How you can recognize and respond to elicitation techniques
Elicitation is one of the oldest forms of espionage in the world. All it requires is someone who knows how to manipulate a conversation to get information they want without the other person realizing they’re giving up secrets they shouldn’t. When elicitation happens, there are ways to combat it, known as counter-elicitation.
What is Elicitation?
Elicitation is the act of discreetly gathering information. It’s used everywhere, from corporations to government organizations to phishing scams to the dating scene. The person attempting to elicit information is looking for things that aren’t publicly available, such as a company secret recipe or classified government information.
A key component of elicitation is it doesn’t feel like an interrogation. Typically, these attempts look and feel like any other casual conversation. An elicitor is trying to play on natural tendencies people have, such as a desire to be polite and helpful, to look intelligent, or to feel appreciated. Depending on the environment, the elicitor may buy their target alcoholic drinks in the hopes of making them more willing to disclose things they otherwise wouldn’t.
This can happen anywhere. An elicitor may approach their target through social media, at a party or as a new hire at their company acting as an insider threat. Since there isn’t any one way that an elicitor may engage with someone, it’s crucial to be able to spot the techniques they employ to gain information.
Elicitation Techniques
There are numerous ways someone may try to elicit information from a person. Here are some common examples:
Assumed Knowledge: The elicitor will pretend to have knowledge or associations in common with someone. This could include pretending to work at the same place, go to the same church or having knowledge of the field the person works in. This is also common in phishing and scam attempts.
Bracketing: In this method, the elicitor will provide an estimated range of a number in the hopes the person will give a more specific number, like a range of how much a price of a product the person works on will increase.
Criticism: For this technique, the elicitor will make a targeted criticism of the organization the person is associated with in the hopes they will correct them and provide information as evidence, such as asserting their company’s dominance in a specific industry due to a cutting-edge technology they’re using.
Deliberate False Statements: The elicitor says something they know is false in order to get the target to correct them and give them correct information.
Macro to Micro: When seeking one specific piece of information, the elicitor may strike up a more general conversation covering a lot of topics. They will guide the conversation to the information they want to receive, like the name of a childhood pet that’s being used as a password, then continue the conversation in a less specific direction. Ideally, the target won’t even remember divulging the micro information and will just remember the macro conversation.
Counter-Elicitation techniques
If you’re in a situation where you recognize someone is trying to pull information from you through elicitation, you can then engage in counter-elicitation, which will redirect or shut down the conversation without the elicitor getting what they’re after. Once they receive some pushback, elicitors will often back off their line of questioning since they don’t want to further raise suspicions.
Related: Common Security Mistakes and How to Address Them
These are simpler techniques than the many types of elicitation. The core of it is knowing what information is sensitive and always guarding it. If someone is dancing around asking questions that you know you need to protect, that’s the time to start employing your counter-elicitation.
For starters, you can point the person asking questions to a public source, such as a company website. You can deflect the topic of conversation away from anything risky and to safer topics. If they’re persistent in asking questions that is getting at information you’re meant to protect, ask, “Why do you ask?” Elicitors tend not to have a good answer to this question, and you can easily deflect from there. Playing dumb will also effectively shut down the conversation if you pretend not to know the answer to their questions. You can also tell them simply that you can’t discuss that information or that you’d need to clear any further discussion of it with your security officer.
If you’re an FSO trying to strengthen your company’s security through a better security culture, Adamo can help. Our FSO support services can help you with engaging and memorable trainings and briefings, sending periodic email reminders, or just freeing you up to focus on what’s most important by taking on the Personnel Clearance (PCL) management part of your job. Contact us today to learn what difference Adamo can make for your facility.
