The 5 Steps to Successful
Without a doubt there are many skills to becoming a successful
social engineer. It also seems that each skill is equally as important
as the next. This month I wanted to focus on one that can truly enhance
your everyday communications as well as your ability to be a very successful
can be defined as the process of extracting information from someone, and
most commonly done through conversation or questions. This is more than
just asking, “Cold out today huh?” Sure, the response is “information,”
but it is not really elicitation. Instead, along the same lines, what
about simply changing that question to, “What do you think of today’s
That simple change can help you to find out a lot more of what that person
thinks and feels. That information alone can help you when developing a
profile on the target and developing your next line of questions.
That is why I thought it would be smart to outline the 5 steps you must have
in order to become a successful elicitator.
Step One: Know How to Communicate
This one sounds really complex, but it is essential. We all have ways
that we like to be communicated with, but our style of communication may not
be for everyone we meet. What can we do?
Learn how to communicate
with people of all sorts. Learn how to speak softer or louder,
faster or slower, less or more. Some people like to be close enough to
touch and others have a wide personal space. Learning to read these
different styles can make a huge difference in the type of questions you will
In everyday life, learning how to communicate with all types of people is
very important. As an example, the other day I was running really late,
but I had to run to the bank. I had a goal in mind, to make this
deposit. But I had forgotten my bank book at home and couldn’t go
through the drive-through. I decided to go in and try to make it as
quick as possible. As I walked into the bank I noticed that the woman
behind the counter looked very angry. She was rushing around and I
heard her speak rudely to the guy in front of me in line.
First, noticing her very rushed appearance allowed me to determine that I could
not just walk up and tell her I forgot my bank book; her already irritated
demeanor would have been made worse. Noticing that she was a little
rude to the previous patron would normally put me off, but I had to put that
aside and ask, “Is there a way I can make HER day better…” These simple
thoughts helped me to see that she needed some validation and someone who
wasn’t going to put any pressure on her to hurry more.
I decided that, although my goals were important to me, I would not achieve
them without her help, and getting her help would require more than just
asking. When it was my turn in line I approached her, quickly reading
her business card and said to her, “Barbara, you look as busy as I feel
today….” With a slight pause allowing her to laugh and feel validated I
was then able to make my request.
Step Two: Be Adaptive
All the paths of the first step lead to this. Noticing the person’s
communication style doesn’t really amount to much if you do not adapt.
Being able to adapt to the target’s communication style will mean changing the
type of questions. Adapting in the style of communication, both verbal
and non-verbal, can make the target feel at ease, open up and be more willing
to give the information you are requesting.
I have a friend who hates being touched at all. He has a very serious
phobia when it comes to anyone touching him. If you want to properly
communicate with him you need to avoid getting close to him at all. You
can’t touch him, even prolonged handshakes make him uncomfortable. To
make him feel at ease it would be important to notice his body language and
then adapt so as not to turn him off.
Being adaptive is probably one of the most important aspects of the five
steps to elicitation.
While in the bank I am usually all business. I am there for one purpose
and I don’t really fancy hanging out in the bank. Usually I am in and
out and it is over. Today, with the change in this woman’s attitude, I
had to adapt my normal style of plainly telling her my problem and expecting
her to fix it, so as not to irritate her more. I could not expect her to
adapt; instead it was me who had to adapt to her to create the
environment I wanted.
Step Three: Building Rapport is Essential
Really the first two steps are completed to accomplish one goal: to build
rapport. We open up and we talk to our friends. We buy,
we give advice, we take hints, all from people we deem our friends.
If we can keep our targets at ease, and then take that a step further and
make them our friends, they will tell us everything we ask.
Building rapport is no easy topic; there are literally volumes of books
written on it. There is no quick way to sum
it all up perfectly, but I can tell you this: if you come in acting like you
have rapport and you believe it, your body language, non-verbals and voice
will reflect that and send the signals confirming it.
Being confident, maintaining normal eye contact and adapting to their
communication style can help put the target at ease and feeling very friendly.
Once the person feels rapport they will even forgive certain “mistakes” that
you may make. Rapport can help you feel at ease too and make
communication very natural.
With Barbara the bank lady there were a few key points that made this
work. First, I used her name in a very calm and confident way. I
didn’t demand or demean; instead I validated her feelings of being
busy. With a quick joke and a smile after using her name I was able to
build a very strong bond within only a few seconds.
Step Four: The Cover Must Match the Book
What do I mean by that? Well it is important that whatever pretext
you are using matches the type of questions you will be asking or the
conversation you will be having. If your pretext is a lost tourist
asking for directions and you start asking overly personal questions, it
might cause a disconnect with the target.
Imagine a scenario where elicitation might be used to gather intel.
You approach your target as a potential vendor looking for internal contact
information and some information about their present vendors. All of
this is information you may use as an attack vector later on, but if you
approach the target and your questions are too personal or show you have too
much internal knowledge you can cause the target to feel uneasy, break
rapport and end your chances of success.
As you develop your pretext outline:
• What type of questions would this kind of person ask of
• How would they ask for this information?
• Would they have any need for personal information?
• At what point do you know that your pretext would make
the target uncomfortable?
Having all this clearly defined and even written out will help you succeed in
being an amazing elicitator.
Of course, I wasn’t really planning a pretext when I visited the
bank. I merely had a goal in mind, but in a way it is like a pretext.
Let’s word it this way… My “pretext” had to change from a busy guy who just
wanted to get in and out, to a very understanding, equally busy man. If
my non-verbals screamed “I AM IRRITATED” (anger on the face and breaking eye
contact) the messages would not have matched and my potential success could
have been affected.
Step Five: Ask the right questions
Up till now we haven’t mentioned one aspect that actually involves asking
questions. All four of the previous steps revolve around setting up the
perfect environment to make the target feel comfortable and at ease so your
elicitation goes more smoothly.
The final step is to learn to ask questions that force a response. What
do I mean by that? Let’s refer back to the introduction where I spoke
about asking about the weather. Simply asking, “Pretty warm out
today?” will elicit a very limited choice of answers – “Yup”, “Nah”,
“hrmph” or the like.
By changing the question just a little we can “force” a much deeper response
from the person: “What do you think of this weather?” Now the person
has to dig deep and tell us their feelings. This will reveal a lot
about that person and their likes and dislikes.
Now most of the time our goals are more than a weather report, but think
about how you can word the questions and/or interactions for the maximum
effect. Think about the bank scenario I spoke about
before. My first step after noticing her irritation was to validate her
being very busy. That validation is a vital step, as it makes the person’s
feelings and actions justified. This can bring the target a lot of
comfort. Next, after I noticed her body language change, not so rigid
but more relaxed, I was then able to make my request. Now I know that
this bank hates when the patrons forget their bank books and have to make
deposits the “manual” way, so I worded it like this,
“Barbara, maybe you can help me out? I was running around like a
frantic chicken this AM and realized I forgot my bank book. I really
need to make this deposit, but what do you think is the best way to do this
quick so I can get out of your hair?”
This allowed her to be the “savior” of this poor forgetful sap and, in
addition, I validated her hectic schedule by telling her I wanted to get out
of her hair. She smiled at me and said,
“No problems, it will only take a second.” Not only did she do the
deposit, but she completely filled out the slip with all my information and
details. Mission accomplished.
What Can You Do?
Being a great elicitator is definitely a skill that all social engineers will
want. On the flip side though, elicitation is a very potent tool in the
wrong hands. The NSA’s
website had information about this danger that we archived on the SE
I am not one to promote that we need to walk around second-guessing
everyone’s motives, but in reality we have to be more cautious with
information leakage. I have seen and heard people give out credit card
numbers over their cell phones in public, access bank account details on
public hotel lobby computers and not think twice about overly
information-packed badges being worn with pride. These “little” things can
lead to a breach when mixed with elicitation.
Staying aware of your surroundings, thinking about the information being
requested and not releasing too many details – even to the most friendly of
folks – can go a long way in keeping you secure.
As a social engineer though, this skill is one that is easy to practice
without having to step into the dark side. Once you do this you will be
amazed at how much information you can glean from people – simply by asking
Till next month.
Written by Christopher Hadnagy