In response to a recent series of cyber breaches affecting prominent UK retailers, the National Cyber Security Centre (NCSC) has released an urgent advisory highlighting a rising threat: attackers posing as internal IT support staff to deceive employees and gain access to critical login information.

Cybercriminals Turn to Deception Over Technology

Amid a rising number of cybersecurity breaches affecting major UK retailers — including Co-op, Marks & Spencer, and Harrods — the UK’s National Cyber Security Centre (NCSC) has issued a fresh alert. As covered by BBC News, attackers are increasingly leveraging human manipulation tactics rather than technical exploits. Specifically, they pose as IT support staff to deceive employees into surrendering critical access credentials.

These deceptive strategies often take the form of phone calls in which bad actors pretend to be either technical staff assisting with login issues or legitimate employees needing urgent access. The intent is to bypass digital defenses by exploiting the trust of individuals, tricking them into handing over passwords, security codes, or authentication tokens.

NCSC Recommends Strengthened Staff Verification Processes

In response, the NCSC has released new guidance urging organizations to reassess and reinforce how their internal support teams handle password resets and identity verification, especially for employees with administrative access or privileged system roles.

The NCSC is encouraging organizations to go back to basics: make sure your password reset processes actually verify who’s asking. In today’s threat environment, letting someone change their credentials without proper checks is like leaving the front door unlocked.

Cybersecurity professionals are now calling for layered identity checks, not just relying on what someone says over the phone. One practical solution being explored is using internal code words: simple, agreed-upon phrases that employees and IT teams can use to confirm each other’s identity. It might sound low-tech (“BluePenguin” isn’t exactly high-security), but in a high-pressure situation, that extra layer of trust can stop an attacker in their tracks.

Suspected Group: Scattered Spider or Emerging Collective?

While the NCSC stopped short of attributing the latest incidents to any specific group, it did acknowledge that the tactics bear similarities to those previously used by a loosely affiliated, English-speaking hacking collective nicknamed Scattered Spider. Active across the UK and U.S., this group, mainly composed of tech-savvy individuals in their teens and early twenties, is known for using social engineering via Discord and Telegram to plan and execute breaches against major organizations.

In recent years, Scattered Spider has been linked to high-profile ransomware attacks, including incidents targeting MGM Resorts and Caesars Palace in Las Vegas. Several arrests related to this group have been made across the UK and the U.S., including a 17-year-old from Walsall involved in investigations into attacks on MGM and Transport for London.

Still, in interviews with the BBC, the individuals behind the latest Co-op and M&S breaches denied affiliation with Scattered Spider. Instead, they referred to themselves as “DragonForce” — a name associated with malware-as-a-service offerings used by various criminal actors for data theft and extortion.

Data Breaches and Business Disruption

The group claiming responsibility told the BBC they had gained access to Co-op’s systems and exfiltrated substantial amounts of customer and employee data. They declined to discuss the details of the M&S hack, but it is believed that ransomware associated with DragonForce was deployed, leading to the encryption of critical systems.

While NCSC stated it had “some insight” into the nature of the breaches, it has not formally confirmed whether the incidents are connected. “We are working with the affected organizations and law enforcement partners to establish attribution,” a spokesperson said.

In response, cybersecurity specialists are urging firms to increase vigilance around anomalous login activity, such as access attempts from unfamiliar geographic locations or outside business hours, both signs that credential-based attacks may be underway.
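The two signals named above, logins from unfamiliar locations and logins outside business hours, can be checked with a few lines of log analysis. The sketch below is an example added here, not code from the NCSC or the BBC report; it goes one step further by also marking a flagged login that closely follows a help-desk password reset. The event format, the business-hours policy and the 24-hour window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events, not real logs: (local timestamp, user, event, country)
EVENTS = [
    ("2025-05-05T09:12:00", "alice", "login", "GB"),
    ("2025-05-06T10:03:00", "alice", "login", "GB"),
    ("2025-05-06T14:30:00", "bob", "login", "GB"),
    ("2025-05-07T02:47:00", "bob", "login", "GB"),
    ("2025-05-07T11:05:00", "alice", "helpdesk_reset", "-"),
    ("2025-05-07T11:20:00", "alice", "login", "RO"),
    ("2025-05-08T09:00:00", "alice", "login", "GB"),
]

BUSINESS_HOURS = range(8, 19)        # assumed policy: 08:00-18:59, Monday to Friday
RESET_WINDOW = timedelta(hours=24)   # assumed: how long a reset counts as "recent"


def flag_logins(events):
    """Return (timestamp, user, reasons) for every login worth a second look."""
    seen = {}        # user -> countries seen in earlier logins (the baseline)
    last_reset = {}  # user -> time of the most recent help-desk reset
    alerts = []
    for ts, user, kind, country in sorted(events):  # ISO timestamps sort by time
        when = datetime.fromisoformat(ts)
        if kind == "helpdesk_reset":
            last_reset[user] = when
            continue
        reasons = []
        known = seen.setdefault(user, set())
        # Assumption: a user's first recorded login establishes the baseline.
        if known and country not in known:
            reasons.append("unfamiliar_location")
        if when.hour not in BUSINESS_HOURS or when.weekday() >= 5:
            reasons.append("outside_business_hours")
        reset = last_reset.get(user)
        if reasons and reset and when - reset <= RESET_WINDOW:
            reasons.append("follows_helpdesk_reset")
        if "unfamiliar_location" not in reasons:
            known.add(country)  # a flagged country never joins the baseline
        if reasons:
            alerts.append((ts, user, reasons))
    return alerts


if __name__ == "__main__":
    for alert in flag_logins(EVENTS):
        print(alert)
```

A login that is only off-hours is a weak signal by itself; the combination with a recent reset is the one worth routing to an analyst first.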

When Firewalls Aren’t Enough, People Become the Target

As security tools get smarter, hackers are getting craftier: instead of breaking down digital walls, they’re walking through the front door by tricking people. This new wave of attacks shows just how vulnerable humans can be when someone sounds convincing enough on the phone.

That’s why regular cybersecurity training (especially for IT help desk staff and those managing account access) is no longer optional. It’s your first line of defense.

Companies are being urged to embrace a zero-trust mindset: never assume someone is who they claim to be, and always double-check before granting access. Minimizing unnecessary admin rights and using multi-factor authentication (MFA) should be the new normal.

Cybersecurity expert Lisa Forte from Red Goat Security puts it this way: no system is perfect, but small steps, like requiring a second form of verification or flagging logins from unusual locations, can make a big difference when it counts.

Staying Safe Starts with People, Not Just Technology

At NTQ Europe, we recognize that today’s biggest threats don’t always come from malicious code; they often come from moments when people are misled or rushed. As organizations scale their digital operations, identity verification isn’t a “nice to have” – it’s a must-have from day one.

In an age where ransomware can be bought off the shelf, building a culture of awareness and layering security measures isn’t just a technical strategy. It’s one of the most practical ways to keep systems running and teams protected over the long haul.

Source: BBC News