitation, such as unauthorized access. These can include
weaknesses in security procedures, internal controls, or physical
configurations, as well as bugs that allow attackers to bypass security
measures.
## What are Vulnerability Threats?
A threat is anything capable of harming an asset or organization. Threats can
be adversarial (from individuals or groups), accidental (from users or
administrators), structural (from IT equipment or software), or environmental
(natural disasters or infrastructure failures).
## Social Engineering
Social engineering is a non-technical intrusion that relies heavily on human
interaction. Attackers often trick individuals into not following normal
security procedures, exploiting the natural human tendency to trust others.
### Common Social Engineering Techniques
1. Simple Direct Request: An attacker may directly ask for information or
data. While this method is not the most successful, it is still used.
2. Dumpster Diving: This involves searching through trash to find
discarded information that can be used for identity theft.
3. Raiding Mailboxes: Illegally opening and stealing contents from
someone else's mailbox can provide additional information to use against
them.
4. Phishing: A type of online scam where criminals send emails that appear
to be from legitimate companies, asking for sensitive information.
5. Impersonation: Attackers pretend to be someone in authority, such as IT
support or a trusted vendor, to gain access to information.
6. Surfing Company Websites: Many corporate details can be gathered
from company websites, including employee contact information and
organizational charts.
### Staying Vigilant
Social engineering techniques are constantly evolving, so it's essential to
remain vigilant to avoid becoming a victim.
## An Intruder's Tool Kit
Hackers frequently post new tools online, making it easier for them to exploit
systems. Awareness of these tools can help you implement preventive
measures and recognize hacking attempts.
### Common Hacking Tools
- Vulnerability Scanning: Hackers scan networks to identify vulnerabilities.
- Password Cracker: Programs that attempt to log in using guessed
passwords.
- Network Spoofing: Programs that impersonate legitimate systems to
collect passwords.
- Viruses and Worms: Malicious programs that infect files and spread
across networks.
- Ransomware: Malicious software that encrypts files and demands a
ransom for decryption.
- Denial of Service Attacks: Attacks that disrupt services by overwhelming
systems with requests.
## Social Engineering Defense
The human factor is often the weakest link in security. To protect against
social engineering, you must be aware of potential risks and follow security
protocols.
### Best Practices for Internet Safety
- Maintain strong security controls on network servers and desktops.
- Use firewalls to filter internet traffic.
- Regularly update IT resources with the latest patches.
- Be aware of cybersecurity risks and how to manage them.

One of the newer forms of social engineering, phishing, involves creating and using emails, messengers, and websites designed to look like those of well-known legitimate businesses, financial institutions, and government agencies to deceive internet users into disclosing personal data or information.
Phishing scams typically operate counterfeit websites that trick consumers
into revealing their personal and financial data, including social security
numbers, bank and credit card account information, and details about online
accounts and passwords.

Email and messenger attacks, such as spoofing, phishing, etc., can harm
many users. An attachment might contain a "reverse-connected shellcode"
in encoded form so that antivirus/EDR tools cannot identify it as a threat.
However, when you click on it, the shellcode "reverse-connects" to the
attacker's computer, thereby creating a valid session.

Please note that your firewall—even a security mechanism applied in the network—might allow a connection to be established.

Think before you click or open email attachments!

## 👮 What to Do When You Receive a Suspicious Email
Please be cautious when going through your emails. Test IO depends on your
security awareness.

If you receive a suspicious email, check it for the following:

- Do you know the sender?
- Have you received an email from this sender before?
- Were you expecting a message (particularly one with an attachment) from this sender?
- Does the email header (sender, subject line, attachment names) make sense? Does it contain any strange characters?
- Is it work-related, or did you initiate the action?
- Does the name of the attachment seem to match the sender and the subject line? Does it contain poor spelling and grammar?
- Does this email contain a virus? Your antivirus/EDR software will tell you this if it is installed, running, and up to date.

After answering the questions above, if you consider an unexpected email to be suspicious, you must know exactly what to do and what not to do.
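Part of the checklist above can be run by a script rather than by eye. The following Python program is an added example, not part of these notes and not Test IO's own tooling: it parses a raw e-mail with the standard library and turns three of the questions (is the sender known, are there strange characters in the header fields, does the attachment name match what it claims to be) into checks. The sender allow-list, the brand-to-domain mapping, the `.invalid` addresses and both sample messages are constructed for the example and stand in for an organisation's own lists.

```python
"""Added example: heuristic triage of a suspicious e-mail's headers (not part of the
original notes). The allow-list, brand map and sample messages are constructed."""
import unicodedata
from email import message_from_string, policy

# Stand-ins for "Do you know the sender?" (constructed; use your own lists in practice).
KNOWN_SENDER_DOMAINS = {"test-io.invalid", "example-bank.invalid"}
BRAND_DOMAINS = {"example bank": "example-bank.invalid"}
# Extensions that execute when opened; "Statement.pdf.exe" is the double-extension trick.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "bat", "cmd", "js", "vbs", "ps1", "hta", "lnk"}

# Constructed sample: display name claims the bank, address is a look-alike domain,
# the subject carries a Cyrillic "a", and the attachment hides an executable.
SUSPICIOUS_RAW = """\
From: "Example Bank Security" <alerts@mail-example-bank.invalid>
Subject: Your \u0430ccount needs verification
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/plain; charset="utf-8"

Please open the attached statement and confirm your details.
--B1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Statement.pdf.exe"

AAAA
--B1--
"""

# Constructed sample of an expected, well-formed internal message.
CLEAN_RAW = """\
From: "Project Lead" <lead@test-io.invalid>
Subject: Test cycle report for this week
Content-Type: multipart/mixed; boundary="B2"

--B2
Content-Type: text/plain; charset="utf-8"

Report attached as discussed.
--B2
Content-Type: application/pdf
Content-Disposition: attachment; filename="cycle-report.pdf"

AAAA
--B2--
"""


def odd_characters(text: str) -> list[str]:
    """Describe every character in text that is not printable ASCII."""
    return [
        f"U+{ord(ch):04X} {unicodedata.name(ch, 'UNKNOWN')}"
        for ch in text
        if not 32 <= ord(ch) < 127
    ]


def sender_findings(msg) -> list[str]:
    """Check the From header: known domain, brand/domain mismatch, odd characters."""
    header = msg["From"]
    if header is None or not header.addresses:
        return ["missing or unparsable From header"]
    addr = header.addresses[0]
    domain = addr.domain.lower()
    findings = []
    if domain not in KNOWN_SENDER_DOMAINS:
        findings.append(f"sender domain {domain!r} is not a known sender")
    for brand, expected in BRAND_DOMAINS.items():
        if brand in addr.display_name.lower() and domain != expected:
            findings.append(f"display name claims {brand!r} but address is at {domain!r}")
    findings += [f"From header: {d}" for d in odd_characters(addr.display_name + addr.addr_spec)]
    return findings


def attachment_findings(msg) -> list[str]:
    """Flag executable or double-extension attachment names and odd characters in them."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        pieces = name.lower().split(".")
        if len(pieces) >= 2 and pieces[-1] in EXECUTABLE_EXTENSIONS:
            kind = "double extension" if len(pieces) >= 3 else "executable attachment"
            findings.append(f"{name!r}: {kind} (.{pieces[-1]})")
        findings += [f"{name!r}: {d}" for d in odd_characters(name)]
    return findings


def triage(raw: str) -> dict:
    """Run all checks over a raw RFC 5322 message and return findings per area."""
    msg = message_from_string(raw, policy=policy.default)
    subject = str(msg["Subject"] or "")
    result = {
        "sender": sender_findings(msg),
        "subject": [f"Subject: {d}" for d in odd_characters(subject)],
        "attachments": attachment_findings(msg),
    }
    flagged = any(result[area] for area in ("sender", "subject", "attachments"))
    result["verdict"] = "report" if flagged else "no findings"
    return result


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_RAW), ("clean", CLEAN_RAW)):
        report = triage(raw)
        print(f"{label}: {report['verdict']}")
        for area in ("sender", "subject", "attachments"):
            for finding in report[area]:
                print("  ", finding)
```

Run it directly to see the findings for both constructed messages. The remaining questions on the checklist (was the message expected, is it work-related) still need a human, which is why the script lists findings for the reader to act on, in line with the reporting steps that follow, rather than deleting anything on its own.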

You will find one interesting phishing attempt using email in the screenshot
below.

### ❌ DON'T

- You may receive emails that appear to come from your bank, asking you to update your account by clicking a link. The link in such emails will likely take you to a malicious website. Do not click such links!
- Do not open attachments or run macros if you have opened an email from an unknown sender.
- Do not respond to suspicious emails.
- Do not forward suspicious emails.
- Do not enter your credentials after clicking links.
- Do not share your government ID information (passport number, driver's license number, etc.) with others.
- Do not click links embedded in spam emails, even if they seem secure or correct.

### ✅ DO

- The best way to deal with a suspicious or unwanted email is to report it by clicking the "Check SPAM/Malicious" button in Outlook or the "Report Phish" button in Outlook for Windows/Mac/iOS/Android and Outlook Web Access.

You can delete the malicious email after the Report Phish action is completed.

# Data Privacy

Quickly learn about Data Privacy and potential threats

## The Importance of Data Security

Throughout your daily internet routine, you can face different kinds of cybersecurity risks—threats that can compromise the integrity, confidentiality, and availability of the data and systems within an organization. Everyone at Test IO must learn to recognize these threats to protect themselves and the organization from possible attacks.

## 🌐⚠️ External Threats

External threats generally relate to potential risks and vulnerabilities that
originate outside the organization. When connected to the internet, all
computers and networks—including Test IO's network—are susceptible
to external attacks and unauthorized use or access by intruders
(hackers). They aim to steal, corrupt, or disrupt our resources, often using
techniques like phishing, malware, ransomware, SQL injection and
distributed denial of service (DDoS) attacks.
One compromised computer can affect every other computer on the
network.

## 👤⚠️ Insider Threats

Insider threats typically refer to potential risks and vulnerabilities that originate within the organization:

- Inadvertent mistakes by personnel
- Intentional misuse (e.g., access by a malicious employee outside the scope of their duties)
- Bugs in automated test scripts where the test data is a copy of production data

These can come from employees, contractors, or anyone with internal access to the system or data. These threats, whether made intentionally or unintentionally, can lead to unauthorized access, data leakage, misuse of data, alteration, or even deletion of data.

## Data categories and classes

Data categories by origin:

- Personal data—Data relating to living individuals who can be identified from that data, or from that data and other information, that is in possession of or is likely to come into the possession of the data controller
- Customer data—Data belonging to the customer
- Project/program/account data—Information created during the project/program/account lifecycle
- Company data—Information owned by Test IO

Using and sharing the mentioned data is strictly forbidden.

Confidentiality classes:

- Public—Freely shared information
- Confidential—Any nonpublic and non-strictly confidential data that, if leaked, lost, or damaged, can cause harm to the data originator, owner, company, or customer. This class includes most of the information at Test IO.
- Strictly confidential—Any data that, if leaked, lost, or damaged, can cause significant harm to the data originator, owner, company, or customer. This class of information must be protected and accessed with utmost care.

## 📁🔒 Personal Data

The fundamental principle of data privacy is safeguarding personal
information from unauthorized or unlawful access and misuse.
So, understanding what constitutes personal information helps you better
recognize it and apply appropriate safeguards when handling such data,
ensuring it is stored, used, and shared securely and in compliance with
relevant privacy laws and company policies.

At Test IO, personal data, also called personally identifiable information (PII), is any data that could potentially identify a specific individual. It is any information that can be used to distinguish one person from another and can be used to de-anonymize anonymous data.

At Test IO, PII is divided into two different levels, with different internal
processes and controls regarding their usage.

### Confidential personal data

Confidential personal data is any personal data not covered by strictly confidential personal data. It includes:

- Name
- Email address
- Personal address
- Location information
- Performance appraisal
- Date of birth
- Marital status
- Photograph
- Any other type of personal data that is not strictly confidential

### Strictly confidential personal data

Under any data privacy law, strictly confidential personal data (strictly confidential PII, sensitive PII) requires even higher security standards; if such data is lost, compromised, or disclosed without authorization, it could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual.

Strictly confidential personal data includes:

- Race or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Biometric data
- Genetic data
- Sexual activity or sexual orientation
- Health (medical information)
- Administrative or criminal proceedings and sanctions
- Financial data
- Payment/financial instrument details
- Credentials
- Personality profiles
- Government ID
- Social Security measures

## 🔒🚫 Strictly Confidential Information

Special categories of data, such as personal health information (PHI),
payment card information (PCI), and customer intellectual property,
involve highly sensitive information that, if lost, compromised, or disclosed
without authorization, could cause significant harm.

Due to the sensitive nature of this data, it is subject to specific legal and
regulatory protections. Improper handling can lead to significant penalties
and reputational damage for the company. Therefore, these categories of
data are usually classified as strictly confidential and require high levels of
protection from all parties involved.

### Personal health information (PHI)

PHI includes any information that was created and used in connection with:

- The past, present, or future physical or mental health or condition of an individual
- Provision and payment information for the provision of health care to the individual regarding diagnosis, treatment, or service, including personal information that identifies the individual or can be a reasonable basis to believe the information can be used to identify the individual

Information about an individual's health status and related healthcare payments is sensitive data that can be linked to a specific person and can cause them harm if misused. This is why it is so important to safeguard PHI. Furthermore, non-compliance with regulations governing the proper handling of PHI may have financial consequences.
### Personal Card Information (PCI)

While providing software development and support services to customers,
Test IO's developers connect to customer systems that may contain and
handle cardholder data (CHD).

Customers require Test IO to perform development and remote support activities in a PCI DSS–compliant manner.

Developers can access customers' cardholder data environment remotely via a VPN connection based on the rights granted by the customer. In such cases, rigorous controls are specified in the contract.

Test IO does not store, process, or transmit cardholder data and does not intend to move data from customers' systems to Test IO's systems.

### Customer Intellectual Property

Customer intellectual property refers to the following:

- Financial information (e.g., business plans, accounting, debt settlement, investors, assets, pricing, tender offers)
- Legal information (e.g., contracts, litigations, negotiations, intellectual property, internal organization)
- Industrial information (e.g., technological processes, technical solutions, manufacturing processes, logistical methods)
- Software technologies and methodologies (including but not limited to third-party software object code, whether in the scope of the project or not; source code; configuration files and technical and user manuals; alpha and beta versions of the customer's or third parties' software products; programming methodology; design techniques; software optimization methodologies)
- Patented and patent-pending inventions, copyrights, and written materials
- Marketing information (e.g., clients' information, strategies, advertising plans)
- Other types of information that are considered the client's intellectual property
- Photographs may contain strictly confidential (sensitive) information, particularly by revealing a person's medical state/condition or racial/ethnic origin, while certain situations merely increase the likelihood of such associations.
  - For example, a picture showing someone sitting in a wheelchair could be treated as strictly confidential since it might reveal the individual's health status. The sensitivity of such information is obvious if the photo is accompanied by other personal data such as their name, etc.

To prevent misinterpretation or security breaches, Test IO treats photographs as strictly confidential personal information.

## 📊🔍 How Personal Data Can Be Collected

The interaction below is an example of how personal data can be collected. If
you are not sure how to handle a particular type of data, seek advice from
those responsible for security and privacy at the project level
(Community Manager, Crowd Project Coordinator, and CSM) for clarification.

# How to keep your device safe for Testing

Keeping your device safe is important both for you and for our customers. In this article, we will give you some tips on how to protect your devices against viruses, data leakage, etc. Keeping your device safe also has one more benefit for you: it will always be available for testing. So keep your devices safe!

## Protecting Against Data Leakage

- Browser Security
  - Keep your browser version always up-to-date.
  - Do not save the passwords/login data in your browser.
- Strong Passwords
  - Use strong, unique passwords for all your accounts.
  - Avoid using easily guessable information such as names or birthdays.
  - Enable two-factor authentication (2FA) whenever possible.
  - If you are in a public place, shield your device while entering the password. You never know who is watching or recording your activity.
- Secure Wi-Fi Connections
  - Use strong encryption (WPA3) for your Wi-Fi network.
  - Avoid public Wi-Fi for sensitive activities; use a virtual private network (VPN) if necessary.
- Encrypt Your Devices
  - Enable device encryption on your mobile and desktop devices to protect stored data.
- Secure Your Physical Devices
  - Set up lock screen passwords or biometric authentication on mobile devices.
  - Lock your computer when not in use and use a strong login password.
  - When traveling, make sure that you don't leave your devices unattended. Use safe deposits whenever possible. Never leave your device on the coffee table even if no one is around in the cafe.
- Regularly Back Up Data
  - Back up important files regularly to an external drive or a secure cloud service.
  - Ensure automatic backups are enabled, and verify the integrity of your backups.

## Protecting Against Viruses

- Install Antivirus Software
  - Use reputable antivirus software on your desktop and keep it updated.
  - Regularly scan your devices for malware and viruses.
- Keep Software Updated
  - Regularly update your operating system, apps, and antivirus programs.

## Protecting Against Spam Messages and Emails

- Be Skeptical of Messages and Emails
  - Avoid clicking on links or downloading attachments from unknown or suspicious sources.
  - Verify the legitimacy of unexpected messages or emails before taking any action.
- Use Spam Filters
  - Enable spam filters on your email accounts to filter out potentially harmful messages.
- Avoid Unsubscribe Links
  - Be cautious about clicking on "unsubscribe" links in suspicious emails, as they can be used to confirm your email address to spammers.
- Manage Notification Settings
  - Customize notification settings on your mobile device to reduce exposure to spam messages.
- Educate Yourself
  - Stay informed about common phishing techniques and scams to recognize and avoid them.

## Additional Tips

- Review App Permissions
  - Regularly review and manage app permissions on your mobile device to limit unnecessary access to your data.
- Use Secure Messaging Apps
  - Opt for encrypted messaging apps for confidential conversations.
- Monitor Account Activity
  - Regularly check your account activity and statements for any suspicious or unauthorized transactions.

# DOs and DON'Ts in Protecting Your Testing Devices

Quickly learn the best practices, recommendations and prohibited actions

As a software tester, safeguarding your devices is crucial to ensuring the integrity and confidentiality of the projects you work on. Your role often involves handling sensitive data, accessing various systems, and ensuring software meets security standards.

This article offers practical tips for software testers, helping you secure your devices, protect your data, and maintain trust. By following these guidelines, you can minimize security risks and focus on delivering high-quality software.

## How to protect your device

To make your device safe for testing the customer environment, you need to make it secure both physically and digitally.

Steps to protect your data:

- Keep your device secure: Be careful where you store your devices, like USB drives and laptops.
- Lock your computer: Always lock your computer when you leave it, even if it's just for a short time.
- Use strong passwords: Consider using long, complex passwords for added security.
- Encrypt your files: If you have confidential files, think about encrypting them.
- Protect your laptop when traveling: Don't leave your device unattended, especially in a car or in your luggage.
- Report lost or stolen devices: If you lose a portable device or removable media, report it to Test IO Support and change your login password.

If you think your computer is infected:

- Close all programs, shut down the system, and take your computer to a certified maintenance office.

### ✅ DOs

- Set strong passwords.
- Lock your devices when not in use.
- Keep your software up to date, including your operating system and browser.
- Restrict access to your computer when you’re not using it.
- Be cautious online: Be careful about what you receive and who you talk to.

### ❌ DON’Ts

- Don’t share passwords or any sensitive information.
- Don’t leave your devices unattended.
- Don’t use outdated/unsupported software.
- Don’t allow others to access your computer when you're not using it.
- Don’t open suspicious emails or click on unfamiliar attachments or links.

## ⛔ Prohibited Activities

You are not allowed to use, store, or transmit any of the following:

- Peer-to-peer (P2P) software, like torrent clients, unless it’s authorized.
- Software for sharing copyrighted material, like music or movies, without permission.
- Pornography software or viewing pornography websites.
- Key generators and cracking software, including tools for hacking Wi-Fi.
- Anonymizers and software that bypass network monitoring or tracking systems.
- Outdated or unsupported software that is vulnerable.
- Non-standard encryption tools.
- Cryptocurrency mining software or using company resources for personal profit.
- Hacking software for attacking infrastructure or applications.

# Bug Report Attachments

What do you need to attach when submitting a bug report?

Each bug must be documented with at least one attachment. With your attachment(s), you provide evidence that the bug occurs on your device, operating system, and/or browser.

Note: Attachments do NOT replace written information in your report. Attachments are a visualization of the problem and serve as proof.

## Screenshot or screencast?

In general, functional bugs require a screencast to be illustrated properly and effectively. Unless the instructions or the team leader asks for specific attachments, use the following rule of thumb to determine whether a screenshot or a screencast is required for your bug:

- Whenever an action is required to trigger a bug or when a process needs to be illustrated, upload a screencast. Screenshots as static images are snapshots and cannot illustrate the root cause. Functional bugs will always require a screencast for that reason.
- When the nature of a bug is static, e.g. for static GUI problems, a screenshot is enough and a better visualization than a video. Screenshots should be enough for Content or Visual issues.

## General attachment requirements

- New attachments have to be created for every bug report or reproduction.
- It is prohibited to copy attachments from other bug reports or reproductions.
- Attachments must show all relevant bug information to serve as proof.
- All relevant information must be displayed in English (or optionally German if the bug report language is German), e.g. the date, time, system information, and error messages.
- You should select only one device or browser when you are reporting the bug, and upload attachments only for it. If you are able to reproduce the bug on other devices or browsers, please mention this in your Actual result.
- Don’t show any information about other Test IO customers that can be related to Test IO (e.g. invitation emails or browser tab names). Showing installed apps of other customers is permitted.
- Don't show any personal information or unprofessional data such as pictures, videos or autocorrect bad word suggestions. Remember your attachments will be available to other testers, to the Test IO staff and to the customer, so be careful with what you're showing on them.
- For website tests, the URL field must be visible on attachments.
- The resolution must be high enough so that the text and elements can be easily identified.
- Please always record your whole screen.
- A crash log is mandatory for bug reports and positive reproductions of app crashes. The video that documents the crash has to correspond to the attached crash log, i.e. timings must be coherent.

## Date and Time specific rules

- The current date and time must be visible in the attachments.
- When proving a bug via a screenshot on a mobile device, a second screenshot showing the date and time must be uploaded (battery charge and time must match with the first screenshot).
- The date can be in any common date format, e.g. DD/MM or MM/DD, in English (or optionally German if the bug report language is German).
- Time should be in a 24-hour clock, or if you use a 12-hour clock, please make sure that you use AM/PM format.

By displaying the current date on your attachment, you prove that you recorded it on that date. The following list suggests where to find the date:

- Windows: Displaying the taskbar or blending in the calendar
- Mac: Displaying the calendar icon in the Dock or the menu bar
- iOS & Android: Swipe down the notification centre at the beginning of your recording.

Further information: How-to-Geek.

## What needs to be included in a screenshot?

Screenshot-specific rules:

- The screenshot has to be in JPG or PNG file format.
- Highlight the bug on your screenshot.

We recommend recording tools and best practices in the following article: Screenshots

The most common mistakes are described in the following article: Common mistakes in the Attachments

## What needs to be included in a screencast?

Screencasts should be as short as possible but as long as necessary. This means that you should leave out steps that do not cause the bug. For example, when the “Add to cart” button on a product detail page of a webshop is defective, it is generally irrelevant how you navigated through the webshop to reach the product detail page. The last navigational step, the step that triggers the bug, and the bug itself are usually relevant.

### Example 1: Bug on the website, tested on a Desktop device

Steps to produce a screencast:

1. Go to the page where the bug occurs.
2. Start your recording.
3. Refresh the page.
4. Perform the action that triggers the bug.
5. Wait until the bug occurs.
6. Stop the recording.

### Example 2: Bug in the app, tested on the mobile device

Steps to produce the screencast:

1. Run the app and go to the page where only one more navigational step is needed to reach the page where the bug occurs.
2. Start your recording.
3. Swipe down the notification centre to show the current date for a couple of seconds.
4. Perform the last navigational step to reach the right page.
5. Perform the action that triggers the bug.
6. Wait until the bug occurs.
7. Stop the recording.

Team leaders might send you an information request
asking for an external or additional recording. This is
done to gain a better understanding of the bug or when in
doubt due to the bug being non-reproducible.
Screencast-specific rules:

- Screencasts must have the MP4 file format.
- The maximum size of the attachment is 25 MB.
- The maximum time for a screencast is 60 seconds for Bug Reports unless your bug requires showing a loading process or long necessary manual inputs.
- The maximum time for a screencast is 15 seconds for Reproductions and User Stories attachments since you must only show the last action that triggered the bug.
- Your clicks/taps/touches and the mouse icon must be visible (only required for Android and desktop recordings).
- Make your recording in one go. You should not pause, nor cut parts in the middle. If your screencast is too long and you want to edit it, only cut the beginning or the end of the file.
- Increasing the speed of your screencast is not allowed. If you recorded more than the allowed time, please check if you did not show unnecessary steps of your screencast.
- Don't record any noise (baby screaming, conversations, TV, music, pets, etc.).

We recommend recording tools and best practices in the
following article: Screencasts

The most common mistakes are described in the following article: Common mistakes in the Attachments

## Screencast-specific rules for Streaming devices

- Always record your whole TV Screen.
- Screencast should have high resolution and good quality.
- The ambient light should not be dark.
- Your TV Remote must be visible in the screencast. Also, the remote must be fully and clearly visible.
- The current date and time must be shown in the attachment. You can show the current date on the TV itself, or on some external device such as a PC, phone, or tablet.
- For Bug Reports, the maximum time for a screencast is 60 seconds, while for Bug Reproductions and User Story Attachments, the maximum time is 15 seconds.
- Don't record any noise (baby screaming, conversations, TV, music, pets, etc.).
- Screencast should always look professional, do not record your legs, messy TV stand, or similar.

# Screencasts

How do I record my screen?

## Creating Screencasts

You’re free to choose any tool to create screencasts. It’s important that you provide a .mp4 video of appropriate quality (resolution and presentation).

Your screencast should only show the action that triggered the reported bug in all situations, and you should add the last few steps to reproduce if it's a bug report (usually adding 10 seconds to the video at most). Also, screencasts that are longer than 1 minute for Bug Reports and 15 seconds for Reproductions and User Stories will not be accepted unless they are really necessary to understand the bug or the video is long because of variables you can't control (such as a slow website response).

Tip: Before starting your recording, turn off audio
recording in the settings to prevent recording any
surrounding noise (conversations, ambient music, pet
sounds, etc.) and having to re-record your bug. This way,
you comply with our rules and provide professional
results to our customers.
## Suggested tools for desktop devices

### ScreenPal (Formerly Screencast-O-Matic) (free)

- Windows & Mac OS
- Videos can be created as .mp4 files
- Up to 15 minutes per video
- Has an integrated mouse effect animation to show clicks
- Optional upgrade with more functions
- The free version leaves a watermark

### Bandicam (free)

- Windows only
- Videos can be created as .mp4 files
- Has mouse click effects (need to be enabled in Options)
- Optional upgrade with more functions
- The free version leaves a watermark

### Tools on macOS (free)

- macOS only
- No installation needed
- Has mouse click effects (need to be enabled in Options)
- Leaves no watermarks
- Recordings may have a bigger size
- The file extension needs to be changed to .mp4

### Suggested tools for mobile devices

#### Built-in screen recorder (Android 11+ and iOS 11+)

- No need for third-party apps
- Good video quality
- On iOS, you might need to navigate to Settings > Control Center, then tap the Add button next to Screen Recording to enable this option in the Control Center menu
- On Android, the screen recording button can be found on the Notification Bar

Note: For iOS, you must convert the .mov files to .mp4. You can use an online converter such as https://www.mp4compress.com/mov-to-mp4-converter/ or any offline converter, such as HandBrake (available here: https://handbrake.fr/).

#### AZ Screen Recorder (free, Android only)

- Records in different resolutions and qualities
- You can use your mobile's local IP address to access the files wirelessly from a desktop device
- You can stop the recording using different methods

#### Mobizen (free, Android only)

- Can be a bit complex to set up for the first time
- Records in different resolutions and qualities
- You must either buy the premium app or watch a short ad to remove the watermark
- Available in many languages

Alternative: Record your bug with a second device or an extra camera! Just remember to frame the entire device screen correctly while recording the video.

Note: Videos must not be edited (except for "thinking aloud" videos or if you need to blur any sensitive information).

### Best practices while capturing a screencast

- Set up the device and the app or website before starting the recording. For example, if you're going to show a bug that happens after the registration form is filled and you tap a button to go to the next step, it's best to fill in all the information (such as the name, username, email and other fields) before starting the recording, to save you some recording time.
- Avoid hovering over screen elements for too long with your finger or your mouse. This behaviour wastes precious recording time. Usually, the viewer will be focused on watching your video, so any actions taken or changes to the product will be noticed anyway.

- Remember the time limits (1 minute for Bug Report screencasts and 15 seconds for Reproduction and User Story attachments). Since editing your videos is not allowed, instead of trying to fast-forward your screencast to make it fit the limits, check whether you recorded anything that is not actually useful to understand the bug. For bug reports, normally only one or two extra steps (apart from the last one) are necessary to understand the bug. For Reproductions, you are only required to show the last step to reproduce the bug. Finally, for User Stories, you only need to show the results you got (which usually means you also only need to show the last step or action you took to complete the User Story).

- Remember to enable click and tap effects. To help the viewer understand which page elements you are interacting with, you are required to show the taps and clicks on your desktop and Android devices.

- Always watch your own screencast after submitting it. Since videos are computer files, they can get corrupted when you convert or upload them, so opening your own videos and making sure they are ready to be reviewed by others will help you avoid rejections.

- If you have the option while recording or converting your video, preferably use the H.264 codec. This is the most widely used codec in the world today and will guarantee that your screencast can be watched on many different devices.
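As an added example (not part of the original guide), the following Python script applies the rules above to a screencast before you submit it: it parses the .mp4 container's ftyp and moov/mvhd boxes to read the real duration, compares it with the limit for the attachment type, checks the file extension, and reports a truncated (corrupt) file. The attachment type names, the `check_screencast` function and the constructed sample file are assumptions made for this example, not something the guide defines.

```python
import struct
# Screencast length limits per attachment type, in seconds (from the guide above).
MAX_SECONDS = {"bug_report": 60, "reproduction": 15, "user_story": 15}
def iter_boxes(data, start=0, end=None):
    # Yield (type, payload_start, box_end) for each ISO BMFF box in data[start:end].
    pos, end = start, (len(data) if end is None else end)
    while pos + 8 <= end:
        size, kind = struct.unpack(">I4s", data[pos:pos + 8])
        header = 8
        if size == 1:                      # 64-bit largesize follows the type field
            size, header = struct.unpack(">Q", data[pos + 8:pos + 16])[0], 16
        elif size == 0:                    # box runs to the end of its container
            size = end - pos
        if size < header or pos + size > end:
            raise ValueError("truncated or malformed box")
        yield kind.decode("latin-1"), pos + header, pos + size
        pos += size

def probe_mp4(data):
    # Return (major_brand, duration_seconds) read from the ftyp and moov/mvhd boxes.
    brand, duration = None, None
    for kind, p0, p1 in iter_boxes(data):
        if kind == "ftyp":
            brand = data[p0:p0 + 4].decode("latin-1")
        elif kind == "moov":
            for sub, s0, _ in iter_boxes(data, p0, p1):
                if sub == "mvhd":
                    if data[s0] == 1:      # version 1: 64-bit timestamps, timescale at +20
                        timescale, dur = struct.unpack(">IQ", data[s0 + 20:s0 + 32])
                    else:                  # version 0: 32-bit timestamps, timescale at +12
                        timescale, dur = struct.unpack(">II", data[s0 + 12:s0 + 20])
                    duration = dur / timescale
    return brand, duration

def check_screencast(filename, data, attachment_type):
    # Return the list of rule violations; an empty list means the file passes.
    problems = [] if filename.lower().endswith(".mp4") else ["file extension must be .mp4"]
    try:
        _, duration = probe_mp4(data)
    except ValueError:
        return problems + ["file is truncated or corrupt"]
    if duration is None:
        problems.append("no mvhd box found: duration unknown")
    elif duration > MAX_SECONDS[attachment_type]:
        problems.append(f"{duration:.1f}s exceeds {MAX_SECONDS[attachment_type]}s limit")
    return problems
# Constructed sample (assumption): skeleton of a 42-second .mp4, ftyp + moov/mvhd, no media data.
def _box(kind, payload): return struct.pack(">I4s", 8 + len(payload), kind) + payload
SAMPLE_42S = _box(b"ftyp", b"isom" + struct.pack(">I", 0x200) + b"mp42") + _box(
    b"moov", _box(b"mvhd", struct.pack(">BBBBIIII", 0, 0, 0, 0, 0, 0, 1000, 42000) + bytes(80)))
```

Run `check_screencast("bug.mp4", open("bug.mp4", "rb").read(), "bug_report")` on a real recording; the 42-second sample passes as a Bug Report but fails the 15-second Reproduction limit.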
## Screenshots

How do I take screenshots of bugs?

You can take good screenshots with several tools; this list contains the basic tools of the most common operating systems.

A few things to remember though: if your bug involves an action, chances are high that a video is necessary to capture the cause and the result, and when you take a screenshot, don't forget to show the URL field in it too!

### Tools on different OS

#### Windows

- Windows 7, 8, 10, 11: Use the Windows Snipping Tool (not sure how to use the Snipping Tool? Find a step-by-step guide here)
- Bandicam - Image Capture feature (also contains a "Drawing mode" option where you can immediately highlight the bug on the screen)

#### Mac OS

Keyboard commands on macOS are the fastest and most straightforward way to take a screenshot, whether you are capturing the entire screen or a selected portion of it:

- For total screen captures: press cmd⌘ + L-Shift⇧ + 3
- For a screen section: press cmd⌘ + L-Shift⇧ + 4

#### Android

- Home button + On/Off button (older versions)
- On/Off button + volume down (newer versions)

Although all Android phones are different, the above-mentioned button sequences should do the job on most Android phones. The list of different ways to take a screenshot on Android devices can be found here. We recommend using the "ScreenMaster" application for taking screenshots, which can be downloaded for free from Google Play.

#### iOS/iPadOS

Taking a screenshot on your Apple device is as easy as pressing two buttons (literally!):

- Press the Home button and On/Off button
- Press the Side button and Volume + button

After taking a screenshot, a thumbnail will appear in the lower left corner of the screen. Tap on it to start editing your screenshot with Apple's Markup tools.
