Elicitation is the process of collecting or acquiring data from human beings. This is different from information gathered about human beings—in elicitation, a social engineer attempts to learn or access useful information by contacting people who may provide certain key insights. The advantage of this approach is that some knowledge useful to an attack or pen test can only be acquired from other people.

Like impersonation, elicitation is not a social engineering attack per se, but an approach that may be used as part of an actual attack. Some specific elicitation techniques include:

  • Requests, where the social engineer in a trusted position requests that the target provide them with some useful information. This is the most direct method of elicitation.
  • Interrogation, where a social engineer directly asks people questions with the intention of extracting useful information. The social engineer may be posing as an authority figure to improve their chances of eliciting answers.
  • Surveys, where a social engineer indirectly collects data from volunteers. Surveys are effective where interrogation is not a viable option.
  • Observation, where a social engineer examines the target's behavior in a particular environment, with or without their knowledge. A person's behavior and day-to-day routine can provide the social engineer with insight into how they think or act in certain situations.

Elicitation is useful in supporting a variant of phishing called a business email compromise (BEC). In a BEC, an attacker usually impersonates a high-level executive or directly hijacks their email account. They then send an email to financial personnel, requesting money via a method like a wire transfer. Because the financial personnel believe the request is legitimate, they will approve the transfer. The attacker successfully elicits this payment without stealing it directly.
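Screening inbound mail for the BEC pattern just described, as an added example that is not part of the original text. The heuristic pairs a payment request in the body with signs of executive impersonation (a known executive's display name on an address that is not theirs, a lookalike sender domain, a Reply-To that differs from the sender). The organisation domain `example.com`, the executive directory, the sample messages and the similarity threshold are all constructed for the example.

```python
import re
from difflib import SequenceMatcher
from email.utils import parseaddr

ORG_DOMAIN = "example.com"  # placeholder for the defended organisation's domain

# Constructed executive directory: lower-cased display name -> the only legitimate address.
EXECUTIVES = {
    "alice chen": "alice.chen@example.com",
    "bob okafor": "bob.okafor@example.com",
}

# Wording typical of a payment instruction; illustrative, not exhaustive.
PAYMENT_LANGUAGE = re.compile(
    r"\b(wire transfer|wire the|bank details|account number|urgent payment|pay(?:ment)? today)\b",
    re.IGNORECASE,
)


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_lookalike_domain(domain):
    """True for a domain that closely resembles ORG_DOMAIN but is not it (e.g. a digit for a letter)."""
    if not domain or domain == ORG_DOMAIN:
        return False
    return SequenceMatcher(None, domain, ORG_DOMAIN).ratio() >= 0.8  # assumed threshold


def screen_message(msg):
    """Return (verdict, reasons) for one message given as a dict with 'from', 'reply_to', 'body'.

    verdict is 'quarantine' (payment request plus impersonation signs), 'verify'
    (payment request from a genuine executive address), 'flag' (impersonation
    signs but no payment request) or 'pass'.
    """
    reasons = []
    display_name, sender = parseaddr(msg["from"])
    sender = sender.lower()
    known_exec_addr = EXECUTIVES.get(display_name.strip().lower())

    # An executive's name shown on an address that is not their real one.
    if known_exec_addr and sender != known_exec_addr:
        reasons.append("executive display name on non-executive address")
    if is_lookalike_domain(_domain(sender)):
        reasons.append("lookalike sender domain")
    _, reply_to = parseaddr(msg.get("reply_to", "") or "")
    if reply_to and reply_to.lower() != sender:
        reasons.append("reply-to differs from sender")

    asks_for_money = bool(PAYMENT_LANGUAGE.search(msg["body"]))
    if asks_for_money:
        reasons.append("payment request language")

    if asks_for_money and len(reasons) > 1:
        return "quarantine", reasons
    if asks_for_money and sender in EXECUTIVES.values():
        # Headers look genuine: a hijacked executive account cannot be told apart
        # here, so the instruction still needs confirmation over a separate channel.
        reasons.append("genuine executive address; confirm out of band")
        return "verify", reasons
    if reasons:
        return "flag", reasons
    return "pass", reasons


# Constructed sample messages covering each verdict.
SAMPLE_MESSAGES = [
    {"from": "Alice Chen <alice.chen@webmail.example>", "reply_to": "",
     "body": "I need an urgent payment to a new vendor today. Send the bank details to me."},
    {"from": "Bob Okafor <bob.okafor@examp1e.com>", "reply_to": "",
     "body": "Please wire transfer 40,000 to the account number below before noon."},
    {"from": "Alice Chen <alice.chen@example.com>", "reply_to": "",
     "body": "Can you wire the vendor today? Details in the attached invoice."},
    {"from": "Carol Diaz <carol@vendor.example>", "reply_to": "",
     "body": "Attached is the agenda for Thursday's review."},
]


def screen_all(msgs):
    return [screen_message(m) for m in msgs]


if __name__ == "__main__":
    for msg, (verdict, reasons) in zip(SAMPLE_MESSAGES, screen_all(SAMPLE_MESSAGES)):
        print(f"{verdict:10} {msg['from']:45} {'; '.join(reasons)}")
```

The `verify` branch is the important one for the scenario in the text: when the attacker has hijacked the executive's real account, no header check distinguishes the message, so the control that actually stops the transfer is a standing rule that any payment instruction arriving by email is confirmed with the requester through a channel the email did not supply.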