SailPoint Inc.

09/23/2025 | News release | Distributed by Public on 09/23/2025 09:09

Evolving organizational resilience: Training teams to defend against Scattered Spider

Date: September 23, 2025

The recent Scattered Spider cyberattacks targeting UK-based retailers, and the subsequent arrest of several British teenagers, have sparked alarm across industries. What is particularly unsettling about these attacks isn't just the group's success in infiltrating well-defended systems, but how they did it: not through exotic zero-days or nation-state funding, but through calculated social engineering tactics that prey on human vulnerabilities.

That means our best defense is preparing our people. At SailPoint, we created some custom training for our help desk personnel, since Scattered Spider frequently targets people in positions that can grant access to company assets. As a cyber community, we sink or swim together. And we know not every company can quickly develop custom training modules, so we decided to make it available to the public. You can download it and deliver it through any learning management system that is compatible with SCORM content. We hope it helps.

Scattered Spider is uniquely dangerous in part because many of its members are native English speakers. This enables them to operate without triggering the linguistic or cultural red flags that typically alert organizations to phishing or impersonation attempts. Further, their familiarity with Western workplace norms allows them to convincingly pose as employees, IT support, or third-party contractors. And when these impersonations succeed, they can manipulate insiders into handing over the keys: literally and figuratively.

Their tactics are relatively straightforward. By impersonating staff and convincing overworked or under-trained call center representatives to reset passwords or disable multi-factor authentication, attackers can sidestep even well-implemented security defenses. When done at scale, even a few successful attempts can result in major breaches. We've seen this strategy not only in retail, but in the insurance and aviation sectors as well, industries that rely heavily on human interaction and have broad access privileges at the front line.

This isn't a case of sophisticated malware or cutting-edge exploits. This is the exploitation of trust, and that should be a wake-up call.

Cybercrime is no longer exclusively the domain of elite, well-funded actors in far-off countries. It's learnable, scalable, and it's accessible to anyone with time, motivation, and an internet connection. Organizations can't afford to build their defenses solely around what yesterday's threats looked like. If you're only thinking about how to defend against the threats of today, you're already too late.

SailPoint Inc. published this content on September 23, 2025, and is solely responsible for the information contained herein. Distributed via Public Technologies (PUBT), unedited and unaltered, on September 23, 2025 at 15:09 UTC.