Scattered Spider and the Help Desk: How a Phone Call Took Down UK Retail
In 2025, a group of teenagers cost Marks & Spencer, Co-op and Harrods hundreds of millions — not with malware, but by phoning the IT help desk and asking for a password reset. An identity post-mortem.
The most expensive intrusion in recent UK retail history did not begin with a zero-day. It began with a phone call. In April 2025, the threat group tracked as Scattered Spider (UNC3944) tore through Marks & Spencer, Co-op and Harrods in what investigators later classified as a single combined cyber event — with estimated impact running from roughly £270 million to as much as £592 million, and Co-op alone reporting around $107 million in losses. The initial access vector was not technical wizardry. It was a human, on a phone, impersonating an employee to an IT help desk.
What actually happened
Scattered Spider — an English-speaking offshoot of the loose cybercrime community known as The Com — specialises in social engineering rather than exploits. Their playbook against these retailers followed a now-familiar pattern: identify an employee, gather enough personal detail to pass identity questions, then call the service desk impersonating that person and request a password or MFA reset. At Marks & Spencer, reporting indicated the attackers leveraged compromised accounts associated with the global IT contractor TCS to gain their foothold. They also deployed Evilginx-based phishing pages — adversary-in-the-middle infrastructure that captures not just credentials but live session cookies, neatly side-stepping MFA entirely.
Four suspects aged 17 to 20 were later arrested by the UK's National Crime Agency. Teenagers, a telephone, and a help desk that trusted the voice on the other end. That is the entire attack chain that cost three household-name retailers a combined fortune.
The identity lesson nobody wants to hear
We have spent a decade hardening authentication and a fraction of that effort hardening identity verification — the process by which a human decides another human is who they claim to be. The help desk is the soft underbelly of every identity programme, because its entire job is to help people who are locked out, under pressure, and frustrated. That is precisely the emotional state an attacker manufactures and exploits.
Your MFA can be phishing-resistant, your PAM immaculate, your access certifications spotless — and none of it matters if someone can phone your service desk and talk their way into a credential reset. The help desk is part of your identity attack surface, whether you have treated it that way or not.
What I would change on Monday
- Re-engineer help-desk identity proofing. Knowledge-based verification (date of birth, employee ID, manager's name) is dead — all of it is buyable or guessable. Move to verification that an impersonator cannot satisfy: a push to a pre-enrolled device, a one-time code through a separate trusted channel, or manager call-back for high-risk resets.
- Treat privileged-account resets as high-risk by default. A reset request for an administrator or an account with access to crown-jewel systems should never be a routine ticket. Escalate it, add friction, require out-of-band confirmation.
- Adopt phishing-resistant MFA. Evilginx defeats one-time codes and push approvals by stealing the session. FIDO2/WebAuthn binds the credential to the legitimate origin, so an adversary-in-the-middle page cannot replay it. For high-value populations this is no longer optional.
- Govern your contractors' identities as your own. The TCS angle is the recurring third-party lesson: an attacker only needs the weakest trusted identity in your supply chain. If you cannot enforce your verification standards on a partner's accounts, you have inherited their weakest control.
- Shrink the blast radius. Social engineering gets someone in. Least privilege, segmentation, and just-in-time access determine how far they get. The retailers that fared best were those where a compromised account opened a door, not the whole building.
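To make the first, second and fourth items above concrete, here is an added example (mine, not the author's process or any vendor's tooling) of help-desk reset triage written as policy-as-code: knowledge-based answers are recorded but never count toward approval, privileged or crown-jewel accounts require a manager call-back plus a device-bound proof before anyone touches the credential, and contractor identities are held to the same bar. The entitlement names, evidence labels and account names are constructed for the example.

```python
from dataclasses import dataclass, field

# Verification evidence a desk agent can record. Knowledge-based answers (the
# "buyable or guessable" kind) are kept for the audit trail but carry no weight.
KNOWLEDGE_BASED = {"dob", "employee_id", "manager_name"}
OUT_OF_BAND = {"push_to_enrolled_device", "otp_via_trusted_channel", "manager_callback"}
DEVICE_BOUND = {"push_to_enrolled_device", "otp_via_trusted_channel"}
CROWN_JEWELS = {"payments", "domain_admin", "pos_backend"}  # constructed entitlement names

@dataclass
class ResetRequest:
    account: str
    is_admin: bool = False
    is_contractor: bool = False
    entitlements: set = field(default_factory=set)
    evidence: set = field(default_factory=set)  # verification steps the agent completed

def classify_risk(req: ResetRequest) -> str:
    """Admin or crown-jewel access is high-risk by default, never a routine ticket."""
    if req.is_admin or req.entitlements & CROWN_JEWELS:
        return "high"
    return "standard"

def triage(req: ResetRequest) -> dict:
    """Decide whether the desk may reset now, or must hold/escalate for more proof."""
    risk = classify_risk(req)
    oob = req.evidence & OUT_OF_BAND  # knowledge-based answers silently fall out here
    missing = []
    if risk == "high":
        # High-risk: manager call-back AND a proof bound to a pre-enrolled device/channel.
        if "manager_callback" not in oob:
            missing.append("manager_callback")
        if not oob & DEVICE_BOUND:
            missing.append("device_bound_proof")
    elif not oob:
        # Standard: any single out-of-band proof is enough; KBA alone never is.
        missing.append("any_out_of_band_proof")
    # Contractor identities are governed as our own: call-back is mandatory at every tier.
    if req.is_contractor and "manager_callback" not in oob and "manager_callback" not in missing:
        missing.append("manager_callback")
    decision = "approve" if not missing else ("escalate" if risk == "high" else "hold")
    return {"account": req.account, "risk": risk, "decision": decision, "missing": missing}
```

Wire the returned `decision` into the ticketing workflow so that "escalate" routes to a named approver rather than back to the agent on the phone.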
The strategic takeaway
Scattered Spider is not sophisticated in the way we usually mean it. They are sophisticated about people — and people are the part of the identity stack we under-invest in most. Every organisation I assess has a documented MFA policy and an undocumented, ad-hoc help-desk reset process run by junior staff under time pressure. Until identity verification is engineered with the same rigour as authentication, the cheapest way into any enterprise will remain a confident phone call. The fix is not glamorous. It is procedure, training, out-of-band verification, and treating the help desk as the security control it has quietly always been.
Looking for an IAM lead who thinks this way?
I help regulated enterprises govern identity at scale — from SailPoint to PAM to audit.