Depending on the organization, you might be asked for a code word or an employee ID number. Flying by the seat of your pants in hopes of outwitting someone who "just answers the phones" is no way to approach such situations. The best way to get what you want is to bring as much knowledge to the table as possible – and to be aware that the person you're social engineering probably has experience parrying many of the usual tricks in the book.
This is where your advance research comes in handy: If you know the organization requires additional proof that you are who you say you are, you can recon the kinds of countermeasures in place. Then you can formulate a way to finagle that information so that you can proceed to the next step.
That said, if you're testing a company's security arrangements, it's often a good idea to probe that all-too-often weakest link. "Any idiot can call up an IT desk and get them to reset a password," laments Winkler. "Sadly, most of the time, it'll work."
And it's not always a lack of intelligence that proves to be the soft spot. Laziness, complacency, or disgruntlement may play a part, too. And of course, without training or testing, a social engineering attack may well be the furthest thing from an employee's mind. That's where you come in.
Do: Use the pretext that best suits the situation
To run a successful social engineering test, you need to perform a fast, on-the-fly analysis of the situation and respond accordingly.
The best and most experienced social engineers have a repertoire of well-rehearsed fictions from which to draw what they need when they need it. The ability to quickly identify a victim's personality type is also essential to choosing the best pretext for the job.
Over time, and with experience, accomplished social engineers can make such a determination within seconds. Sometimes, the situation may require you to make friends with and chat up an administrative assistant or receptionist. Other times, vinegar might get the job done better than honey: Winkler once managed to convince an IT worker to overnight him a laptop capable of connecting to a company's network simply by posing, over the telephone, as an angry executive on a business trip whose laptop had died.
In another example, Winkler explains, "I went into an organization and wanted to plant taps inside the network routers in this facility. I found this guy who had keys to the rooms," and pretended to be a corporate bigwig making an unannounced visit from the home office.
Winkler asked the IT guy for a tour, and as he showed Winkler each of the networking cabinets, Winkler managed to install the snooping hardware inside each. But then, suddenly, he thought he'd been made.
"This guy from security called, and asked the IT guy who I was," Winkler says. "He said I was this guy from corporate headquarters. The security guy comes over and asks, 'How come I wasn't informed that you were coming?' He didn't know me, didn't check that I was a real employee, and was more concerned with the internal politics of his company and those communication issues than the security issue of a random guy walking in off the street and getting a tour inside their facility."