Identifying quid pro quo social engineering and strengthening your company's IT security
A “Quid pro quo (QPQ) attack” is also known as “quid pro quo social engineering.” It’s a form of social engineering and it poses a substantial, potentially catastrophic risk to any workplace.
In this blog post, we offer in-house counsel and attorneys an introductory overview of how to deal with corporate security for social engineering schemes.
Jump to:
Infographic explanation | What is quid pro quo? | ||
What is social engineering? | Prevention tips |
Tech issue identified
A department head in your company gets a call from someone who identifies themselves as a tech support rep in the office.
Social engineer offers a solution.
The rep asks if the department head is having any trouble with their computer, particularly with system access.
The official claims that “this has been an issue for many people in the office.” The rep appears sympathetic and eager to help.
Employee shares sensitive information.
As it turns out, the department head has indeed been having computer issues. Accessing databases has been slow at times and logging into some networks has been difficult, particularly a new cloud portal.
The rep empathizes and wants to “solve the problem.”
The rep asks the department head to provide a detailed walk-through of the login procedure, including step-by-step instructions as to what to do once the login is complete — downloading a software upgrade, for example.
Social engineer gains access to office systems.
This “tech support rep,” however, is in truth a skilled fraudster who has gained access to the company’s systems.
With that access, the fraudster can now plant malware, spy on emails and transactions, and sell any critical information obtained. And all it took was one friendly conversation.
Quid pro quo
While QPQ social engineering has similarities to other identity fraud scams, such as phishing or baiting, it has its unique characteristics. The difference lies in the Latin phrase, “quid pro quo,” which literally translated means “something for something.”
A phishing scheme typically seeks to confuse someone, such as sending a corrupt link for a PayPal login.
A baiting scheme may offer the victim an alluring prize—such as a cash reward—in order to get them to comply.
A quid pro quo scheme, however, is built upon exploiting the human element. Phishing seems scattershot by comparison—a blunt instrument. In quid pro quo, the fraudster seeks to convince the victim that they’re doing the victim a favor, and for free.
In turn, the victim is meant to feel grateful or obligated to give the fraudster what they usually want: access.
What is social engineering?
A QPQ attack is a form of social engineering in which a fraudster draws upon their social skills and exploits the core elements of human interaction to achieve their objectives. Essentially, we are “programmed” as humans to want to be helpful to people who are helpful to us and who are solicitous of our needs.
Leverages a human against machine sentiment
And since computers and network interfaces are typically at the center of these schemes, the fraudster will leverage a “human against machine” sentiment.
They will gripe that a computer interface isn’t user friendly, or sympathize that we all forget our passwords sometimes. They will agree with someone’s complaints about a piece of technology being too slow, and will serve as sources of authority and reassurance when dealing with complex systems.
Gains insider information within a company
QPQ schemes can be intricate and often take time to work. A fraudster may call around a company, gathering pieces of vital information from various sources, until they have enough “insider” information about the company to sound convincing to their main target.
Subterfuge in various contexts
It’s akin to how QPQ is used in other contexts, such as in Title IX and Title VII violations.
They’re primarily a one-on-one interchange, similar to asking someone to do a service in exchange for a bribe or sexually harassing a colleague by exploiting inter-office power dynamics, whether in the workplace (Title VII) or in education (Title IX).
However, the basis of an attack is subterfuge: the fraudster claims to be someone in authority, while in other contexts the offender may truly be someone in authority.
Prevention tips
There are a number of ways that users can protect themselves against QPQ schemes, starting with knowing the risks. But more important is that a company have plans and procedures to mitigate that risk across all users
Clear, standardized company policies
What’s essential is that employees get structural support from the top levels of their organization.
A QPQ attack is aimed at an individual. So if this individual has only muddled or spotty messaging from their superiors, the chances of them falling prey to a QPQ scheme could increase.
Toolkit by Practical LawCyber Risks |
Be ultra cautious if working fully remote
Further, the rise of remote work also increases the possibility of falling prey to a scam: it’s easier to pull off an attack when an employee’s interactions with others in their company are conducted virtually.
If someone’s relationship with their IT department consists of exchanging emails, communicating on Slack channels or having phone conversations, it would not seem overly suspicious to receive a call from a fraudster claiming to be from IT.
Strengthen IT identification standards
Any employee should have an easy reference to identify their IT officials:
- names
- faces
- emails
- phone numbers
- ID numbers
If contacted by anyone claiming to be from IT, the IT official must first supply any/all of this information.
A business could mandate that all IT-related conversations must be done in person or via video-conferencing, so that the employee can verify the tech person is who they say they are.
Establish IT security protocols
Whether in onboarding new employees or briefing veterans, a company should establish its IT protocols.
These could include mandating that no one is authorized to request your login information, or that all IT queries must be initiated by the employee (emphasize that the IT staff will never “cold call” an employee).
Bolster protections
These could range from mandating two-factor login authentication to having strict restrictions as to who can access which cloud portals and databases.
Need to support your company’s risk tolerance?
QPQ attacks are sneaky and can come from any direction. Defending against them starts with understanding your company and industry’s particular risk profile – what risks are most common, what level of risk is expected, and where the biggest dangers lie.
Get more insights A white paper for General Counsels about aligning to their company’s risk tolerance. |