We continue our series on social engineering with this explanation of Quid Pro Quo, the social engineering tactic that relies on a criminal’s ability to tempt victims with a free service or gift. Latin for “this for that,” Quid Pro Quo is yet another classic social engineering scheme, relying on an individual’s gullibility to allow a criminal to access sensitive information.
How is Quid Pro Quo Done?
Quid Pro Quo occurs when an attacker promises a free service or gift in exchange for information. The attacker could impersonate an IT service person who calls all direct lines within a company hoping to reach a person that is in legitimate need of IT assistance. Once this person is reached, the attacker will “help” solve the IT issue. Convinced that network access credentials are required to fix the IT problem, the victim willingly shares this sensitive information and gives the attacker direct control of the company computer or access to the company network.
Quid Pro Quo tactics also extend beyond IT fixes. Less sophisticated real world scenarios include employees sharing their passwords in hopes of winning a prize for the strongest password in the company. In another case, workers participated in a survey and revealed their network access credentials in return for free gifts like pens or chocolate bars.
How to Recognize the Quid Pro Quo Scheme
As social engineers have become more sophisticated in their tactics, employees must increasingly exercise vigilance in the workplace and approach incoming calls with a healthy dose of caution.
It would be worthwhile to encourage all employees to consider whether a free service or gift is truly without cost. If it seems too good to be true, is it truly free? Although tempting, the seemingly free gift could very well have a hefty price cost associated with it: an unauthorized intrusion of the company’s network and the resulting security breach.
How to Secure Your System against Quid Pro Quo
As with other social engineering schemes, Quid Pro Quo is best prevented by ensuring that employees are aware of this tactic and trained on an appropriate response. Work teams should hold ongoing discussions about which company information is appropriate to share and in which scenarios. An employee should never divulge sensitive information unless the employee initiated the exchange. If an outside caller initiated the exchange, the employee would be wise to call this person back at the phone number on the caller’s company website.
Dara Security’s employee security training program is designed to help you secure your company information. We have tested client environments for social engineering attacks and trained our clients’ employees on recognizing and appropriately responding to such attacks. We realize that social engineers are continually honing their craft, and the most cautious of people can very well fall victim to a social engineering attack. In working with your team, we share the latest tactics, necessary tools, and skills so that your workforce is well-positioned to protect your company’s information against social engineering schemes.
