How Scattered Spider Social Engineering Attackers Target Helpdesks

Written by Eileen Smith | July 2, 2025

A growing cybersecurity threat is employing new methods to carry out social engineering attacks by impersonating employees and C-suite executives alike, bypassing traditional cybersecurity controls.

The latest cyber threat, known as Scattered Spider, is actually an international cyber gang that uses sophisticated tactics to exploit human vulnerabilities rather than technical security defects.

Unlike typical social engineering schemes, attackers carry out this latest cyber threat by impersonating company executives to specifically target your helpdesk team.

The cybercriminals are then able to convince helpdesk team members to take some action, like changing authentication or login credentials — unwittingly giving them a foothold into your systems.

The group has been linked to attacks on U.K. and U.S. retailers, but has since targeted airlines, technology companies, and insurers, along with their third-party vendors.

A spate of recent social engineering cyberattacks has been attributed to Scattered Spider, prompting the FBI to issue a warning.

Like a tsunami, the attacks have grown in size and strength, leaving a path of destruction in their wake.

In this article, we’ll explore this latest cyber threat and provide steps you can take to protect your business and sensitive data from these increasingly surreptitious tactics.

What Is Scattered Spider? How Are Attacks Carried Out?

As with other social engineering attacks, the criminal enterprise behind Scattered Spider isn't trying to force their way into your network.

Rather, these cybercriminals circumvent traditional cybersecurity hardware and software tools by relying instead on exploiting human vulnerabilities. 

In these types of attacks, which frequently target C-suite executives, bad actors often bypass common security tools using a variety of methods. Frequently targeted officials include chief financial officers (CFOs), chief operating officers (COOs), chief information security officers (CISOs), and system administrators.

As with other types of social engineering, the bad actors behind this latest scheme secretly gather key background information on high-value targets within an organization by strategically combing public online sources, like social media pages and the web.

They use that information to develop a profile and build trust with the target. Often, this trust-building exercise is spread out over a period of time before they ask the individual to do something, typically through one of several phishing scams.

According to the FBI, attackers have been targeting large corporations and their third-party vendors, creating a snowball effect in which a single successful compromise puts many downstream businesses at risk.

"These actors rely on social engineering techniques, often impersonating employees or contractors to deceive IT help desks into granting access," the agency said in an alert on X.

"These techniques frequently involve methods to bypass multi-factor authentication (MFA), such as convincing help desk services to add unauthorized MFA devices to compromised accounts."

They may even impersonate helpdesk staff to trick other individuals within your organization or at third-party vendors into taking some adverse action that gives the attackers unauthorized access.

Once they get access, the threat actors use the stolen credentials to snoop through your sensitive business records, files, and communications and scope out your contacts. They can then take control of your systems, effectively shutting down your operations.

Then, they can use the stolen information as an extortion chip as part of a larger ransomware attack, malware attack, or data breach.

Related Article: Ransomware Target: How Secure Is Your Virtual Private Network (VPN)?

What Are Some Recent Scattered Spider Cyberattacks?

In a well-coordinated attack that occurred in late May, Scattered Spider operatives targeted the chief financial officer (CFO) of an unnamed company. They used the executive’s stolen credentials to take control of critical internal systems and functions.

The cybercriminals were able to carry out the expansive attack with precision.

The multi-pronged attack reportedly started after the malicious actors used the organization’s public-facing Oracle cloud portal to steal the CFO’s single sign-on credentials, according to ReliaQuest.

They also managed to do some additional digging to obtain the last four digits of the CFO’s social security number and date of birth. Then, posing as the CFO, the attackers exploited the helpdesk’s implicit trust to convince it to reset the MFA device and account authentication credentials, according to the ReliaQuest report.

Once this was accomplished, the threat actors had unfettered access to the organization’s systems and data.

Armed with privileged administrator access, the attackers were then able to locate and steal vast quantities of secret information, compromise on-premises systems, and take control of the company’s cloud environment.

In addition, cybercriminals were then able to spread the attack to the organization’s third-party vendors and partners.

In another recent security incident targeting supplemental insurer Aflac, the tactics mirrored those used in a string of recent Scattered Spider attacks targeting the insurance sector.

On June 20, the company disclosed that on June 12, 2025, it detected unauthorized activity on its network. This marked the third attack against an insurance company within the same week.

Aflac has said it’s still in the process of assessing the damage, including to what extent personal information was stolen or compromised, such as social security numbers, health records, claims information, and other sensitive data.

In the meantime, it said its operations are continuing as normal.

The latest round of attacks has been targeting the aviation industry, with several airlines impacted, including U.S.-based Hawaiian, Canada's WestJet, and earlier this week, Australian airline Qantas.

What To Watch For With Scattered Spider & Other Social Engineering Attacks

Although the bad actors behind Scattered Spider are using stealthy measures to prevent detection, there are signs to watch out for with these and similar social engineering threats.

They include:

  • Newly created domain names (most domains used by Scattered Spider threat actors are less than a week old)

  • Domains featuring keywords like “helpdesk,” “vpn,” “sso,” and “Okta,” along with old domain names previously used by a company

  • Urgent requests to your helpdesk, particularly from internal C-suite executives, to change device or account credentials or reset passwords, usually through phishing or smishing attempts (see below)

  • Suspicious multi-factor authentication (MFA) requests, including requests for MFA password resets or one-time passcodes, or repeated MFA notifications within a short time span

  • Unexpected requests for remote access

  • Login attempts to privileged accounts from unusual IP addresses
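The indicators above are easiest to act on when they are checked automatically against identity and helpdesk logs. The following is an added example, not code from the original article or from Kelser: a small Python triage routine that runs over constructed sample events (an assumed event format, hypothetical users and RFC 5737 test IPs) and flags young lure domains with helpdesk/vpn/sso/okta keywords, bursts of MFA pushes, a helpdesk MFA reset on a privileged account followed by a new MFA device enrollment, and privileged logins from unfamiliar IP addresses.

```python
from datetime import datetime, timedelta

# Indicators drawn from the article: young domains with helpdesk/vpn/sso/okta keywords,
# bursts of MFA pushes, a helpdesk MFA reset on a privileged account followed by a new
# MFA device, and privileged logins from unfamiliar IPs.
LURE_KEYWORDS = ("helpdesk", "vpn", "sso", "okta")
PRIVILEGED = {"cfo", "coo", "ciso", "sysadmin"}
# Hypothetical baseline of known source IPs per privileged user (constructed data).
KNOWN_IPS = {"cfo": {"203.0.113.10"}, "sysadmin": {"203.0.113.20"}}

# Constructed sample events in an assumed normalized log format (not from the article).
EVENTS = [
    {"ts": "2025-06-12T09:00:00", "type": "dns_query", "user": "cfo",
     "domain": "acme-sso-helpdesk.com", "domain_age_days": 2},
    {"ts": "2025-06-12T09:05:00", "type": "mfa_push", "user": "cfo"},
    {"ts": "2025-06-12T09:05:30", "type": "mfa_push", "user": "cfo"},
    {"ts": "2025-06-12T09:06:00", "type": "mfa_push", "user": "cfo"},
    {"ts": "2025-06-12T10:00:00", "type": "helpdesk_mfa_reset", "user": "cfo"},
    {"ts": "2025-06-12T10:07:00", "type": "mfa_device_enrolled", "user": "cfo"},
    {"ts": "2025-06-12T10:20:00", "type": "login", "user": "cfo", "src_ip": "198.51.100.7"},
    {"ts": "2025-06-12T11:00:00", "type": "login", "user": "sysadmin", "src_ip": "203.0.113.20"},
]

def _t(e):
    return datetime.fromisoformat(e["ts"])

def triage(events, push_window=timedelta(minutes=5), push_threshold=3,
           reset_window=timedelta(hours=1), max_domain_age_days=7):
    # Returns (indicator, user, detail) tuples, one per matched indicator.
    alerts = []
    events = sorted(events, key=_t)
    for i, e in enumerate(events):
        u = e["user"]
        if e["type"] == "dns_query":
            d = e["domain"].lower()
            if e["domain_age_days"] < max_domain_age_days and any(k in d for k in LURE_KEYWORDS):
                alerts.append(("young_lure_domain", u, d))
        elif e["type"] == "mfa_push":
            recent = [x for x in events[:i + 1] if x["user"] == u and x["type"] == "mfa_push"
                      and _t(e) - _t(x) <= push_window]
            if len(recent) == push_threshold:  # fire once, when the burst crosses the threshold
                alerts.append(("mfa_push_burst", u, f"{len(recent)} pushes in {push_window}"))
        elif e["type"] == "helpdesk_mfa_reset" and u in PRIVILEGED:
            enrol = next((x for x in events[i + 1:] if x["user"] == u
                          and x["type"] == "mfa_device_enrolled"
                          and _t(x) - _t(e) <= reset_window), None)
            if enrol:  # new factor added shortly after a helpdesk reset: verify out of band
                alerts.append(("reset_then_new_mfa_device", u, enrol["ts"]))
        elif e["type"] == "login" and u in PRIVILEGED and e["src_ip"] not in KNOWN_IPS.get(u, set()):
            alerts.append(("privileged_login_unfamiliar_ip", u, e["src_ip"]))
    return alerts
```

Running `triage(EVENTS)` on the sample data yields four alerts, all for the hypothetical CFO account, and none for the sysadmin login from a known address.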

What Are Other Common Examples of Social Engineering?

Scattered Spider is just the latest in a rapidly changing threat landscape. There are many other ways attackers can try to trick users into unknowingly taking some adverse action that gives them an opening into your systems, despite the security guardrails you have in place.

Related Article: How an IT Provider in Connecticut Can Help You Avoid Social Engineering Attacks

Other methods include: 

  • Business email compromise (BEC): fraudulent emails targeting high-value company officials

  • Vishing: voice phishing or fake voicemail messages or phone calls

  • Smishing: fake SMS text messages

  • SIM swapping: transfers a user’s legitimate phone number to a SIM card controlled by an attacker, so that SMS codes and calls reach the attacker instead

  • Token theft: uses stolen authentication tokens to bypass MFA and other access controls

  • Login credential theft or credential harvesting: steals login information, including usernames and passwords, to gain unauthorized access

Related Article: How Token Theft Bypasses MFA & How Conditional Access Can Reduce Risk

7 Steps You Can Take To Avoid Social Engineering Traps

Social engineering attacks can have devastating consequences, such as operational disruptions, data loss, significant recovery costs, reputational damage, revenue loss, and even legal and regulatory consequences.

Although threats are constantly evolving, there are concrete steps your business can take to mitigate the chances of falling prey to a social engineering scheme.

They include:

1. Develop a security strategy

Map out the security protocols, policies, and procedures employees must follow as part of your company’s overall security strategy.

A comprehensive security plan for your environment will help ensure that you implement the right security equipment, software, and policies to protect your critical data. It also helps ensure continuing compliance with regulatory and industry requirements.

Related Article: Why A Weak Or Outdated Cybersecurity Policy Puts Your Business At Risk

2. Provide employee security awareness education

Provide regular employee cybersecurity awareness training to educate your team about new and emerging cyber threats, how to spot them, and how best to avoid them. Your training program, which should involve your entire team, should include real-world modules with simulated social engineering and phishing attempts.

Employee training is critical since employees are your first line of defense against cyber incidents. Human error is the leading cause of data breaches.

3. Establish tighter helpdesk protocols

Strengthen helpdesk identity verification processes and procedures when onboarding a customer’s new employee or device, or when asked to reset the credentials of an existing employee (particularly a C-suite executive). 

4. Develop strict access controls

Establish strict access controls, including strong passwords and role-based access controls (RBAC). RBAC limits access to your data, systems, devices, and other IT resources to authorized users based on pre-determined parameters.

5. Use advanced anti-phishing software

Use software to spot and block phishing found in emails, messages, websites, and other sources to mitigate risks.

6. Perform vulnerability scans and penetration testing

Regularly perform vulnerability scans to find hidden defects and conduct controlled penetration testing to gauge how effective your security controls are at detecting and blocking threats.

7. Adopt endpoint detection and response (EDR)

Implement an endpoint detection and response (EDR) system to enhance visibility across your infrastructure, track unusual activity, quarantine potential threats, and send automatic alerts to your team.

The Bottom Line With Scattered Spider & Social Engineering Attacks

After reading this article, you now understand how the cybercriminals behind Scattered Spider craftily compile background information on an executive target, then exploit human error at the helpdesk as a workaround to security controls in order to gain unauthorized access to your network.

Although cybercriminals are constantly looking for ways to infiltrate your systems to steal or compromise your data for financial gain, there are proactive measures you can put in place to reduce the chances of a data breach or cyber incident.

A big part of data security starts with your employees. Check this article to learn more about how providing employee security awareness training can arm your team with critical information about emerging cyber threats and the evolving tactics being used to carry out cyberattacks.

At Kelser, a managed services provider (MSP), we have helped hundreds of customers test their networks for vulnerabilities.

We know that managed IT isn’t right for everyone, but if you don’t have the in-house staff to handle your day-to-day IT challenges and establish robust, proactive security controls, our team can provide the expert guidance you need to help you evaluate and implement cybersecurity solutions tailored to meet your unique business needs.

If you're unsure what your organization's current security posture is, click the button below to get your no-obligation cybersecurity checklist.