Most are likely familiar with some forms of social engineering, including phishing scams. But how familiar are you with elicitation and do you know how to detect and defend against it? Read on to learn more about elicitation, who is vulnerable, and behavior to watch out for.
What is Elicitation?
Elicitation resembles a typical or routine conversation, except that it is being used to discreetly gather information that is confidential, not readily available, and/or non-public (e.g., controlled but unclassified information). Elicitation may take place in person, over the phone, or in writing, and it can be easy to disguise, deniable, and effective. It is used not only by criminals but also by foreign intelligence entities, business competitors, coworkers, and others.
Who is Vulnerable to Elicitation?
Like other forms of social engineering, elicitation takes advantage of a target’s sociological and psychological vulnerabilities – in other words, it is manipulation. Some of those potential vulnerabilities include:
- Desire to be polite and helpful; natural inclination to trust strangers or new acquaintances
- Desire to be perceived as being well-informed
- Desire to feel appreciated and to contribute to something important
- Tendency to expand on topics when someone shows interest
- Tendency to gossip
- Tendency to correct others
- Tendency to underestimate the value of the information being sought or given
- Tendency to believe others are honest and disinclination to be suspicious of others
- Tendency to answer truthfully when asked a question
- Desire to convince someone your opinion is right
In addition, in "Influence: Science and Practice", Robert Cialdini describes six principles he observed to be effective in influencing people. The principles are:
- Reciprocity – Natural human tendency to return favors, e.g., when someone does something for you or shares something with you, you may feel more inclined to do something for or share something with them.
- Authority – Tendency to trust those who appear to be in positions of authority, for example placing more trust in someone who claims to hold a certain position, claims expertise, or appears to have material success.
- Scarcity – People value things perceived to be scarce. Examples include limited-time offers, real or perceived limited supply, or the perception of being sought after.
- Consistency – When someone voluntarily commits to something (e.g., signing a contract promising to pay monthly installments on a car loan), they are more likely to stick to their word and not go back on their commitment.
- Liking – People tend to like others, and to be more willing to do things for those who like them. Examples include genuine praise or showing similar interests (i.e., building rapport).
- Social Proof – Similar to liking, people tend to look for cues and information reinforcing the idea that someone is similar (or dissimilar) to them. For example, if you are a baseball fan and you see someone else wearing a hat for the team you like, you are more inclined to believe them when they say they like that team as well.
Ways Vulnerabilities Are Exploited
Part of being able to counter elicitation is being aware that it is happening in the first place. Some of the ways criminals and others exploit these vulnerabilities include:
- Assumed knowledge – Pretend to have knowledge or associations in common with the person
- Bracketing – Offer a high and a low estimate to entice the person into supplying a more specific number
- Can you top this? – Tell an extreme story in the hope that the person will want to top it
- Confidential Bait / Quid Pro Quo – Pretend to divulge confidential information in the hope of receiving confidential information in return
- Criticism – Criticize an individual or organization in which the person has an interest, in the hope that the person will disclose information while defending it
- Deliberate False Statements / Denial of the Obvious – Say something wrong in the hope that the person will correct the statement with true information
- Flattery – Use praise to coax the person into providing information
- Leading Questions – Ask a question to which the answer is “yes” or “no,” but which contains a presumption
- And many more…
One of the most important ways you can detect elicitation is by being aware of how an interaction with someone makes you feel.
Do you feel anxious or like you are being pressured? Indebted to the person because they did something for you? Do you feel guilt because you said something you wouldn't typically say? Overly ingratiated or flattered?
While these feelings can result from any interaction, you should be especially mindful of the context in which they arise (e.g., someone you just met asking for overly personal or sensitive information).
What should you do if you suspect elicitation is taking place?
First and foremost, if the information being elicited relates to your government work, report it to your security officer. During a conversation, there are several ways to deflect elicitation attempts, such as:
- Refer the individual to public sources (e.g., websites, press releases, etc.)
- Ignore any question or statement you think is improper and change the topic
- Respond with “Why do you ask?”
- Give a nondescript answer
- State that you do not know
- State that you would have to clear such discussions with your security office
- State that you cannot discuss the matter
As you can see from the above, most of what has been described takes place in everyday interpersonal communications and relationships. Observing the above does not definitively mean that someone is attempting to elicit information or, even if they are, that they intend to use the information for nefarious purposes. However, you should remain vigilant, maintain a healthy level of skepticism, and report incidents you feel warrant it. It is better to be safe than sorry.
About Tom Busillo
Tom brings over 13 years of experience working in leadership roles within the military, special operations, the intelligence community, and the commercial sector. Tom has a broad range of expertise and excels in information technology, cybersecurity, software development, regulatory compliance, risk management, cloud services, program management, and more.