Deflecting the Social Engineer: CSO Guidance from BrandProtect

Posted by Ben Bradley on Fri, Sep 20, 2013

social engineer The grifter, conman and the thief makes a great story and an even better film. But in today’s reality, what once was the debonair Paul Newman in the Sting, has become a social engineer.

Theft of personally identifiable information, customer information, business plans, infrastructure access and other high value assets more commonly than not starts at the human level – with your employees. Here’s information to help build awareness of the social engineering process and what you can do to stop it.

The Social Engineer

A social engineer is a skilled, often trained expert in gathering secret information sometimes used to breach a company’s security systems. Social engineers use many methods to acquire information and can collect it over a long period of time. The most publicized collection methods are high-tech, but we also should be aware that private information is still elicited during seemingly ordinary human conversations.


Many people easily spot email phishing scams, but elicitation is another, non- technical way of gaining secretive information during verbal interaction. Most people don’t realize it when they are victims. Elicitation can occur during telephone conversations, LinkedIn and other social media interactions as well as in-person meetings.

Social engineers are masters at taking advantage of human nature in order to get the information they need. They exploit our desire to be polite and help others, as well as any tendency to brag, gossip or persuade.

How to Protect Yourself and Your Company

Awareness of social engineering and elicitation is the first step in detecting and stopping information theft. You don’t have to be suspicious of every person striking up a conversation, but do notice if a question or comment seems odd or unusually intrusive.

Elicitation Red Flags

Take note of these five techniques used in elicitation. A skilled elicitor may use many of these during a single conversation.

1. Pretexting and/or False Identity

The elicitor pretends to be someone in a position of authority in order to manipulate you. He has done prior research on you, your family, your history and your personal information. He may pretend to have common acquaintances and common hobbies to make you feel more comfortable about opening up.

2. Confidentiality

Be cautious of anyone providing you with confidential information. If the conversation takes this turn, be aware that the other person may be using this technique in order to have you reciprocate.

3. Gossip and Criticism

This sort of negative banter is non-beneficial anyway, but it can be used as a tool for extracting a great deal of information during a defense. Beware of conversations promoting these modes of discussion.

4. Validation and Flattery

These techniques involve the listener validating the person’s feelings, providing flattery and support in order to encourage them to continue opening up and divulging information.

5. Playing Dumb

This technique plays on the human desire to be helpful and provide mentoring. The elicitor pretends to be a newbie and asks for guidance and information.

Deflecting Elicitation

If you feel any suspicion during a phone call, meeting or in any communication, you may deflect elicitations in several ways.

  • Be suspicious of anyone who surprises you with an excessive level of knowledge about you personally or professionally. Immediately change the subject or end the conversation if it becomes too personal.
  • Refer someone to an outside source of information rather than providing the information to them first hand.
  • Stop someone from asking too many questions by asking your own or saying, “Why do you want to know?” Don’t hesitate to be blunt by telling them you cannot answer the question or cannot discuss the matter. 
Make it a point to not give out personal information to anyone.

If you feel strongly that someone may be a threat to you or your company, report it to your security office.


Like this article? Subscribe to our blog



Topics: Identity Theft, Brand Protection, Security, data breach, scam, risk management, Privacy Protect, defamatory

Recent Posts

Posts by Topic

see all