One Phone Call to IT Support Cost M&S £131 Million. Here's What SMBs Should Know.

Reza

Last week, Marks and Spencer reported that its 2025/26 annual profits fell 24% - a direct result of a cyberattack that cost the company £131.3 million in disclosed costs and forced seven weeks of suspended online clothing orders. The attack disrupted click-and-collect services, hit food availability in stores, and added unexpected logistics and waste costs throughout their supply chain.

What matters here isn't the size of M&S. It's how the attackers got in.

The group responsible - Scattered Spider - reportedly gained initial access by calling M&S's IT help desk and impersonating employees to get authentication credentials reset. No zero-day exploit. No malware dropped through a phishing email. A phone call. That's the whole entry point.

This tactic works against organizations of every size, and it's worth understanding how - because the same gaps that existed at M&S exist at thousands of small and mid-sized businesses right now.

How the Attack Worked

Scattered Spider is a threat group that specializes in social engineering - specifically targeting IT help desks and identity platforms. Their core technique exploits something built into every IT support role: the instinct to be helpful and solve problems quickly.

In the M&S case, attackers reportedly called IT support posing as employees and requested that authentication credentials be reset. Once a help desk agent completed the reset, the attackers had valid access to internal systems. From there, they moved laterally through the network, escalated privileges, and eventually deployed ransomware that took systems offline for weeks.

Scattered Spider used the same playbook against MGM Resorts in 2023, reportedly spending around 10 minutes on the phone with a help desk agent before gaining access. The M&S breach shows the approach is still working years later - because the vulnerability isn't technical, it's procedural.

Why Help Desk Vishing Is So Hard to Stop

Help desk social engineering, sometimes called vishing (voice phishing), is effective for a few specific reasons:

Urgency pressure works. Attackers typically impersonate a senior employee or someone who sounds frustrated and time-pressed - "I'm traveling, I'm locked out, I need this fixed now." The social pressure to resolve it quickly overrides the impulse to slow down and verify carefully.

Verification procedures are often informal. Many organizations don't have documented, consistently enforced processes for confirming identity before performing a credential reset. A name, employee ID, or plausible-sounding story can be enough to get through.

Help desk teams are measured on speed. Resolution time is a common support metric. That creates a structural incentive to close tickets fast - which directly conflicts with taking extra steps to verify who's actually on the phone.

It routes around technical controls. Email filtering never sees the attack, endpoint detection has nothing to flag until the attacker is already logged in as a real user, and MFA only holds if the help desk refuses to reset or re-enroll the second factor on a caller's say-so. The attack lives in the gap between your technical defenses and your human processes.

The Full Cost Is Larger Than the Disclosed Figure

M&S's £131.3 million figure covers direct breach-related costs - incident response, system recovery, legal fees, and logistics disruption. It doesn't fully capture seven weeks of lost online clothing revenue, ongoing reputational impact, or the months of leadership attention diverted from running the business.

For a smaller business, the numbers are different but the proportions aren't. A breach that takes systems offline for even a week can affect payroll processing, customer orders, vendor payments, and employee productivity simultaneously. Most SMBs don't carry the reserves to absorb that kind of disruption without consequences that last well beyond the breach itself.

IBM's Cost of a Data Breach research consistently shows that early detection and containment dramatically reduce total cost. The longer an attacker operates inside your environment undetected, the more they can access, the more they can damage, and the more expensive the recovery becomes. M&S's attackers had enough time to deploy ransomware across multiple systems before detection - earlier visibility would have changed that outcome.

What Help Desk Security Looks Like in Practice

Protecting your IT help desk from social engineering doesn't require expensive tooling. It requires consistent processes and the organizational permission to follow them even when callers push back. Here's what actually works.

Second-Channel Identity Verification for Every Credential Reset

Every credential reset - whether requested by phone, ticket, or chat - should require verification through a channel the caller doesn't also control. In practice, this means:

  • A push notification to the employee's registered device via your identity platform (Okta, Microsoft Entra ID, Duo, or similar)
  • A callback to a phone number already registered in your HR or identity system - not a number the caller provides on the spot
  • Supervisor authorization for accounts with admin or elevated privileges
  • A time-delayed reset for high-privilege accounts, creating a window for security monitoring to catch anything unusual

The principle is simple: the verification channel needs to be one the attacker can't also control. Confirming someone's identity by asking questions they could have researched in advance (name, employee ID, manager, start date) doesn't verify anything. The same rule applies when the caller says they've lost the phone that holds their MFA: re-enrolling a second factor on the strength of a phone call removes the very channel the push notification relies on, so that request needs a callback to the HR-registered number or supervisor sign-off, not just the call itself.

Tiered Procedures for Privileged Accounts

Not every account carries the same risk. Resetting credentials for a standard user is very different from resetting them for a domain administrator, a finance system account, or anyone with access to sensitive data. Build more friction into high-privilege resets - more verification steps, a supervisor approval, or a mandatory hold period.

Some security teams add a 30- to 60-minute delay before admin-level resets take effect. Even if an attacker tricks the help desk, that window gives monitoring systems a chance to catch the anomaly before the attacker can use the access.
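As an added worked example (not code from the original post, and not M&S's or any vendor's procedure), the two sections above reduce to a small policy check that a ticketing system or help-desk script could run before a reset is actioned. The tier names, hold windows and catalogue of verification methods are assumptions chosen for the example. The fixed rules are the ones the text argues for: every reset needs at least one verification on a channel the caller cannot control, privileged tiers need a supervisor in the loop plus a hold, and re-enrolling an MFA device needs a second caller-independent channel because it removes the push channel itself.

```python
"""Help-desk credential-reset policy check (illustrative example only).

Tier names, hold times and the verification-method catalogue below are
assumptions for the example, not any organisation's real procedure.
"""
from dataclasses import dataclass, field
from enum import Enum


class Tier(Enum):
    STANDARD = "standard"     # ordinary user account
    SENSITIVE = "sensitive"   # finance, HR, data-access roles
    ADMIN = "admin"           # domain / tenant / identity-platform admins


# Verification methods and whether the caller could control that channel.
# Knowledge-based checks are researchable in advance; a callback to a number
# the caller supplied on the spot is under the caller's control.
CALLER_CONTROLLED = {
    "security_questions": True,
    "employee_id": True,
    "callback_caller_supplied_number": True,
    "push_registered_device": False,   # IdP push to the already-enrolled device
    "callback_hr_number": False,       # number taken from the HR/identity record
    "supervisor_approval": False,      # a second human, out of band
}

# Minutes a reset is held before it takes effect, by tier (assumed values).
HOLD_MINUTES = {Tier.STANDARD: 0, Tier.SENSITIVE: 30, Tier.ADMIN: 60}


@dataclass
class ResetRequest:
    account: str
    tier: Tier
    verifications: set = field(default_factory=set)
    resets_mfa_device: bool = False   # caller also wants the MFA factor swapped


@dataclass
class Decision:
    allowed: bool
    hold_minutes: int
    reasons: list


def evaluate(req: ResetRequest) -> Decision:
    """Decide whether the help desk may action the reset, and after what hold."""
    reasons = []
    unknown = req.verifications - set(CALLER_CONTROLLED)
    if unknown:
        reasons.append(f"unknown verification method(s): {sorted(unknown)}")

    # Rule 1: at least one verification on a channel the caller cannot control.
    independent = {v for v in req.verifications if CALLER_CONTROLLED.get(v) is False}
    if not independent:
        reasons.append("no verification on a caller-independent channel")

    # Rule 2: swapping the MFA device removes the push channel, so the request
    # needs a different independent channel (HR callback or supervisor).
    if req.resets_mfa_device and not (independent - {"push_registered_device"}):
        reasons.append("MFA re-enrollment needs a non-push independent verification")

    # Rule 3: privileged tiers need a supervisor in the loop.
    if req.tier is not Tier.STANDARD and "supervisor_approval" not in req.verifications:
        reasons.append(f"{req.tier.value} account requires supervisor approval")

    allowed = not reasons
    return Decision(allowed, HOLD_MINUTES[req.tier] if allowed else 0, reasons)


if __name__ == "__main__":
    # The vishing scenario: a convincing story, a memorised employee ID and a
    # "call me back on this number" all fail, because the caller controls them.
    attacker = ResetRequest("m.jones", Tier.STANDARD,
                            {"employee_id", "security_questions",
                             "callback_caller_supplied_number"})
    print("attacker:", evaluate(attacker))
    # A legitimate admin reset: push to the enrolled device plus a supervisor,
    # then a 60-minute hold so monitoring has a window to notice anything odd.
    admin = ResetRequest("da-admin", Tier.ADMIN,
                         {"push_registered_device", "supervisor_approval"})
    print("admin:", evaluate(admin))
```

Running the block prints a denial with two reasons for the first request and an approval with a 60-minute hold for the second. The design choice worth noting is that a caller-supplied callback number is classed with security questions rather than with an HR-record callback: the channel, not the act of calling back, is what the verification rests on.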

Security Awareness Training That Covers the Phone

Most security awareness training programs focus on phishing emails. That's important, but it's not the complete picture. Anyone who handles support requests - your internal IT team, a front desk that routes calls, an outsourced help desk - needs specific training on recognizing phone-based social engineering.

Effective vishing awareness training:

  • covers the psychological tactics attackers use (urgency, authority, name-dropping, manufactured frustration)
  • gives staff clear permission to slow down and verify even when callers push back
  • includes practice with simulated vishing scenarios
  • provides a defined script for declining requests that don't meet verification requirements

The goal is to make "I need to verify your identity before I can do this" feel like a normal professional response rather than a personal confrontation.

Zero-Trust Identity Thinking

The underlying principle is zero trust applied to human verification: don't assume that because someone knows an employee's name and department, they are that employee. Identity should be verified through systems, not just through conversation.

Modern managed cybersecurity platforms include identity threat detection that flags anomalous authentication events - a credential reset followed immediately by a login from an unusual location, an account accessing systems it hasn't touched before, or new admin accounts created outside normal business hours. These detections don't prevent the initial social engineering, but they can catch an attacker before significant damage is done.

What Happens After the First Login

Even with strong verification controls, breaches happen. The question becomes how quickly you detect and contain them. M&S's experience shows what an undetected breach looks like when attackers have enough time to establish persistence, move laterally, and deploy ransomware across multiple systems.

A managed Security Operations Center monitors specifically for the behavior that follows a successful credential compromise - unusual login times, a new MFA device registered minutes after a reset, bulk data access, lateral movement between systems, new privileged account creation. These signals typically live in identity-provider sign-in and directory audit logs rather than on the endpoint, so standard endpoint tools often don't fire on them, but they are visible to analysts who correlate those logs.
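The detections described in the "Zero-Trust Identity Thinking" section and in the paragraph above (a reset followed by a login from an unusual location, a new device, or a fresh admin role) come down to correlating identity-provider events around each help-desk reset. The block below is an added example, not the original post's code and not any SOC product's detection logic; the event shape and field names, the 30-minute window, the per-user country baseline, the role names and the sample log lines are all constructed for the example.

```python
"""Post-reset anomaly detection over identity-provider audit events.

Added example. The JSON event format, field names, scoring weights, role
names and the sample events are assumptions constructed for illustration.
"""
import json
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)                          # assumed correlation window
ADMIN_ROLES = {"Global Administrator", "Domain Admins"}  # assumed role names

# Constructed sample events, newline-delimited JSON (not real logs).
# "jane" is a legitimate reset; "mark" follows the help-desk vishing pattern:
# reset, new MFA device, login from an unseen country, then an admin role.
SAMPLE_LOG = """
{"ts":"2025-04-17T09:02:00Z","type":"help_desk_reset","user":"jane","actor":"helpdesk1"}
{"ts":"2025-04-17T09:04:10Z","type":"login","user":"jane","country":"GB","device":"known"}
{"ts":"2025-04-17T13:30:00Z","type":"help_desk_reset","user":"mark","actor":"helpdesk2"}
{"ts":"2025-04-17T13:31:05Z","type":"mfa_device_registered","user":"mark","device":"new"}
{"ts":"2025-04-17T13:33:40Z","type":"login","user":"mark","country":"NG","device":"new"}
{"ts":"2025-04-17T13:41:00Z","type":"role_assigned","user":"mark","role":"Global Administrator"}
{"ts":"2025-04-17T22:15:00Z","type":"login","user":"jane","country":"GB","device":"known"}
"""

# Countries each user normally signs in from. Assumed here; in practice this
# is built from the user's previous 30-90 days of sign-in history.
BASELINE_COUNTRIES = {"jane": {"GB"}, "mark": {"GB"}}


def parse(log_text):
    """Parse newline-delimited JSON events and sort them by timestamp."""
    events = []
    for line in log_text.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect(events, baseline=BASELINE_COUNTRIES, window=WINDOW, threshold=3):
    """Return one alert per help-desk reset whose follow-on activity looks hostile.

    Each reset opens a window; suspicious events for the same user inside it
    add to a score, and the reset is alerted when the score reaches threshold.
    """
    alerts = []
    for reset in (e for e in events if e["type"] == "help_desk_reset"):
        user, t0 = reset["user"], reset["ts"]
        followers = [e for e in events
                     if e["user"] == user and t0 < e["ts"] <= t0 + window]
        score, findings = 0, []
        for e in followers:
            if e["type"] == "mfa_device_registered" and e.get("device") == "new":
                score += 2
                findings.append("new MFA device registered after reset")
            elif e["type"] == "login":
                if e.get("country") not in baseline.get(user, set()):
                    score += 2
                    findings.append(f"login from unseen country {e.get('country')}")
                if e.get("device") == "new":
                    score += 1
                    findings.append("login from unseen device")
            elif e["type"] == "role_assigned" and e.get("role") in ADMIN_ROLES:
                score += 3
                findings.append(f"privileged role assigned: {e['role']}")
        if score >= threshold:
            alerts.append({"user": user, "reset_by": reset["actor"],
                           "reset_at": t0.isoformat(), "score": score,
                           "findings": findings})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(json.dumps(alert, indent=2))
```

Run as-is it reports one alert, for "mark", with a score of 8 and four findings, and nothing for "jane", whose post-reset login came from her usual country on a known device. The point of anchoring on the reset event rather than on any single anomaly is that a new device or a foreign login can each be innocent on their own; the combination inside a short window after a help-desk-initiated reset is the signature of the attack this post describes, and a 30- to 60-minute hold on privileged resets is what gives this check time to fire.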

For most SMBs without dedicated security analysts on staff, a managed SOC provides that monitoring capability without the overhead of building an internal team. Think of it as the difference between having security cameras and having someone actually watching the footage.

An Honest Self-Assessment

Here's a useful question to ask about your organization: is your IT help desk a security control, or a potential attack path?

If your team regularly processes credential resets by phone without a documented verification process, that's a gap worth closing - not because the people doing it are careless, but because without a defined process, security depends entirely on individual judgment under social pressure, and attackers know how to work that.

A few things worth reviewing internally:

  • Do you have a written procedure for verifying identity before any credential reset?
  • Is it followed consistently, or does it get skipped under pressure?
  • Can a phone call alone ever result in an MFA device being reset or re-enrolled?
  • Do you have stricter procedures for admin and privileged accounts than for standard users?
  • Does your security awareness training cover phone-based social engineering, not just email phishing?
  • Would you have visibility into anomalous login behavior following a credential reset?

If the answers are mostly "not sure" or "probably not," a security audit that maps your actual procedures against these gaps is a reasonable starting point. Burgi Technologies works with businesses across Orange County on exactly this kind of assessment - looking at procedural controls alongside technical ones, because that's where attacks like the M&S breach actually succeed.

If you'd like a practical conversation about where your help desk security stands, reach out here or call us at (949) 381-1010.

Frequently Asked Questions

What is help desk social engineering (vishing)?

Vishing is a form of social engineering where an attacker calls your IT support team, impersonates an employee, and uses psychological pressure to get credentials reset or access granted. No technical exploit is needed - the attacker just needs to be convincing enough to get a help desk agent to skip normal verification steps.

How did the M&S cyberattack happen?

Marks and Spencer was reportedly attacked by a group called Scattered Spider, who called the company's IT help desk posing as employees to get authentication credentials reset. Once they had valid credentials, they moved through internal systems and deployed ransomware. M&S disclosed £131.3 million in direct costs and a 24% drop in annual profits as a result of the breach.

Can this type of attack target small businesses?

Yes. The social engineering tactics that worked against M&S work equally well against smaller companies - and often more easily, because security procedures at smaller organizations tend to be less formalized. The attack doesn't require identifying a high-value target; it just needs a help desk and a gap in verification procedures.

What is the single most effective change for help desk security?

Implementing mandatory second-channel verification before any credential reset. This means the person requesting the reset must confirm their identity through a push notification to their enrolled device - not just by answering questions on the phone. Combined with training that covers phone-based social engineering, this addresses the core of the vulnerability without requiring significant technical investment.

What should I look for in a managed IT provider's security approach?

Ask specifically about their identity verification procedures for help desk interactions, whether their security awareness training includes phone-based social engineering scenarios, and whether they provide SOC-level monitoring for anomalous authentication activity. A provider that can only describe technical tools but not their procedural controls around identity verification may have the same gap that enabled the M&S breach.
