In AP Cybersecurity, elicitation is the social engineering goal of manipulating someone into revealing sensitive information, like passwords, codes, or personal details, using psychological tactics rather than technical hacking.
Elicitation is the act of getting someone to hand over sensitive information without them realizing they're being manipulated. It's one of the main goals behind a social engineering attack. The attacker isn't breaking into a system with code. They're working on the human instead, using psychology to pull out a password, a one-time code, or personal details.
The CED lists elicitation as one of three things social engineering attacks try to achieve (EK 1.1.A.1). The other two are getting you to download a malicious file or click a malicious link. Elicitation is the "talk you into telling me something" branch. It can happen in person, but it usually arrives through email, text message, or social media, where the attacker pretends to be someone you'd trust.
Elicitation sits in Unit 1, Topic 1.1 (Understanding Social Engineering), and it's tied to all three learning objectives in that topic. Under [AP Cybersecurity 1.1.A], you identify it as one of the outcomes social engineering aims for. Under [AP Cybersecurity 1.1.B], you explain how tactics like intimidation and urgency push a victim toward revealing that information. Under [AP Cybersecurity 1.1.C], you describe the damage when elicitation works, like an adversary collecting your name, birthdate, or pet's name to answer security challenge questions, or grabbing a one-time password to log in as you. Elicitation is the why behind almost every social engineering scenario you'll see early in the course.
Social Engineering (Unit 1)
Elicitation is one of the three goals social engineering aims for, alongside getting you to download malware or click a bad link. Think of social engineering as the whole attack strategy and elicitation as one of its possible payoffs.
Intimidation and Urgency (Unit 1)
These are the levers an attacker pulls to make elicitation work. Urgency makes you act fast before you think, and intimidation makes you act out of fear, both lowering your guard so you spill information you'd normally protect.
Phishing and Smishing (Unit 1)
These are the delivery methods elicitation usually rides in on. Phishing (email) and smishing (text) are the channels where a fake bank message asks you to "verify your credentials," which is elicitation in action.
Impacts of Social Engineering (Unit 1)
Successful elicitation directly causes the harms in EK 1.1.C. The personal info you reveal can be used to answer security challenge questions, and a leaked one-time password lets an attacker log in as you.
Multiple-choice questions in Unit 1 usually describe a scenario and ask which tactic or goal is at work. A classic stem: a "bank" emails you saying your account will be closed unless you verify your information immediately. The tactic there is urgency, and the goal that urgency serves is elicitation, getting you to reveal credentials. You should be able to look at a scenario and name both the psychological tactic being used and what the attacker is trying to extract. No released FRQ has used "elicitation" verbatim, but understanding it helps you explain the full chain of how a social engineering attack succeeds.
Phishing is the method (a fraudulent email pretending to be a trusted source), while elicitation is the goal (getting the victim to reveal sensitive information). A phishing email is often the vehicle that carries out elicitation, but elicitation can also happen in person or by phone with no phishing email involved.
Elicitation is the social engineering goal of manipulating someone into revealing sensitive information, not a hacking technique that targets machines.
It's one of three things social engineering aims for, alongside getting you to download malware or click a malicious link (EK 1.1.A.1).
Attackers use tactics like urgency and intimidation to make elicitation work by pushing victims to act before they think.
Successful elicitation can hand over personal details used for security challenge questions, or a one-time password that lets an attacker log in as you.
Elicitation can happen in person, but it most often arrives through email, text, or social media messages.
Elicitation is the goal of getting someone to reveal sensitive information, like a password or personal details, through psychological manipulation rather than technical hacking. The CED lists it as one of the main outcomes social engineering attacks try to achieve (EK 1.1.A.1).
No. Phishing is the delivery method, usually a fake email, while elicitation is the goal of pulling sensitive information out of the victim. A phishing email is often how elicitation is carried out, but elicitation can also happen in person or by phone.
They use psychological tactics like urgency and intimidation. Urgency pressures you to act fast before you stop to think, and intimidation uses fear of negative consequences, both of which make you more likely to reveal information you'd normally keep private.
They go after things like your name, birthdate, address, or pet's name, which are often used as security challenge questions, plus secure data like a one-time password (OTP) that lets them log in as you (EK 1.1.C.1 and 1.1.C.2).
You'll see it in Unit 1 social engineering scenarios, usually in multiple-choice questions that describe an attack and ask which tactic is used or what the attacker is trying to obtain. Know it as the goal behind those scenarios, even if the question word is "urgency" or "intimidation."