Internal threats: the impact of elicitation

The public transportation authority of the Spanish city of Valencia suffers a scam, carried out through elicitation techniques against an executive, amounting to four million euros.

An executive transfers the amount to an external account after allegedly falling victim to CEO fraud, a social engineering fraud based on elicitation.

Elicitation (from the Latin elicitus, “induced” and elicere, “catch”) is a term associated with psychology that refers to the fluid transfer of information from one human being to another through language. In the context of information security, it refers specifically to the techniques attackers use to obtain information from their victims or to get them to carry out actions, resulting in data leaks or, as in this case, a direct economic impact.

The director who fell victim had worked at the EMT in Valencia for 35 years and has been summarily dismissed. In less than three weeks he ordered eight transfers from the Caixabank account where the company holds its funds to another account at Bank of China in Hong Kong. The transfers did not correspond to the payment of supplies or services and violated the EMT internal protocol for the authorization of payments, for a total amount of 4,040,000 euros.


The main hypothesis is that the former head of administration was the victim of an internationally widespread scam in which the top manager of a company receives by email what appear to be instructions from the president or owner of the company, indicating that he must urgently transfer a large sum of money to an external account under the pretext of closing an operation. The executive received a false email on behalf of the Minister of Sustainable Mobility, in which he was ordered to carry out a mysterious operation to acquire a company in China that he had to keep secret.

It is essential to know how vulnerable employees are to elicitation techniques, whether because of their own psychological makeup or because of a lack of awareness. Elicitation is one of the 10 types of risk that Kymatio identifies and works on to strengthen employees.

More information: article in the El País newspaper (in Spanish).

Definition of Elicitation on Wikipedia

To prevent internal risk and strengthen employees, contact Kymatio.