Attack process

We have presented some basic steps that are required to initiate a social engineering attack against your target. This is not the only method, or even the one that is the most likely to succeed, but it should give you an idea of what social engineering entails. Intelligence-gathering, identifying vulnerable points, planning the attack, and execution are the common steps taken by social engineers to get a target to divulge information or to acquire access:

  • Intelligence-gathering: There are many techniques to determine the most alluring target for your penetration test. This can be done by harvesting corporate email addresses across the web using advanced search engine tools; collecting personal information about people working for the target organization through online social networks; identifying third-party software packages used by the target organization; and getting involved in corporate business events and parties, and attending conferences. Together, these should provide enough intelligence to select the most suitable insider for social engineering purposes.
  • Identifying vulnerable points: Once a key insider has been selected, one can move forward to establish a trusting relationship and show friendliness. This would ensure that an attempt to hijack any confidential corporate information would not harm or alert the target. Maintaining a high level of covertness and concealment during the whole process is important. Alternatively, we can also investigate to find out whether the target organization is using older versions of the software, which can be exploited by delivering malicious content via an email or the web, which can, in turn, infect the trusted party's computer.
  • Planning the attack: It's your choice whether you plan to attack the target directly or by passively using an electronic-assisted method. Based on the identified vulnerable entry points, we could easily determine the path and method of an attack. For instance, we found a friendly customer-service representative, Bob, who would unwittingly execute any malicious files from his email without any prior authorization from senior management.
  • Execution: During the final step, our planned attack should be executed with confidence and patience to monitor and assess the results of the target exploitation. At this point, social engineers should hold enough information or access to the target's property, which would allow them to further penetrate the corporate assets. On successful execution, the exploitation and acquisition process is completed.
