How to prepare IT teams for social engineering attacks

A UK- and US-based cybercrime group relies heavily on impersonation.

Illustration: Anna Kim, Photo: Adobe Stock

While some recent cyberattacks targeting retailers—like Victoria’s Secret, Dior, North Face, Adidas, Whole Foods, and the UK’s Co-op—have involved moves like credential stuffing and network reconnaissance, some cyber tactics are more theatrical than technical.

A data breach of UK retailer Marks & Spencer (M&S), its CEO said, reportedly involved social engineering and tricking a third-party provider into providing access.

The cybercriminal collective Scattered Spider, which the UK’s National Crime Agency is currently eyeing as it investigates the wave of retailer breaches, is known for its effective impersonations. (In a memorable 2023 attack against Las Vegas’s Caesars Entertainment and MGM Resorts, one that many attribute to Scattered Spider, a “smooth-talking” hacker reportedly duped a help-desk worker into handing over credentials.)

Pros who spoke to IT Brew recommended ways to prep teams for aggressive social engineering.

Fake and bake. Verizon’s latest Data Breach Investigations Report found that social engineering factored into 22% of 9,754 external data breaches studied between Nov. 1, 2023, and Oct. 31, 2024.

A recent report from ReliaQuest found that Scattered Spider’s members, in addition to exploiting help-desk systems and impersonating employees to breach organizations, also fake site domains. Over eight in 10 (81%) of Scattered Spider’s domains mimic technology vendors, targeting services like single sign-on (SSO), VPNs, and IT-support systems.

And the hackers do their homework—building out profiles of CEOs, CTOs, and the help-desk pro they’re calling, according to Michael McPherson, senior VP of security operations at ReliaQuest.

“This is not a prank call,” he told us. “This is not just, ‘Hey, let’s go take a shot and call some shop down the street and see if they make a mistake.’”

Retail organizations accounted for 11% of data leak site victims this year—an increase from 8.5% in 2024 and 6% in 2022 and 2023, according to a recent Google Cloud post. Retail may attract malicious hackers, the Google writers noted, due to the orgs’ possession of personally identifiable information and financial data.

Google Cloud, in its May 6 report, recommended best practices, including the enforcement of on-camera and in-person verification, out-of-band verification, and authenticator apps that require tougher-to-fake features like number matching and geo-verification.

Keith Wojcieszek, global head of threat intelligence at Kroll, recommends procedures to hinder fast-paced, phishy authentication resets, like placing the caller on hold, calling back to a personal phone, or getting a supervisor’s approval.

Some identity verifications may require a shared code word or secret. A July 2024 Bloomberg report revealed how a Ferrari exec thwarted a CEO-impersonating fraudster by asking about a specific book known to both parties.

Wojcieszek compares that kind of authentication to the World War II series Band of Brothers, where soldiers used verbal callsigns “flash!” and “thunder!” to identify approaching friendlies.

IBM put the average cost of a data breach in 2024 at $4.9 million. M&S recently estimated costs from the cyber incident to reach $400 million.

“You want to create policies and procedures that are more difficult for attackers to fake, and you want to educate the help desk and other people about these sorts of attacks and let them know that if you follow the policy, you won’t be fired,” Roger A. Grimes, data-driven defense evangelist at KnowBe4, told us last year.
