From Learn to be a true Social Engineer
Elicitation is used to get to know people better. We use this to make mental judgments of IF and HOW we will develop a relationship with a person. In the case of an individual or group of people, this is something we do everyday by talking, listening, and asking questions.
Social Engineering Tactic
Of course it takes on a different role when used as part of a social engineer tactic. The goal of elicitation is to extract information that is meaningful and relevant to the overall objective of gaining access to the target assets. For example, if you’re objective is to obtain a username and password and your conversation with the secretary yields only that she makes fantastic cakes then you have a bit more work to do in the elicitation process. You can build on that information but it’s not what you were after.
Familiarity of the process can help when you’re engaged in active elicitation from a target. The simple process of having a conversation, sharing information, and asking well placed questions should not trigger a defensive reaction from the individual if it’s done in a seemingly innocent and casual manner. It allows you to probe for information you can build on or perhaps even the specific information you need in the first place. That casually probing conversation is analogous to port scanning a target machine for any open ports that will respond. Once you know what ports and/or protocols are active, it allows you to focus your efforts on the areas that are meaningful to the target. This keeps them engaged and provides more opportunities for eliciting information from them.
On The Internet
Elicitation via electronic means is also a viable and active attack vector. Spoofed emails and malicious websites that fool a user into providing their personal information or account credentials are excellent examples of eliciting information for use in obtaining access to a target system.