A quid pro quo attack is a low-level form of hacking that relies on social engineering. An example would be an attacker calling your phone pretending to be a technical support representative from one of your service providers. He or she offers you some assistance, a ruse that only works if you happen to be experiencing some difficulty.
Availing of the hacker’s “service” actually gives him or her access to your computer, device, or home network to plant malware. Therein lies the rub: a successful ransomware installation, for instance, lets attackers hold your files hostage for large sums of money.
Read More about a “Quid Pro Quo Attack”
A quid pro quo attack is also known as a “something-for-something attack.” It is a form of baiting, as attackers offer victims a service or benefit if the latter perform specific tasks or give out information or access.
Why Are Quid Pro Quo Attacks Dangerous?
Quid pro quo attacks are harmful because they can lead to disastrous consequences, such as:
Phishing
On average, spear-phishing or targeted phishing victims lose US$1.6 million to attackers. It doesn’t help that 97% of users don’t recognize phishing emails, and only 3% report attacks to security departments or management. These facts have caused 85% of organizations to succumb to a phishing attack at least once.
Quid pro quo attack victims could easily be led to phishing pages and enter their login credentials, allowing attackers to break into their companies’ accounts. Or victims could hand their login credentials directly to the perpetrators, thinking the latter are genuine representatives of the organization they claim to belong to.
Ransomware attack
In 2020, the total amount victims lost to ransomware attacks stood at an estimated US$20 billion. Each small or medium-sized business (SMB) that mistakenly paid the ransom lost an average of US$84,116. That amount goes up to as much as US$780,000 for a large enterprise. That’s not all. Apart from money spent on ransoms, affected organizations also lost as much as US$283,000 to downtime.
Quid pro quo attack victims, in this case, could be tricked into installing a ransomware variant on their computers. And if those computers are connected to a home or corporate network, the infection could spread, letting the attackers hold their files and data hostage. The worst part? Very few victims, if any at all, get their files back even after paying the ransom. That’s why giving in to attackers’ demands is not advisable.
Business email compromise (BEC) scam
BEC scammers netted an average of US$80,000 per attack in 2020.
In this scenario, a quid pro quo attack succeeds if the victim happens to be a C-level executive. His or her email account could be hijacked and used to convince a finance employee to transfer a considerable sum to an attacker-controlled account.
How Can Companies Avoid the Repercussions of Quid Pro Quo Attacks?
The usual preventive measures against social engineering attacks also work against quid pro quo attacks, including:
- Security awareness training should be required regularly in any company. As the phishing statistics above show, many employees still can’t tell a phishing email or page from a legitimate one. They may also remain unaware of the dangers of social engineering or its warning signs. Security awareness refresher courses can be your first line of defense against social engineering, including quid pro quo attacks.
- Use antimalware and other endpoint security tools on all Internet-connected devices. These can identify and block obvious phishing messages, as well as those pointing to malicious websites or Internet Protocol (IP) addresses listed in publicly available threat intelligence databases. They can also block malicious processes as these execute on devices.
While quid pro quo attacks may have meager chances of succeeding, you can’t rest easy, since a single compromised device can lead to devastating consequences.