Scattered Spider are a decentralized cyber-criminal collective turning helpful IT staff into unwitting accomplices.

When Your Help Desk Becomes the Front Door: How Scattered Spider is Weaponizing Human Trust

The call came in at 2:47 PM on a Tuesday. An employee claiming to be locked out of their account after losing their phone needed immediate help to access critical project files. The help desk technician, trained to be helpful and responsive, reset the multi-factor authentication token and sent new credentials to the employee’s backup email address.

Within hours, Marks & Spencer’s entire IT infrastructure was compromised. The “employee” wasn’t an employee at all; it was Scattered Spider, a decentralized cyber-criminal collective that has perfected the art of turning helpful IT staff into unwitting accomplices.

This wasn’t an isolated incident. Over the past weeks, Scattered Spider has intensified their attacks against major enterprises, focusing particularly on retailers, airlines, managed service providers (MSPs), and IT vendors. The group’s weapon of choice isn’t sophisticated malware or zero-day exploits; it’s something far more dangerous: our fundamental human desire to help.

The New Battleground: Your Help Desk

Traditional cybersecurity focuses on technical defenses: firewalls, encryption, endpoint protection. But Scattered Spider has identified the weakest link in even the most sophisticated security architecture: human psychology. Their recent campaigns reveal a troubling evolution in cyber warfare, where the most dangerous attacks begin not with code, but with conversation.

The group’s most prominent tactic involves impersonating internal IT help desk staff or employees in distress. The approach is deceptively simple: attackers contact employees via phone or platforms like Slack or Microsoft Teams, claim to be from support, and create a sense of urgency. Sometimes they flood targets with spam to add authenticity to their “emergency.” Then they convince victims to install remote-access tools or, more commonly, persuade actual help desk staff to reset credentials or MFA tokens.

What makes this particularly insidious is how it exploits the very qualities we want in our IT support teams (responsiveness, helpfulness, and empathy). The attackers understand that help desk staff are trained to solve problems quickly, especially when employees claim to be locked out of critical systems.

Scattered Spider's attack on UK retailer Marks & Spencer caused hundreds of millions in lost profits.

Beyond Retailers: The Expanding Target List

While Scattered Spider’s attacks on UK retailers like Marks & Spencer made headlines—with the M&S breach alone causing hundreds of millions in lost profits—their ambitions extend far beyond the retail sector. Most recently, the group has turned its attention to the aviation industry, with WestJet and Hawaiian Airlines both confirming cyberattacks in June 2025. The FBI issued a warning specifically about Scattered Spider targeting aviation companies and stated they are “actively working with aviation and industry partners to address this activity and assist victims.”

The group is also systematically targeting managed service providers and IT vendors, treating these organizations as stepping stones to access downstream customers. This strategy represents a fundamental shift in their approach. Rather than attacking individual companies one by one, they’re targeting the infrastructure that supports multiple organizations. When they compromise an MSP, they potentially gain access to dozens or hundreds of client networks simultaneously.

The scope of their infrastructure is staggering: security researchers have identified over 600 domains registered by the group, with 81% mimicking legitimate technology companies and help desk portals (e.g., Okta, Microsoft Entra, Zendesk). This isn’t a small-scale operation; it is a deception machine designed to blur the lines between legitimate and malicious communications.

The Multi-Factor Authentication Illusion

Organizations that believed multi-factor authentication (MFA) would protect them are discovering an uncomfortable truth: MFA is only as strong as the human processes that support it. Scattered Spider has developed multiple techniques to bypass these protections:

Help Desk Social Engineering

Attackers impersonate employees using carefully gathered personal information or credentials, then request password or MFA resets. They cite plausible scenarios (a lost phone, a forgotten password before an important presentation) and direct help desk staff to send reset links to attacker-controlled contact points.

SIM Swapping and Phishing

The group continues to use SIM swapping to intercept SMS-based MFA codes while deploying sophisticated credential-phishing campaigns, often targeting IAM accounts. They’ve adopted “Attacker-in-the-Middle” (AiTM) phishing kits like Evilginx to capture live session tokens, enabling them to circumvent most MFA protections in real time.

MFA Fatigue (Push Bombing)

Perhaps most concerning is their use of push-notification spamming to overwhelm users into approving malicious authentication requests. By flooding users with authentication prompts, they exploit human psychology; eventually, someone will click “approve” just to make the notifications stop.

The Ransomware Connection

What transforms these social-engineering attacks from annoying to devastating is Scattered Spider’s partnership with major ransomware operations, including ALPHV/BlackCat and RansomHub. These collaborations provide the group with sophisticated infrastructure, ransomware-deployment capabilities, and professional ransom-negotiation services.

The attacks follow a predictable pattern: social engineering provides initial access, rapid lateral movement identifies high-value targets, and ransomware deployment creates maximum disruption. The group particularly targets VMware environments, understanding that virtualization infrastructure offers the highest impact for their efforts.

In the M&S case, attackers didn’t just steal data; they demonstrated how low-tech social engineering can bypass high-tech defenses to gain privileged access. Once inside, they had the access and tools necessary to cause catastrophic operational disruption.

Warning Signs Hidden in Plain Sight

The most troubling aspect of Scattered Spider’s success is how their attacks exploit normal business communications. The warning signs exist, but they’re often dismissed as quirks of modern remote work:

  • Employees who consistently avoid video calls during verification processes
  • Urgent requests that bypass standard authentication procedures
  • Multiple password-reset requests from the same user in short timeframes
  • Requests to send credentials to personal email addresses or messaging apps
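
A detector for three of these warning signs (reset requests routed to non-corporate addresses, repeated reset requests from one user in a short window, and the push-prompt floods described under MFA Fatigue), written as an added example rather than anything from the original post or from Incode; the event format, the corp.example domain, and the thresholds are assumptions, and the log lines are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of help-desk and IdP events (not real data): ts|event|user|destination
SAMPLE_EVENTS = """\
2025-06-24T14:47:10|reset_request|alice.j|alice.j@corp.example
2025-06-24T14:55:31|reset_request|alice.j|alice.recovery@gmail.com
2025-06-24T15:10:02|reset_request|alice.j|alice.j@corp.example
2025-06-24T15:12:40|reset_request|bob.k|bob.k@corp.example
2025-06-24T15:20:00|push_prompt|carol.m|
2025-06-24T15:20:09|push_prompt|carol.m|
2025-06-24T15:20:17|push_prompt|carol.m|
2025-06-24T15:20:26|push_prompt|carol.m|
2025-06-24T15:20:33|push_prompt|carol.m|
"""
CORP_DOMAINS = {"corp.example"}          # assumed corporate mail domains
RESET_BURST = (3, timedelta(hours=1))    # >=3 reset requests per user within an hour
PUSH_BURST = (5, timedelta(minutes=10))  # >=5 push prompts per user within 10 minutes


def parse_events(text):
    """Parse pipe-delimited lines into sorted (datetime, event, user, destination) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, event, user, dest = line.split("|")
            events.append((datetime.fromisoformat(ts), event, user, dest))
    return sorted(events)


def burst_users(events, kind, threshold, window):
    """Users with at least `threshold` events of `kind` whose timestamps fit inside `window`."""
    per_user = defaultdict(list)
    for ts, event, user, _ in events:        # events are already sorted by time
        if event == kind:
            per_user[user].append(ts)
    return {user for user, stamps in per_user.items()
            if any(stamps[i + threshold - 1] - stamps[i] <= window
                   for i in range(len(stamps) - threshold + 1))}


def find_indicators(text):
    """Return (indicator, user, detail) findings for the warning signs listed above."""
    events = parse_events(text)
    # reset credentials or tokens sent to an address outside the corporate domains
    findings = [("external_reset_destination", user, dest)
                for _, event, user, dest in events
                if event == "reset_request" and dest.split("@")[-1] not in CORP_DOMAINS]
    for user in sorted(burst_users(events, "reset_request", *RESET_BURST)):
        findings.append(("reset_burst", user, ""))
    for user in sorted(burst_users(events, "push_prompt", *PUSH_BURST)):
        findings.append(("push_fatigue", user, ""))
    return findings
```

Each finding is a candidate for a mandatory callback or in-person check before the reset is honoured, not an automatic block; tune the thresholds to your own help desk's baseline.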

Local and international government entities have issued specific warnings about these tactics, urging organizations to strengthen help desk verification processes. But warnings aren’t enough when the attacks exploit fundamental human psychology and established business processes.

The Human Element: Why Technology Alone Isn’t Enough

Scattered Spider’s success reveals an uncomfortable truth about modern cybersecurity: our strongest technical defenses are only as effective as our weakest human processes. Traditional security training focuses on helping employees identify phishing emails or suspicious websites. But how do you train a help desk technician to distinguish between a legitimate employee in distress and a skilled social engineer who’s done their homework?

The attackers understand organizational psychology. They know that help desk staff are measured on response times and customer satisfaction. They exploit the pressure to resolve issues quickly, the natural human desire to help, and the assumption that anyone calling internal numbers must be legitimate.

This represents a fundamental challenge for security professionals: balancing security with usability, verification with responsiveness, and paranoia with productivity. The solution isn’t to make systems harder to use; it’s to make verification seamless and automatic.

A New Paradigm for Identity Verification

The Scattered Spider threat highlights why traditional approaches to identity verification are no longer sufficient. When attackers can social-engineer their way past help desk procedures and bypass MFA through technical manipulation, organizations need verification methods that don’t rely solely on human judgment or user cooperation.

Modern identity verification must be:

  • Continuous – Not just at login, but throughout user sessions
  • Biometric – Based on unique biological characteristics that can’t be easily spoofed
  • Automated – Removing human judgment from critical security decisions
  • Contextual – Understanding normal behavior patterns to identify anomalies

The future of cybersecurity isn’t about building higher walls; it’s about ensuring that the people inside those walls are actually who they claim to be.

Incode Workforce redefines enterprise identity verification by closing the gaps that attackers like Scattered Spider exploit.

The Economic Impact of Trust

The financial implications of Scattered Spider’s campaigns extend far beyond immediate ransom payments. Organizations face:

  • Operational disruption during incident response and recovery
  • Regulatory scrutiny and potential penalties for data breaches
  • Customer trust erosion and long-term reputational damage
  • Insurance implications as carriers become more sophisticated about social-engineering exclusions
  • Competitive disadvantage as sensitive strategic information potentially reaches competitors

More concerning is the precedent these attacks set. If sophisticated social engineering can reliably bypass multi-million-dollar security investments, other criminal groups will inevitably adopt similar tactics. What we’re witnessing isn’t just a crime spree; it’s the emergence of a new attack methodology that threatens the foundation of digital trust.

The Path Forward

Scattered Spider’s campaigns underscore that cybersecurity has evolved beyond traditional technical controls. The most dangerous attacks now begin with human psychology, not code vulnerabilities. Organizations that fail to adapt their security strategies to this reality will continue to fall victim to increasingly sophisticated social-engineering campaigns.

The solution isn’t to eliminate human interaction from business processes; it’s to augment human decision-making with automated verification that doesn’t depend on user cooperation or attacker honesty. When identity verification becomes seamless and automatic, the social-engineering attack surface effectively disappears.

For security professionals and business leaders, the message is clear: the weakest link in your security chain isn’t your technology; it’s the assumption that voice calls, email addresses, and employee credentials can be trusted without independent verification.

The question isn’t whether your organization will encounter social-engineering attacks like those deployed by Scattered Spider. It’s whether you’ll have the verification systems in place to recognize them before they succeed.

How Incode Workforce Stops Social Engineering at the Source

Incode Workforce redefines enterprise identity verification by closing the gaps that attackers like Scattered Spider exploit. By eliminating human discretion and guesswork from identity verification workflows, Incode turns a historically vulnerable process into a hardened, biometric-driven control point.

Biometric verification for every access event ensures only the legitimate employee can initiate high-risk actions like password resets or credential changes. Stolen personal data or insider knowledge becomes useless.

Continuous, passive authentication detects suspicious or unusual access even when attackers hold valid credentials, and stops social-engineering-based breaches in progress.

End-to-end automation of identity proofing removes help desk vulnerabilities by replacing subjective decision-making with irrefutable biometric evidence.

With Incode Workforce, identity becomes an immutable trust anchor. By automating and securing the entire identity lifecycle, from interviewing to onboarding to recovery, Incode effectively erases the social-engineering attack surface that groups like Scattered Spider rely on.

Learn more about how Incode protects against sophisticated identity threats.

Additional Resources

The Hacker News – Scattered Spider: Understanding Help Desk Attacks
Cybersecurity Dive – Scattered Spider Targets MSPs and IT Vendors
UK National Cyber Security Centre – Help Desk Security Guidelines
BleepingComputer – Scattered Spider: Three Things the News Doesn’t Tell You
NBC News – North American Airlines Targeted by Cyberattacks