Social engineering used to refer to large-scale campaigns to alter the attitudes or behaviour of a population. These days, cyber specialists use it to mean something else: manipulating individuals into performing actions or divulging information that can enable criminals to hack into IT networks — where they can steal data, shut down systems and extort. The costs can be huge. For Marks and Spencer, one of Britain’s biggest retailers, a cyber attack that began last month is expected to knock as much as £300mn off its annual operating profit, and has wiped about £750mn from its market value.
M&S revealed last week that cyber criminals accessed its systems using social engineering tactics via a third-party supplier, which typically means duping IT staff into changing passwords or resetting authentication processes. The retailer has had to shut down online clothing sales for weeks and warn millions of customers that personal data, though not bank details, had been stolen. Trust in its brand is on the line, though M&S shoppers seem a loyal bunch. But it is not alone. The Co-op grocery group and Harrods department store have been fending off attacks too.
All these cyber incidents share characteristics associated with a loose community of “threat actors” known as Scattered Spider. Hackers linked to the network were behind attacks on MGM Resorts and Caesars Entertainment in the US in 2023. Google Threat Intelligence researchers have warned that US retailers may be their next target.