Rest assured that there are many ways to get out of a situation quickly without giving yourself away. It could be as simple as making up a plausible excuse to get off the phone or to just calmly walk away from an irksome employee. Subdue the natural tendency to panic, and easy exits will present themselves clearly. Then you can wait a while, come back, and test from another angle.
Don't: Let the other person think about their actions too much
Interspersing requests for sensitive information with casual conversation can distract the target and help prevent them from catching on to what you are trying to achieve – especially when they are performing an essential task at your request as part of your social engineering test.
"You're trying to desensitize the person to their actions," Winkler says. "Change the way the person thinks by reframing the action."
For example, if you're trying to get the target to copy some data for you, you could explain to the target that they aren't stealing anything, they're just making a copy of it, and that the data will still be there when the company needs it.
"One of my strategies is to bore people to death over the phone," Winkler says, "so they give me something quickly, just to get off the phone with me."
Don't: Dawdle once you've got what you want, but don't run for the door, either
Winkler adds a subtle, but important, point gleaned from his long experience testing defenses. "You probably want to move on once you've got the thing you need, but you don't want to sprint for the door if it might raise suspicions," he says. "It's a situational thing."
In other words, heading straight for the door after your target gives you the sensitive information you've been seeking is a sure way to raise a huge red flag and leave everyone patting themselves down to see whether they still have their wallets.
That's not to say that you should invite your target to the lunch room for a cup of coffee, either. Striking the right balance between slipping away quickly with the goods and not blowing your cover by breaking a sweat requires a keen ability to ascertain what's appropriate in any given situation. If you're going to play the role of a pro, act like a pro.
Don't: Act irresponsibly with the data you get
Professional security analysts typically perform social engineering attacks as part of a wide-ranging analysis of an organization's overall security measures. The goal of these tests isn't to demonstrate how much you can damage a company's operations, but to help the company improve its internal procedures and policies, and address the weaknesses you discover.
However, "some people perform social engineering very irresponsibly," Winkler says.
"There have been times where I saw police called, or [where a penetration tester] caused operational disruptions by changing the password of a trader at a large brokerage firm," he recounts. "The trader wasn't able to do trades because he wasn't able to log in to his system."
It's OK to enjoy the rush of pulling off your con successfully, but don't let it cloud your vision as to the task at hand.
"As a consultant, you have to know where to go, and where to stop," Winkler adds. "You can't just create the effect to say, 'Ha ha,' but a lot of consultants do. In the field, people get excited and they don't [behave] professionally."