Elicitation: how online scammers steal your personal data


VALKYRIE (GB) LIMITED often posts about the threat posed by online hackers/scammers who attempt to steal personal data. Social Engineering (SE) is a popular tactic among attackers because they often find it easier to exploit people than a network/software vulnerability. SE will be the first step in a larger campaign to infiltrate a system/network. However, there are other, more traditional ways criminals attempt to gain access to info. One technique is ‘elicitation’.

Elicitation means using ploys to discreetly gather info/knowledge about an individual, their work, or their colleagues without them knowing. In the spy-world, the term is applied to the subtle extraction of info during an apparently normal/innocent conversation. This may seem like something out of a movie, but it’s actually more prevalent than you might expect, especially in the corporate world.

How often have you been asked this seemingly innocent question on a plane, at a party, or at some other random location where strangers might engage in conversation: ‘so, what do you do?’ Believe it or not, this question has been the catalyst for derailing business deals and R&D projects, and has been instrumental in the financial success/failure of corporations. The reason this question is so powerful is that it opens up a ‘Pandora’s box’ for individuals (particularly during travel) to disclose info that is of value to the person asking. Simply put, it’s an invitation for business competitors, Govt. intel services, and/or other nefarious individuals to subtly get inside your head without you realising.

There are many different elicitation techniques. Which one is used depends on the situation and the skill of the elicitor. They include: active listening, pretending to have knowledge/associations in common with someone, open-ended/probing questions, criticism, the use of empathy or concern, non-verbal body language, humour, fake ignorance and storytelling.

In order to resist elicitation, you can do various things. These include: only answer with info in the public domain; ignore questions/change the subject; answer a question with a question; answer by asking, ‘why do you ask?’; give a predictable answer; say you don’t know the answer, or you don’t know anything about the subject; let them know you don’t want to talk about that subject.

In a world where info (personal/professional) is ever more important and can be of value to others, when engaging in a conversation with a stranger (or even not a stranger), pause for a moment and reflect on how you are going to answer. Ask yourself: 1) am I being elicited? 2) what is this person’s need to know? Instead of handing out specific answers, be defensive and resort to vague responses or change the subject. If an elicitor realises you are not budging, they will likely back off.
