
By: Tyler Thepsiri on June 05, 2024


What Is A Quid Pro Quo Attack & How To Avoid Becoming A Victim


We’ve all heard about people who have fallen victim to a social engineering ploy that puts their organization’s sensitive information at risk.

There are a lot of different tactics out there. It can be difficult to keep track of and understand them all. 

At Kelser, we provide comprehensive managed IT services designed to minimize the opportunity for social engineering attacks. We know that managed IT isn’t right for everyone, so we post informative, easy-to-understand articles (like this one) that business leaders and IT professionals can use to keep their organizations safe. 

In this article, we’ll dive into the topic of quid pro quo attacks. I’ll explain what they are and who may be targeted. I'll cover a few examples of quid pro quo attacks and show you how to spot a quid pro quo attack, how to avoid falling victim to one, and steps you can take to protect your business.

After reading this article you will be well-versed in the social engineering tactics that hackers use in quid pro quo attacks and will have the confidence and knowledge you need to avoid becoming a victim.

What Is A Quid Pro Quo Attack? 

Let’s start with a definition of quid pro quo. Merriam-Webster defines the term as “something given or received for something else.” It clarifies that the term itself doesn’t imply illegal activity, but that when used in a legal context it often refers to something that is, in fact, illegal.  

The Merriam-Webster definition uses the example of a company giving a government official money in exchange for a contract that “rightly should be given to whatever company is best able to meet the requirements for the contract.” 

So, what does the term mean in IT and how does it work? 

A quid pro quo attack in IT is a type of social engineering attack. What is a social engineering attack? Simply put, it’s a way of tricking a person (in this case, the user of a computer) into giving up confidential information or data, or into granting access to their system.

Here’s a quick breakdown of how a quid pro quo attack works.

First, the malicious actor poses as someone helpful, often a person offering IT support or a service to the user. This service could be help fixing a computer or software problem, removing malware, or providing some other form of technical support.

The malicious actor then offers this service or IT support in exchange for "something" from the user.

This “something” is usually confidential information like login credentials, credit card numbers, bank account details and other sensitive information.

Quid pro quo attacks are effective because the malicious actor appears to be offering something of legitimate value. That apparent value makes the user more likely to trust them, and to hand over what is asked for in return.

Who Do Quid Pro Quo Attacks Target?

Anyone can fall victim to a quid pro quo attack. While individuals can fall victim to identity theft as a result of quid pro quo attacks, companies often suffer a large-scale loss of data and sensitive information. 

Some of the consequences of quid pro quo attacks include financial losses, data breaches as well as identity theft and fraud. 

More Examples Of What A Quid Pro Quo Attack Looks Like

There are different scenarios for quid pro quo attacks. Here are a few examples.

Attackers may impersonate someone from an internal or external IT group and promise to provide a free virus scan to make the user’s computer operate more efficiently in exchange for the user's login and password. Even with this basic information, an attacker could gain access to the company network and install malware. 

Or maybe a home-based employee gets a call from a particular credit union offering a low-interest credit card or refinance rate for employees of XYZ company.

All the employee needs to do to claim the deal is provide their Social Security number, employee ID number, and birthday to “verify their credit score.” (A list of company employees can often be found via a quick internet search, lending credibility to the ploy.) 

In most quid pro quo plots the attacker provides enough information to make the offer sound plausible (and most people are up for a good deal), so the user provides the information without thinking through the potential liabilities. 

Quid pro quo attacks offer a service in exchange for information, unlike baiting which offers tangible goods. They can happen through phone calls, emails and email links, malicious websites, or other ways.  

Quid pro quo attacks can also involve people impersonating government officials (such as the Internal Revenue Service, Department of Motor Vehicles, or Social Security Administration).

They may offer to clear up a dispute if the user will simply confirm their Social Security number or some other personally identifiable information, allowing the perpetrator to steal the victim’s identity. 

How To Spot A Quid Pro Quo Attack

Whenever someone contacts you unexpectedly and asks for private information in exchange for a service (whether at home or work), your guard should immediately go up. Unless you can verify the person’s identity through another separate source, don’t provide the information. 

8 Ways To Avoid Becoming A Victim Of A Quid Pro Quo Attack

1. Verify Identity

Never provide your personal information over the telephone or via email without verifying the identity of the requestor through another means. Call back using a number you look up yourself (the company directory, the number printed on your card, the vendor’s official website), not a number or link the caller gives you, since that would only confirm the caller is who they say they are.

You can offer to get back to them after verifying their identity. If what they are offering is legitimate, they won’t mind the delay.   

2. Question Unsolicited & Unexpected Offers

Always question unsolicited offers that seem too good to be true. Remember the expression, “There’s no such thing as a free lunch.”

3. Update Anti-Malware and Anti-Virus Software

Keep your anti-malware and anti-virus software updated and patched. These tools can’t stop a person from handing over a password, but they can catch the malware an attacker tries to install once they have access, and up-to-date signatures are more likely to recognize the latest payloads. Nothing provides 100 percent protection, but the more up-to-date your software, the better protected you will be. 

4. Implement, Update and Follow Policies & Procedures

If your organization doesn’t have policies and procedures in place regarding the safe use of technology, implement them. If the policies exist, review them regularly so they stay current and reflect the latest threats.

Communicate your organization’s policies for reporting social engineering attacks. Make sure that employees know how and when to report suspicious activities. 

5. Protect Login Credentials

Login credentials can be extremely valuable to hackers. Multi-factor authentication, strong passwords, and password managers provide extra layers of security to protect this information: a password handed to a convincing “help desk” caller is much less useful if a second factor is required to log in, and a password manager makes it practical to use a different strong password for every service, so one leaked credential doesn’t open all of them.
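The following is an added example, not code from the original article, showing why a phished password alone fails a login once time-based one-time-password (TOTP) multi-factor authentication is enforced. It implements RFC 6238 TOTP over RFC 4226 HOTP with only the Python standard library. The `USERS` table, the username `jdoe`, the password, and the `login` function are constructed for illustration; the TOTP secret is the RFC 6238 test-vector key so the codes it produces can be checked against the RFC.

```python
"""Added example (not from the original article): a phished password is not
enough when TOTP multi-factor authentication is required to log in.

RFC 6238 TOTP on top of RFC 4226 HOTP, standard library only.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed sample account. A real system would store a salted,
# slow password hash (argon2/scrypt) and keep the TOTP secret encrypted.
# The secret is the RFC 6238 test key "12345678901234567890" in base32.
USERS = {
    "jdoe": {
        "pw_sha256": hashlib.sha256(b"Winter2024!").hexdigest(),
        "totp_secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
    }
}


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a `digits`-long decimal code."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, now: int, step: int = 30) -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second
    intervals since the Unix epoch."""
    return hotp(secret_b32, now // step)


def verify_totp(secret_b32: str, code: str, now: int, window: int = 1,
                step: int = 30) -> bool:
    """Accept the current step plus/minus `window` steps of clock drift.
    Each comparison is constant-time so the check leaks nothing about
    how many digits matched."""
    return any(
        hmac.compare_digest(totp(secret_b32, now + d * step, step), code)
        for d in range(-window, window + 1)
    )


def login(username: str, password: str, otp: Optional[str],
          now: Optional[int] = None) -> str:
    """Hypothetical login check: password first, then the second factor.
    Returns a short status string so the outcome is easy to assert on."""
    now = int(time.time()) if now is None else now
    user = USERS.get(username)
    submitted = hashlib.sha256(password.encode()).hexdigest()
    # Compare against a dummy hash for unknown users so timing does not
    # reveal whether the username exists.
    stored = user["pw_sha256"] if user else hashlib.sha256(b"").hexdigest()
    if user is None or not hmac.compare_digest(stored, submitted):
        return "denied: bad credentials"
    if otp is None or not verify_totp(user["totp_secret"], otp, now):
        return "denied: second factor required"
    return "ok"


if __name__ == "__main__":
    # The attacker got the password from a "free virus scan" call but has
    # no authenticator: the login stops at the second factor.
    print(login("jdoe", "Winter2024!", None, now=59))
    # The legitimate user's authenticator shows 287082 at t=59 (RFC 6238).
    print(login("jdoe", "Winter2024!", "287082", now=59))
```

One caveat worth stating plainly: TOTP raises the bar, but a caller who is already talking the victim through a fake support session can simply ask them to read out the six-digit code as well. Phishing-resistant second factors (FIDO2 security keys or platform passkeys), which are bound to the real site and cannot be read over the phone, close that gap.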

6. Provide Employee Cybersecurity Awareness Training

Employees can be your strongest defense against cybersecurity threats, but only if they know about them. Providing regular security awareness training for all employees is a cost-effective way to educate them so they know how to identify and respond to cyber incidents. 

7. Be Mindful Of Public Social Media Posts

The more information people can find about you on social media, the easier it is for them to craft a social engineering attack that can sound plausible. Limit access to the information posted on your social media. 

8. Social Engineering Penetration Testing

Conduct a social engineering penetration test for your business. This proactive security test will simulate various types of social engineering attacks in a controlled environment where potential malicious actors will try to gain sensitive information or system access through your employees.

Some of the social engineering tactics used include:

a. Simulated phishing emails, which try to trick employees into clicking malicious links.

b. Pretexting, in which a caller uses an invented scenario (a quid pro quo offer of “help” is one example) to trick employees into revealing sensitive information.

Social engineering penetration testing will help you find and close any vulnerability gaps you may have and give you an idea of how susceptible your employees are to social engineering attacks.

Next Steps To Protect Yourself From A Quid Pro Quo Attack

By reading this article, you now have a better understanding of what a quid pro quo attack is. You understand who these attacks can target, what they look like, and how to spot them. You also know 8 steps you can take to protect yourself from becoming a victim. 

If there are protections outlined in this article that your organization doesn’t have in place, consider implementing them. Large organizations likely have an IT staff that can help with implementation. Organizations with limited (or no) IT support staff may need help from an outside IT service provider. 

At Kelser, we provide comprehensive managed IT services that help keep our customers protected from a variety of social engineering attacks. 

We know that managed IT isn’t the right solution for every organization. Whether you work with us or not, we are committed to providing honest, easy-to-understand information you can use to select the IT solutions that will keep your organization’s IT infrastructure and data safe. 

If you find yourself wondering whether your organization’s security tools are up to the latest cyber threats, click the link below for a free checklist you can use to: 

✔️Understand where your organization's cybersecurity policy needs improving
✔️Learn five best-practices and actions you can take to keep your organization's data secure
✔️Help ensure your organization follows the latest cybersecurity best practices

Get your free cybersecurity checklist now, so you can take action against the latest cybersecurity threats and keep your business secure.

Get Your Cybersecurity Checklist

Or, if you prefer to talk to a human like we do, click the link below and we’ll schedule a 15-minute call to discuss your IT pain points and see if we might be a good fit to work together.

Talk with a Human

About Tyler Thepsiri

With more than 10 years in the IT industry, Tyler is able to adapt quickly to almost any technological issue. He understands how systems should work, and specializes in security and compliance.
