Who Is Scattered Spider?

Scattered Spider is a loosely organized but highly effective threat actor known for targeting large organizations. They specialize in social engineering rather than sophisticated malware. Reports suggest that the group is composed of young, English‑speaking hackers who collaborate via online forums. Their hallmark is the use of vishing and MFA fatigue to bypass technical controls.

The group gained notoriety by breaching MGM Resorts and Caesars Entertainment in 2023. By social‑engineering help‑desk agents, they reset MFA devices and passwords, gaining legitimate credentials. The attacks cost MGM an estimated US$100 million and Caesars tens of millions. Scattered Spider’s success lies not in advanced exploits but in carefully crafted social‑engineering campaigns.

The Social Engineering Tactics They Use

Scattered Spider’s playbook relies on manipulating humans at the help desk. Key tactics include:

  • Pre‑attack reconnaissance – Attackers gather personal data about targets from social media, LinkedIn and data breaches. They learn employees’ roles, manager names and even project details. This allows them to answer security questions and build rapport.
  • Impersonation and vishing – Using the collected information, they call the help desk posing as an employee. They spoof caller IDs and sometimes use voice cloning to sound authentic. They claim to have lost their phone or changed numbers.
  • MFA reset requests – The attackers request that the help‑desk agent remove the existing MFA device and enroll a new device. The Hacker News explains that scammers may ask the agent to send the reset link to a new email or phone. Once the new device is enrolled, the attackers can reset the password and take over the account.
  • Targeting high‑privilege accounts – Because many help desks use uniform processes, attackers can reset the MFA of administrators just as easily as regular users. The Hacker News warns that this uniformity allows attackers to skip typical privilege‑escalation steps.
  • MFA fatigue – In addition to vishing, Scattered Spider may bombard a victim with push notifications until they accept one out of frustration. They might call the victim pretending to be IT support to encourage them to approve the login.

These tactics are effective because they exploit human psychology and weak verification processes.

Why They Target Help Desks

Help desks are attractive targets for several reasons:

  • High impact – Help‑desk agents have the authority to reset passwords and enroll MFA devices. Compromising an agent or tricking them into approving a reset can give attackers immediate access to sensitive systems.
  • Human vulnerability – Agents are trained to help and may fear disciplinary actions for delaying requests. Attackers use urgency and emotional manipulation to coerce them.
  • Lack of rigorous verification – Many help desks rely on knowledge‑based authentication and are not equipped with tools to verify identity beyond phone numbers and emails.
  • Uniform processes – There is often little differentiation between regular and high‑privilege accounts. Attackers can target executives or IT administrators using the same script.

How CISOs Can Build Defenses That Work

Defending against Scattered Spider requires addressing the human layer. CISOs should focus on:

  1. Strong identity proofing – Replace security questions with secure, out‑of‑band verification that requires scanning government IDs and selfies. This ensures the caller is who they claim to be.
  2. Phishing‑resistant MFA – Deploy hardware security keys and passkeys. Google’s experience demonstrates that security keys can prevent phishing.
  3. Scripted help‑desk workflows – Enforce call‑backs to numbers on file and multi‑party approval for high‑privilege accounts. Automate policy enforcement to remove human discretion.
  4. Training and awareness – Conduct regular vishing simulations and training to educate agents about Scattered Spider tactics. Encourage employees to report suspicious calls and repeated push notifications.
  5. Zero‑trust principles – Treat every request as untrusted until verified. Verify both the identity and device of the requester.
  6. Monitoring and reporting – Log all password resets and MFA changes. Use analytics to detect patterns such as multiple resets or calls from the same number. The FBI recommends prompt reporting of incidents.
  7. Engage legal and communications teams – Prepare a response plan that includes legal counsel and public relations. In the event of a breach, coordinated communication is critical to maintaining trust and complying with regulations.
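Items 3 and 6 above describe concrete controls: a call-back to the number on file, multi-party approval for privileged accounts, and analytics over reset logs to spot repeated resets or one caller number touching many accounts. The script below is an added illustration (not code from the article or any vendor product) of both: a policy gate for a reset request and two detections run over a constructed help-desk audit log. The log format, field names (`event`, `account`, `caller`, `agent`), the 24-hour window and the thresholds are all assumptions chosen for the example.

```python
"""Help-desk reset policy gate and reset-log anomaly detection.

Added example, not from the article. The audit-log format, field names and
thresholds are assumptions; adapt them to your ticketing/IdP export.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample of help-desk audit lines (not real data).
SAMPLE_LOG = """\
2024-05-01T09:02:11Z event=mfa_reset account=j.doe caller=+15550100 agent=hd01
2024-05-01T09:40:52Z event=password_reset account=j.doe caller=+15550100 agent=hd01
2024-05-01T10:15:03Z event=mfa_reset account=a.admin caller=+15550100 agent=hd02
2024-05-01T11:05:44Z event=mfa_reset account=j.doe caller=+15550100 agent=hd03
2024-05-02T14:30:00Z event=password_reset account=m.lee caller=+15550177 agent=hd01
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")
RESET_EVENTS = {"mfa_reset", "password_reset"}


def parse_log(text):
    """Parse 'timestamp key=value ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than fail the whole run
        fields = dict(tok.split("=", 1) for tok in m.group("kv").split())
        fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        events.append(fields)
    return events


def find_repeated_resets(events, threshold=3, window=timedelta(hours=24)):
    """Accounts with >= threshold reset events inside any sliding window."""
    by_account = defaultdict(list)
    for e in events:
        if e.get("event") in RESET_EVENTS:
            by_account[e["account"]].append(e["ts"])
    flagged = {}
    for account, times in by_account.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            if j - i + 1 >= threshold:
                flagged[account] = j - i + 1
                break
    return flagged


def find_shared_callers(events, threshold=2):
    """Caller numbers that requested resets on >= threshold distinct accounts."""
    accounts_by_caller = defaultdict(set)
    for e in events:
        if e.get("event") in RESET_EVENTS and "caller" in e:
            accounts_by_caller[e["caller"]].add(e["account"])
    return {c: sorted(a) for c, a in accounts_by_caller.items() if len(a) >= threshold}


@dataclass
class ResetRequest:
    account: str
    privileged: bool
    callback_verified: bool   # agent called back the number already on file
    approvers: tuple = ()     # distinct agent IDs who signed off


def evaluate_request(req):
    """Policy gate: call-back always; two distinct approvers for privileged accounts.
    Returns ('ALLOW'|'DENY', [reasons])."""
    reasons = []
    if not req.callback_verified:
        reasons.append("no call-back to number on file")
    if req.privileged and len(set(req.approvers)) < 2:
        reasons.append("privileged account requires two distinct approvers")
    return ("DENY" if reasons else "ALLOW", reasons)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("repeated resets:", find_repeated_resets(evs))
    print("shared callers:", find_shared_callers(evs))
    print(evaluate_request(ResetRequest("a.admin", True, True, ("hd01",))))
    print(evaluate_request(ResetRequest("a.admin", True, True, ("hd01", "hd02"))))
```

On the sample data the first detection flags `j.doe` (three resets within about two hours) and the second flags `+15550100`, which requested resets for both `j.doe` and the privileged `a.admin`; the policy gate denies the single-approver reset of `a.admin` and allows it once two distinct agents have signed off. In practice the same checks run against the identity provider's audit export rather than an inline string, and the thresholds are tuned to the help desk's normal volume.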

By implementing these measures, CISOs can close the gaps exploited by Scattered Spider and similar groups. Remember that these attackers thrive on human error. By strengthening verification, automating workflows and fostering a culture of vigilance, you can make their tactics ineffective.

Conclusion

Scattered Spider’s playbook centers on social engineering rather than technical exploits. Their success stems from persuasive phone calls, abundant personal data and weak verification processes. Understanding their tactics (pre‑attack reconnaissance, impersonation, MFA resets and targeting high‑privilege accounts) is the first step to defending against them. CISOs must implement strong identity proofing, phishing‑resistant MFA, scripted workflows and continuous training. By addressing the human layer, organizations can thwart Scattered Spider and stay ahead of evolving threats.
