By Richard Ford, chief technology officer, at Integrity360
The recent wave of cyber attacks against UK based retailers including M&S, Co-op and Harrods has laid bare that social engineering is one of the most effective weapons in a threat actor’s arsenal. Currently, these attacks are attributed to the Scattered Spider group and signal just how vulnerable many retail organisations can be to such tactics. This is also not unique to Retail, and all organisations should be paying attention. Using the lessons learned to strengthen their security controls in order to withstand these types of attacks.
While the disruption to services at M&S and the confirmed data breach at Co-op rightly drew headlines, the deeper concern is the method of compromise. These were not cases of highly sophisticated attacks, exploiting zero-day vulnerabilities, but exploiting people and gaps in procedure and policy. In this case, specifically the successful impersonation of staff members to target IT helpdesks to gain credential resets. This was followed by remote access through legitimate tools, and finally, the deployment of DragonForce ransomware to encrypt systems and extract sensitive data for double extortion. Although not confirmed, it is likely SIM swapping would have been used to bypass multi-factor authentication.
This should serve as a wake-up call. Social engineering isn’t new, but it is evolving. Today’s threat actors are fluent in the processes and language of IT support teams, capable of replicating internal procedures convincingly. Scattered Spider is made up of US & UK hackers, so are also fluent in English to help impersonate employees. That said, advances in AI deepfakes can allow any attacker to fake a voice or language making the job of defending these attacks even more difficult. In many cases, their use of “living off the land” techniques, which is where threat actors use standard built-in administrative tools to carry out some or all of their attack, allows them to blend in with normal user activity allows and move undetected within an organisation to inflict damage.
In addition, at Integrity360, we are seeing a growing number of UK organisations that remain underprepared for these kinds of attacks, particularly when it comes to incident response maturity. In several cases, poor readiness and lack of incident response plans has significantly slowed recovery time and increased the impact of the breach. This has been claimed (but not confirmed) as to why the M&S breach has taken so long to recover from.
The retail sector is increasingly in the crosshairs. According to Google’s Threat Intelligence Group, 11% of all posts on ransomware data leak sites in 2025 so far have involved retail organisations, up from 8.6% in 2024. With rich customer data, large attack surfaces, and often complex IT estates, the sector presents a high-value target.
So how should retailers and other vulnerable sectors respond?
First, helpdesk procedures must be reviewed and hardened. Staff responsible for password resets or credential changes must follow strict verification protocols. These could include live on-camera verification or mandatory challenge/response questions. No reset should be issued based on a single vector of identity confirmation. Callbacks to known numbers (voice-based authentication) and SMS are the weakest forms of multi-factor authentication, so should be avoided or only used alongside other methods.
Second, authentication methods need to evolve. Phishing-resistant MFA, such as hardware tokens or biometric systems, should replace less secure methods. Passwordless authentication, while not yet universally adopted, offers a significant reduction in risk. Ultimately, to implement their attack, threat actors need to elevate their access and compromise an administrative level attack, Privileged Access Management (PAM) solutions should be deployed to limit exposure of high-value credentials.
Third, incident response plans must be tested, not just written. A plan is only as good as the last time it was rehearsed. Regular tabletop exercises, including simulated social engineering attacks, can expose weak points before adversaries do. Often, the successful recovery is dependant on the availability of backups, and how quickly they can be restored. Backups are targeted by attackers to prevent this so should be stored offline, so called immutable backups.
Finally, organisations must accept that social engineering is not a technical flaw, it’s a human one. That means culture, training and vigilance are just as vital as firewalls and endpoint detection tools. Staff must be aware that oversharing on social media platforms can aid an attacker. Technical teams must be trained to spot subtle warning signs. And leadership must invest not only in protection, but in preparation.
The DragonForce campaign is unlikely to be the last of its kind. But future incidents do not have to be successful. With the right strategy and security measures in place organisations can build resilience against even the most deceptive adversaries.
