
Retail social engineering attacks: are identity controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8534
Topic starter  

TL;DR: Scattered Spider-style attacks have shown that help desk social engineering, phishable MFA, and identity impersonation can bypass traditional defenses and drive large-scale retail damage, according to HYPR. The real failure is not just weak authentication, but an identity assurance model that still assumes human operators and manual verification can absorb adversarial pressure.

NHIMG editorial — based on content published by HYPR: Deconstructing the Gen-Z Hackers behind the £440M Cyber Attack on Marks & Spencer, Co-op, and Harrods

By the numbers:

Questions worth separating out

Q: How should security teams stop help desk abuse in identity attacks?

A: Security teams should treat recovery and enrolment as high-risk access changes, not routine support.

Q: Why do phishable MFA methods still fail against social engineering?

A: Phishable MFA still fails because it can be relayed, captured, or bypassed through session theft and help desk manipulation.

Q: What do security teams get wrong about identity assurance?

A: Many teams equate identity assurance with login security, but the real exposure often sits in recovery, device binding, and exception handling.

Practitioner guidance

  • Harden account recovery workflows: Require stronger proof for password reset, device enrolment, and MFA replacement than for ordinary sign-in.
  • Replace phishable factors with phishing-resistant authentication: Move high-value users and support-adjacent roles to passkeys or other domain-bound methods that cannot be relayed through fake login pages.
  • Treat help desk actions as privileged events: Log, review, and alert on credential resets, MFA changes, and identity proofing exceptions with the same seriousness as PAM activities.

What's in the full analysis

HYPR's full blog covers the operational detail this post intentionally leaves for the source:

  • The specific Scattered Spider behaviours HYPR maps to help desk compromise and identity impersonation.
  • The authentication and verification controls HYPR positions as alternatives to passwords and phishable MFA.
  • The article's breakdown of why deterministic identity verification changes the support workflow.
  • The article's narrative examples showing how social engineering moves from reconnaissance to credential reset.

👉 Read HYPR's analysis of the Scattered Spider retail attack pattern →
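Added example (editor's code, not from the post above or from HYPR): the "treat help desk actions as privileged events" guidance turned into a small review script over constructed help-desk audit lines. It flags recovery actions taken on weak proof of identity, and a password reset followed by an MFA reset or device enrolment on the same user within a short window. The key=value log layout, the proof levels and the 30-minute window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed help-desk audit lines (not from the HYPR article or the post);
# the key=value layout is assumed, not a real product's export format.
SAMPLE_LOG = """\
2024-05-01T09:02:11Z agent=hd-017 user=jsmith action=password_reset proof=knowledge
2024-05-01T09:09:40Z agent=hd-017 user=jsmith action=mfa_reset proof=knowledge
2024-05-01T09:12:05Z agent=hd-017 user=jsmith action=device_enrol proof=none
2024-05-01T10:30:00Z agent=hd-004 user=akhan action=password_reset proof=callback
2024-05-01T11:15:22Z agent=hd-004 user=akhan action=login proof=none
"""

RECOVERY_ACTIONS = {"password_reset", "mfa_reset", "device_enrol"}
STRONG_PROOF = {"callback", "video"}      # assumed step-up proof levels
CHAIN_WINDOW = timedelta(minutes=30)      # assumed window for a reset->enrol chain

def parse_log(text):
    """Turn each non-empty line into a dict with a parsed timestamp, sorted by time."""
    events = []
    for line in filter(str.strip, text.splitlines()):
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def review_help_desk_log(text):
    """Return alert strings for low-assurance recovery and reset->enrol chains."""
    events = parse_log(text)
    alerts = []
    for i, ev in enumerate(events):
        if ev["action"] not in RECOVERY_ACTIONS:
            continue
        # Rule 1: a recovery action performed without strong proof of identity
        if ev["proof"] not in STRONG_PROOF:
            alerts.append(f"LOW_ASSURANCE_RECOVERY user={ev['user']} action={ev['action']} "
                          f"proof={ev['proof']} agent={ev['agent']}")
        # Rule 2: password reset followed by MFA reset / device enrolment on the same user
        if ev["action"] == "password_reset":
            for later in events[i + 1:]:
                if later["ts"] - ev["ts"] > CHAIN_WINDOW:
                    break
                if later["user"] == ev["user"] and later["action"] in ("mfa_reset", "device_enrol"):
                    alerts.append(f"RECOVERY_CHAIN user={ev['user']} {ev['action']}->{later['action']} "
                                  f"within {CHAIN_WINDOW} agent={later['agent']}")
                    break
    return alerts

if __name__ == "__main__":
    for alert in review_help_desk_log(SAMPLE_LOG):
        print(alert)
```

Against the sample, the callback-verified reset for akhan raises nothing, while the jsmith sequence produces three low-assurance alerts plus one chain alert.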

(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 7990
 

Social engineering is an identity assurance failure, not just a user-awareness problem. Scattered Spider-style attacks succeed because the organisation trusts the help desk to act as a human validation layer. That assumption was designed for cooperative users and bounded requests, not adversaries who can impersonate a legitimate employee with pressure, context, and timing. The implication is that identity assurance has to be engineered into the recovery path itself, not outsourced to operator judgement.

A few things that frame the scale:

  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to Ultimate Guide to NHIs.
  • 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.

A question worth separating out:

Q: Who is accountable when a help desk reset enables a breach?

A: Accountability should sit with the identity and support owners who designed the recovery workflow, not only the agent who took the call. If the process allowed a low-assurance reset, the control failure is systemic. That makes governance, approval design, and auditability part of the accountability model.

👉 Read our full editorial: Social engineering is breaking identity assurance in retail attacks
