Threatonomics

How Scattered Spider’s vertical-focused strategy creates industry-wide security emergencies

by Emma McGowan , Senior Writer
Published

Why organizations need comprehensive defenses against this new breed of cybercriminal

This post is based on a threat intelligence report by Resilience Director of Threat Intelligence Andrew Bayers.

Scattered Spider has emerged as a sophisticated threat actor whose advanced social engineering tactics blur the lines between common cybercrime and nation-state tradecraft. Their tendency to tackle specific verticals at a time – as they did in the recent retail attacks in the UK and their attacks on casinos last year – means when they hit, they hit in a massive surge. 

That factor, combined with recent reports that they may be targeting insurance companies as the 7/1 transition date approaches, means it’s imperative that organizations of all types are on the lookout for attack attempts. Here’s what you need to know.

What makes Scattered Spider different

Unlike traditional cybercriminals who rely primarily on automated attacks, Scattered Spider employs real-time interaction with victims, dramatically increasing their success rates. Their operational security is tight: they frequently rotate infrastructure and identities to avoid detection, making them particularly challenging to track and counter.

Perhaps most concerning is their ability to exploit the very trust mechanisms organizations put in place to protect themselves: multi-factor authentication (MFA), IT support processes, and third-party identity providers. They’ve weaponized the trust employees place in internal systems and support staff. Here’s how they do it.

1. IT impersonation

Scattered Spider attackers pose as internal IT support or help desk staff, using publicly available information from LinkedIn and corporate websites to make their impersonation convincing. A typical attack might involve a call like: “Hi Bob, this is Alice from IT. We’re seeing issues with your account and need you to re-authenticate. I’ll send a push to your phone.”

2. SIM swapping operations

By socially engineering telecom providers, Scattered Spider attackers port victims’ phone numbers to attacker-controlled SIM cards. This allows them to intercept SMS-based MFA codes and phone calls, effectively bypassing traditional two-factor authentication.

3. Advanced voice phishing (vishing)

These aren’t amateur cold calls. Scattered Spider operates call center-style operations with detailed scripts that reference internal systems like Okta, Azure AD, and VPN portals. They enhance credibility through spoofed caller IDs, voice modulation, and automation.

4. MFA fatigue attacks

Scattered Spider floods victims with repeated MFA requests, hoping frustration or confusion will lead to approval. This is often combined with real-time communication—calling the victim during the attack while pretending to be IT support.

5. Sophisticated phishing portals

Their credential harvesting operations involve cloning login pages for enterprise applications, complete with corporate branding. These fake portals are hosted on compromised domains or legitimate cloud services to avoid detection.

6. Identity provider exploitation

Once Scattered Spider gains initial access, they pivot through identity providers like Okta or Azure AD to enumerate users and escalate privileges, taking advantage of single sign-on (SSO) trust relationships across cloud and SaaS platforms.

7. Insider recruitment

Perhaps most alarming, they actively recruit insiders through forums and social media, offering substantial payments for credentials, access to internal portals, or assistance with MFA bypass.

8. AI-enhanced attacks

While not yet widely confirmed, there are reports suggesting potential use of AI-generated voice content and deepfakes to enhance their impersonation attempts, pointing to an even more sophisticated future threat landscape.

How to protect your organization 

Given the sophistication of these attacks, traditional security measures alone aren’t sufficient. Organizations need a comprehensive approach that addresses both technical vulnerabilities and human factors.

Strengthening identity verification begins with implementing multi-layered identity verification that requires multiple forms of confirmation before acting on requests. Organizations should establish strict, documented authentication policies for help desk interactions and train staff to verify identities through out-of-band communication channels. This creates multiple checkpoints that make it significantly harder for attackers to maintain their deception.

Zero trust principles must be enforced consistently across all systems by applying the principle of least privilege and restricting access to powerful administrative tools to a small number of trusted users. Role-based access controls should be implemented with regular reviews to ensure permissions remain appropriate as roles change. This approach assumes that no user or system should be trusted by default, regardless of their location or credentials.

Connected application security requires maintaining strict control over who can authorize or install connected applications, using IP-based restrictions and allowlisting for approved applications, and monitoring all connected app activities. Since Scattered Spider often targets platforms like Salesforce, organizations should pay particular attention to tools like Data Loader and permissions such as “API Enabled” and “Customize Application.”

Real-time monitoring capabilities should include security event monitoring tools to track suspicious activities like mass data downloads, endpoint detection and response (EDR) systems to detect credential-stealing malware, and automated alerts for unusual access patterns. The goal is to detect and respond to threats as they occur, rather than discovering them after damage has been done.

MFA implementation needs to go beyond basic requirements to include phishing-resistant MFA using physical security keys that comply with FIDO2 standards. While requiring MFA for all access, including APIs and connected applications, is essential, organizations must also train users to recognize and report suspicious MFA requests, particularly the flood of requests characteristic of fatigue attacks.

Human-centered security investments should provide regular, targeted security training for help desk and IT personnel while educating privileged users about social engineering tactics and current threat trends. Creating a culture where employees feel comfortable questioning suspicious requests is crucial, as many successful attacks rely on victims’ reluctance to challenge apparent authority figures.

Third-party risk management involves auditing and limiting vendor access to only necessary systems, using temporary credentials where possible for external access, and monitoring third-party activities for unusual behavior patterns. Since Scattered Spider often exploits trust relationships, organizations must be particularly vigilant about external access points.

The bottom line

The threat landscape is evolving rapidly, and so must our defenses. By understanding these tactics and implementing comprehensive countermeasures, organizations can significantly reduce their risk of falling victim to these sophisticated social engineering campaigns.

About the Author
Emma McGowan , Senior Writer

Emma McGowan is the Senior Writer for industry-leading cyber risk company Resilience. She has been a full-time writer and editor for over 10 years, focused on technology and women’s health. Tech-fluent and highly motivated, Emma brings holistic experience leading brands in the delivery of high-quality, high-impact, multimedia digital content supported by strategy, planning, and performance analysis.

You might also like

A CISO’s guide to winning the annual budgeting battle

It’s that time of year again. Finance has sent the email with the budget template attached. Your CFO wants preliminary numbers by next week. And you’re staring at a spreadsheet wondering how to justify the security investments your organization desperately needs when last quarter’s board meeting included the phrase “do more with less.” Welcome to […]

What the Collins Aerospace outage reveals about vendor risk

On September 19, 2025, chaos erupted at airports across Europe—but not because of weather, strikes, or mechanical failures. Collins Aerospace’s MUSE platform, the digital backbone handling passenger check-in and baggage processing from Heathrow to Dublin, went dark after a ransomware attack. Within hours, major airports including Brussels, Berlin, and Dublin were forced to revert to […]

Does Resilience use your company data to train AI?

In an era where “AI training” has become synonymous with data collection, we get this question a lot: “Does Resilience use our company data to train AI models like ChatGPT?” The short answer? No. But the full answer reveals something more interesting about how we approach cyber risk modeling and why we chose a different […]

New insights on the evolving threat landscape, from our 2025 Midyear Cyber Risk Report 

The cybersecurity world is experiencing an unexpected paradox in 2025. While cyber insurance claims in the Resilience portfolio dropped by 53% in the first half of the year—suggesting that organizations are getting better at preventing attacks—the financial damage from successful incidents has actually increased. Our latest 2025 Midyear Cyber Risk Report reveals that when cybercriminals […]

The seven places you should be looking when building your vendor list

In our first post, we established why comprehensive vendor discovery matters and how most organizations approach it incorrectly. Today, we’re diving into the practical mechanics: the seven data streams that can reveal vendor relationships hiding in your existing systems. The key insight is to start with data you already have rather than surveys or questionnaires. […]

How to get people to care about security when they don’t report to you

Getting executive sign-off on a new control? Hard. Getting peer buy-in on security initiatives when they don’t report to you? Harder. In modern organizations, cybersecurity professionals often find themselves in the ultimate matrix of organizational challenges: you need buy-in from every department within the organization – operations, sales, HR, and finance – but none of […]