British retailers are under cyber siege. In recent weeks, major brands like Marks & Spencer (M&S), Co-op, and Harrods have fallen victim to a wave of coordinated cyber attacks. And the damage isn’t just technical—cybercriminals are now using phones, not just phishing emails, to breach businesses.
The UK’s National Cyber Security Centre (NCSC) has raised the alarm. According to their latest guidance, hackers are posing as IT help desk staff, tricking employees into handing over passwords or resetting credentials. It’s a sneaky move that plays on trust—and it’s proving dangerously effective.
Beware of Phony IT Calls
After the M&S and Co-op hacks, the NCSC issued a blunt warning: watch out for fake IT calls. Criminals are impersonating support staff to convince employees to reset passwords, share login details, or grant access to secure systems.
This tactic, known as “vishing” (voice phishing), is social engineering at its most manipulative. Hackers sound professional, act like they’re from the company’s IT department, and ask just the right questions to gain access.
The NCSC is urging all companies to review how their IT help desks verify employees before resetting passwords, especially for senior team members with high-level access.
“It’s no longer about brute-forcing your way in—it’s about talking your way in.”
Security experts recommend using multi-step authentication, including code words, callback verification, and even facial recognition for sensitive account resets.
How the Hacks Happened
Over the Easter weekend, M&S had to shut down online services due to a suspected breach. Just days later, Co-op confirmed they took their systems offline as a precaution against a cyber intrusion. Harrods followed soon after.
These incidents share an unsettling theme: the attackers didn’t just use malware—they used voice, charm, and deception. It’s a chilling sign of the times.
Who’s Behind It? A Spider’s Web of Hackers
The attacks show signs of involvement by a loose-knit group dubbed “Scattered Spider.” This collective of young, English-speaking hackers isn’t a centralized gang. Instead, they’re a decentralized community coordinating attacks through platforms like Discord and Telegram.
In the past, they’ve targeted major U.S. companies like MGM Resorts and Caesars Palace, often using the same social engineering tactics seen in the UK hacks.
While the group behind the Co-op and M&S attacks calls itself DragonForce, the techniques used—help desk impersonation, credential theft, and ransomware—point to Scattered Spider’s playbook.
So far, the NCSC hasn’t confirmed a direct link but says it’s working with law enforcement to investigate. At least six members connected to the Spider group have already been arrested in the UK and the U.S., including a 17-year-old from Walsall, England.
Data at Risk: Not Just Corporate, But Personal
DragonForce claims it stole large amounts of employee and customer data from Co-op. Though the full extent of the M&S breach hasn’t been confirmed, the damage may go beyond temporary downtime. Customers are being urged to monitor their accounts, change passwords, and be alert for phishing attempts.
The UK’s Information Commissioner’s Office (ICO) is now investigating both incidents. Their advice is to use strong, unique passwords and enable two-factor authentication wherever possible.
“Beware Phony IT Calls,” Warns UK Cyber Centre
Following the recent cyberattacks on major British retailers like Co-op and Marks & Spencer, the UK’s National Cyber Security Centre (NCSC) issued a direct warning: beware of phony IT calls. This isn’t just a cautionary note—it’s a red flag that cybercriminals are actively impersonating IT support to bypass technical defenses and gain access to internal systems. The NCSC described these tactics as “a rising threat,” particularly dangerous because they exploit human psychology, not software vulnerabilities.
The attacks on M&S and Co-op revealed how help desk impersonation is becoming a go-to strategy for hacker groups like Scattered Spider and DragonForce. These groups are not relying on malware alone—they’re using voice-based deception to manipulate employees into giving away login credentials or initiating password resets. The NCSC’s advice is clear: organizations must train their staff to challenge unexpected tech support calls, especially those that create urgency or ask for sensitive access.
According to NCSC CEO Lindy Cameron, this kind of “voice phishing” (or vishing) is alarmingly effective because it mimics internal processes and exploits the instinct to comply with authority figures in IT. “It’s no longer about brute-forcing your way in—it’s about talking your way in,” she noted. Companies are now being urged to implement multi-step verification for help desk interactions, and staff are being reminded: if a call seems suspicious, it probably is.
The NCSC also emphasized that password reset protocols need to be scrutinized. Organizations should consider adding security questions, callback confirmations, or even facial verification in sensitive roles. The warning serves as a broader reminder that in today’s cyber landscape, people are the new perimeter, and awareness is as important as antivirus software.
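The callback verification recommended above (and in the earlier list of multi-step checks) can be modelled as a rule: the help desk never acts on the inbound call, it sends a one-time code to the contact details already held in the directory and only proceeds once that code is read back, with a time limit, an attempt limit and a second approver for privileged accounts. The following is an added illustration written for this article, not NCSC guidance or Hoplon Infosec code; the directory entries, phone numbers and usernames are constructed.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed directory (not real data). The help desk calls back the number
# stored here; it never uses a number supplied by the inbound caller.
DIRECTORY = {
    "j.smith": {"callback_number": "+44 20 7946 0000", "privileged": False},
    "a.finance": {"callback_number": "+44 20 7946 0001", "privileged": True},
}

@dataclass
class ResetChallenge:
    username: str
    code: str
    issued_at: float
    attempts_left: int = 3
    ttl_seconds: int = 300  # the code is only good for five minutes

def open_reset_request(username, directory=DIRECTORY, now=None):
    """Caller asks for a reset: issue an out-of-band code instead of acting.
    Returns (challenge, destination) or None for an unknown user."""
    entry = directory.get(username)
    if entry is None:
        return None
    code = "".join(secrets.choice("0123456789") for _ in range(8))
    issued = time.time() if now is None else now
    # In production the code is delivered by calling/SMSing the stored number.
    return ResetChallenge(username, code, issued), entry["callback_number"]

def verify_readback(challenge, spoken_code, now=None):
    """Check the code the employee reads back from the callback device."""
    now = time.time() if now is None else now
    if now - challenge.issued_at > challenge.ttl_seconds:
        return "expired"
    if challenge.attempts_left <= 0:
        return "locked"
    challenge.attempts_left -= 1
    if hmac.compare_digest(challenge.code, spoken_code):
        challenge.attempts_left = 0  # single use: a verified code cannot be replayed
        return "verified"
    return "locked" if challenge.attempts_left == 0 else "mismatch"

def reset_allowed(username, challenge_result, manager_approved=False, directory=DIRECTORY):
    """Privileged accounts need the callback check AND a named second approver."""
    if challenge_result != "verified":
        return False
    return manager_approved or not directory[username]["privileged"]
```

The point of the split into three functions is that the agent who took the call cannot complete the reset on that call alone.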
Spotting the Signs of Trouble
The NCSC also recommends watching out for what it calls “Risky Logins”—unusual times or locations where employees access the network. For instance, a login attempt from a foreign country at 2 a.m. should trigger a red flag.
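A simple detector for the “risky login” pattern described above, added here as an illustration (not NCSC tooling or Hoplon Infosec code): it reads constructed log lines, flags successful logins outside business hours or from a country the user does not normally sign in from, and raises the severity when such a login follows a help desk password reset within 24 hours, which is exactly the sequence a successful vishing call would produce. Business hours, the per-user country baseline and the log format are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample events (not real retailer logs). Help desk resets are logged
# in the same stream as logins so the two can be correlated.
SAMPLE_LOG = """\
2025-04-19T14:02:10Z event=helpdesk_reset user=a.finance agent=hd42
2025-04-19T14:09:51Z event=login user=a.finance country=GB result=success
2025-04-20T02:13:44Z event=login user=a.finance country=RU result=success
2025-04-20T09:30:00Z event=login user=j.smith country=GB result=success
2025-04-20T11:15:00Z event=login user=j.smith country=FR result=success
"""

BUSINESS_HOURS = (7, 20)  # UTC; start inclusive, end exclusive (assumed)
USUAL_COUNTRIES = {"a.finance": {"GB"}, "j.smith": {"GB", "FR"}}  # constructed baseline
RESET_WINDOW = timedelta(hours=24)

def parse_line(line):
    """Turn 'TIMESTAMP key=value ...' into a dict with a tz-aware 'ts'."""
    ts, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev

def risky_logins(log_text):
    """Return (timestamp, user, reasons) for every login that trips a rule."""
    events = [parse_line(line) for line in log_text.strip().splitlines()]
    last_reset = {}
    flagged = []
    for ev in events:
        if ev["event"] == "helpdesk_reset":
            last_reset[ev["user"]] = ev["ts"]
            continue
        if ev["event"] != "login" or ev["result"] != "success":
            continue
        reasons = []
        if not BUSINESS_HOURS[0] <= ev["ts"].hour < BUSINESS_HOURS[1]:
            reasons.append("outside business hours")
        if ev["country"] not in USUAL_COUNTRIES.get(ev["user"], set()):
            reasons.append(f"unusual country {ev['country']}")
        reset_at = last_reset.get(ev["user"])
        # A reset followed shortly by an anomalous login is the vishing signature.
        if reasons and reset_at is not None and ev["ts"] - reset_at <= RESET_WINDOW:
            reasons.append("within 24h of help desk password reset")
        if reasons:
            flagged.append((ev["ts"].isoformat(), ev["user"], reasons))
    return flagged
```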
Employers should also invest in training employees on cyber hygiene. After all, even the strongest firewall can’t stop an employee from giving their password to someone they think is their IT guy.
Cybersecurity Isn’t Optional Anymore
These incidents are a reminder that cybersecurity isn’t just an IT problem—it’s everyone’s problem. From the boardroom to the sales floor, everyone has a role to play.
“Ransomware is a real and growing threat to many aspects of our daily lives,” said MP Matt Western, chair of the Joint Committee on the National Security Strategy. “These serious attacks threaten not just the bottom line of the businesses involved but also the wider food supply chain.”
If a cyberattack disrupts deliveries or damages infrastructure, communities could be left without basic goods. That’s why cyber readiness should be seen as part of a company’s crisis preparedness, just like fire drills or data backups.
What You Can Do Right Now
For businesses:
- Review IT help desk protocols immediately
- Implement multi-factor authentication (MFA) across systems
- Train staff to spot social engineering tactics
- Watch for suspicious login activity
For customers:
- Change your passwords—especially if you’re a Co-op or M&S customer
- Use unique passwords for every account
- Turn on two-factor authentication where available
- Stay alert for phishing emails and texts
Final Thoughts: Stay Sharp, Stay Safe
Cybercriminals are getting smarter, but so can we. These latest attacks are a wake-up call to stay vigilant. Don’t trust every email or call, and never hand over credentials unless you’re absolutely sure who you’re talking to.
The real threat might not be malware. It might be a fake IT call asking, “Hi, can I help you reset your password?”
As cybercriminals grow bolder with tactics like impersonating IT support, businesses need to do more than just patch software—they need to build a culture of cyber awareness and put robust defenses in place. That includes tight verification processes, employee training, and layered security systems that don’t fall for smooth-talking intruders.
At Hoplon Infosec, we specialize in helping businesses stay one step ahead. From designing secure help desk protocols to deploying advanced endpoint protection, we’re here to keep your team and your data safe.