Do: Anticipate how to react if caught, and prepare an exit strategy
If you test security defenses with social engineering for long enough, you will, without fail, arouse suspicion at some point and perhaps even get caught. To come away unscathed so that you can test again another day, consider in advance every circumstance in which you might be caught and decide how you will respond to each. The exit strategy itself should be settled with the client before the engagement starts: written authorization that names the scope and dates of the test, and a contact on the client's side who can be reached at any hour to confirm the engagement if a guard or the police detain you.
The one universal, for as long as you are still dealing with the target, is to never reveal your true motives or actions. If you're posing as a contractor, for example, you can plead ignorance of internal procedures, but do so without breaking character.
"If you've got to disengage [from a social engineering attempt] as someone would who is legitimate, you don't stop the act," Kaminsky says.
It's also essential to know the local law, so that you understand what you're up against when performing a pretexting test; if you don't, you may be in far more jeopardy than you expect, and the client's permission alone may not protect you. "In California, for example, you could be guilty of felony identity theft even if you have permission from the organization [to take credentials under false pretenses]," Winkler says.
Don't: Arouse suspicion by moving too quickly
Gaining the target's confidence is an essential skill, but closing in too fast during a social engineering test will set off alarms in the target's head.
So keep a cool head and pace yourself. After all, many of the people whose identity you might assume to pull off the job (a contractor, a hapless corporate user, a disgruntled employee) don't necessarily go about their own work quickly either.
Think of the process as being more like a dance than a race, says Kaminsky – one in which you're leading the victim, guiding his or her path, but avoiding a sudden shove in a particular direction. "Everyone has to perceive that you're doing what you're supposed to be doing," he says.
Don't: Put on an act that's too perfect
Somewhere between genuinely honest behavior and the artifice of a ruse, people begin to sense that something isn't right.
Researchers who study human perception have a name for the point at which the mind starts to attend to, for example, the slightly unnatural motion of a computer-generated character rather than the rich, lifelike detail it presents: the Uncanny Valley, a term coined by roboticist Masahiro Mori in 1970 to describe the dip in affinity people feel toward figures that are almost, but not quite, human.
Social engineering experts also refer to the Uncanny Valley – it's the moment in a social engineering attempt when everything looks and works just a bit too perfectly and therefore arouses the target's suspicion.
The solution, of course, is simple: Be imperfect. Don't be too polished, and don't answer every question instantly, as you perform your social engineering test. Remember, you're trying to convince your target that you're just another working Joe or Jane, and real employees hesitate, ask for clarification and get things slightly wrong.
Don't: Panic if you think the jig is up
If you start to feel that you've aroused suspicion, stay calm. People naturally lapse into wariness from time to time when dealing with someone they don't know well, and a moment of suspicion is not the same as exposure. Besides, you have a leg up on the real bad guys: provided your authorization and the legal groundwork are in order, the worst consequence for you is a failed test.
The most important thing to remember when you feel your pulse rising is that fleeing from a target works only in the opening sequence of a James Bond movie. In real life, a look of panic or an abrupt departure almost always raises a red flag and should be avoided at all costs.