In discussing social engineering and threats to your personal security, we mentioned elicitation. Elicitation is a technique used by an adversary to get a person to unintentionally divulge more information about a particular subject than they normally would. It's used to gather confidential or proprietary information, and in the realm of personal security it can be used by an adversary to gather information for use in targeting you or to build rapport with you or someone close to you.
While we are not going to attempt to teach elicitation or counter-elicitation here, we are going to briefly outline some of the common techniques so that you can recognize them being used against you. Remember, these can be employed in person, over the phone or through electronic communication of various types such as email, online chat, etc.
This is by no means an exhaustive list but these are some of the key elicitation techniques you may encounter:
- Flattery: The adversary will compliment you on personal and/or professional aspects of your life to build rapport and increase your likelihood to talk openly. This may include requests for advice based on your “expertise”, etc.
- False Statements: The adversary may make statements he or she knows are incorrect in order to prompt you to correct them by providing the correct information.
- Provocative Statements: Similar to the false statement, the adversary may make a statement that he or she knows will initiate an emotional response on your part and a desire to either strongly agree or disagree with them.
- Disbelief: The adversary will feign disbelief at a statement you make to prompt you to elaborate more fully.
- Naivete: Similar to disbelief the adversary will feign ignorance to get you to “educate” him or her.
- Quid pro Quo: The adversary may volunteer some innocuous or more likely false information about themselves so that by social convention you feel compelled to reveal something to them.
These are just some techniques that may be used to get information about your schedule, your security profile, your business dealings, your personal wealth, your employer and so on. By recognizing when you might be encountering them, you can make a conscious decision to reduce the amount of information you provide or break off the conversation.
While some of these are relatively sophisticated methods, they have been and may be employed by foreign intelligence agencies and internal security units, organized crime groups, terrorists and others. Keep in mind as well that they may be aimed not only at you directly but also at your employees, associates, domestic staff, etc. It's important to train these people, even if it's just at a very rudimentary level, to be cautious about people asking questions or trying to get them to divulge information about you or your activities.