What Is A Quid Pro Quo Attack? (& 7 Ways To Avoid Becoming A Victim)
We’ve all heard about people who have fallen victim to a social engineering ploy that puts their organization’s sensitive information at risk.
There are a lot of different tactics out there. It can be difficult to keep track of and understand them all.
At Kelser, we provide comprehensive managed IT services designed to minimize the opportunity for social engineering attacks. We know that managed IT isn’t right for everyone, so we post informative, easy-to-understand articles (like this one) that business leaders and IT professionals can use to keep their organizations safe.
In this article, we’ll dive into the topic of quid pro quo attacks. I’ll explain what they are, who may be targeted, and what they look like. I’ll also explore ways to spot a quid pro quo attack, how to avoid falling victim to one, and steps you can take to protect your organization.
After reading this article you will be well-versed in quid pro quo attacks and will have the confidence and knowledge you need to avoid becoming a victim.
What Is A Quid Pro Quo Attack?
Let’s start with a definition of quid pro quo. Merriam-Webster defines the term as “something given or received for something else.” It clarifies that the term itself doesn’t imply illegal activity, but that when used in a legal context it often refers to something that is, in fact, illegal.
The Merriam-Webster definition uses the example of a company giving a government official money in exchange for a contract that “rightly should be given to whatever company is best able to meet the requirements for the contract.”
So, what does the term mean in IT?
A quid pro quo attack capitalizes on the human need to reciprocate a favor. As a form of social engineering, a quid pro quo attack promises a particular service in return for information a user provides.
Who Do Quid Pro Quo Attacks Target?
Anyone can fall victim to a quid pro quo attack. While individuals can fall victim to identity theft as a result of quid pro quo attacks, companies often suffer a large-scale loss of data and sensitive information.
Some of the consequences of quid pro quo attacks include financial losses and IT infrastructure breaches as well as identity theft and fraud.
What Does A Quid Pro Quo Attack Look Like?
There are different scenarios for quid pro quo attacks.
Attackers may impersonate someone from an internal or external IT group and promise to provide a free virus scan to make the user’s computer operate more efficiently in exchange for the user's login and password. Even with this basic information, an attacker could gain access to the company network and install malware.
Or maybe a home-based employee gets a call from a particular credit union offering a low-interest credit card or refinance rate for employees of XYZ company. All the employee needs to do to claim the deal is provide their Social Security number, employee ID number, and birthday to verify their credit score. (A list of company employees can often be found via a quick internet search, lending credibility to the ploy.)
In most quid pro quo plots the attacker provides enough information to make the offer sound plausible (and most people are up for a good deal), so the user provides the information without thinking through the potential liabilities.
Unlike baiting, which typically promises tangible goods in exchange for information, quid pro quo attacks usually promise some type of service in exchange for information. They may be instigated via telephone calls, email links, websites, or other formats.
Quid pro quo attacks can also involve people impersonating government officials (such as the Internal Revenue Service, Department of Motor Vehicles, or Social Security Administration). They may offer to clear up a dispute if the user will simply confirm their Social Security number or some other personally identifiable information, allowing the perpetrator to steal the victim’s identity.
How To Spot A Quid Pro Quo Attack
Whenever someone contacts you unexpectedly and asks for personally identifiable information in exchange for a service (whether at home or work), your guard should immediately go up. Unless you can verify the person’s identity through another separate source, don’t provide the information.
7 Ways To Avoid Becoming A Victim Of A Quid Pro Quo Attack
1. Verify Identity
Never provide your personal information over the telephone or via email without verifying the identity of the requestor through another means.
You can offer to get back to them after verifying their identity. If what they are offering is legitimate, they won’t mind the delay.
2. Question Unsolicited & Unexpected Offers
Always question unsolicited offers that seem too good to be true. Remember the expression, “There’s no such thing as a free lunch.”
3. Update Anti-Malware and Anti-Virus Software
Keep your anti-malware and anti-virus software updated and patched. Many updates provide protection for the latest social engineering ploys. Nothing provides 100 percent protection, but the more up-to-date your software, the better protected you will be.
4. Implement, Update and Follow Policies & Procedures
If your organization doesn’t have policies and procedures in place regarding the safe use of technology, implement them. If the policies exist, make sure to review them so they stay current and reflect the latest threats.
Communicate your organization’s policies for reporting social engineering attacks. Make sure that employees know how and when to report suspicious activities.
5. Protect Login Credentials
Login credentials can be extremely valuable to hackers. Multi-factor authentication, strong passwords, and password managers provide extra layers of security to protect this information.
6. Provide Employee Cybersecurity Awareness Training
Employees can be your strongest defense against cybersecurity threats, but only if they know about them. Regular cybersecurity awareness training for all employees is a cost-effective way to ensure that the threats stay top of mind. Be sure employees understand the role they play in responding to and reporting threats.
7. Be Mindful Of Public Social Media Posts
The more information people can find about you on social media, the easier it is for them to craft a social engineering attack that can sound plausible. Limit access to the information posted on your social media.
Next Steps To Protect Yourself From A Quid Pro Quo Attack
By reading this article, you now have a better understanding of what a quid pro quo attack is. You understand who these attacks can target, what they look like, and how to spot them. You also know 7 steps you can take to protect yourself from becoming a victim.
If there are protections outlined in this article that your organization doesn’t have in place, consider implementing them. Large organizations likely have an IT staff that can help with implementation. Organizations with limited (or no) IT support staff may need help from an outside IT service provider.
At Kelser, we provide comprehensive managed IT services that help keep our customers protected from a variety of social engineering attacks.
We know that managed IT isn’t the right solution for every organization. Whether you work with us or not, we are committed to providing honest, easy-to-understand information you can use to select the IT solutions that will keep your organization’s IT infrastructure and data safe.