
Deception, Elicitation, and Social Engineering in Executive Security
Written by James Whitfield, Senior Security Consultant
In 2023, the FBI’s Counterintelligence Division published a public reference document summarising social engineering methods targeting US corporate executives. It was not particularly surprising reading for those familiar with the field. What was notable was the reach of the targeting: small and mid-size companies in sectors far removed from obvious national security sensitivity, targeted because they held data useful to a larger intelligence picture or because their senior personnel had connections the targeting actor wanted to map.
Social engineering is, in the most straightforward terms, the exploitation of human nature as a vulnerability. It requires no technical skill. It is rarely dramatic. It is the most common method by which hostile actors – whether state intelligence services, organised crime, or corporate competitors – gather intelligence on executives without triggering any technical security measure.
What Elicitation Looks Like
Elicitation is the structured gathering of information through conversation without the subject’s awareness. It is distinguished from direct questioning by technique. The elicitor does not ask “What is your company’s strategy on Project X?” They ask questions that progressively reveal the answer while appearing to engage in ordinary professional conversation.
The FBI’s Elicitation Awareness training materials (Public Reference 4, 2021) identify the following common elicitation techniques:
Flattery: Complimenting the target’s expertise in a specific area, creating an incentive for them to demonstrate that expertise by providing detail. “You clearly know more about this market than anyone in the room – what’s your view on…”
Volunteering false information: Stating something the elicitor knows to be incorrect, triggering a correction. “I understand your company has withdrawn from the Southeast Asian market.” A knowledgeable executive will correct this instinctively, providing accurate information in the process.
Assumed knowledge: Asking questions that presuppose the target knows about a specific project or plan, drawing a confirmation or correction either of which is informative. “I heard you’re expanding the Singapore operation – is that still on track?”
Third-party attribution: “A colleague mentioned that your company was involved in…” This distances the information request from the elicitor and creates social permission for the target to confirm or deny.
Feigned ignorance: Appearing less well-informed than the elicitor actually is, encouraging the target to fill the knowledge gap.
These techniques are used singly and in combination. In a conference bar or a dinner setting over several hours, an experienced elicitor can extract a significant picture of an executive’s business activities, travel plans, personal relationships, and corporate strategy without the executive registering that they have been questioned.
State-Sponsored Targeting: Patience as a Method
MI5’s corporate security guidance, published through the Centre for the Protection of National Infrastructure (now NPSA) and directly on the MI5 website, identifies state intelligence services – specifically naming China and Russia – as conducting systematic elicitation operations against UK business executives. The guidance notes that cultivations may extend over months or years before an information request is made.
The documented method involves establishing a professional contact through a legitimate channel – a conference introduction, a LinkedIn connection, a shared professional association. The cultivating actor invests in the relationship: they provide useful information, make appropriate referrals, demonstrate genuine knowledge of the executive’s field. By the time a request is made, the executive has no reason to be suspicious. The relationship feels like a professional friendship or mentorship.
This method has been documented in cases including:
Operation Gladio (2013-2015): A US Department of Justice prosecution involved a Chinese intelligence officer who had cultivated contacts in the US energy sector over multiple years, using academic conferences as the initial contact point.
The LinkedIn False Profiles Campaign (CPNI Advisory, 2021): MI5 and NCSC jointly advised that over 10,000 UK nationals had been approached via LinkedIn by accounts subsequently assessed to be operated by a state-sponsored intelligence service. The contacts were concentrated in defence, finance, technology, and government advisory roles.
The Honeywell and GE Cases (DOJ, multiple years): Multiple prosecutions involving Chinese nationals convicted of economic espionage involved elicitation of colleagues and contacts rather than, or in addition to, technical intrusion.
Pretexting and Impersonation
Where cultivated relationships are not available, hostile actors use pretexting – fabricating a plausible scenario to justify an information request. Common pretexts targeting executives include:
Regulatory or compliance contact: A caller claiming to be from a regulatory body, law firm, or auditor requesting information or verification. The pretext is credible because executives receive legitimate contacts of this type.
Press or research inquiry: A caller or emailer presenting as a journalist or academic researcher. Executives often respond to these requests because engagement with media and academia carries professional benefit. The NCSC notes this as a documented vector.
Vendor or supplier contact: Someone presenting as a supplier representative gathering information for a proposal. Requests about internal processes, budget cycles, or procurement decision-makers are framed as routine.
IT support: The IT support pretext – directing an executive to provide credentials or install software because of a security or system problem – remains one of the most effective because of its urgency framing. The NCSC’s Phishing Guidance (2024) covers this in detail. The technique works on executives as readily as on general staff.
The Conference Environment
Industry conferences create ideal conditions for elicitation. They gather knowledgeable professionals who are socially primed to share information. The social norm is professional exchange. Alcohol is often present and norms of discretion are temporarily suspended. The setting removes the usual office environment cues that trigger information security awareness.
Both NCSC and MI5’s corporate security materials specifically identify major industry conferences as environments where deliberate targeting is documented. Trade shows in defence, energy, pharmaceuticals, and financial technology are specifically mentioned.
The close protection team attending a conference with an executive has a function here that is separate from physical threat management. The team can:
Observe approach patterns: Who has approached the principal? Have the same individuals appeared on multiple occasions or in multiple venues across the event? Does anyone’s presence seem inconsistent with their stated role?
Monitor extended conversations: Is the principal being drawn into extended one-to-one conversations with unfamiliar contacts? Is the conversation becoming progressively more detailed about corporate specifics?
Provide natural interruptions: A close protection officer who understands elicitation can create natural breaks in a conversation that appears to be developing in a direction the executive has not recognised as problematic.
This function is not surveillance of the principal. It is the team doing what the principal cannot do while simultaneously engaging in professional conversation: watching the room.
The Inner Circle Vulnerability
Executives are often briefed on their own social engineering risk. Their immediate support staff, family members, and contractors typically are not.
The personal assistant knows the executive’s schedule in detail. They book travel, manage access, and are the first point of contact for many external parties. A hostile actor who cultivates a relationship with a PA – appearing as a vendor, a professional contact, or a personal connection – can gather schedule and access information without ever approaching the executive.
The NPSA’s Insider Threat guidance notes that the most useful intelligence for planning a physical security operation against an executive is often obtainable from the executive’s support network rather than the executive themselves.
Security awareness briefings must include:
- The PA and executive assistant team
- Household staff with access to the executive’s residence or schedule
- Regular vendors and contractors
- Immediate family members who may be approached socially
This is not a comfortable briefing to give. The implication – that trusted people in the executive’s life may be unwitting intelligence sources – requires careful framing. But it is a documented vulnerability.
Counter-Measures
The NCSC’s social engineering counter-measures guidance specifies the following:
Verification procedures: All requests for sensitive information – financial data, system access, schedule details – must be verified through a confirmed channel before being acted on. The requestor’s provided contact number is not a confirmed channel.
Need-to-know culture: Information about the executive’s schedule, travel plans, and corporate activities should be restricted to those who need it to perform their function. Wide disclosure creates wide exposure.
Awareness training: Staff in the executive’s immediate environment should receive specific training on elicitation and pretexting techniques. The NCSC’s “Suspicious Contact” reporting guidance (2024) outlines what to report and to whom.
Suspicious contact reporting: A clear route for staff to report approaches that felt unusual, without the need to be certain that the approach was hostile. Most successful elicitation campaigns are identified in retrospect because multiple contacts reported separately – when aggregated – reveal a pattern. The protective intelligence function should be the collection point for these reports.
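The aggregation step described under suspicious contact reporting, sketched as an added example that is not part of the original article: separately filed reports are grouped by the contact's claimed identity, so that one person approaching several members of the inner circle becomes visible at the collection point. The `Report` fields, the two-reporter threshold, and the sample reports are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Report:
    reported_on: date
    reporter: str       # role of the staff member filing the report
    contact_name: str   # name the contact gave
    contact_org: str    # organisation the contact claimed to represent
    venue: str          # channel or place of the approach
    topic: str          # what the contact asked about

def contact_key(r: Report) -> str:
    """Normalise the claimed name so case and spacing variants group together."""
    return " ".join(r.contact_name.lower().split())

def aggregate(reports, min_reporters=2):
    """Group reports by contact and return those seen by several reporters."""
    by_contact = defaultdict(list)
    for r in reports:
        by_contact[contact_key(r)].append(r)
    findings = []
    for key, rs in by_contact.items():
        reporters = {r.reporter for r in rs}
        orgs = {r.contact_org for r in rs}
        if len(reporters) < min_reporters:
            continue  # a single report stays on file but is not a pattern yet
        findings.append({
            "contact": key,
            "reporters": sorted(reporters),
            "claimed_orgs": sorted(orgs),
            "venues": sorted({r.venue for r in rs}),
            "topics": sorted({r.topic for r in rs}),
            "first_seen": min(r.reported_on for r in rs),
            "last_seen": max(r.reported_on for r in rs),
            # Different affiliations given to different people is an
            # inconsistency no individual reporter is in a position to see.
            "inconsistent_pretext": len(orgs) > 1,
        })
    return sorted(findings, key=lambda f: len(f["reporters"]), reverse=True)

# Constructed sample reports (fictional names and organisations).
SAMPLE = [
    Report(date(2024, 3, 4), "pa", "Alex Morgan", "Northfield Research", "phone", "travel schedule"),
    Report(date(2024, 3, 19), "household", "alex  morgan", "Harlow Supplies", "residence", "access times"),
    Report(date(2024, 4, 2), "contractor", "Alex Morgan", "Northfield Research", "office", "procurement contacts"),
    Report(date(2024, 4, 9), "pa", "Sam Reid", "Trade Press Weekly", "email", "interview request"),
]
```

Run over the sample, `aggregate(SAMPLE)` returns one finding: the same claimed name reported by the PA, household staff and a contractor over four weeks, under two different affiliations.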
For the state-sponsored economic espionage context – how intelligence services use elicitation and relationship cultivation as primary vectors for IP theft, the Economic Espionage Act 1996, the CPNI advisory on insider recruitment, academic sector targeting, and counter-measures including the trade secret audit and need-to-know access controls – see our counter-economic espionage guide.
For complementary coverage, see TSCM and technical surveillance countermeasures and threat intelligence for executives.
Key takeaways
Social engineering exploits trust, not technology
The most effective social engineering attacks require no technical capability at all. An elicitor who cultivates a relationship with an executive's personal assistant over six months, gathering schedule information and personal details, has greater intelligence value than a software exploit. Security awareness programmes that focus only on phishing emails miss this dimension.
Conferences and networking events are prime elicitation environments
Industry conferences concentrate high-value targets in an environment designed for the free exchange of information. Alcohol is often present. Norms of professional disclosure are actively encouraged. The NCSC and MI5 both identify conference environments as a primary target venue for elicitation operations, particularly those attended by executives in defence, energy, and technology sectors.
State actors use patience that criminal actors do not
A state intelligence service may cultivate a contact for months or years before making an information request. By the time the request is made, the target may not recognise it as such – they believe they are speaking to a trusted professional contact. Criminal social engineering is typically faster and more transactional. The distinction matters for security awareness briefings.
The close protection team observes what the principal cannot
An executive in conversation cannot simultaneously monitor who is observing that conversation, note who has approached multiple times, or track patterns across events. The close protection team, positioned to observe rather than engage, is placed to identify these patterns. This is a practical function that is often underutilised.
The greatest vulnerability is the principal's inner circle
Targeting an executive directly is high risk for a hostile actor. Targeting the personal assistant, the spouse, the PA's PA, or the contractor who services the executive's office is lower risk and often equally productive. Security awareness briefings must extend beyond the executive themselves.
