Threatonomics

How Scattered Spider’s vertical-focused strategy creates industry-wide security emergencies

by Emma McGowan , Senior Writer
Published

Why organizations need comprehensive defenses against this new breed of cybercriminal

This post is based on a threat intelligence report by Resilience Director of Threat Intelligence Andrew Bayers.

Scattered Spider has emerged as a sophisticated threat actor whose advanced social engineering tactics blur the lines between common cybercrime and nation-state tradecraft. Their tendency to tackle specific verticals at a time – as they did in the recent retail attacks in the UK and their attacks on casinos last year – means when they hit, they hit in a massive surge. 

That factor, combined with recent reports that they may be targeting insurance companies as the 7/1 transition date approaches, means it’s imperative that organizations of all types are on the lookout for attack attempts. Here’s what you need to know.

What makes Scattered Spider different

Unlike traditional cybercriminals who rely primarily on automated attacks, Scattered Spider employs real-time interaction with victims, dramatically increasing their success rates. Their operational security is tight: they frequently rotate infrastructure and identities to avoid detection, making them particularly challenging to track and counter.

Perhaps most concerning is their ability to exploit the very trust mechanisms organizations put in place to protect themselves: multi-factor authentication (MFA), IT support processes, and third-party identity providers. They’ve weaponized the trust employees place in internal systems and support staff. Here’s how they do it.

1. IT impersonation

Scattered Spider attackers pose as internal IT support or help desk staff, using publicly available information from LinkedIn and corporate websites to make their impersonation convincing. A typical attack might involve a call like: “Hi Bob, this is Alice from IT. We’re seeing issues with your account and need you to re-authenticate. I’ll send a push to your phone.”

2. SIM swapping operations

By socially engineering telecom providers, Scattered Spider attackers port victims’ phone numbers to attacker-controlled SIM cards. This allows them to intercept SMS-based MFA codes and phone calls, effectively bypassing traditional two-factor authentication.

3. Advanced voice phishing (vishing)

These aren’t amateur cold calls. Scattered Spider operates call center-style operations with detailed scripts that reference internal systems like Okta, Azure AD, and VPN portals. They enhance credibility through spoofed caller IDs, voice modulation, and automation.

4. MFA fatigue attacks

Scattered Spider floods victims with repeated MFA requests, hoping frustration or confusion will lead to approval. This is often combined with real-time communication—calling the victim during the attack while pretending to be IT support.

5. Sophisticated phishing portals

Their credential harvesting operations involve cloning login pages for enterprise applications, complete with corporate branding. These fake portals are hosted on compromised domains or legitimate cloud services to avoid detection.

6. Identity provider exploitation

Once Scattered Spider gains initial access, they pivot through identity providers like Okta or Azure AD to enumerate users and escalate privileges, taking advantage of single sign-on (SSO) trust relationships across cloud and SaaS platforms.

7. Insider recruitment

Perhaps most alarming, they actively recruit insiders through forums and social media, offering substantial payments for credentials, access to internal portals, or assistance with MFA bypass.

8. AI-enhanced attacks

While not yet widely confirmed, there are reports suggesting potential use of AI-generated voice content and deepfakes to enhance their impersonation attempts, pointing to an even more sophisticated future threat landscape.

How to protect your organization 

Given the sophistication of these attacks, traditional security measures alone aren’t sufficient. Organizations need a comprehensive approach that addresses both technical vulnerabilities and human factors.

Strengthening identity verification begins with implementing multi-layered identity verification that requires multiple forms of confirmation before acting on requests. Organizations should establish strict, documented authentication policies for help desk interactions and train staff to verify identities through out-of-band communication channels. This creates multiple checkpoints that make it significantly harder for attackers to maintain their deception.

Zero trust principles must be enforced consistently across all systems by applying the principle of least privilege and restricting access to powerful administrative tools to a small number of trusted users. Role-based access controls should be implemented with regular reviews to ensure permissions remain appropriate as roles change. This approach assumes that no user or system should be trusted by default, regardless of their location or credentials.

Connected application security requires maintaining strict control over who can authorize or install connected applications, using IP-based restrictions and allowlisting for approved applications, and monitoring all connected app activities. Since Scattered Spider often targets platforms like Salesforce, organizations should pay particular attention to tools like Data Loader and permissions such as “API Enabled” and “Customize Application.”

Real-time monitoring capabilities should include security event monitoring tools to track suspicious activities like mass data downloads, endpoint detection and response (EDR) systems to detect credential-stealing malware, and automated alerts for unusual access patterns. The goal is to detect and respond to threats as they occur, rather than discovering them after damage has been done.

MFA implementation needs to go beyond basic requirements to include phishing-resistant MFA using physical security keys that comply with FIDO2 standards. While requiring MFA for all access, including APIs and connected applications, is essential, organizations must also train users to recognize and report suspicious MFA requests, particularly the flood of requests characteristic of fatigue attacks.

Human-centered security investments should provide regular, targeted security training for help desk and IT personnel while educating privileged users about social engineering tactics and current threat trends. Creating a culture where employees feel comfortable questioning suspicious requests is crucial, as many successful attacks rely on victims’ reluctance to challenge apparent authority figures.

Third-party risk management involves auditing and limiting vendor access to only necessary systems, using temporary credentials where possible for external access, and monitoring third-party activities for unusual behavior patterns. Since Scattered Spider often exploits trust relationships, organizations must be particularly vigilant about external access points.

The bottom line

The threat landscape is evolving rapidly, and so must our defenses. By understanding these tactics and implementing comprehensive countermeasures, organizations can significantly reduce their risk of falling victim to these sophisticated social engineering campaigns.

About the Author
Emma McGowan , Senior Writer

Emma McGowan is the Senior Writer for industry-leading cyber risk company Resilience. She has been a full-time writer and editor for over 10 years, focused on technology and women’s health. Tech-fluent and highly motivated, Emma brings holistic experience leading brands in the delivery of high-quality, high-impact, multimedia digital content supported by strategy, planning, and performance analysis.

You might also like

Cybersecurity and insurance predictions for 2026

The cyber threat landscape is evolving at breakneck speed, and the challenges organizations will face in 2026 look dramatically different from those of even a year ago. To understand what’s coming, we gathered insights from Resilience’s leading cybersecurity and cyber insurance experts: Dr. Ann Irvine, Chief Data and Analytics Officer; Chris Wheeler, CISO; David Meese, […]

Risk-based vendor tiering that actually works

Welcome back to the Resilience third-party management series. In our first three posts, we covered why third-party vendor discovery matters, how to locate vendors across your environment, and which high-risk vendor categories most organizations overlook. Now we turn to the next step: prioritizing those vendors based on actual cyber risk—not contract spend. Most vendor management […]

The vendors you’re probably missing

While the seven data streams from our previous post will capture the majority of your vendor relationships, they’re primarily designed to find digital services and traditional procurement relationships. Today, we’re exploring the vendor categories that fall through the cracks of most discovery programs, as well as why they often represent some of your highest-risk relationships. […]

How to prepare your organization for a post-quantum world

Quantum computing is on the horizon, and with it comes a seismic shift in how organizations must think about cybersecurity risk. The ability of future quantum machines to break today’s cryptographic protections, what we call quantum decryption, could undermine the trust, confidentiality, and resilience of digital business. This briefing series distills a highly technical topic […]

When will quantum decryption become practical?

As part of Cybersecurity Awareness Month, we’re publishing this three-part series that distills a highly technical topic into strategic insights for leaders. Part 1 explained why quantum decryption poses a threat to current encryption systems. Part 2 lays out credible timelines for when the disruption may arrive. Part 3 will offer practical guidance on how […]

What business leaders need to know about post-quantum cyber risk

Quantum computing is on the horizon and with it comes a seismic shift in how organizations must think about cybersecurity risk. The ability of future quantum machines to break today’s cryptographic protections–what we call quantum decryption–could undermine the trust, confidentiality, and resilience of digital business.                                                                                          As part of Cybersecurity Awareness Month, throughout October we are […]