Social engineering: Quid Pro Quo attacks
Quid pro quo is a kind of social engineering attack where a hacker promises a profit in exchange for information that can later be used to steal money, data, or take control of a user account on a website.
What is a Quid Pro Quo attack?
A quid pro quo attack is characterized by a “give and take” exchange. It literally means something for something. This notion of exchange is crucial because as human beings, we obey the law of psychological reciprocity. This means that every time someone gives us something or does us a favour, we feel obliged to return the favour.
In the case of quid pro quo, the promised benefit or advantage in exchange for information usually takes the form of a service (when it takes the form of a good, it is a baiting attack).
Let’s say you are contacted by an IT employee who offers to perform an audit on your computer to remove potential viruses that could lower your computer’s performance. But to do this, he needs your login and password. Nothing could be more natural! You provide him with this information without any discussion: after all, you’ve been complaining about your computer’s slowdown for months. Except that this exchange of goodwill may not be a good one, and that you may have just fallen into the trap of a quid pro quo attack.
Quid pro quo attacks are based on manipulation and abuse of trust. As such, they fall into the category of social engineering techniques, such as phishing attacks (including spear phishing and whaling attacks), baiting or pretexting.
What is the difference between Quid Pro Quo and Pretexting?
The pretexting technique is also a form of social engineering. But it is based on a fairly elaborate scenario (a good pretext) to obtain sensitive information from the victim. Often, this scenario involves the intervention of people with a specific authority (manager, technician, police officer, etc.) and/or implies a certain urgency, to force the victim to act quickly, without thinking. For example, the hackers will claim that they need to obtain some information to confirm the victim’s identity.
This scenario is more elaborate than the quid pro quo attack, and unlike the quid pro quo attack, it is not based on an exchange.
What is the difference between Quid Pro Quo and Baiting?
Like baiting, quid pro quo attacks are social engineering techniques. As such, both of these cyber threats rely on psychological manipulation and confidence building to obtain sensitive data from an overly trusting victim. However, in quid pro quo attacks, the hacker offers a service to his victim in exchange for sensitive information. In the case of baiting, the victim is “baited” with irresistible offers: a gift or a cash reward, for example.
In addition, quid pro quo attacks are often simpler than baiting attacks. And they don’t require a lot of preparation, nor sophisticated tools.
One of the most common quid pro quo attacks scenarios involves impostors posing as an IT employee. The hacker contacts as many company employees as possible on their direct line to offer alleged IT support.
The hacker will promise to solve a problem quickly in exchange for disabling the antivirus program. Once disabled, the fake technician can install malware on the victims’ computers, posing as software updates.
In another common scenario, the hacker seeks to steal an employee’s credentials. Here again, the scammer will contact the employee by introducing himself as a tech specialist from an IT company specialized in troubleshooting bugs and software problems. After asking the victim a few questions to determine what problems they are having with their PC, he will offer to take a look at it:
No problem, I’ll fix your problems right away! All I need is your login and password!
This is a red flag you should be aware of!
How to avoid Quid Pro Quo attacks
As with other types of social engineering, you should take security measures to safeguard yourself and your sensitive data.
- Adopt a cautious attitude: a “gift” or “service” is never completely free. If it sounds too good to be true, it probably is! In the worst-case scenario, it is a quid pro quo attack.
- Never give personal or account information unless you initiated the exchange. After a possible intervention in which you have given your login details, change your password to prevent further use.
- When a company contacts you, call them back using the phone number listed on their website. Never call them back using the phone number provided by someone you have spoken with.
- If you are unsure about a call you received, it is wiser to leave it.
- Use strong passwords and change your passwords regularly. Review our article on passwords to get into good habits.
- Train yourself to recognize social engineering techniques and other cyberthreats. Check out our email security and privacy awareness course to educate yourself.
Protect your organization
One can also use a quid pro quo attack to obtain information to launch a more dangerous attack on a business, such as a phishing or ransomware attack. So you should not neglect this type of attack, and your company should take steps to protect itself against them:
- All of your employees must be aware of cyberthreats and cybersecurity. They must be able to identify the manipulative tactics employed in quid pro quo attacks, or other kinds of social engineering techniques. They should also refrain from transmitting sensitive data via phone or email;
- Adopt cybersecurity tools to protect your computer systems such as a firewall and antivirus software;
- Use secure tools to store your information. Don’t forget your email: an email secured by end-to-end encryption ensures that only the recipients you have validated will be able to read the messages your collaborators will send;
- Enable Two-factor authentication (2FA) every time a site or an application offers it.
- Make sure that you regularly back up your data on different media, one of which will be kept outside your company. If you can, also implement a disaster recovery plan. If your data is compromised, it will be easier for you to maintain your activities, and to avoid financial losses.
A quid pro quo attack is a cyberthreat based on an exchange of goodwill. This makes it more insidious because as humans we think we have to return any service provided in one way or another. Finally, one can use an attack like this to obtain credentials that can be exploited in a much more dangerous malicious act, such as a ransomware attack. As always, you should remain cautious, and check any unexpected contact input. Last but not least, use secure services such as an email suite like Mailfence.
Need more information ? Just email us at firstname.lastname@example.org.
– Mailfence Team
Share This Article
Salman works as an Information security analyst for Mailfence. His areas of interests include cryptography, security architecture and design, access control and operations security. You can follow him on LinkedIn @mohammadsalmannadeem