Back to Learning CenterSecurity

What is a quid pro quo attack?

By Samuel ChenardJuly 18, 20267 min read
What is a quid pro quo attack?

A quid pro quo attack is a social engineering technique where an attacker offers a service or benefit — tech support, a gift card, a job — in exchange for information or access. The Latin phrase means "something for something," and that is the whole trick: the victim feels they are getting a fair trade while actually handing over credentials, letting malware in, or granting a foothold. Unlike phishing that leans on fear or urgency, quid pro quo leans on the appeal of a favour, which makes it easy to miss.

Quick Takeaways

  • A quid pro quo attack exchanges a fake favour for sensitive information or system access.
  • The classic version is a fake IT-support call: "I'll fix your issue — just give me your login to proceed."
  • It is a form of social engineering, closely related to baiting, pretexting, and impersonation.
  • Because the exchange happens in real time, attackers can improvise — name-dropping your manager the moment you sound suspicious.
  • Common lures include free software, gift-card surveys, technical help, and too-good-to-be-true job offers.
  • Defences are behavioural: verify identity out-of-band, never share credentials, and give staff a no-blame way to report offers that feel off.

How does a quid pro quo attack work?

A quid pro quo attack works by pairing a request with an incentive so the request feels reasonable. The attacker leads with the benefit, then asks for the thing they actually want:

  • Pick a plausible favour. The attacker chooses something the target would welcome — help with a slow computer, a reward for a quick survey, early access to software, or a lucrative contract.
  • Open with the offer. They make contact by phone, email, chat, or social media and lead with the benefit, not the ask. This lowers the target's guard because the interaction looks like the attacker is giving, not taking.
  • Attach the "small" condition. To deliver the favour, they need something: your password "to log in and fix it," a code read off your screen, a file installed, or a form filled out on a spoofed page.
  • Collect and pivot. Once the target complies, the attacker harvests credentials, plants malware, or banks the access for later. Because it is a live conversation, they adapt — if you hesitate, they add pressure or borrow authority by dropping a real colleague's name.
The exchange is entirely one-sided: the "favour" is either never delivered or is itself the payload.

What are common examples of quid pro quo attacks?

Quid pro quo attacks reuse a handful of reliable scripts:

  • Fake IT support. An attacker calls employees claiming to resolve a known issue — a password reset, a "security update" — and asks for login credentials or a remote-access session to proceed. In a large organisation, some employee is usually genuinely waiting on IT, so the timing lands.
  • Gift-card or survey lures. An email promises a reward — a coffee voucher, an Amazon gift card — for completing a short "employee satisfaction survey." The survey link leads to a spoofed login page that harvests corporate credentials.
  • Free software or "premium" access. The offer is a free tool, license key, or upgrade; the download is trojanised, or activation requires disabling security controls.
  • Job-offer traps. Attackers pose as recruiters with an attractive role. In one well-documented case, a criminal group set up a fake cybersecurity company and advertised penetration-testing jobs, tricking applicants into deploying ransomware on live targets as part of their supposed "work."
Each one trades on reciprocity — the instinct to give something back when we have been given something first.

How is quid pro quo different from other social engineering?

Quid pro quo overlaps with several tactics but is defined by the exchange:

  • Baiting dangles a tempting item — a "lost" USB drive, a free movie download — and waits for curiosity to take over. Quid pro quo is more interactive: the attacker is present and asks directly for something in return.
  • Pretexting invents a backstory to justify a request (posing as an auditor, a bank, a supplier). Quid pro quo often uses a pretext, but its defining feature is the promised benefit attached to the ask.
  • Phishing and spear phishing usually push fear or urgency ("your account is locked"). Quid pro quo pulls with a reward instead, which can slip past staff trained only to spot threats.
  • Impersonation attacks and tailgating or piggybacking may be layered in — an attacker might impersonate a vendor to make the favour credible, then trade it for building or system access.
It is one of the harder tactics for an untrained eye to spot precisely because it feels helpful rather than hostile.

How do you prevent quid pro quo attacks?

Because quid pro quo targets people rather than systems, the strongest controls are behavioural, backed by technical guardrails:

  • Verify identity out-of-band. If someone offers IT help or a reward, confirm through a known channel — your real help-desk number or a manager — not the contact details the offer arrived with.
  • Make "no credentials, ever" a rule. Legitimate IT and vendors do not need your password to help you. Treat any request for one as an attack, full stop.
  • Be sceptical of unsolicited rewards. Gift-card surveys, surprise bonuses, and free premium software from outside your normal procurement are classic bait. Check links with a phishing link checker before entering anything.
  • Train with realistic scenarios. Include reward-based and phone-based pretexts in security awareness exercises, not just scary phishing emails, so staff recognise the "helpful stranger" pattern.
  • Report without blame. Give people a fast, judgement-free way to flag suspicious offers. Early reports let you warn everyone else before the campaign spreads.
  • Reduce what a single credential unlocks. Strong multi-factor authentication and least-privilege access limit the damage when someone is fooled.
None of this is about smarter people — it is about giving ordinary busy staff a reflex to pause and verify before they trade.

Common issues with spotting quid pro quo attacks

Why do these attacks bypass phishing training?

Most awareness training conditions staff to look for threats — locked accounts, angry executives, urgent invoices. Quid pro quo inverts that by offering a benefit, so it does not trip the "this feels threatening" reflex. Training has to explicitly cover reward-based lures.

Isn't caller ID or the sender address enough to verify?

No. Caller ID is trivially spoofed, and a friendly display name tells you nothing about the real sender. Out-of-band verification — contacting the person or department through a number or address you already trust — is the only reliable check.

We have MFA, so are we safe from this?

MFA helps but is not a cure. Attackers on a live call can walk a victim through approving a push or reading back a one-time code as part of the "fix." MFA raises the bar; it does not remove the need to verify who you are actually talking to.

Frequently asked questions

Is a quid pro quo attack the same as phishing?

Not exactly. Phishing is the broad category of deceptive messages that trick people into acting; quid pro quo is a specific social-engineering tactic built around a promised favour. A quid pro quo attack can be delivered by phishing, but its defining feature is the exchange.

What is the most common quid pro quo attack?

The fake IT-support call is the classic: an attacker offers to fix a problem and asks for a password or remote-access session to do it. It works because there is almost always someone in a large organisation genuinely waiting on tech help.

Can email authentication stop quid pro quo attacks?

Partly. DMARC, SPF, and DKIM stop attackers from spoofing your own domain, which cuts off one convincing delivery route. But quid pro quo also arrives by phone, chat, and social media, so authentication is one layer among several — not a complete answer.

Palisade shuts down the email side of these attacks by enforcing DMARC so criminals cannot impersonate your domain to make an offer look internal — and it surfaces the gaps that let lookalike senders through. See where your domain stands with the Email Security Score.

Share this article

Samuel Chenard

Written by

Samuel Chenard

CEO & Co-Founder, Palisade

Samuel Chenard is the CEO and co-founder of Palisade, the DMARC automation platform for MSPs. He writes Palisade's guides on DMARC, SPF, DKIM and email deliverability.

More from Samuel

Related articles