In your role as sham bad guy, remember that an effective fraudster does not just get what he or she wants without arousing suspicion. The other objective is to make victims feel good about themselves, even as they hand over the crown jewels.
And when it comes to penetrating the workplace, playing off employee's inclination to be useful is a worthwhile strategy. After all, bosses do it all the time.
People want to feel like they are fulfilling their job duties effectively, says Dan Kaminsky, director of penetration testing at security firm IOActive. A good con artist feeds this sense of accomplishment back to the victim so that the victim is left off guard, unaware that he or she has compromised company security in exchange for feeling some momentary sense of satisfaction at having done a good job.
Do: Assume the target is at least as smart as you are
If you are going to play a conman, remember that underestimating the intelligence of your target can get you in trouble fast. Although in many cases, a social engineer can call a help desk, pretend to be a hapless user, and get a password over the telephone, you cannot always assume that will be the case.
Depending on the organisation, you might be asked for a code word or an employee ID number. Flying by the seat of your pants in hopes of outwitting someone who "just answers the phones" is no way to approach such situations. The best way to get what you want is to bring as much knowledge to the table as possible and to be aware that the person you are social engineering probably has experience parrying many of the usual tricks in the book.
This is where your advance research comes in handy: If you know the organisation requires additional proof that you are who you say you are, you can recon the kinds of countermeasures in place. Then you can formulate a way to finagle that information so that you can proceed to the next step.
Of course, that said, if you are testing a company's security arrangements, it is often a good idea to probe that all-too-often weakest link. "Any idiot can call up an IT desk and get them to reset a password," laments Winkler. "Sadly, most of the time, it'll work."