This reads like it is more from a physical penetration testing perspective, which is less about "social engineering" and more about 1) knowing what you are doing and having overt confidence and 2) being a responsible adult.
The first you are best served by learning trades and developing skills. I became a locksmith, trained as a private investigator, hung out on subreddits related to trades and skills to learn insider lingo, read books and watched YouTube channels dedicated to relevant job functions. Basically you can spend 3 days practicing mentalism and faking confidence to try and convince a facilities manager you are a vending machine repair person, or you can spend 3 days learning the basics of vending machine repair.
The latter is applicable to all red team/pen testing engagements. Think long and hard about what you are about to do at every step and how it will impact your client and your ability to continue working both on this engagement and in the industry in general. You should go in being prepared to "lose" and accepting that as a desirable outcome - you'll win more often than not but it isn't a bad thing when the client has good security.
Yep, being able to talk the lingo really helps you BS when challenged. And you're spot on that being able to project the confidence that you are there because you need to be there is critical.
In Christchurch, New Zealand, after the 2011 earthquake, there were a lot of officials from insurance companies, government departments etc. inspecting properties.
And the criminal elements quickly cottoned onto the fact that if you wore a hi-viz and carried a clipboard or iPad, and could talk about foundation subsidence with a moderate level of confidence, you could case and/or burgle houses with ease while multiple potential witnesses just ignored you because hey, hi-viz and an iPad, obviously there on earthquake related issues, right?
Yes, seems very specific to seeing if someone can get into the building; most social engineering attacks are remote, like bullying someone into providing login credentials by pretending to be a Very Important Exec who needs that info now.