
Ethical Elicitation

According to FBI.gov, elicitation is “a technique used to collect information that is not readily available and do so without raising suspicion.” In other words, elicitation is a discreet and effective way to obtain information that can be applied in sales, interviews, customer service, and even in social situations. During successful elicitation, the person we’re seeking to obtain information from (the target) should provide this information casually and willingly. At the end of the conversation there should never be a sense that they’ve been interrogated or manipulated into providing information. Instead, it should be a pleasant exchange.

Elicitation is a valuable tool for social engineers; however, in today’s climate, social engineering is often associated with “scammers.” So how can elicitation techniques be used effectively by ethical social engineers?

Set Your Goal

Set your goal before the conversation takes place. Be specific and write down the items of information you’re seeking to gain from the conversation, as well as the overall goal. It is helpful to start a conversation with something not related to your objective. Start by selecting a topic that interests them. Next, create a pretext or story that makes sense. Then think about how you will ask the questions: will they be direct or indirect?

Certified Social Engineers at SECOM have a pretext in place before conducting their vishing calls. They also have specific “flags” or goals that they are trying to elicit from the tested employees. Usually, the pretext starts off a conversation that is not directly related to the flag. For example, they may say they’re calling from HR to conduct a survey and offer to send it via email. During this brief conversation they can build enough rapport to casually elicit a flag by the end of the call.

Observation and Research

We don’t always know who our target will be, as in the case of a social engineering engagement. Therefore, observing how staff operate and doing research in advance will be necessary to find the best way to start the conversation. Doing research also helps to know which information is considered sensitive. A brief observation of our targets can help us determine certain aspects of their communication style or mood. Are they outgoing or reserved? Are they in a hurry or do they seem relaxed? Once we have determined this, we can adapt our pace and tone of voice, as well as our body language, to make our target feel at ease as we start the conversation.

During a vishing adversarial simulation, ethical social engineers can listen to the target’s pitch, pace, and tone, and discreetly match theirs. This helps to establish rapport as well as put the person at ease to facilitate the sharing of information.

Active Listening

Active listening involves more than just hearing a person speak. Instead of listening with the intent to reply, listen with the intent to understand. If you’re thinking about what you’ll say next, you may miss important details of the conversation. When you’re actively listening, show that you’re trying to understand by asking questions and/or repeating some of the target’s statement. Validating a person’s feelings will make them feel that they can confide in you and will motivate them to share more information.

Plan an Exit

If you don’t plan your exit, you may be in an awkward situation when you don’t know when the conversation should end. This may lead you to have to give additional explanations, which may cause your target to start thinking critically and question your conversation. Whether it’s during vishing or an onsite engagement, having an exit plan such as a time constraint allows for a smooth transition or exit; in this way the target never feels “hacked.” The conversation should end as casually as it was started, and the target should walk away without having second thoughts about the conversation. A graceful exit should be part of your professional reputation. Targets remember how you leave a conversation, and ethical social engineers leave a positive impression — even when they’re testing security.

Ethics = Power

There are many techniques to elicit information from people. The psychology behind social engineering principles such as elicitation can be fascinating, and scary if not used ethically. Why are ethics so important for a professional social engineer? In short, ethics equals power. The goal of a professional social engineer is not to show off their skills but to educate and protect. At Social-Engineer, LLC our certified social engineers always operate within our code of ethics, which enables them to provide real-life scenarios and testing while leaving employees feeling empowered.

Written by
Rosa Rowles
Human Risk Analyst, Social-Engineer, LLC
