Do: Use the pretext that best suits the situation

To run a successful social engineering test, you need to perform a fast, on-the-fly analysis of the situation and respond accordingly.

The best and most experienced social engineers have a repertoire of well-rehearsed fictions from which to draw what they need when they need it. The ability to quickly identify a victim's personality type is also essential to choosing the best pretext for the job.

Over time, and with experience, accomplished social engineers can make such a determination within seconds. Sometimes, the situation may require you to make friends with and chat up an administrative assistant or receptionist. Other times, vinegar might get the job done better than honey: Winkler once managed to convince an IT worker to overnight him a laptop capable of connecting to a company's network simply by posing, over the telephone, as an angry executive on a business trip whose laptop had died.

In another example, Winkler explains, "I went into an organization and wanted to plant taps inside the network routers in this facility. I found this guy who had keys to the rooms," and pretended to be a corporate bigwig making an unannounced visit from the home office.

Winkler asked the IT guy for a tour, and as he showed Winkler each of the networking cabinets, Winkler managed to install the snooping hardware inside each. But then, suddenly, he thought he'd been made.

"This guy from security called, and asked the IT guy who I was," Winkler says. "He said I was this guy from corporate headquarters. The security guy comes over and asks, 'How come I wasn't informed that you were coming?' He didn't know me, didn't check that I was a real employee, and was more concerned with the internal politics of his company and those communication issues than the security issue of a random guy walking in off the street and getting a tour inside their facility."

Do: Anticipate how to react if caught, and prepare an exit strategy

If you test security defenses using social engineering long enough, without fail, you will at some point arouse suspicion and perhaps even get nabbed. To make sure you come away unscathed so that you can test again another day, consider in advance all the possible circumstances in which you might get caught and give thought to how you should respond.

The one universal is to never reveal your true motives or actions. For example, if you're pretending to be a contractor, you could feign ignorance of internal procedures, but you should do so without breaking character.

"If you've got to disengage from a social engineering attempt as someone would who is legitimate, you don't stop the act," Kaminsky says.

It's also essential to be aware of local laws so that you'll know what you're up against when performing a pretexting test. If you don't know the law, you could put yourself in a surprising degree of jeopardy. "In California, for example, you could be guilty of felony identity theft even if you have permission from the organization to take credentials under false pretenses," Winkler says.

Don't: Arouse suspicion by moving too quickly

Gaining the confidence of the target is an essential skill, but zeroing in too fast in your social engineering test can set off alarms in the target's head.

Because of this, it is essential to keep a cool head and pace yourself. After all, many of those whose identity you might assume to pull off your job -- a contractor, a hapless corporate user, or a disgruntled employee -- don't necessarily go about their own work quickly.

Think of the process as being more like a dance than a race, says Kaminsky -- one in which you're leading the victim, guiding his or her path, but avoiding a sudden shove in a particular direction. "Everyone has to perceive that you're doing what you're supposed to be doing," he says.