Last Updated on September, 2023 by Edison
If you’re an aspiring SE, ethical hacker, business owner, or just an individual fascinated by this topic (like me), you might want to read this article.
It will help you understand how social engineers and con men use psychology to steal money or hurt your business.
FBI defines elicitation as “A technique used to discreetly gather information.” You construct the conversation in such a way that makes him give information without you asking for it.
Many governments warn their employees about elicitation because it is commonly used by spies worldwide.
Why does it work?
If we know something that doesn’t directly affect us, we are more willing to talk about it.
Jack Schaffer, ex-FBI agent and author of Truth Detector gives an example of an exercise with his students.
He asked his student to go into a jewelry store, have a conversation with the clerk, and get the needed information as if he wanted to rob the place.
By having a simple conversation with the clerk, he could learn that:
- The cameras in the store don’t work.
- Mall security officers are incapable of doing their job properly.
- The clerk won’t be a problem for the shoplifter because he was instructed not to engage with them.
- The store won’t bother shoplifting unless the loss is greater than $1200
- There are $2200 in the store right now, and the safe is broken
Based on the clerk’s information, he could steal an item that costs $1200 or less and walk away without fear of getting caught or even reported.
The clerk wasn’t aware of the sensitive information he was giving. And since it didn’t affect him directly, he didn’t care.
Of course, not everyone will reveal so much information. But your job is to collect pieces of seemingly unimportant information that will help you complete the big picture.
Another reason elicitation works is that most people feel insecure. We might feel inferior to people who we think are better than us.
So, this insecurity drives us to show others we’re just as smart or smarter than them. That’s why we correct others when they give incorrect information.
In other words, we feel good when we correct others and keep doing it. You can exploit this tendency simply by presenting incorrect information.
#1 Be confident. Nothing kills the conversation more than being uncomfortable.
#2 Educate yourself. You need to know the subject you’re talking about. But mostly, you’ll ask well-thought-out questions to encourage him to talk more about his area of expertise. Make the conversation about them.
#3 Common conversation openers are the weather, asking for advice on technology, and general questions about kids, pets, and sports.
#4 When someone does a small favor for you, it makes them more willing to do you another favor.
You can thank them for taking the time to meet you, for being early, or for arriving on such brief notice.
#4 Don’t be greedy. Your goal is to get information. Yet, that shouldn’t be your sole focus because the target will lose interest.
Make the conversation a give-and-take unless you are with someone who wants to dominate the conversation. Here, let him dominate.
If you got the answer, don’t go deeper and deeper into the conversation because it can raise a red flag.
Appealing to their ego – This technique is simple but effective because many people take pride in their work.
They often link their identity with their work. That’s why they’ll talk freely about their professional accomplishments.
You: “You must have an important job, X seems to think highly of you.”
Target: “That is so nice of you to say, but my job isn’t that important. All I do here is…”
Or, I bet you were the key person in designing this product.
Appealing to their ego is simple and effective, but don’t overdo it or when you’re not sincere because it can turn people off.
Presumptive Statements – You make a statement that might be right or wrong and wait for them to respond.
If your statement is correct, he will agree and provide additional information.
If your statement is wrong, he will probably provide the correct answer and give a detailed explanation.
Criticize – You criticize their company, hoping he will give information during the defense.
e.g., “How did your company get the contract? Everyone knows E Corp has better engineers for that work”.
Oblique Reference – You discuss a topic related to the main issue.
For example, you discuss the catering at a work party when you want to know the type of access outside vendors have to the facility.
Questions – You ask open-ended questions to get small bits of information that will complete the bigger picture.
It can also create the illusion of authority. In conversations, we perceive the one asking questions to have more power.
Alcohol – The SE might offer alcohol to their targets because drunk people talk more than they have to.
Elicitation Sandwich – People tend to recall the first and last thing in a conversation.
So, where should you put the elicitation? Exactly. In the middle.
After you have established rapport… start with small talk… deviate the focus of the conversation to the elicitation topic… then go back to the first topic.
Experts say that most security breaches happen because of human error.
Often, the breach won’t be intentional, but sometimes it is.
An employee might hold grudges against the company, and they might have no choice but to stay there. And the managers might not know this.
An unhappy employee can be a great help to the attacker.
They could establish network backdoors, provide legitimate passes, or directly give business data to the attacker.
You can meet with employees in smoking areas, local cafes, or even on public transport they take.
Then, you can start a conversation and focus on work-life in general.
You probably heard about the Milgram experiment and its results. A man in a lab coat at Yale University convinced strangers to harm other people.
He had no real authority to force a person to follow orders, just perceived authority.
Authority is so powerful that it overrides decision centers in the brain and shuts off our sense of responsibility.
Businesses expect employees to perform tasks set by the management. So, if the employee believes the SE is part of the management, he will conform to any reasonable request. He might provide sensitive information and wouldn’t raise any alarms.
You can also impersonate a security guard. Of course, it would need more than a fake uniform to use authority to great effect. You can ask to see an employee’s badge to make a security check.
The chances of challenging and questioning a security guard are very slim.
Remember that authority should be part of every aspect of impersonation. A good suit or uniform can be enough for the looking part. But the sounding part is a little more challenging.
A trick in creating the illusion of authority is to ask questions. In conversations, we perceive the one asking questions to have more power.
Another technique that can help you to pretext is…
Priming is when you get exposed to something like a word, feeling, or image… that influences your behavior later on without your awareness.
Researchers at the University of Nijmegen conducted an interesting experiment about priming:
They divided volunteers into two groups, and each would give a test on general knowledge.
The first group was primed with the stereotype of professors.
The second group was primed with the stereotype of hooligans.
The first group performed significantly better than the second group.
In other words, the mere perception of a person or a group of people causes you to act similarly – at least for a short period.
Now, priming is a powerful tool you can use to improve your pretext.
For example, let’s say you have to pretend to be an IT professional.
What is the perception people have about them? Or, more accurately, what is the stereotype?
It’s a socially awkward person obsessed with technology who can fix anything computer-related, right?
This is not the case with everyone, but it’s all about perception.
One way to prime the stereotype of someone from IT would be writing down everything that comes to your mind related to their behavior and appearance.
The key is that the priming works when you have expectations it is going to work. You don’t force it; you simply allow that persona to flow into your pretext. You know, it helps you on an unconscious level.
So, when you are out there pretending to be someone else, you instinctively know how to behave, And you don’t spend mental energy worrying about how you look.
Working at the Company
If you can get a job at the target company, everything becomes easier.
Often, social engineers apply for a cleaning role, which has two advantages.
First, it doesn’t require any specific qualifications.
Second, it is doubtful for a business to do thorough research on applicants due to the low privileges of that job.
The irony is that the cleaners have more access to the building than other employees.
I understand that it will take a great deal of time, but the payoffs are high and low risk.
It’s a complicated technique involving a lot of planning and careful timing.
The social engineer provides help that aids the attack.
The target asks for something from SE when it’s usually the other way around.
For example, the SE impersonates someone from the IT department, asking, “Are you experiencing any computer issues?” Most likely, someone will have a problem. And the SE could help them solve it.
He/she could ask for the user’s credentials to log in remotely. Or it could ask them to visit a particular website to test connectivity, which is malicious.
A more complex strategy is to sabotage and assist. The SE causes an issue and then presents himself as someone who can solve it.
Another attack could be Introduce-Sabotage-Assist. You introduce yourself as a new member of IT, give your phone number, explaining they could call any time if they have a problem.
You’re not asking for any information, which won’t raise any alarms. The target will call the SE when the problem occurs, asking for assistance.
Targeting an Individual
If you want to perform a targeted attack on an individual instead of a group, then consider the following:
- Recent holidays
- close friends
- Family members
- What bank do they use
- What car do they drive
Here are some scenarios that are used as a basis for attacks.
If your target went to a particular school, then you can send an email like this:
We’re organizing an XYZ high school reunion party for the class of 1990 and hope you can join us.
We’ve set up an account on http://www.fakeschoolreunion.com where you can rsvp.
Also, we uploaded pictures of everyone back then.
Sorry if you find them embarrassing.
Hope to hear from you soon.
Another email might include a malicious PDF file based on where they shop regularly.
XY is offering 50% off all products! Please print off the attached voucher and bring it to the store.
Pick up lines
As we have seen in many cases, a social engineer can hijack accounts, steal identities, or infiltrate corporate offices. They use pick-up lines to encourage communication with their targets.
Here are the most common ones:
I’m stuck in X place, and I lost my wallet. Can you wire some money?
The SE probably hacked a friend’s Facebook account and sent the message pretending to be him. He might say he has no money due to a lost wallet or robbery.
You should be careful and ensure you’re talking to your friend or family member. You can ask him to send you a picture of that place or ask a specific question to which he would know the answer.
Click this link
As in the examples above, the social engineer encourages the target to click a link. They might pose as your friend, work colleague, or even a company where you’re a client.
They include logos and variation links to websites such as facebookk.com, paypall.com, etc.
Simona Halep’s Instagram was hacked.
The attackers posted several messages, such as:
“Hey, can anybody help me? I’m stuck in Switzerland and my bank account is not working here. I need 500$, I am willing to pay 1,500$ by the weekend”.
Social Engineering Penetration Testing by Gavin Watson, Andrew Mason, and Richard Ackroyd
The Ellipsis Manual: Analysis and engineering of human behavior by Chase Hughes
We recommend reading the following: