DORADUS LABS
Cybersecurity and Intelligence Analysis
The Conversation With a Purpose
Inside Elicitation, the Quiet Discipline That Turns Small Talk Into Intelligence
A follow-up to The Six Second Threat: Why the Question Is Never About the Time
In the first article in this series, a stranger crossed a restaurant to ask a family for the time. The point was that the question was never really about the time. It was a pretext, and one of the things it set in motion was a brief, deliberate conversation. That conversation deserves an article of its own, because the act of drawing information out of a person through ordinary talk is among the oldest, most reliable, and least understood tools in the intelligence profession. It has a name. It is called elicitation, and once you understand how it works, you begin to hear it.
The Federal Bureau of Investigation, which publishes a public brochure on the subject for exactly the awareness purpose this article serves, defines elicitation plainly. It is a conversation with a specific purpose: to collect information that is not readily available, and to do so without raising suspicion that specific facts are being sought. The Bureau notes that it is usually non-threatening, easy to disguise, deniable, and effective; that it can happen in person, by phone, or in writing; and that, when conducted by a skilled collector, it looks like nothing more than normal social or professional conversation. The most sobering line in the brochure is that a person may never realize she was the target of elicitation, or that she provided meaningful information at all.
This article goes deep on how the technique works, the psychology that makes it effective, the specific methods practitioners use, the channels where it happens, the way it feeds modern cyber attacks, and most importantly, how to recognize and deflect it. As before, this is awareness content built on public sources. The goal is to make you the kind of person who notices the conversation for what it is.
1. Why a Conversation Can Be a Weapon
Elicitation is effective for a simple reason. It does not feel like an attack. A direct question about a sensitive subject triggers the analytical mind, and a trained or even an untrained person weighs the request and grows guarded. Practitioners who write about the craft describe this as the difference between compliance and truth: ask directly and you get a filtered, careful answer, while a well-constructed conversation bypasses the filter entirely and produces candid disclosure. The target is not lying and is not being coerced. They are simply being a normal, social, helpful human being, which is precisely the vulnerability being exploited.
The information sought is rarely a single classified secret. More often it is the mosaic: small, individually harmless facts that combine into something valuable. The name of a vendor. The version of a system still in use. The fact that a particular manager approves payments. A complaint about a recent migration. The hours the night shift runs thin. None of these feels like a secret when spoken, which is why the speaker shares them freely, and which is why a collector who assembles enough of them ends up with a detailed and exploitable picture.
2. The Psychology: Why We Talk
The Defense Counterintelligence and Security Agency, through its Center for Development of Security Excellence, produced a training job aid titled Accidental Conversations that organizes elicitation techniques by the psychological lever each one pulls. That framework is the clearest available, and it maps neatly onto the broader literature on influence. There are three primary drivers.
Reciprocity
Humans have a deep instinct to balance the social ledger. When someone gives us something, including a piece of information that feels candid or confidential, we feel a quiet obligation to give something back. A collector who confesses a struggle, shares a supposed inside detail, or simply listens with patient attention creates a debt, and the target settles it with disclosure. Reciprocity is the engine behind confidential bait, quid pro quo, mutual interest, mirroring, and the patient good listener.
Social Pressure
We are wired to conform to the expectations of a conversation. We want to appear competent, to be liked, to be helpful, and to correct what is wrong. We are uncomfortable leaving a question unanswered or a silence unfilled. A collector who feigns ignorance invites the target to educate. A collector who flatters invites the target to live up to the praise. A collector who states something provocative or plainly incorrect invites the target to set the record straight. Each of these turns a social reflex into a leak.
Cognitive Cues
Finally, the mind is unreliable at noticing hidden assumptions, artificial boundaries, and small errors in logic. When a collector states a fact as if already known, the target tends to confirm or refine it rather than question how the collector knew. When a collector offers a range of numbers, the target narrows it toward the truth. These are not failures of intelligence. They are the ordinary shortcuts of a brain built for cooperation, not for counterintelligence.
These drivers overlap with the classic principles of influence documented by researchers in persuasion, including reciprocity, authority, scarcity, social proof, liking, and consistency. The security writer Dr. Jessica Barker has made the point that social engineering is not new, but that it is more effective than ever precisely because it plays on human emotion, and emotion does not patch.
3. The Practitioner's Catalog
What follows is a working catalog of elicitation techniques drawn from the FBI brochure, the DCSA job aid, and decades of competitive intelligence and counterintelligence practice. They are presented here so that you can recognize them, which is the entire reason the government publishes them as well. The examples are written in a generic business context and are deliberately mild. In the field, multiple techniques are layered within a single conversation.
Techniques That Exploit Reciprocity
- Confidential bait. Pretend to share something privileged so the target feels safe sharing in return. Example: Between us, our last assessment found a gap in how the firewall rules were written. Did yours ever turn up anything like that?
- Quid pro quo, or volunteering information. Offer a fact, often slightly wrong or incomplete, in the hope the target corrects or completes it. Example: Our system tops out around a few hundred transactions an hour. Yours probably runs about the same.
- Good listener. Exploit the instinct to confide, brag, or vent by listening with patience and validation. Example: Letting a frustrated administrator describe, at length, everything wrong with a recent vendor migration.
- Mutual interest and mirroring. Establish shared ground, a hobby, a hometown, a former employer, and match tone and body language to build rapport quickly. Example: Wait, you worked at that property too? Small world. Who was running IT when you were there?
Techniques That Exploit Social Pressure
- Feigned ignorance or naivete. Pose as a newcomer to trigger the target's urge to teach. Example: I am still learning all this. How does the floor network actually connect back to the cage system?
- Flattery and ego stroking. Use praise to coax a person into demonstrating their knowledge. Example: You clearly designed that integration yourself. Nobody else could have pulled it off.
- Provocative statement. Say something that prompts the target to ask you a question, making your role in the conversation seem innocent. Example: I still regret not taking that role at the larger operator. Their response: why didn't you?
- Criticism. Criticize the target's organization or work so they defend it, disclosing details in the process. Example: Honestly, that platform always struck me as a weak choice. Their defense often reveals the real configuration.
- Opposition or feigned incredulity. Express disbelief so the target proves their point with specifics. Example: There is no way you rolled that out over a single weekend.
- Can you top this. Tell an exaggerated story so the target tries to outdo it with a real one. Example: We once had a system down for two days. The target replies with their own, more detailed, outage.
- Questionnaires and surveys. State a benign purpose and surround the few questions that matter with logical filler. Example: A short vendor satisfaction survey with two pointed questions buried among routine ones.
- Target the associate or the outsider. Approach the contractor, new hire, or vendor representative who is less trained in nondisclosure. Example: Chatting up the temporary technician who has access but little security awareness.
Techniques That Exploit Cognitive Cues
- Assumed knowledge. State something as if already known so the target confirms or corrects it. Example: You are still running the old build, right? A correction reveals the real system.
- Bracketing. Offer a high and low estimate to draw out a precise figure. Example: Your security budget has to sit somewhere between a quarter million and a million. The target narrows it.
- Leading questions. Phrase the question to presuppose the answer you are testing. Example: So you handle all the badge provisioning yourself, correct?
- Macro to micro. Begin with a broad, comfortable topic such as the industry, then steadily narrow toward the specific detail you want. Example: Open with regulatory trends, end with how one property segments its network.
- Oblique reference. Ask about an adjacent subject to reach the real one without naming it. Example: Asking about HVAC contractors to learn who has after-hours building access.
- Deliberate false statement, or denial of the obvious. Assert something plainly wrong, relying on the urge to correct. Example: Nobody really uses multifactor on those terminals anymore.
- Word repetition. Echo a key phrase the target used to encourage them to expand on it. Example: A two day cutover, you say. Interesting.
- Silence. Leave a deliberate pause, which the target feels compelled to fill. Example: Saying nothing after a partial answer, prompting the target to keep talking.
4. Where Elicitation Happens
Elicitation is channel-agnostic. It happens wherever people talk, and the most productive venues are the ones where professional guards are lowest.
- Conferences and trade shows. The FBI has warned specifically that industry events are fertile ground for elicitation, because attendees are there to network, to be recognized, and to demonstrate expertise. A booth, a hallway, a hotel bar, and a shared cab are all collection environments. The expert who loves to educate is the easiest person in the room to draw out.
- The telephone. Voice contact, including the modern attack known as vishing, layers elicitation onto a fabricated pretext and a spoofed caller identity. The human voice builds rapport and manufactures urgency in a way that text cannot, which is why help desks and finance teams are favored targets.
- Writing and the open web. Elicitation also works in writing. A friendly message on a professional network, a survey, a recruiter inquiry, or a vendor questionnaire can all carry a few pointed questions hidden among innocuous ones. Public profiles supply the raw material that makes the approach credible in the first place.
Targeting is rarely random. Counterintelligence guidance notes that collectors gravitate toward those who hold the levers worth pulling and those least conditioned to resist: the talkative expert, the new employee, the contractor, the disgruntled insider, and the role that controls access, payments, or sensitive systems. Modern threat groups maintain dossiers on exactly these roles.
5. From Conversation to Compromise: The Cyber Pivot
Elicitation is where many cyber intrusions actually begin, because it produces the human intelligence that makes a later technical attack precise. The lifecycle is consistent. A collector elicits the small facts, the role names, the systems, the procedures, the internal language, and that material becomes the pretext for a tailored phishing email, a convincing vishing call, or a credential reset request that sounds exactly like a legitimate colleague.
The pattern is not theoretical. The 2023 breach of MGM Resorts has been widely reported to have begun with attackers identifying a help desk employee through a professional network and then placing a vishing call that impersonated that worker, answering verification questions using information gathered beforehand. Security analysts have catalogued how specialized groups maintain active profiles of help desk technicians, finance staff, and executive assistants for precisely this reason. The professionalization has gone further still, with reporting describing vishing delivered as a paid service, operators working from prepared scripts and compensated per call. More recent incidents follow the same shape, including a 2025 customer relationship management breach reportedly triggered by a single socially engineered phone call, and a 2026 case in which one voice call yielded single sign-on credentials that led to the exposure of millions of records.
Artificial intelligence has sharpened every stage. Tools now assemble target profiles in hours rather than weeks, draft pretexts in fluent business English tuned to a person's role and current company events, and generate synthetic voice and video capable of impersonating a trusted executive in a live meeting. The elicited mosaic feeds these systems, and the systems return a more convincing approach. The old craft and the new tooling reinforce each other.
6. Recognizing Elicitation
Because skilled elicitation looks like ordinary conversation, recognition depends less on catching a single trick and more on noticing a pattern and trusting a feeling. The following signals, taken together, deserve attention.
- A conversation that keeps returning to a subject you would not expect a casual acquaintance to care about, especially work systems, finances, schedules, or security.
- Questions that do not fit the relationship, asked by someone who has no clear reason to need the answer.
- Flattery or sympathy that arrives just before a probe, or information offered to you a little too freely, as if to invite an exchange.
- Statements that are obviously wrong about your area, which you feel an itch to correct.
- A persistent, patient listener who asks little but draws a great deal out of you, and the sense afterward that you did most of the talking.
The most reliable detector is the one a trained observer relies on in any setting: a baseline and an instinct. If the interaction does not fit the normal pattern of who talks to you, about what, and why, that mismatch is the signal. The feeling that you have just been gently drawn out is worth respecting rather than dismissing.
7. Deflection and Defense
The encouraging news, emphasized by every serious source on the subject, is that elicitation is defeated by awareness far more than by secrecy. You do not have to be rude, and you do not have to win the conversation. You only have to decline to supply the missing piece.
At the Individual Level
- Know what should not be shared. Decide in advance which categories of information are off limits in casual settings, including system details, security practices, schedules, and the personal information of colleagues.
- Refer to public sources. Deflect by pointing the questioner to a website, a press release, or published material, which answers without disclosing anything new.
- Redirect and stay vague. Change the subject, answer a different question than the one asked, or give a general response where a specific one was sought. Politeness and nondisclosure coexist easily.
- Resist the reflexes. Let the silence sit. Leave the wrong statement uncorrected. Decline the invitation to prove your expertise. Recognize reciprocity for what it is and feel no debt.
- Report it. If you believe someone tried to elicit sensitive information, especially about your work, tell your security officer. A single report often reveals a broader pattern across an organization.
At the Organizational Level
- Verification and callback procedures. Require identity verification through a separate, trusted channel for any sensitive request, and never let a password reset or access change ride on a single phone call. Ticketed workflows and out-of-band confirmation defeat the urgency that vishing depends on.
- Harden the help desk. Treat the help desk as a high-value target. Enforce strong, phishing-resistant multifactor authentication and strict verification before any account action, since this is the door recent major breaches walked through.
- Assess your own exposure. Conduct open source intelligence against your own organization to see what a collector would find, then reduce it. Keep sensitive operational detail behind authentication rather than on public pages.
- Train for the human layer. Role based awareness training and realistic simulations, including voice and deepfake scenarios, change behavior in a way that knowledge alone does not. People who have rehearsed the pause perform it under pressure.
- Build in layers. No single control stops a patient adversary. Technical safeguards, human awareness, and clear policy together raise the cost of collection until it is no longer worth the effort.
8. The Professional's Perspective
It is worth stepping back to view elicitation as the disciplined craft it is. The reason the FBI and the Defense Counterintelligence and Security Agency publish detailed guidance on it is that the same understanding which lets a professional collect responsibly and lawfully is the understanding that lets a citizen or an employee defend. These agencies treat the public as a partner in security, and the awareness they cultivate protects companies, defense technologies, and national interests against adversaries who would collect by less scrupulous means. The skill itself is neutral. A counterintelligence officer, an investigator, a journalist, a negotiator, and a competitive intelligence analyst all use elicitation within professional and legal bounds every day. The difference between legitimate use and predatory use is purpose, authority, and restraint.
For defenders, the lesson connects directly to the theme that runs through this series. Security is no longer divisible into physical, human, and digital compartments. A conversation at a trade show becomes a profile, a profile becomes a phone call, and a phone call becomes a foothold in a network. Doradus Labs works at exactly that intersection, because that is where modern risk actually lives. The organizations that defend critical environments most effectively are the ones whose people have learned to recognize the conversation with a purpose, to feel no obligation to complete it, and to report it when it comes. Awareness is not paranoia. It is simply knowing the game well enough to choose not to play.
Sources and Further Reading
The following publicly available sources informed this analysis. Inclusion does not imply endorsement of any source.
- Elicitation Techniques (official brochure). Federal Bureau of Investigation. <https://www.fbi.gov/file-repository/elicitation-brochure.pdf/view>
- Accidental Conversations: Elicitation Techniques and the Science Behind Them (job aid). Defense Counterintelligence and Security Agency, Center for Development of Security Excellence. <https://www.cdse.edu/Portals/124/Documents/jobaids/ci/Accidental-Conversations.pdf>
- Counterintelligence: Elicitation Techniques (FBI brochure reproduction). Camden Civil Rights Project. <https://camdencivilrightsproject.com/2016/01/02/counterintelligence-elicitation-techniques/>
- What Is Elicitation in Cybersecurity? Definition, Techniques and Defense. Keepnet Labs. <https://keepnetlabs.com/blog/what-is-elicitation-in-cybersecurity-a-deep-dive-into-subtle-conversations-with-purpose>
- The Operative's Field Guide to Elicitation: Bypassing the Filter. Social-Engineer LLC. <https://www.social-engineer.com/operative-field-guide-leadership-elicitation/>
- Learning from the MGM Security Breach. Social-Engineer LLC. <https://www.social-engineer.com/learning-from-the-mgm-security-breach/>
- Social Engineering: Cialdini Principles, Examples, Defenses. RansomLeak. <https://ransomleak.com/threats/social-engineering/>
- Social Engineering Attacks: Types, Examples and Defense. Vectra AI. <https://www.vectra.ai/topics/social-engineering>
- How Vishing Works and How to Stop It. Vectra AI. <https://www.vectra.ai/topics/vishing>
- 8 Social Engineering Defense Strategies (with Dr. Jessica Barker). Hoxhunt. <https://hoxhunt.com/blog/social-engineering-defense>
- What Is Vishing? Defending Against Phone Based Social Engineering. Red Goat Cyber Security. <https://red-goat.com/what-is-vishing/>
- Social Engineering: Elicitation and How to Counter It. TestPros. <https://testpros.com/cybersecurity/social-engineering-elicitation-and-how-to-counter-it/>
- Elicitation Techniques (competitive intelligence practice). Ellen Naylor, The Business Intelligence Source. <https://ellennaylor.com/elicitation-techniques/>
Doradus Labs | Intelligent infrastructure, secured.