Quid Pro Quo attacks are characterized by “give and take” exchanges. It literally means something for something. This concept of exchange is very important because we humans obey the laws of psychological reciprocity. This means that every time someone gives us something or gives us a benefit, we feel obliged to return that benefit.
Taking into account, the promised profit or the profit in exchange for information is usually in the form of a service (in the form of goods, it is a decoy attack).
Suppose you are contacted by an IT representative who suggests running a scan on your computer to remove potential viruses that could affect your computer’s performance. However, he needs your login and password to do this. Nothing is more natural than this! After you have been complaining about slowing down your computer for months, you give him this information without discussion. This exchange of good intentions may not be good, except that you may have fallen into the trap of a Quid Pro Quo attack. The
Quid Pro Quo attack is based on trust manipulation and abuse. Therefore, it falls into the category of social engineering techniques such as phishing attacks (including spear phishing and whaling attacks), baiting, or tailgating.
The pretexting method is also a form of social engineering. However, it is based on a fairly sophisticated scenario (pretending to be good) for obtaining sensitive information from victims. Often, this scenario involves the intervention of people with specific authority (managers, technicians, police officers, etc.) and / or certain emergencies that force victims to act swiftly without thinking. For example, hackers claim that they need some information to verify the identity of the victim.
This scenario is more complex than the Quid Pro Quo attack and, unlike the Quid Pro Quo attack is not based on exchange.
Like the baiting technique, the Quid Pro Quo attack is a social engineering technique. Therefore, both of these cyber threats rely on psychological manipulation and trust building to retrieve sensitive data from overly trusted victims. However, in a Quid Pro Quo attack, the hacker provides the victim with services in exchange for sensitive information. Feeding involves “feeding” the victim with attractive offers such as gifts and cash rewards.
Also, retaliation attacks are often easier than baiting attacks. And they don’t require a lot of preparation or sophisticated tools.
As with any type of social engineering, you need to take security measures to protect yourself and your sensitive information. Some of them may include:
Be cautious: “gifts” or “services” will never be completely free.
If it sounds too good to be true, it’s probably! In the worst case, it’s a quid pro quo attack.
Please do not provide any personal or account information until you initiate the exchange.
After the intervention that provided the credentials, change the password so that it will not be used anymore.
If the company contacts you, please call the phone number listed on the website again.
Do not call back the phone number you received from the person you talked to. If you are not sure about the call you received, it’s wise to let it go.
Use a strong password and update your password regularly.
Read the article about passwords to get good habits.
Train to recognize social engineering techniques and other cyber threats.
Protect your organization
You can also use the quid pro quo attack to get information to launch more dangerous attacks against organizations such as: phishing or ransomware attacks. Therefore, this type of attack should not be ignored and the company must take steps to prevent it.
All employees need to be aware of cyber threats and cyber security.
You need to be able to identify the operational tactics used in quid pro quo attacks and other types of social engineering techniques.
Refrain from sending sensitive information by phone or email.
Use cyber security tools to protect your computer system, such as firewalls and antivirus software.
Save the information using secure tools.
Do not forget your email. Email protected by end-to-end encryption ensures that only validated recipients can read messages sent by employees.
Enable two-factor authentication (2FA) each time your website or application provides it. Back up your data to another medium on a regular basis. One of them is stored outside the company.
If possible, also implement a disaster recovery plan. If your data is compromised, it’s easier to maintain activity and avoid financial loss.