eCommerceNews US - Technology news for digital commerce decision-makers

Scattered Spider hackers shift focus from UK to US retailers

Today

Cybersecurity specialists have raised concerns following reports that hackers employing Scattered Spider tactics, previously focusing on UK retail chains, have now shifted their operations to target major retailers in the United States. The move marks a new phase in ransomware and extortion campaigns that have already caused significant disruption in the British retail sector.

Scattered Spider, the name ascribed to a criminal collective known for sophisticated social engineering ploys, has become notorious for breaching corporate networks. The group's modus operandi involves tricking employees through tailored psychological manipulation, gaining access to sensitive systems and data before demanding ransom payments to prevent the release or destruction of the stolen information.

Commenting on the development, Martin Jartelius, Chief Information Security Officer at cyber risk firm Outpost24, highlighted the global nature of online threats.

"Well, there is often a geographic element to campaigns, of course, but the difference between cyber and regular crime is that you have billions of neighbors on the internet," Jartelius said.

"A transition from one primarily English-speaking region to another is less adaption of scripts and makes good sense. Social engineering is related to marketing in that it aims to entice a desired behaviour in another individual, which requires both a well-tailored script and an element of culture suited for those you target for it to work out," he added.

The tactics used by these groups tend to rely on an in-depth understanding of their targets' cultural context. Social engineering, Jartelius noted, must resonate with its victims to be effective. Just as marketing messages are tailored to consumers, so too are phishing emails and fraudulent phone calls crafted to manipulate employees who may inadvertently provide the keys to organisations' digital vaults.

Law enforcement agencies on both sides of the Atlantic have scrambled to adapt as incidents have escalated. According to information released by Google's security teams, US-based retailers have begun to experience similar attacks to those that plagued the UK last year – with hackers infiltrating corporate IT environments using phishing emails, fake login portals, and even helpdesk impersonations that trick staff into divulging credentials or bypassing internal cyber defences.

Jartelius drew parallels between high-profile ransomware campaigns and smaller-scale scams, noting how methods are often reused and even sold among criminal syndicates. "We see this in smaller fraud as well, where a method is reused, and in those cases scripts, that is, ways of working the social engineering, is even sold between criminals," he said. This sharing of tactics enables threat actors to quickly adapt to different markets with minimal effort, capitalising on successful campaigns and continually refining their approaches.

The impact on retailers can be profound. Direct financial losses may run into the millions, while the fallout from interrupted operations, reputational damage, and the possible exposure of customer data can persist long after the ransom demand is resolved. Increasingly, organisations rely on a combination of staff training, multi-factor authentication, and advanced monitoring solutions to fend off such threats, yet attackers continue to find ways to exploit human and technical vulnerabilities.

The migration of these cybercriminal efforts to the US underscores the ever-evolving nature of online crime. With English-speaking targets often sharing similarities that make campaign adaptation straightforward, experts warn that vigilance among employees and strict adherence to security protocols remain the best line of defence.

Retailers are urged to maintain heightened awareness of social engineering tactics and to invest in robust cyber defences, as threat actors continually seek new opportunities for profit in an increasingly interconnected world.
