What is quid pro quo?
Quid pro quo is a Latin phrase that literally means “something for something,” or “this for that.” We use it to signify an exchange of goods, services, favours, or other things of value. It’s an attack beloved by mal-actors.
In this attack, a mal-actor either offers to provide help (“Let me help you”) or asks for help (“Can you help me?”), causing the victim to feel obliged to assist. For example, you may get a call from someone who says they’re from your IT help desk. They need you to help by sending them a file using a new file transfer facility they’re checking out. In return they’ll give you a free account; all you have to do is create one. Unknown to you, the website you have to go to is fake and it passes on your username and password to the mal-actor.
Or perhaps they offer you a free gift (an expensive box of chocolates, a case of wine, etc.) and all you have to do is answer some questions. Your answers reveal information about you that can be used in a later phishing attack.
The idea is that many people reuse username/password combinations. Once the mal-actor has yours, they can try logging in to other sites with them – maybe your PayPal, eBay, or Amazon accounts.
In essence, the mal-actor offers you something of value for you to do something that seems simple and insignificant.
Kevin Mitnick, the author of The Art of Deception and the world’s acknowledged expert on social engineering, used this tactic many times to con information from unsuspecting victims – that is, until he got caught and spent time in jail!
In fact, his book is so good I’ve used some of it as the basis for my seminar on social engineering, called – no surprise – The Art of Deception.
How do you protect yourself?
First, don’t reuse passwords. Use a password manager to generate and remember secure and unique passwords for every website that you log in to.
Second, set up 2- or multi-factor authentication. This will add an extra layer of protection in case a mal-actor does get your username and password.
Also, you can protect yourself using the same techniques as described in “What is pretexting?”
Do you want to learn more?
Network Midlands runs seminars to help you detect and defeat social engineering attacks. Find out more at “The Art of Deception”.