Interspersing requests for sensitive information with casual conversation can distract the target and help prevent them from catching on to what you are trying to achieve – especially when they are performing an essential task at your request as part of your social engineering test.
"You're trying to desensitize the person to their actions," Winkler says. "Change the way the person thinks by reframing the action."
For example, if you're trying to get the target to copy some data for you, you could explain to the target that they aren't stealing anything, they're just making a copy of it, and that the data will still be there when the company needs it.
"One of my strategies is to bore people to death over the phone," Winkler says, "so they give me something quickly, just to get off the phone with me."
Don't: Dawdle once you've got what you want, but don't run for the door, either
Winkler adds a subtle, but important, point gleaned from his long experience testing defenses. "You probably want to move on once you've got the thing you need, but you don't want to sprint for the door if it might raise suspicions," he says. "It's a situational thing."
In other words, heading straight for the door after your target gives you the sensitive information you've been seeking is a sure way to raise a huge red flag and leave everyone patting themselves down to see whether they still have their wallets.
That's not to say that you should invite your target to the lunch room for a cup of coffee, either. Striking the right balance between slipping away quickly with the goods and not blowing your cover by breaking a sweat requires a keen ability to ascertain what's appropriate in any given situation. If you're going to play the role of a pro, act like a pro.
Don't: Act irresponsibly with the data you get
Professional security analysts typically perform social engineering attacks as part of a wide-ranging analysis of an organization's overall security measures. The goal of these tests isn't to demonstrate how much you can damage a company's operations, but to help the company improve its internal procedures and policies, and address the weaknesses you discover.
However, "some people perform social engineering very irresponsibly," Winkler says.
"There have been times where I saw police called, or [where a penetration tester] caused operational disruptions by changing the password of a trader at a large brokerage firm," he recounts. "The trader wasn't able to do trades because he wasn't able to log in to his system."
It's OK to enjoy the rush of pulling off your con successfully, but don't let it cloud your vision as to the task at hand.
"As a consultant, you have to know where to go, and where to stop," Winkler adds. "You can't just create the effect to say, 'Ha ha,' but a lot of consultants do. In the field, people get excited and they don't [behave] professionally."
Instead of demonstrating disaster, Winkler suggests that at the end of your penetration test you simply present your findings and note any plausible fallout. For example, if you were able to obtain a username and password, provide the two pieces of data along with a list of scenarios in which the information could have been misused or abused by a truly malicious attacker, as well as the kinds of data exposed in this manner.
And it always helps to frame your prevention advice in terms of cost. "You say, 'Here's what I could have done with that password'," Winkler says. "'If you would have had these things in place, you would have been able to mitigate these things at low cost.'"
Keep in mind that putting on your pretexting mask for a penetration test is more than just a matter of raising the specter that a real social engineer could hack a particular company. If you're going to earn your pay, you'll have to dig a little deeper and consult.
As Winkler says, "The message is, 'You're screwed, but there are ways to prevent this.'"