Step 1 - Information Discovery
The more information hackers have about a target prior to an attack, the greater their chance of success.
So, how do they get it?
They use a combination of social engineering techniques: dumpster diving (trawling your dustbin) to retrieve personal information; online gathering through social networking, which encourages people to share; well-formed search queries; Companies House; and examining your website for testimonials and for information about you, your clients, your employees and your industry sector. 'Real world' gathering relies on the 'human factor'.
Beware a confident, friendly, charming voice or face, as this can provide a hacker with valuable information. Office walking means unscrupulous contractors gaining out-of-hours access to your desk space. Shoulder surfing is the simplest method, only requiring a look over the target's shoulder while they are working in a public space.
Protection: Restrict personal information available over the internet, use tight privacy settings, vet contractors, adopt clear desk policies, lock computers when staff are away from their desks and don't work on sensitive information in public.