
According to FBI.gov, elicitation is “a technique used to collect information that is not readily available and do so without raising suspicion.” In other words, elicitation is a discreet and effective way to obtain information, and it can be applied in sales, interviews, customer service, and even social situations. During successful elicitation, the person we’re seeking information from (the target) provides it casually and willingly. At the end of the conversation there should never be a sense that they’ve been interrogated or manipulated into providing information; instead, it should have been a pleasant exchange.

Elicitation is a valuable tool for social engineers. However, in today’s climate, social engineering is often associated with “scammers.” So how can elicitation techniques be used effectively by ethical social engineers?

Ethical Elicitation

Set Your Goal

Set your goal before the conversation takes place. Be specific: write down the individual items of information you’re seeking to gain from the conversation, as well as the overall goal. It is helpful to open a conversation with something unrelated to your objective, so start by selecting a topic that interests the target. Next, create a pretext or story that makes sense. Then decide how you will ask the questions: will they be direct or indirect?

Certified Social Engineers at SECOM have a pretext in place before conducting their vishing calls. They also have specific “flags” or goals that they are trying to elicit from the tested employees. Usually, the pretext starts off a conversation that is not directly related to the flag. For example, they may say they’re calling from HR to conduct a survey and offer to send it via email. During this brief conversation they can build enough rapport to casually elicit a flag by the end of the call.

Observation and Research

We don’t always know who our target will be, as is the case in a social engineering engagement. Therefore, observing how staff operate and doing research in advance is necessary to find the best way to start the conversation. Research also helps us learn which information is considered sensitive. A brief observation of our targets can reveal aspects of their communication style or mood. Are they outgoing or reserved? Are they in a hurry, or do they seem relaxed? Once we have determined this, we can adapt our pace, tone of voice, and body language to make the target feel at ease as we start the conversation.

During a vishing adversarial simulation, ethical social engineers can listen to the target’s pitch, pace, and tone, and discreetly match theirs. This helps to establish rapport as well as put the person at ease to facilitate the sharing of information.

Active Listening

Active listening involves more than just hearing a person speak. Instead of listening with the intent to reply, listen with the intent to understand. If you’re thinking about what you’ll say next, you may miss important details of the conversation. When you’re actively listening, show that you’re trying to understand by asking questions and/or repeating some of the target’s statements. Validating a person’s feelings makes them feel they can confide in you and motivates them to share more information.

Plan an Exit

If you don’t plan your exit, you may end up in an awkward situation where you don’t know when the conversation should end. This can force you to give additional explanations, which may cause your target to start thinking critically and question the conversation. Whether it’s during vishing or an onsite engagement, having an exit plan, such as a time constraint, allows for a smooth transition or exit; this way the target never feels “hacked.” The conversation should end as casually as it started, and the target should walk away without second thoughts about it. A graceful exit should be part of your professional reputation. Targets remember how you leave a conversation, and ethical social engineers leave a positive impression, even when they’re testing security.

Ethics = Power

There are many techniques for eliciting information from people. The psychology behind social engineering principles such as elicitation can be fascinating, and scary if not used ethically. Why are ethics so important for a professional social engineer? In short, ethics equals power. The goal of a professional social engineer is not to show off their skills but to educate and protect. At Social-Engineer, LLC our certified social engineers always operate within our code of ethics, which enables them to provide real-life scenarios and testing while leaving employees feeling empowered.

Written by
Rosa Rowles
Human Risk Analyst, Social-Engineer, LLC
