You’d think a major cyberattack would start with a high-tech exploit, a flaw in the system, or some zero-day vulnerability buried in the code.
But the recent breach that hit Marks & Spencer and Co-op didn’t need any of that. Instead, it started with something much simpler — a convincing phone call.
According to reports, the cybercriminal group known as Scattered Spider pulled off the attack by using a classic technique: social engineering. They didn’t break in by force. They asked — and someone let them in.
Here’s how it works:
- The hackers posed as real employees, calling IT help desks and claiming they’d lost access to their accounts.
- Using details likely scraped from earlier data leaks, phishing emails, or even LinkedIn, they sounded convincing enough to fool support staff.
- IT teams, thinking they were just helping a colleague, reset the credentials, effectively handing the keys to the kingdom over to the attackers.
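The gap in the steps above is that the help desk treated a convincing story as proof of identity. As an added illustration, not from the article or from either retailer, here is a sketch of a stricter reset protocol such a help desk could enforce, with an audit check over constructed log lines; the usernames, phone numbers, log format and field names are all assumptions.

```python
from dataclasses import dataclass

# Constructed directory (hypothetical users): the numbers the help desk must
# call back on, never a number the caller supplies. Not real data.
DIRECTORY = {"jdoe": "+44 7700 900001", "asmith": "+44 7700 900002"}

@dataclass
class ResetRequest:
    username: str
    story_plausible: bool       # caller knows names, job titles, recent projects
    mfa_challenge_passed: bool  # caller approved a prompt on the already-enrolled device
    callback_verified: bool     # agent hung up and called the DIRECTORY number back
    manager_confirmed: bool     # manager confirmed on a channel the agent initiated
    wants_mfa_reset: bool       # re-enrolling MFA too: full takeover if this is wrong

def decide(req: ResetRequest):
    """Return (approved, reasons). Identity must be proven by a step the help
    desk initiates; what the caller says or knows carries no weight."""
    if req.username not in DIRECTORY:
        return False, ["unknown user"]
    # story_plausible is deliberately never consulted: leaked data lets any
    # impostor sound convincing, so plausibility cannot be a factor.
    if req.mfa_challenge_passed and not req.wants_mfa_reset:
        return True, ["challenge on enrolled MFA device"]
    reasons = []
    if not req.callback_verified:
        reasons.append("no callback to directory number")
    if req.wants_mfa_reset and not req.manager_confirmed:
        reasons.append("MFA re-enrollment needs manager confirmation")
    if reasons:
        return False, reasons
    return True, ["callback verified" + (", manager confirmed" if req.wants_mfa_reset else "")]

def flag_resets(log_lines):
    """Return ticket ids of credential resets whose audit line records no
    verification step; these are the tickets to review after an incident."""
    flagged = []
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])  # skip timestamp
        if fields.get("action") == "reset" and fields.get("verify") == "none":
            flagged.append(fields["ticket"])
    return flagged

AUDIT = [  # constructed sample audit lines, not from either breach
    "2025-04-21T09:12:03Z ticket=T1001 action=reset user=jdoe verify=callback agent=t.jones",
    "2025-04-21T09:40:51Z ticket=T1002 action=reset user=asmith verify=none agent=t.jones",
    "2025-04-21T10:31:44Z ticket=T1004 action=reset user=jdoe verify=none mfa_reset=yes agent=p.lee",
]
```

An impostor with a perfect story but no callback or device challenge is refused, and the audit scan surfaces exactly the resets that were granted on the caller's word alone.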
Once inside, the group didn’t waste time. They moved laterally through internal systems, escalating their access and, in M&S’s case, eventually deploying ransomware (linked to the DragonForce group) to lock up servers and disrupt operations.
This wasn’t just a temporary hiccup. The breach led to the complete suspension of online orders at M&S, while contactless payments and click-and-collect services were taken offline.
The company also suffered market value losses exceeding £650 million. Over at Co-op, customer data, including personal contact information, was exposed. And incredibly, it all started with someone simply pretending to be an employee on the phone.
This type of attack is hard to stop with tech alone. You can have the best firewalls in the world, but if someone inside clicks the wrong link or resets the wrong password, the damage is done.
It’s a reminder that cybersecurity is a people problem as much as a technology problem. Staff training, strict ID verification, and internal protocols need just as much investment as fancy security software.
Both M&S and Co-op are still working to clean up the problem, and investigations are ongoing. Meanwhile, the UK’s cybersecurity authorities are warning other retailers to review their IT support processes immediately.
Because next time, it might not just be a retail chain. It could be your bank, your healthcare provider, or your workplace.