Moore said similar guidelines apply to physical security testing.
"You never want to put your employees, the client, or their security personnel into a situation where they feel like they are in harm's way. It is quite easy for people to overreact. I have heard stories of a client tackling a security tester because they followed someone through a security door."
Emulate "real world" exploits -- not movie scenes
Moore also thinks social engineering tests should reflect real-world attacks against the organization, not over-the-top situations that are unlikely in a day-to-day work environment.
"Sending a suspicious email or making a phone call for a password reset is something that employees should be able to defend against," he said. "By contrast, rappelling through a skylight or bugging someone's office is not a normal risk for most companies, and would cross the line if attempted."
Get sign-off and a clear contract
Each part of your penetration test needs sign-off from the organization's management before you proceed. To protect yourself, you need a clearly defined contract stating what is, and what is not, allowed, said Hadnagy.
"You want to access the dumpsters? Make sure it is in the contract. You want to have the ability to walk out of the building with a computer under arm? Get that in the contract. What if the computer you walk out with contains personal details for all employees or financial data?"
"The social engineering process should work from a plan that has been approved by both the security manager and a representative from the human resources department," adds Moore.
Make sure the appropriate people are aware before you begin
Getting permission in writing gives you the authority to do what you need to do, but don't just set off on your test without warning the appropriate people first -- or you could find yourself in an awkward situation. In this tale from Moore, jobs were lost because proper notification was not given in advance of the test.
"In a late-night physical penetration test of a bank branch, a consultant triggered the building alarm and was waiting for the police to show up. Fortunately, the cleaning crew arrived in the nick of time and helped disable the alarm and let them into the secured area. The police still showed up and there was an awkward conversation that resulted in the president of the bank being called. The consultant was cleared, but the cleaning crew was fired on the spot by the bank president. By the time the situation was resolved the next morning, the damage had already been done. In this case, the president should have been made aware that a test was taking place that evening."