9 Hacking the Humans

If money is your hope for independence you will never have it. The only real security that a man will have in this world is a reserve of knowledge, experience, and ability.

—HENRY FORD

As a quick recap, I have covered what has changed in SE over the last seven or so years: OSINT and how to use it, communication modeling, pretexting, rapport building, influence, manipulation, elicitation, and nonverbals. From a communications stance, this is a great foundation of knowledge, but because I'm a professional social engineer, I need to tell you how to apply this information and use it in an SE context.

From a malicious social engineering angle, there are four main vectors that I see being used in attacks: phishing, vishing, SMiShing, and impersonation. There are also combinations of those attacks that trap us.

In this chapter, I discuss how you can apply the skills I have covered to each of these vectors. Then I go over (briefly, I promise) the always-fun topic of reporting. And finally, I discuss how to break into the business and close some clients.

Before I get into any of that, however, I have to discuss the principles of the pentest. This will set the foundation for how you approach social engineering pentests.

Get Social Engineering, 2nd Edition now with the O’Reilly learning platform.
