This is the second half of a two-part article. You can find the first half here.
Don't: Arouse suspicion by moving too quickly
Gaining the confidence of the target is an essential skill, but zeroing in too fast during your social engineering test can set off alarms in the target's head.
It is essential to keep a cool head and pace yourself. After all, many of those whose identity you might assume to pull off your job, a contractor, a hapless corporate user, or a disgruntled employee, do not necessarily go about their own work quickly.
Think of the process as being more like a dance than a race, says Kaminsky, one in which you are leading the victim, guiding his or her path, but avoiding a sudden shove in a particular direction. "Everyone has to perceive that you're doing what you're supposed to be doing," he says.
Don't: Put on an act that's too perfect
Somewhere between truly honest behaviour and the artifice of a ruse, people may begin to intuit that something is not right.
Academics who study human perception have a name for the point at which the mind begins to pay more attention to, for example, the slightly unnatural motion in a computer-generated animation than to the rich, lifelike detail it presents: They call it the Uncanny Valley.
Social engineering experts also refer to the Uncanny Valley: it is the moment in a social engineering attempt when everything looks and works just a bit too perfectly and therefore arouses the target's suspicion.
The solution, of course, is simple: Be imperfect. Do not be too polished or quick to answer questions. Remember, you are trying to convince your target that you are just another working Joe or Jane.
Don't: Panic if you think the game is up
If you start to get the feeling that you have aroused suspicions, stay calm. It is natural for people to lapse into rudeness from time to time when dealing with people they do not know particularly well. And besides, you have a leg up on the real bad guys, since the only bad consequence for you will be a failed test.
The most important thing to remember when you feel your blood rising is that fleeing from a target works only in the opening sequence of a James Bond movie. In real life, a look of panic or a sudden departure almost always raises a red flag and should be avoided at all costs.
There are many ways to get out of a situation quickly without giving yourself away. It could be as simple as making up a plausible excuse to get off the phone or to just calmly walk away from an irksome employee. Subdue the natural tendency to panic, and easy exits will present themselves clearly. Then you can wait a while, come back, and test from another angle.
Don't: Let the other person think about their actions too much
Interspersing requests for sensitive information with casual conversation can distract the target and help prevent them from catching on to what you are trying to achieve, especially when they are performing an essential task at your request.
"You're trying to desensitise the person to their actions," Winkler says. "Change the way the person thinks by reframing the action."
For example, if you are trying to get the target to copy some data for you, you could explain to the target that they are not stealing anything, they are just making a copy of it, and that the data will still be there when the company needs it.
"One of my strategies is to bore people to death over the phone," Winkler says, "so they give me something quickly, just to get off the phone with me."
Don't: Dawdle once you have got what you want, but do not run for the door, either
Winkler adds a subtle, but important, point gleaned from his long experience testing defences. "You probably want to move on once you've got the thing you need, but you don't want to sprint for the door if it might raise suspicions," he says. "It's a situational thing."
In other words, heading straight for the door after your target gives you the sensitive information is a sure way to raise a huge red flag and leave everyone patting themselves down to see whether they still have their wallets.
That is not to say that you should invite your target to the lunch room for a cup of coffee, either. Striking the right balance between slipping away quickly with the goods and not blowing your cover by breaking a sweat requires a keen ability to ascertain what is appropriate in any given situation. If you are going to play the role of a pro, act like a pro.
Don't: Act irresponsibly with the data you get
Professional security analysts typically perform social engineering attacks as part of a wide-ranging analysis of an organisation's overall security measures. The goal of these tests is not to demonstrate how much you can damage a company's operations, but to help the company improve its internal procedures and policies.
However, "some people perform social engineering very irresponsibly," Winkler says.
"There have been times where I saw police called, or [where a penetration tester] caused operational disruptions by changing the password of a trader at a large brokerage firm," he recounts. "The trader wasn't able to do trades because he wasn't able to log in to his system."
It is OK to enjoy the rush of pulling off your con successfully, but do not let it cloud your vision as to the task at hand.
"As a consultant, you have to know where to go, and where to stop," Winkler adds. "You can't just create the effect to say, 'Ha ha', but a lot of consultants do. In the field, people get excited and they don't [behave] professionally."
Instead of demonstrating disaster, Winkler suggests that at the end of your penetration test you simply present your findings and note any plausible fallout. For example, if you were able to obtain a username and password, provide the two pieces of data along with a list of scenarios in which the information could have been misused or abused by a truly malicious attacker, as well as the kinds of data exposed in this manner.
And it always helps to frame your prevention advice in terms of cost. "You say, 'Here's what I could have done with that password. If you would have had these things in place, you would have been able to mitigate these things at low cost.'"
Keep in mind that putting on your mask for a penetration test is more than just a matter of raising the spectre that a real social engineer could hack a particular company. If you are going to earn your pay, you will have to dig a little deeper and consult.
As Winkler says, "The message is: 'You're screwed, but there are ways to prevent this.'"