Social Engineering Techniques

What Is Elicitation?

Elicitation is a conversational technique used to extract sensitive or privileged information from someone through a seemingly polite, affable, and mundane chat without raising suspicion that specific facts are being sought.

Always Automate, Nothing To Manage

Always automated.

Nothing to manage.

Leave Training & Simulated Phishing to us.

This low-tech, human-centered information gathering method is used by Foreign Intelligence Entities (FIEs), criminals, corporate competitors, and other threat actors to gather information without the target's knowledge.

According to the Defense Counterintelligence and Security Agency (DCSA), elicitation efforts create significant insider risk across government and cleared industry, serving as a pathway to collusive threats or unauthorized disclosures (DCSA, 2025). Chinese cyber espionage operations surged by 150% overall in 2024, and attacks against the financial, media, manufacturing, and industrial sectors rose by up to 300%; in these campaigns elicitation serves as a foundational reconnaissance technique (DCSA/CSIS, 2024).

How Does Elicitation Work?

Elicitation is the strategic use of conversation to subtly extract information about a target, their work, colleagues, and organizational details. Several common techniques demonstrate how seemingly innocent conversation can extract sensitive information.

Assumed knowledge involves the elicitor pretending to share certain knowledge with the target. Example: "I remember when I worked on a similar project at Company X..." This prompts the target to correct or elaborate, revealing actual information.

Bracketing provides high and low estimates to entice more specific details. Example: "I heard the budget was either $5 million or $50 million, which is it?" Targets instinctively narrow the range, providing actual information.

Confidential baiting involves pretending to divulge confidential information hoping to receive information in return, exploiting reciprocity. Example: "I shouldn't tell you this, but our next release is..." hoping the target reciprocates.

Deliberate false statements mean saying something intentionally wrong so the target will correct with true information, exploiting the human need to be correct and demonstrate expertise.

Indirect questioning asks questions that appear innocent but are designed to gather specific information. Example: "How's your new systems upgrade going?" to determine which systems are being upgraded.

How Does Elicitation Differ From Related Techniques?

| Feature | Elicitation | Phishing | Pretexting |
|---|---|---|---|
| Primary method | Natural conversation | Deceptive digital communications | Fabricated scenario |
| Technical component | None | Email/links/attachments | Variable |
| Detection by security systems | Impossible - no technical indicators | Possible - email filtering | Difficult |
| Ideal for attackers | Reconnaissance and intelligence gathering | Mass credential theft | Building false trust |
| Ideal for defenders | Organizations with awareness training | Email security systems | Verification protocols |

Why Does Elicitation Matter?

Elicitation represents one of the most difficult social engineering techniques to detect and defend against. Unlike phishing emails that can be filtered by technology, elicitation uses normal conversation with no technical indicators. Security systems cannot detect elicitation because there are no malicious links or suspicious attachments.

The technique serves as foundational reconnaissance for more sophisticated attacks. Information gathered provides intelligence needed for targeted phishing, business email compromise, or advanced persistent threat campaigns. The 150-300% surge in Chinese cyber espionage in 2024 demonstrates how nation-state actors use elicitation in broader campaigns (DCSA/CSIS, 2024).

Foreign intelligence entities consistently use elicitation as a primary intelligence collection method, particularly against government personnel, defense contractors, and individuals with security clearances. The threat extends beyond classified programs to include corporate intellectual property, strategic business plans, and competitive intelligence.

What Are the Limitations of Elicitation Attacks?

Detection Difficulty Benefits Defenders Through Training - While elicitation is difficult for security systems to detect, defense relies on individual awareness and training. Organizations that invest in comprehensive elicitation awareness training create employees who recognize conversational patterns designed to extract information.

Relationship Building Constrains Scalability - Effective elicitation requires establishing rapport and trust, which takes time and effort that cannot be automated. While attackers can send thousands of phishing emails simultaneously, elicitation requires individual conversations tailored to specific targets.

Verification Risks Expose Attempts - Attackers risk exposure when attempting to extract information that doesn't exist or when demonstrating impossible knowledge. Targets may become suspicious and report the interaction.

Compartmentalization Limits Information Value - Organizations that implement strict "need to know" principles and compartmentalize sensitive information reduce the value attackers can extract through elicitation.

How Can Organizations Defend Against Elicitation?

Implement Security Awareness Training - Educate personnel on elicitation techniques and tactics. Train employees to recognize conversational patterns designed to extract information. Teach the "need to know" principle—don't share information beyond what is necessary. Emphasize that friendly conversations with unknown contacts can be intelligence gathering attempts.

Establish Information Protection Practices - Implement "need to know" and compartmentalization approaches to information access. Train employees on what information is sensitive. Create organizational cultures where discussing specific work details with outsiders is discouraged. Establish clear guidelines on what can be discussed in social and professional settings.

Develop Verification and Reporting Procedures - Establish procedures for reporting suspicious questions or conversations. Encourage employees to verify the legitimacy of people asking questions before disclosing information. Implement debriefing procedures where employees report conversations involving organizational questions.

Implement Counterintelligence Measures - For government and cleared industry, implement active counter-intelligence programs. Brief personnel on known threat actors and their elicitation tactics. Develop threat intelligence on foreign intelligence entities' methods. Conduct security reviews during organizational changes.

Control Professional Communications - Train employees to be cautious with unsolicited professional networking connections. Educate personnel to verify the legitimacy of conference attendees, researchers, or consultants before discussing work details. Implement social media and professional networking guidelines.

FAQs

What is the difference between elicitation and phishing?

Phishing uses deceptive digital communications including emails, fake websites, and malicious links to trick people into compromising credentials. Elicitation is a conversational technique gathering information through normal discussion with no technical component. Phishing can be detected by email filters; elicitation leaves no technical indicators. Defense against phishing involves technical controls; defense against elicitation relies on human awareness.

Why is elicitation so difficult to detect and defend against?

Elicitation is extraordinarily difficult to detect because it is low-tech and human-centered—there are no malicious links or technical indicators for security systems to identify. The conversation appears normal and friendly, making it nearly impossible to distinguish from legitimate networking without understanding context and intent. Defense relies heavily on individual awareness rather than technological solutions.

Who uses elicitation and for what purposes?

Elicitation is used by foreign intelligence entities (government-sponsored espionage), criminals seeking competitive advantage, corporate espionage operations, and hackers gathering reconnaissance. They use it to gather information about organizational structure, technical capabilities, security procedures, project details, and strategic plans. The 150-300% surge in Chinese cyber espionage in 2024 suggests active use of elicitation (DCSA/CSIS, 2024).

What are the "assumed knowledge" and "deliberate false statement" elicitation techniques?

Assumed knowledge involves pretending to know something about the target: "I heard your team was working on AI integration..." The target then elaborates, revealing information. Deliberate false statement involves saying something intentionally wrong: "Isn't that system running Windows 7?" An expert corrects you with the actual system. Both exploit natural human behaviors—seeking rapport and the desire to be correct.

Is elicitation a significant threat if I don't work in government or defense?

Yes. While government and cleared industry are primary targets, elicitation is also used by corporate competitors, hackers gathering reconnaissance, and criminals. Any organization with valuable technical information, strategic plans, financial data, or security procedures is a potential target. Elicitation is a foundational reconnaissance technique used before more sophisticated attacks.

© 2026 Kinds Security Inc. All rights reserved.