Internal threats: the impact of elicitation

by Kymatio

The Public Transportation Authority of the Spanish city of Valencia suffered a scam of four million euros, carried out through elicitation techniques against an executive. The executive transferred the amount to an external account after allegedly falling victim to CEO fraud.


The Public Transportation Authority (EMT) of Valencia, Spain, suffered a €4 million scam through elicitation techniques targeting a senior executive — a case of CEO fraud, a form of social engineering based on psychological manipulation.

What Is Elicitation?

From the Latin elicitus (“induced”) and elicere (“catch”), elicitation in psychology refers to the smooth transfer of information from one person to another through conversation.

In information security, it refers to techniques attackers use to obtain sensitive information or manipulate victims into actions that result in data leaks or direct economic losses — as in this case.

The Incident

The victim, a director at EMT Valencia for 35 years, was dismissed immediately after authorizing eight transfers in less than three weeks from the company’s Caixabank account to a Bank of China account in Hong Kong.

These transfers:

  • Totaled €4,040,000.
  • Did not correspond to any authorized payment for supplies or services.
  • Violated EMT’s internal payment authorization protocol.

How the Scam Worked

The main hypothesis is that the executive was a victim of an international CEO fraud scheme:

  1. A top manager receives an email appearing to come from the company’s president or senior official.
  2. The message contains urgent instructions to transfer a large sum to an external account, often framed as part of a confidential acquisition or deal.
  3. The victim, under pressure and secrecy, complies without following standard verification procedures.

In this case, the false email appeared to come from the Minister of Sustainable Mobility, ordering the purchase of a company in China under strict confidentiality.
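An added example, not part of the original article and not EMT's actual protocol: a pre-release payment check that holds transfers showing the properties listed under "The Incident" (no matching authorized order, a breach of the approval rules, repeated payments to one account in a short window). The thresholds, field names, account labels and sample records are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed policy values for illustration; not EMT's actual protocol.
DUAL_APPROVAL_FROM_EUR = 50_000
WINDOW = timedelta(days=21)
MAX_PER_WINDOW = 3

@dataclass(frozen=True)
class Transfer:
    day: date
    amount_eur: int
    beneficiary: str               # destination account identifier
    purchase_order: Optional[str]  # approved order this payment settles
    approvers: frozenset           # people who signed off

def review(transfers, vendor_master, approved_orders):
    """Return {index: [reasons]} for every transfer that must be held."""
    held = {}
    ordered = sorted(enumerate(transfers), key=lambda p: p[1].day)
    for pos, (i, t) in enumerate(ordered):
        reasons = []
        if t.purchase_order not in approved_orders:
            reasons.append("no approved supply or service order")
        if t.amount_eur >= DUAL_APPROVAL_FROM_EUR and len(t.approvers) < 2:
            reasons.append("large payment with a single approver")
        if t.beneficiary not in vendor_master:
            reasons.append("beneficiary not in vendor master")
        # Count payments to the same account in the look-back window.
        recent = sum(1 for _, u in ordered[:pos + 1]
                     if u.beneficiary == t.beneficiary and t.day - u.day <= WINDOW)
        if recent > MAX_PER_WINDOW:
            reasons.append(f"{recent} payments to one account in {WINDOW.days} days")
        if reasons:
            held[i] = reasons
    return held

def sample_transfers():
    """Constructed data: eight equal payments totalling EUR 4,040,000."""
    start = date(2024, 1, 1)  # constructed date, not from the article
    suspect = [Transfer(start + timedelta(days=2 * k), 505_000,
                        "HK-ACCOUNT-PLACEHOLDER", None, frozenset({"director"}))
               for k in range(8)]
    routine = Transfer(start + timedelta(days=3), 120_000, "ES-SUPPLIER-01",
                       "PO-1001", frozenset({"director", "finance"}))
    return suspect + [routine]

if __name__ == "__main__":
    for idx, why in sorted(review(sample_transfers(), {"ES-SUPPLIER-01"}, {"PO-1001"}).items()):
        print(idx, "; ".join(why))
```

Every one of the eight constructed payments is held on the first three rules alone, so the hold does not depend on the velocity rule noticing a pattern after several transfers have already left.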

Lessons Learned

It is essential to know how vulnerable employees are to elicitation techniques, whether because of psychological traits or lack of awareness.

Elicitation is one of the 10 risk types identified by Kymatio to strengthen employees and prevent insider incidents.

More Information

To prevent internal risk and strengthen employees, contact Kymatio.