I think Chris makes an excellent point (without specifically saying it), on the often "over-glamourized" uses of social engineering.  I mean, sure, you can tailgate, or you can throw a SET-initiated attack at company employee X.  Those are both fully valid, and I use them all the time.  And if you can, and you get the access and data you need, you've done your job.  But that's not always necessary. 

As Chris noted, all it takes is gathering enough information to get full access to a database.  From there, all bets are off.  On one side, it might let me plant some malicious scripts or code in a web-fronted db, and gain a shell on the server.  Now I have my pivot, and can go on about my business.  Yep, a more 'glamorous attack', from a technical perspective, after first carefully gathering some info and getting in.  But maybe I don't even have to go THAT far.  Is simply pwning a MAJOR database enough?  Depending on the database, and the target, it just might be.

Suffice to say that with a little time and patience, you could reap far greater rewards than trying to waltz in the front door.  And if done right, the stealth factor is so much greater as, if you've played the cards right, customer X thinks that at least SOME of your database activity is legit, buying you a little extra time to dig in further and leave your backdoors.