Monday, May 20, 2019

I saw Stephen Haunts speak at the Norwegian Developers Conference on doing sinister things with social engineering and immediately afterwards I canceled my debit card.

Hacking humans takes three shapes: phishing, vishing (phishing over the telephone), and impersonation. 77% of all social-based attacks fall into the first category, but the talk largely focused on the last, impersonation. The four sequential steps in impersonation are information gathering, pretexting, elicitation, and manipulation.

Information gathering could be shoulder surfing, dumpster diving, a keylogger, or the use of remote screenshotting tools. How can another gather information about you? If you post something as public to Facebook, the next time you publish something it will default to public, so you should explicitly change the who-can-see status. Be careful, slick.

In pretexting one presents oneself as someone else in order to interact with a target. Good acting helps. Keep it simple. Use information that needs no verification. Plan for a different path in pretexting should things go down strange tangents. I think of the stereotype of Sherlock Holmes planning several chess moves ahead, not that I've ever read any Sir Arthur Conan Doyle. Just being friendly won't be sufficient, but there is a natural human inclination to trust. People want to appear well-informed, especially recent college graduates or junior members of a team, who are likely to spill their guts when you chat them up. Build a bond. People want to feel appreciated. Stay in the character of your pretext. Questioning can be categorized into open and closed questioning. Closed questions are yes-or-no. Open questions are open-ended, making the other party try to fill in gaps and guess at what you want to hear.

Elicitation is using the persona profiled in a pretext to gather information. After you've fished someone dry in a pretext, you climb inside their husk to pretext as them. In "influencing" one attempts to change the mind of another in the name of a win/win, but this is not "manipulation," which is bad instead of good and steers a victim towards a win/lose.
Fear and relief are good tactics in manipulation. Put fear into someone and then offer them a convenient means of escape. Use guilt as a way to get others to comply. A foot-in-the-door technique is gold: ask for a small request first, in advance of a bigger one. Don't keep sensitive data on a USB drive, and if you find a USB drive lying on the floor, don't pick it up and plug it in.
