In other words, a successful social engineering hack is no snatch-and-grab job. It requires real diligence. "If you're going to be doing this work, you have to have a detailed plan," Winkler says. "The less training you have, the more detailed the plan you have to follow."
Do: Play on common interests when conversing with your target
Spies don't just walk up to random people on the street and ask them to divulge their country's secrets. They take weeks, months, or even years to develop a rapport with a target, gradually asking them to release increasingly more sensitive information. Security experts call this process "elevating the situation."
But when it comes to social engineering, time is generally of the essence. Nobody can strike up a deep, confiding friendship in the course of one conversation or phone call. And here is where context and intuition come in.
From the beginning of your white hat social engineering hack, pay close attention to your target, assimilating as much as you can about him or her as quickly as possible. A keen sense of observation and a knack for profiling can help tip you off to topics of conversation that will resonate with your dupe. Last weekend's game, raising children, something else likely to be of interest to the victim … whatever it takes to convince the target that you share a common experience or outlook.
Proving you are a member of the same "tribe" is essential to earning trust quickly and ensuring you are more deserving of assistance than some stranger off the street.
Do: Exploit human nature
Human beings – social creatures that we are – are taught from a very early age that helping others is a worthwhile practice, especially those with whom we most identify. For the social engineer, nothing helps a black-bag job go more smoothly than the victim's innate desire to be helpful.
In your role as sham bad guy, remember that an effective social engineer doesn't just get what he or she wants without arousing suspicion. The other objective is to make victims feel good about themselves, even as they hand over the crown jewels.
And when it comes to penetrating the workplace, playing off employee's inclination to be useful is a worthwhile strategy. After all, bosses do it all the time.
People want to feel like they are fulfilling their job duties effectively, says Dan Kaminsky, director of penetration testing at security firm IOActive. A good con artist feeds this sense of accomplishment back to the victim so that the victim is left off guard, unaware that he or she has compromised company security in exchange for feeling some momentary sense of satisfaction at having done a good job.
Do: Assume the target is at least as smart as you are
If you're going to play social engineer, remember that underestimating the intelligence of your target can get you in trouble fast. Although in many cases, a social engineer can call a help desk, pretend to be a hapless user, and get a password over the telephone, you can't always assume that will be the case.
Depending on the organization, you might be asked for a code word or an employee ID number. Flying by the seat of your pants in hopes of outwitting someone who "just answers the phones" is no way to approach such situations. The best way to get what you want is to bring as much knowledge to the table as possible – and to be aware that the person you're social engineering probably has experience parrying many of the usual tricks in the book.
This is where your advance research comes in handy: If you know the organization requires additional proof that you are who you say you are, you can recon the kinds of countermeasures in place. Then you can formulate a way to finagle that information so that you can proceed to the next step.