Jul 24, 2025
Ross Lazerowitz
Co-Founder and CEO
Scattered Spider is a hacking collective infamous for breaching companies not through high-tech exploits, but by exploiting help desk trust. In one recent case, bleach maker Clorox suffered a massive cyberattack after a hacker simply called their outsourced IT support and requested a password reset – and the help desk complied. This intruder belonged to “Scattered Spider,” a loose band of young, English-speaking hackers who thrive on social engineering over malware. Their attacks target the human factor, tricking IT support agents into granting access, with devastating results.
The Help Desk: A Prime Target for Social Engineering
Why do groups like Scattered Spider go after help desks? Simply put, a corporate IT support desk has the “keys to the kingdom” in terms of credentials and access. Help desk staff can reset passwords, disable multifactor authentication (MFA), or provision new accounts – all actions that can instantly bypass technical security measures if done without proper verification. Attackers know that support agents are trained to be helpful and quick to resolve issues, making them vulnerable to impersonation. By calling with a sense of urgency or authority, a hacker can lower an agent’s guard. As the UK’s National Cyber Security Centre warned after a spree of such attacks, organizations must “be wary of phony IT helpdesk calls,” because these low-tech ploys can yield high-impact breaches.
Several factors make the help desk an attractive target:
Human nature to help: Support agents want to fix problems quickly. A clever imposter, especially one who speaks the company’s language and lingo, can exploit an agent’s instinct to assist.
High privileges: By design, service desk personnel can reset accounts or MFA. A successful con trick gives attackers legitimate credentials or disables security controls in one stroke.
No malware needed: Social engineering lets attackers walk in the front door. There’s no need to hack firewalls or exploit software bugs if you can simply convince someone to let you in.
Speed and stealth: A well-crafted vishing (voice phishing) call can yield access in minutes and often doesn’t trigger alarms – the request appears as just another IT support task. In many cases, no antivirus or SIEM will ever flag a phone call.
In short, help desks offer a high-leverage, low-resistance entry point. Scattered Spider has weaponized this insight, turning basic support interactions into a gateway for full-scale cyberattacks.
Inside Scattered Spider’s Playbook: How They Hack the Help Desk
Scattered Spider’s tactics are methodically simple yet devastatingly effective. Understanding their playbook is the first step in defending against it. Here’s how a typical Scattered Spider attack unfolds:
Reconnaissance: The attackers start by researching the target organization and its people. They scrape LinkedIn, company org charts, and data breaches to collect employee names, roles, and even internal jargon. The goal is to craft a convincing persona – for example, a senior employee or a distressed user – to impersonate during the attack. They may even set up fake domains or caller ID spoofing (e.g., mimicking an internal number) to appear legitimate.
Impersonation & Vishing: Armed with this intel, the hacker contacts the IT help desk pretending to be an employee in need of urgent assistance. Scattered Spider is known to impersonate high-ranking staff members (such as a VP traveling who’s locked out) or other trusted personas. The caller uses a convincing pretext – “I’m about to present to the client but I’m locked out!” or “My phone was stolen, I need my 2FA reset ASAP” – and often adopts a friendly but stressed tone to pressure the support agent. They’ll drop insider lingo (“Can you push an Okta reset like you did for Mike last week?”) and even engage in small talk about the local weather or sports, all to sound credible. By establishing rapport and urgency, the attacker persuades the help desk staff to bend the rules.
Credential Reset & MFA Bypass: The moment of truth arrives when the imposter requests a password reset or MFA override for the account they claim to own. If the help desk does not strictly verify the caller’s identity, the attacker wins. In the Clorox breach, “the cybercriminal just called the service desk, asked for credentials… and Cognizant handed the credentials right over.” This is, unfortunately, not an isolated incident – many Scattered Spider attacks have succeeded simply by asking. In some cases, attackers also exploit technical tricks, such as “MFA fatigue” (spamming a user’s authentication app with push requests until they accidentally approve one) or SIM-swapping a user’s phone to intercept OTP codes. But often, these extra steps aren’t even needed. With a new password or disabled MFA in hand, the attacker now has valid user access to the network.
Network Breach and Extortion: Using the compromised account, Scattered Spider operators swiftly escalate privileges and spread within the victim’s systems. They exploit any accessible admin tools (VPN, RDP, remote support software, etc.) and “live off the land” – meaning they leverage built-in system utilities (PowerShell, credential managers, etc.) instead of using obvious malware, to stay under the radar. Once they reach critical systems or sensitive data, the group often hands off to or collaborates with a ransomware affiliate to deploy encryption malware. Scattered Spider has acted as an initial access broker for major ransomware gangs (like ALPHV/BlackCat and others), so a network they penetrate may suddenly get hit with ransomware and data theft. This “double extortion” playbook – stealing data, then locking systems – maximizes pressure on the victim. In the MGM Resorts hack, for example, Scattered Spider’s phone call to the help desk led to domain-wide ransomware that paralyzed operations for a week. The casino incurred an estimated $100 million in losses from that single intrusion.
Each of these steps relies on deceiving a person or abusing a process, rather than cracking any code. That’s why traditional security tools sometimes fail to catch these attacks until it’s far too late. By then, the intruders are inside with legitimate credentials, often blending in with normal IT activity.
Real Incidents: Big Breaches from a Simple Phone Call
This social engineering formula isn’t just theoretical. Scattered Spider has pulled it off against numerous high-profile companies across industries. Their campaign, launched in 2022, has targeted over 100 organizations, ranging from telecoms to banks to cloud providers. Here are a few striking examples of the damage caused:
MGM and Caesars (Sept 2023): In a pair of Las Vegas casino hacks, Scattered Spider showed the world the havoc a phone call can wreak. At MGM Resorts, attackers phoned an IT help desk and impersonated an employee, tricking their way into MGM’s network. They then unleashed ransomware (BlackCat) that shut down casino floors, hotels, and websites for days. MGM reportedly lost ~$100 million from the outage. Caesars Entertainment was hit the same week – intruders gained access via an external IT support vendor and stole a treasure trove of customer data, including driver’s license and possibly Social Security numbers. Caesars opted to quietly pay a $15 million ransom to prevent the data from being leaked. These casino attacks proved that a convincing voice on the phone could defeat a Fortune-500 company’s defenses.
Marks & Spencer (London): The UK retailer M&S was another victim of Scattered Spider’s help desk deception. In April 2025, hackers duped a third-party IT service desk into resetting an M&S employee’s password, which allowed them to infiltrate the retailer’s network. The attackers deployed ransomware (dubbed “DragonForce” by investigators) that forced M&S to halt online orders and disrupt stores nationwide. This attack, along with similar breaches at UK grocery chain Co-Op and luxury store Harrods, prompted Britain’s NCSC to issue warnings about fake support calls. Authorities later arrested four people (mostly teenagers) in connection with the retail hacks – underscoring that the perpetrators can literally be kids on the phone.
Clorox and Cognizant (Aug 2023): According to a lawsuit Clorox filed, Scattered Spider hackers called a Cognizant help desk agent (Cognizant is Clorox’s IT outsourcer) and simply asked for an employee’s login credentials – and the agent provided them without proper verification. With that foothold, the hackers penetrated Clorox’s network, eventually detonating ransomware that stopped Clorox’s production lines and supply chain for weeks. Clorox disclosed a staggering $380 million financial impact from the attack (lost sales and remediation costs). In essence, a single phone call to an unsuspecting support contractor led to a multi-million-dollar disaster. This case has been a wake-up call for every managed service provider: if your processes are weak, a hacker can use you to compromise dozens of client companies simultaneously.
These examples highlight a pattern: Scattered Spider often targets tech vendors, managed service providers (MSPs), and outsourcing firms as intermediate victims. By breaching one IT vendor’s help desk, they can potentially access many companies downstream. In fact, a June 2025 threat report noted that 81% of Scattered Spider’s phishing domains were impersonating popular IT services (with keywords like “okta”, “vpn”, “helpdesk”), indicating a broad campaign against tech providers. If you’re leading a security or support team at a global IT services firm like Cognizant or TCS, you may now be squarely in Scattered Spider’s sights. It’s critical to strengthen your defenses accordingly.
How to Fight Back: Defending the Help Desk from Attack
No organization is helpless against these tactics. Stopping social engineering attacks requires augmenting your human and process defenses. For security and help desk leaders, the goal is to make it much harder for an attacker to sweet-talk their way in. Here are key steps to protect your help desk and foil Scattered Spider’s playbook:
Enforce Rigorous Identity Verification: Strengthen the protocol for password resets and access requests. Do not rely on a single phone call or email. Require the help desk to perform out-of-band verification – for example, calling the employee back on a known phone number or using a secondary channel to confirm the person’s identity. Implement security questions, employee ID checks, or one-time passcodes sent to a pre-registered device. Never reset MFA or passwords solely on the say-so of an incoming call. This one policy change could have prevented many Scattered Spider incidents from occurring.
Add Approvals for High-Privilege Changes: Treat it like a mini “two-person rule.” If someone requests access to admin-level resources or a critical reset (especially via a non-standard channel), require managerial approval or a second staff member to sign off on the request. This creates a deliberate speed bump and an opportunity to detect something suspicious before it’s too late. An attacker impersonating a CFO might bully one service rep, but it’s much harder to fool two people (or convince a supervisor) without raising suspicion.
Harden MFA and Account Security: Move toward phishing-resistant MFA methods wherever possible – for instance, FIDO2 security keys or biometric MFA that can’t be easily read off or transferred. Configure your identity systems to require additional checks (such as in-person verification or manager approval) for MFA resets or new authenticator device enrollments. This ensures that even if a help desk is tricked, the attacker hits a wall trying to bypass MFA. Also consider implementing limits, such as time-of-day or VPN/location-based restrictions, for when support can issue resets for sensitive accounts.
Train and Empower Your Help Desk Staff: Security awareness is not just for general employees; your support agents need specialized training to recognize social engineering red flags. Conduct role-play exercises and team training on scenarios like someone claiming, “I’m the CEO and I forgot my password”. Teach staff to verify claims through official channels and to feel comfortable saying “no” or pausing when something seems off. Emphasize that attackers will use pressure and charm, and that it’s OK to slow down and double-check credentials. By making your front-line staff more skeptical and procedure-focused, you shrink the attackers’ advantage.
Monitor for Unusual Help Desk Activity: Just as you monitor networks for anomalies, do the same for your support workflows. Set up alerts or reviews for patterns such as multiple password resets for privileged accounts within a short period, or frequent MFA device changes. Scattered Spider’s techniques sometimes generate tell-tale patterns (e.g., an account that had MFA removed right before a breach). Monitoring these actions can catch an ongoing social engineering attack. Also, consider caller ID analytics; if someone is spoofing an internal number or calling from an odd location, flag it for scrutiny.
Set Up a Reporting Path: Ensure that support has a place to report suspected attacks. Incorporate stakeholders from security and support for effective coordination. Use simulated attacks to test help desk employees. For example, in a simulated attack, you might discover that your report rate for attacks is low. Use this data to investigate process gaps, train employees, and adapt.
Simulate Attacks to Build Resilience: One of the most effective ways to harden your help desk is to practice against the threat. Consider running realistic social engineering simulations, not just phishing emails, but also voice calls and chat scenarios. For example, you might have your security team (or a service like an external tester) call the help desk pretending to be an employee with an urgent issue, and see if procedures are followed. Modern training platforms (such as Mirage Security) even allow you to simulate AI-driven “vishing” attacks with deepfake voices and tailored scripts, so your team can experience a very life-like phishing call in a safe environment. These exercises reveal where gaps exist and reinforce good practices in a memorable way. The goal isn’t to “gotcha” your employees, but to build their confidence and vigilance so that when a real Scattered Spider actor calls, your team will sniff out the lie.
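The verification, approval and MFA-hardening steps above can be written down as a policy that a help desk tool checks before any reset is issued. The following is an added illustration, not code from this article or from Mirage Security; the request fields, the directory contents, the staff ids and the phone numbers are all constructed assumptions. It encodes three of the rules described: an incoming call never counts as identification (caller ID is ignored because it can be spoofed; only an agent-initiated callback to the HR-registered number or a one-time code to a pre-registered device does), authenticator changes need a supervisor sign-off, and privileged accounts need a second staff member regardless of the action.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Action(Enum):
    PASSWORD_RESET = "password_reset"
    MFA_RESET = "mfa_reset"      # remove or replace a registered authenticator
    MFA_ENROLL = "mfa_enroll"    # add a new authenticator device


@dataclass
class ResetRequest:
    account: str                              # account the caller claims to own
    action: Action
    caller_id: str                            # number shown on the incoming call (spoofable)
    callback_number: Optional[str] = None     # number the agent dialled back, if any
    otp_verified: bool = False                # one-time code confirmed on a pre-registered device
    approvals: set = field(default_factory=set)   # staff ids who signed off on the request
    requesting_agent: str = "agent-unknown"


@dataclass
class Directory:
    registered_phone: dict        # account -> HR-registered phone number
    privileged: set               # accounts with admin-level rights
    approvers: set                # supervisors allowed to sign off on MFA changes


def evaluate(req: ResetRequest, directory: Directory):
    """Return (allowed, reasons); an empty reasons list means every check passed."""
    reasons = []
    registered = directory.registered_phone.get(req.account)

    # Rule 1: the incoming call proves nothing, and caller ID is ignored on purpose
    # because it can be spoofed.  Identity is established only by an agent-initiated
    # callback to the HR-registered number or by an OTP sent to a pre-registered device.
    callback_ok = req.callback_number is not None and req.callback_number == registered
    if not (callback_ok or req.otp_verified):
        reasons.append("no out-of-band verification (callback to registered number or OTP)")

    # Sign-offs from the requesting agent or from the account owner do not count.
    second_person = {a for a in req.approvals if a not in (req.requesting_agent, req.account)}
    supervisor_signoff = second_person & directory.approvers

    # Rule 2: authenticator changes need a supervisor, because a successful con
    # here removes MFA from the account entirely.
    if req.action in (Action.MFA_RESET, Action.MFA_ENROLL) and not supervisor_signoff:
        reasons.append("MFA change requires supervisor sign-off")

    # Rule 3: two-person rule for privileged accounts, whatever the action.
    if req.account in directory.privileged and not second_person:
        reasons.append("privileged account requires a second staff member")

    return (not reasons, reasons)


# Constructed directory and scenarios for the demonstration (hypothetical values).
DIRECTORY = Directory(
    registered_phone={"jdoe": "+1-555-0100", "admin-kim": "+1-555-0101"},
    privileged={"admin-kim"},
    approvers={"sup-lee"},
)

SCENARIOS = {
    # Caller ID even matches the registered number, but nothing was actually verified.
    "phone_only": ResetRequest("jdoe", Action.PASSWORD_RESET, caller_id="+1-555-0100",
                               requesting_agent="agent-01"),
    "callback_verified": ResetRequest("jdoe", Action.PASSWORD_RESET, caller_id="+1-555-0199",
                                      callback_number="+1-555-0100", requesting_agent="agent-01"),
    "mfa_reset_no_signoff": ResetRequest("jdoe", Action.MFA_RESET, caller_id="+1-555-0100",
                                         callback_number="+1-555-0100", requesting_agent="agent-01"),
    "privileged_self_approved": ResetRequest("admin-kim", Action.PASSWORD_RESET, caller_id="+1-555-0101",
                                             otp_verified=True, approvals={"agent-01"},
                                             requesting_agent="agent-01"),
    "privileged_with_supervisor": ResetRequest("admin-kim", Action.MFA_RESET, caller_id="+1-555-0101",
                                               callback_number="+1-555-0101", approvals={"sup-lee"},
                                               requesting_agent="agent-01"),
}


def run_scenarios():
    """Evaluate every constructed scenario against the policy."""
    return {name: evaluate(req, DIRECTORY) for name, req in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (allowed, reasons) in run_scenarios().items():
        print(f"{name:28} {'ALLOW' if allowed else 'DENY '} {'; '.join(reasons)}")
```

The point of returning the list of failed rules rather than a bare yes/no is that the agent sees exactly which step is missing and can complete it, which keeps the policy from being bypassed “just this once” under pressure.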
By implementing the measures above, organizations can dramatically reduce their exposure to help desk social engineering attacks. In essence, you are strengthening the human element, transforming your people from an easy target to a formidable last line of defense. As one security expert noted about the Clorox incident, if a hacker’s entire attack comes down to “just calling and asking” for a password, then failing to stop that is a serious lapse in duty. We have the tools and knowledge to do better.
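The monitoring recommendation above (bursts of resets on privileged accounts, frequent MFA device changes, MFA removed right before a breach) can be turned into detection logic over the help desk and identity-provider audit trail. The following is an added example, not code from this article or from Mirage Security; the log format, the account names, the locations and the thresholds are constructed assumptions. It flags three patterns: three or more resets of privileged accounts within fifteen minutes, two or more authenticator changes on one account within a day, and a sign-in from a location never seen for that account within an hour of an MFA change.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical audit-log format: ISO timestamp followed by key=value fields.
# These lines are constructed for the example, not real help-desk data.
SAMPLE_LOG = """\
2025-07-20T07:50:00Z actor=admin-kim action=login target=admin-kim geo=US-OH
2025-07-20T08:10:00Z actor=jdoe action=login target=jdoe geo=US-OH
2025-07-20T08:55:00Z actor=agent-07 action=password_reset target=jdoe channel=phone
2025-07-20T09:01:12Z actor=agent-07 action=mfa_reset target=admin-kim channel=phone
2025-07-20T09:04:40Z actor=agent-07 action=password_reset target=admin-kim channel=phone
2025-07-20T09:09:05Z actor=agent-07 action=password_reset target=svc-backup channel=phone
2025-07-20T09:20:00Z actor=admin-kim action=login target=admin-kim geo=DE-BER
2025-07-21T08:30:00Z actor=agent-03 action=mfa_enroll target=admin-kim channel=ticket
""".splitlines()

PRIVILEGED = {"admin-kim", "svc-backup"}          # assumed list of admin-level accounts
RESET_ACTIONS = {"password_reset", "mfa_reset", "mfa_enroll"}
MFA_ACTIONS = {"mfa_reset", "mfa_enroll"}

# Thresholds are assumptions; tune them to the real reset volume of your desk.
BURST_WINDOW, BURST_THRESHOLD = timedelta(minutes=15), 3
CHURN_WINDOW, CHURN_THRESHOLD = timedelta(hours=24), 2
POST_MFA_LOGIN_WINDOW = timedelta(hours=1)


def parse(line: str) -> dict:
    """Split one log line into a dict of fields with a parsed 'ts' datetime."""
    ts_text, _, rest = line.partition(" ")
    event = dict(kv.split("=", 1) for kv in rest.split())
    event["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return event


def _trim(window: deque, now: datetime, span: timedelta) -> None:
    """Drop timestamps that fell out of the sliding window."""
    while window and now - window[0] > span:
        window.popleft()


def detect(lines) -> list:
    """Return (rule, timestamp, subject) alerts in chronological order."""
    alerts = []
    events = sorted((parse(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    priv_resets = deque()                 # timestamps of resets on privileged accounts
    mfa_changes = defaultdict(deque)      # account -> timestamps of authenticator changes
    last_mfa_change = {}                  # account -> most recent authenticator change
    seen_geo = defaultdict(set)           # account -> locations seen earlier in the log
    for e in events:
        ts, act, target = e["ts"], e["action"], e["target"]
        stamp = ts.strftime("%Y-%m-%dT%H:%M:%SZ")
        if act in RESET_ACTIONS and target in PRIVILEGED:
            priv_resets.append(ts)
            _trim(priv_resets, ts, BURST_WINDOW)
            if len(priv_resets) == BURST_THRESHOLD:
                # subject is the agent doing the resets: a social-engineered agent or a mass reset
                alerts.append(("privileged_reset_burst", stamp, e["actor"]))
        if act in MFA_ACTIONS:
            q = mfa_changes[target]
            q.append(ts)
            _trim(q, ts, CHURN_WINDOW)
            last_mfa_change[target] = ts
            if len(q) == CHURN_THRESHOLD:
                alerts.append(("mfa_change_churn", stamp, target))
        if act == "login":
            geo = e.get("geo", "unknown")
            recent_change = (target in last_mfa_change
                             and ts - last_mfa_change[target] <= POST_MFA_LOGIN_WINDOW)
            if recent_change and geo not in seen_geo[target]:
                alerts.append(("new_location_login_after_mfa_change", stamp, target))
            seen_geo[target].add(geo)
    return alerts


if __name__ == "__main__":
    for rule, stamp, subject in detect(SAMPLE_LOG):
        print(f"{stamp} {rule:38} {subject}")
```

Running it over the constructed log yields a burst alert on agent-07 at 09:09:05, a new-location login for admin-kim at 09:20 (nineteen minutes after the MFA reset), and an MFA churn alert the next morning. None of these events is individually alarming in a ticketing queue; the correlation is what turns “just another IT support task” into something an analyst reviews.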
The Perceived People Problem Is Actually a Process Problem
If Scattered Spider has proven anything, it is that attackers do not need malware when policy gaps and improvisation are enough.
These were not failures of awareness. They were failures of process. Help desks without strict verification steps. Agents pressured to be fast, not thorough. No escalation protocol. No second set of eyes.
We do not need slogans about the “human firewall.” We need codified procedures, tested responses, and executive-level support that reinforces security over convenience.
The right questions to ask:
Can every support agent describe the exact steps required before resetting a high-privilege account?
Is there a written policy, backed by the C-suite, that requires multi-party approval?
Are agents empowered to slow things down without fear of pushback?
Have these scenarios been rehearsed in real time?
When a help desk agent resets MFA on a voice call alone, that is not a human mistake. That is a systems failure.
If we want our people to be defenders, we have to give them the tools, clarity, and backing to do it. That starts with process. It is reinforced through repetition and practice. And it is validated through simulation - not to punish mistakes, but to confirm the system works when it matters.
Let’s stop blaming people, and start reinforcing the process around it.