Who Are Scattered Spider?

The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) describe Scattered Spider as:

‘a cybercriminal group that targets large companies and their contracted information technology (IT) help desks’.

Suspected to be a loose group of young, native English-speaking cybercriminals, they are likely part of a larger global hacking organization referred to as “the Community” or “the Comm”.

The gang has executed several high-profile attacks in recent years, including those on US-based Caesars Entertainment and MGM Resorts International in 2023 and on UK retailers Marks & Spencer and Co-op in early 2025. Recent hacks of financial services, insurance companies, and airlines have also been attributed to the group.

What’s Their Modus Operandi?

Scattered Spider are believed to start their attacks by acquiring employee login credentials, using methods that range from compromising internal servers to spoofing corporate SSO login sites. Once they have user credentials, their next task is to bypass MFA controls. To do this, they fall back on social engineering, targeting the organisation's IT help desk and persuading an agent to reset MFA for the compromised employee.

Despite huge advances in digital security, IT help desk agents have relatively few tools at their disposal to verify callers and tend to rely on simple security measures, such as asking for knowledge factors or sending a one-time code to the employee's phone number.

Unsurprisingly, Scattered Spider are one step ahead: they research employees on platforms such as LinkedIn to gather background information, use SIM swap techniques to take control of the employee's cell phone number, and/or mount a man-in-the-middle attack, playing both sides of the conversation between the employee and the IT help desk and taking whichever role suits the party they are speaking to.

The new fear is that Scattered Spider will soon adopt GenAI deepfake technology to replicate the target employee's voice and live image, rendering safeguards such as video calls, selfies, and liveness verification redundant.

How Can I Stop Them?

IT help desks need to equip themselves with tools that can digitally challenge the caller and extract a wealth of information from them that can be analysed for risk against trusted data sources, in real time. For example, Trusona's ATO Protect service allows the agent to send employees a company-branded URL via SMS that prompts them to scan an identity document such as a US driver's licence or passport.

However, even with such a system, there are 10 steps that enterprises must take to stop Scattered Spider from attacking their IT help desk.

  1. Perform a SIM swap check. Best practice is to send identity challenges to the cell phone number already on file for the employee. Fraudulent callers will claim to have lost the original phone or to be experiencing a technical issue and present a new number. But even with a trusted number, an immediate SIM swap check is essential to ensure the SIM has not been hijacked before the call.
  2. Acquire and plot the device IP location on a map. When interacting digitally with the caller via a challenge link, it is extremely useful to obtain the scanning device's internet service provider and plot its IP location on a map. While this will not give an exact caller location, it is a useful proxy and can show whether a VPN is being used to disguise the true IP location.
  3. Get the caller's GPS location. Agents can request that the caller share their current GPS location, plot it on a map, and match it to the address on the driver's licence. GPS location is notoriously hard to spoof, and this additional check complements the IP location check in the previous step. Legitimate employees should be happy to comply; fraudsters, not so much.
  4. Detect man-in-the-middle attacks. Hackers will try to socially engineer both sides of the call, relaying verification links between them. With the right technology, this can be detected by identifying suspicious multi-device interactions and separating them from normal multi-device behaviour.
  5. Detect replayed document scans. Fraudsters deploy malware on mobile devices that records legitimate document scans and replays them on demand. By capturing key parameters of each interaction, the right technology can determine whether the interaction is unique or a replay of a previous document scan.
  6. Cross-reference document details with mobile provider data. Even if the caller is on a trusted number, this check gives confidence that the number is registered to the same name, date of birth, and even street address shown on the ID document. Mobile network operator (MNO) data is a highly trusted third-party source, and this check can also be used at the agent's discretion when a new number is presented. If the caller says they are using their personal device, the registered details should still match.
  7. Verify ID details with a trusted third-party data source. A scammer may try to create a fake ID document in the employee's name, but checking a driver's licence with the DMV in real time will quickly detect this. Similarly, data from passports and other national IDs can be cross-checked against global sources such as LexisNexis.
  8. Detect counterfeit documents. The right technology will be able to detect scans of copied documents, manipulation, and other document tampering attempts.
  9. Compare device parameters to expected values. Every device will reveal its configuration during a digital interaction, and this can be compared to expected values for the given employee.
  10. Summarise the risk. With multiple signals based on device, document, and data, the agent needs a simple, actionable final risk status to decide whether to agree to the employee request (i.e., No Risk) or escalate the situation.
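The ten checks above produce separate signals; step 10 asks the agent for one actionable status. The following is an added example, not code from Trusona or ATO Protect, showing how such signals can be weighted and collapsed into "No Risk", "Review" or "Escalate". The data model (`VerificationSignals`), the weights, the distance and SIM swap thresholds, and the four sample sessions are all constructed assumptions for illustration; a real deployment would source them from its verification platform and tune them to its own population of employees.

```python
"""Help-desk caller verification: combine the signals from the ten checks
above into one actionable status. Added example with a hypothetical data model."""
from dataclasses import dataclass, replace
from math import asin, cos, radians, sin, sqrt
from typing import Optional

# Assumed thresholds (not from the article): how far a shared GPS fix may sit
# from the address on the ID, how far IP geolocation may differ from GPS, how
# recent a SIM swap is treated as hostile, and the score that forces escalation.
GPS_TO_ADDRESS_MAX_KM = 100.0
IP_TO_GPS_MAX_KM = 300.0
SIM_SWAP_WINDOW_DAYS = 7
ESCALATE_AT = 6


@dataclass(frozen=True)
class VerificationSignals:
    """One caller's digital challenge, as a verification platform might report it."""
    phone_on_file: bool                  # challenge went to the number already on file (step 1)
    sim_swapped_days_ago: Optional[int]  # None = MNO reports no recent swap (step 1)
    vpn_detected: bool                   # ISP lookup flags a VPN or proxy (step 2)
    ip_latlon: tuple                     # geolocation of the scanning device's IP (step 2)
    gps_latlon: Optional[tuple]          # GPS fix shared by the caller, None if declined (step 3)
    doc_address_latlon: tuple            # geocoded address printed on the ID (step 3)
    distinct_devices: int                # devices seen opening this one challenge link (step 4)
    scan_is_replay: bool                 # document scan matches an earlier capture (step 5)
    doc_matches_mno: bool                # name/DOB/address on ID match the MNO record (step 6)
    doc_verified_by_issuer: bool         # DMV or national data source confirms the document (step 7)
    doc_tamper_detected: bool            # counterfeit or manipulated scan detected (step 8)
    device_matches_expected: bool        # device parameters match the employee's profile (step 9)


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points given in degrees."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def assess(s):
    """Return (status, score, reasons); status is 'No Risk', 'Review' or 'Escalate'.

    Signals that cannot be explained away (replay, tampering, issuer rejection)
    force escalation regardless of the cumulative score.
    """
    reasons, score, hard_fail = [], 0, False

    def flag(weight, reason, fatal=False):
        nonlocal score, hard_fail
        score += weight
        reasons.append(reason)
        hard_fail = hard_fail or fatal

    if not s.phone_on_file:
        flag(2, "caller presented a new phone number instead of the one on file")
    if s.sim_swapped_days_ago is not None and s.sim_swapped_days_ago <= SIM_SWAP_WINDOW_DAYS:
        flag(4, f"SIM swap {s.sim_swapped_days_ago} day(s) before the call")
    if s.vpn_detected:
        flag(2, "scanning device is behind a VPN or proxy")
    if s.gps_latlon is None:
        flag(2, "caller declined to share GPS location")
    else:
        if haversine_km(s.gps_latlon, s.doc_address_latlon) > GPS_TO_ADDRESS_MAX_KM:
            flag(3, "GPS fix is far from the address on the ID")
        if haversine_km(s.gps_latlon, s.ip_latlon) > IP_TO_GPS_MAX_KM:
            flag(2, "IP geolocation disagrees with the GPS fix")
    if s.distinct_devices > 1:
        flag(3, "challenge link opened from multiple devices (possible man-in-the-middle)")
    if s.scan_is_replay:
        flag(5, "document scan is a replay of an earlier capture", fatal=True)
    if not s.doc_matches_mno:
        flag(3, "ID details do not match the mobile operator record")
    if not s.doc_verified_by_issuer:
        flag(4, "issuing authority could not verify the document", fatal=True)
    if s.doc_tamper_detected:
        flag(5, "document tampering detected", fatal=True)
    if not s.device_matches_expected:
        flag(2, "device parameters differ from the employee's known profile")

    if hard_fail or score >= ESCALATE_AT:
        return "Escalate", score, reasons
    return ("Review" if score else "No Risk"), score, reasons


# Constructed sample sessions (coordinates are a downtown Phoenix location).
LEGITIMATE_SESSION = VerificationSignals(
    phone_on_file=True, sim_swapped_days_ago=None, vpn_detected=False,
    ip_latlon=(33.4400, -112.0800), gps_latlon=(33.4500, -112.0700),
    doc_address_latlon=(33.4484, -112.0740), distinct_devices=1, scan_is_replay=False,
    doc_matches_mno=True, doc_verified_by_issuer=True, doc_tamper_detected=False,
    device_matches_expected=True)
VPN_ONLY_SESSION = replace(LEGITIMATE_SESSION, vpn_detected=True)
REPLAY_SESSION = replace(LEGITIMATE_SESSION, scan_is_replay=True)
SUSPICIOUS_SESSION = replace(
    LEGITIMATE_SESSION, phone_on_file=False, sim_swapped_days_ago=1, vpn_detected=True,
    gps_latlon=None, distinct_devices=2, doc_matches_mno=False, device_matches_expected=False)

if __name__ == "__main__":
    for name, session in [("legitimate", LEGITIMATE_SESSION), ("vpn only", VPN_ONLY_SESSION),
                          ("replay", REPLAY_SESSION), ("suspicious", SUSPICIOUS_SESSION)]:
        status, score, reasons = assess(session)
        print(f"{name:11s} -> {status} (score {score}): {'; '.join(reasons) or 'no findings'}")
```

The point of the `fatal` flag is that some findings are not a matter of degree: a replayed scan or a document the issuing authority rejects should never be averaged away by otherwise clean signals. Weights and thresholds should be reviewed against real help-desk traffic, since a threshold that escalates every travelling employee trains agents to override the tool.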


All of the steps above are included in ATO Protect with no additional costs.