Social engineering, like the other attacks we have explored in this book, consists of multiple phases, each designed to move the attacker one step closer to the ultimate goal. Let’s look at each of these phases and how the information gained from one leads to the next:
1. Gather information and details about a target through research and observation. Sources of information can include dumpster diving, phishing, websites, employees, company tours, or other interactions.
2. Select a specific individual or group that may have the access or information you need to get closer to the desired target. Look for sources such as people who are frustrated, overconfident, or arrogant and willing to provide information readily.
3. Forge a relationship with the intended victim through conversations, discussions, e-mails, or other means.
4. Exploit the relationship with the victim, and extract the desired information. You can also look at these four phases as three distinct components of the social engineering process:
■ Research (step 1)
■ Develop (steps 2 and 3)
■ Exploit (step 4)