Scattered Spider has dominated the headlines in recent months and has gained significant attention for its use of help desk scams. Here's how they work and what you can do to protect your organization.
Scattered Spider has dominated the headlines in recent months and has gained significant attention for its use of help desk scams. Here's how they work and what you can do to protect your organization.
Scattered Spider have been busy. Major breaches of UK retailers Marks and Spencer and Co-op resulted in the loss of sensitive data and prolonged disruption to in-store and digital services, with M&S feeling the pain of £300m in lost profits and a share value hit approaching £1b, and a multimillion-pound class action lawsuit and possible ICO fines looming.
A series of attacks against retailers worldwide soon followed, at an unprecedented rate. Dior, The North Face, Cartier, Victoria’s Secret, Adidas, Coca-Cola, and United Natural Foods were among the retailers to suffer a breach between May-June 2025.
The latest news links the hackers to attacks on U.S. insurance giant Aflac, Philadelphia Insurance Companies, and Erie Insurance, disclosed through SEC Form 8-K filings which indicate the theft of sensitive customer data and operational disruption.
The top story from recent campaigns is the use of help desk scams. This typically involves the attacker calling up a company’s help desk with some level of information — at minimum, PII that allows them to impersonate their victim, and sometimes a password, leaning heavily on their native English-speaking abilities to trick the help desk operator into giving them access to a user account.
Help desk scams 101
The goal of a help desk scam is to get the help desk operator to reset the credentials and/or MFA used to access an account so the attacker can take control of it. They’ll use a variety of backstories and tactics to get that done, but most of the time it’s as simple as saying “I’ve got a new phone, can you remove my existing MFA and allow me to enroll a new one?”
From there, the attacker is then sent an MFA reset link via email or SMS. Usually, this would be sent to, for example, a number on file — but at this point, the attacker has already established trust and bypassed the help desk process to a degree. So asking “can you send it to this email address” or “I’ve actually got a new number too, can you send it to…” gets this sent directly to the attacker.
At this point, it’s simply a case of using the self service password reset functionality for Okta or Entra (which you can get around because you now have the MFA factor to verify yourself) and voila, the attacker has taken control of the account.
And the best part? Most help desks have the same process for every account — it doesn’t matter who you’re impersonating or which account you’re trying to reset. So, attackers are specifically targeting accounts likely to have top tier admin privileges — meaning once they get in, progressing the attack is trivial and much of the typical privilege escalation and lateral movement is removed from the attack path.
So, help desk scams have proved to be a reliable way of bypassing MFA and achieving account takeover — the foothold from which to launch the rest of an attack, such as stealing data, deploying ransomware, etc.
Avoiding help desk gotchas
There’s lots of advice for securing help desks being circulated, but much of the advice still results in a process that is either phishable or difficult to implement.
Ultimately, organizations need to be prepared to introduce friction to their help desk process and either delay or deny requests in situations where there’s significant risk. So, for example, having a process for MFA reset that recognizes the risk associated with resetting a high-privileged account:
Require multi-party approval / escalation for admin-level account resets
Require in-person verification if the process can’t be followed remotely
Freeze self-service resets when suspicious behavior is encountered (this would require some kind of internal process and awareness training to raise the alarm if an attack is suspected)
And watch out for these gotchas:
If you receive a call, good practice is to terminate the call and dial the number on file for the employee. But, in a world of SIM swapping, this isn’t a foolproof solution — you could just be re-dialing the attacker.
If your solution is to get the employee on camera, increasingly sophisticated deepfakes can thwart this approach.
But, help desks are a target for a reason. They’re “helpful” by nature. This is usually reflected in how they’re operated and performance measured — delays won’t help you to hit those SLAs! Ultimately, a process only works if employees are willing to adhere to it — and can’t be socially engineered to break it. Help desks that are removed from day-to-day operations (especially when outsourced or offshored) are also inherently susceptible to attacks where employees are impersonated.
Comparing help desk scams with other approaches
Taking a step back, it’s worth thinking about how help desk scams fit into the wider toolkit of tactics, techniques and procedures (TTPs) used by threat actors like Scattered Spider.
Scattered Spider has heavily relied on identity-based TTPs since they first emerged in 2022, following a repeatable path of bypassing MFA, achieving account takeover on privileged accounts, stealing data from cloud services, and deploying ransomware (principally to VMware environments).
Credential phishing via email and SMS (smishing) to harvest passwords en masse
Using SIM swapping (where you get the carrier to transfer a number to your attacker-controlled SIM card) to bypass SMS-based MFA
Using MFA fatigue (aka. push bombing) to bypass app-based push authentication
Using vishing (i.e. directly calling a victim to social engineer their MFA code, as opposed to a help desk attack)
Social engineering domain registrars to take control of the target organization’s DNS, hijacking their MX records and inbound mail, and using this to take over the company’s business app environments
And latterly, using MFA-bypass AiTM phishing kits like Evilginx to steal live user sessions, bypassing all common forms of MFA (with the exception of WebAuthn/FIDO2)
So, help desk scams are an important part of their toolkit, but it’s not the whole picture. Methods like AiTM in particular have spiked in popularity this year as a reliable and scalable way of bypassing MFA and achieving account takeover, with attackers using these toolkits as the de facto standard, getting creative in their detection evasion methods and in some cases, evading standard delivery vectors like email altogether to ensure the success of their phishing campaigns.
Stop identity attacks with Push Security
Modern attacks no longer take place on the endpoint or network — they target identities created and used via the web browser. This means that attacks increasingly take place in the browser (or rather, on resources your employees access through the browser).
Push Security’s browser-based security platform provides comprehensive identity attack detection and response capabilities against techniques like AiTM phishing, credential stuffing, password spraying and session hijacking using stolen session tokens. You can also use Push to find and fix identity vulnerabilities across every app that your employees use, like: ghost logins; SSO coverage gaps; MFA gaps; weak, breached and reused passwords; risky OAuth integrations; and more.
To help combat help desk scams, we recently released Employee Identity Verification Codes — a simple, browser-based identity check that gives your help desk a reliable way to confirm they’re talking to someone from your organization.
It enables legitimate help desk callers to quickly verify that they’re in possession of their primary device (i.e. laptop) by relaying a rotating 6-digit verification code in their browser via the Push extension. This is a great way to securely confirm caller identity and sniff out fraudulent callers, and can be used as part of a phishing-resistant help desk process.
Get started today!
You can use Employee Verification Codes as a free tool by installing the Push browser extension. Simply sign up for a trial account and you can deploy the extension organization-wide to make use of this feature. While you’re at it, you can trial Push’s full features for up to 10 users for free.
Or if you want to learn more about how Push helps you to detect and defeat common identity attack techniques, book some time with one of our team for a live demo.
