Threatonomics

How Scattered Spider’s vertical-focused strategy creates industry-wide security emergencies

by Emma McGowan , Senior Writer
Published

Why organizations need comprehensive defenses against this new breed of cybercriminal

This post is based on a threat intelligence report by Resilience Director of Threat Intelligence Andrew Bayers.

Scattered Spider has emerged as a sophisticated threat actor whose advanced social engineering tactics blur the lines between common cybercrime and nation-state tradecraft. Their tendency to tackle specific verticals at a time – as they did in the recent retail attacks in the UK and their attacks on casinos last year – means when they hit, they hit in a massive surge. 

That factor, combined with recent reports that they may be targeting insurance companies as the 7/1 transition date approaches, means it’s imperative that organizations of all types are on the lookout for attack attempts. Here’s what you need to know.

What makes Scattered Spider different

Unlike traditional cybercriminals who rely primarily on automated attacks, Scattered Spider employs real-time interaction with victims, dramatically increasing their success rates. Their operational security is tight: they frequently rotate infrastructure and identities to avoid detection, making them particularly challenging to track and counter.

Perhaps most concerning is their ability to exploit the very trust mechanisms organizations put in place to protect themselves: multi-factor authentication (MFA), IT support processes, and third-party identity providers. They’ve weaponized the trust employees place in internal systems and support staff. Here’s how they do it.

1. IT impersonation

Scattered Spider attackers pose as internal IT support or help desk staff, using publicly available information from LinkedIn and corporate websites to make their impersonation convincing. A typical attack might involve a call like: “Hi Bob, this is Alice from IT. We’re seeing issues with your account and need you to re-authenticate. I’ll send a push to your phone.”

2. SIM swapping operations

By socially engineering telecom providers, Scattered Spider attackers port victims’ phone numbers to attacker-controlled SIM cards. This allows them to intercept SMS-based MFA codes and phone calls, effectively bypassing traditional two-factor authentication.

3. Advanced voice phishing (vishing)

These aren’t amateur cold calls. Scattered Spider operates call center-style operations with detailed scripts that reference internal systems like Okta, Azure AD, and VPN portals. They enhance credibility through spoofed caller IDs, voice modulation, and automation.

4. MFA fatigue attacks

Scattered Spider floods victims with repeated MFA requests, hoping frustration or confusion will lead to approval. This is often combined with real-time communication—calling the victim during the attack while pretending to be IT support.

5. Sophisticated phishing portals

Their credential harvesting operations involve cloning login pages for enterprise applications, complete with corporate branding. These fake portals are hosted on compromised domains or legitimate cloud services to avoid detection.

6. Identity provider exploitation

Once Scattered Spider gains initial access, they pivot through identity providers like Okta or Azure AD to enumerate users and escalate privileges, taking advantage of single sign-on (SSO) trust relationships across cloud and SaaS platforms.

7. Insider recruitment

Perhaps most alarming, they actively recruit insiders through forums and social media, offering substantial payments for credentials, access to internal portals, or assistance with MFA bypass.

8. AI-enhanced attacks

While not yet widely confirmed, there are reports suggesting potential use of AI-generated voice content and deepfakes to enhance their impersonation attempts, pointing to an even more sophisticated future threat landscape.

How to protect your organization 

Given the sophistication of these attacks, traditional security measures alone aren’t sufficient. Organizations need a comprehensive approach that addresses both technical vulnerabilities and human factors.

Strengthening identity verification begins with implementing multi-layered identity verification that requires multiple forms of confirmation before acting on requests. Organizations should establish strict, documented authentication policies for help desk interactions and train staff to verify identities through out-of-band communication channels. This creates multiple checkpoints that make it significantly harder for attackers to maintain their deception.

Zero trust principles must be enforced consistently across all systems by applying the principle of least privilege and restricting access to powerful administrative tools to a small number of trusted users. Role-based access controls should be implemented with regular reviews to ensure permissions remain appropriate as roles change. This approach assumes that no user or system should be trusted by default, regardless of their location or credentials.

Connected application security requires maintaining strict control over who can authorize or install connected applications, using IP-based restrictions and allowlisting for approved applications, and monitoring all connected app activities. Since Scattered Spider often targets platforms like Salesforce, organizations should pay particular attention to tools like Data Loader and permissions such as “API Enabled” and “Customize Application.”

Real-time monitoring capabilities should include security event monitoring tools to track suspicious activities like mass data downloads, endpoint detection and response (EDR) systems to detect credential-stealing malware, and automated alerts for unusual access patterns. The goal is to detect and respond to threats as they occur, rather than discovering them after damage has been done.

MFA implementation needs to go beyond basic requirements to include phishing-resistant MFA using physical security keys that comply with FIDO2 standards. While requiring MFA for all access, including APIs and connected applications, is essential, organizations must also train users to recognize and report suspicious MFA requests, particularly the flood of requests characteristic of fatigue attacks.

Human-centered security investments should provide regular, targeted security training for help desk and IT personnel while educating privileged users about social engineering tactics and current threat trends. Creating a culture where employees feel comfortable questioning suspicious requests is crucial, as many successful attacks rely on victims’ reluctance to challenge apparent authority figures.

Third-party risk management involves auditing and limiting vendor access to only necessary systems, using temporary credentials where possible for external access, and monitoring third-party activities for unusual behavior patterns. Since Scattered Spider often exploits trust relationships, organizations must be particularly vigilant about external access points.

The bottom line

The threat landscape is evolving rapidly, and so must our defenses. By understanding these tactics and implementing comprehensive countermeasures, organizations can significantly reduce their risk of falling victim to these sophisticated social engineering campaigns.

About the Author
Emma McGowan , Senior Writer

Emma McGowan is the Senior Writer for industry-leading cyber risk company Resilience. She has been a full-time writer and editor for over 10 years, focused on technology and women’s health. Tech-fluent and highly motivated, Emma brings holistic experience leading brands in the delivery of high-quality, high-impact, multimedia digital content supported by strategy, planning, and performance analysis.

You might also like

Your cyber insurance policy could be a target

Organizations invest heavily in cyber insurance policies to shield their businesses from evolving threats, but many overlook a critical vulnerability: the security of the insurance policy documents themselves. While these policies are designed to protect you from cyber threats, they can become powerful weapons when they fall into the wrong hands. Over the past year, […]

A complete guide to domain spoofing

Domain spoofing is a cyberattack technique most commonly used in phishing and fraud, where criminals impersonate a legitimate organization’s domain name to deceive users. Think of it as digital identity theft at scale: Attackers make fraudulent emails or websites appear as if they originate from your trusted company domain, tricking victims into revealing sensitive data, […]

The 3 types of CISOs: How to succeed in any version – and what to do when you’re misaligned

As the CISO, are you and your organization in alignment? The CISO role has evolved dramatically over the past decade, but organizational cybersecurity programs have not always kept pace.  If you think about CISOs like software versions, version 1.0 is your first generation of CISOs, focused on structure and technical architecture. Version 2.0 moves beyond […]

The Security Squeeze

One of the most important features of the Resilience SaaS platform is our Quantified Cyber Action Plan. It supports CISOs making decisions under risk and uncertainty by providing a prioritization for which cyber controls should be implemented, based on their ROI. The power of this approach lies in the fact that it guides the most […]

The essential guide to cyber incident response leadership and decision making

When 43% of UK businesses report experiencing a cyber breach or attack in just the past year, the question isn’t whether your organization will face a cyber incident—it’s how well you’ll respond when it happens.  This stark reality was at the center of a recent webinar hosted by Resilience, featuring insights from Scott Tenenbaum, Head […]

Navigating the growing personal liability facing CISOs

Let’s not mince words: The threat of personal liability and potential criminal charges for CISOs has become a legitimate concern. At a recent “CISOs Off the Record” panel hosted by Resilience at the 2025 RSA Conference, three experienced CISOs talked about the growing trend of CISOs being found personally liable for actions they take at […]