Social Engineering Attacks Exploit Service Desks at Major Retailers and Travel Companies
What Happened — Attackers impersonating employees or IT support have repeatedly convinced service‑desk agents to reset passwords or grant remote‑access sessions. High‑profile incidents include the 2025 Scattered Spider campaign against UK retailers Marks & Spencer, Co‑op and Harrods, and a 2026 breach at Carnival Corporation. The FBI also warned that the Silent Ransom Group is using the same “help‑desk” ploy to gain footholds.
Why It Matters for Compliance & Audit Readiness
- SOC 2 CC6.1 (Logical Access) and CC6.2 (User Access Management) require documented, enforceable processes for credential provisioning and MFA bypass prevention; service‑desk impersonation directly subverts those controls.
- Continuous‑compliance programs must capture evidence that access‑reset requests are verified, logged, and reviewed—exactly the evidence Verisq’s Security Awareness Training capability helps generate and retain.
- A defensible audit trail of service‑desk interactions demonstrates due‑diligence to regulators and customers, reducing the risk of non‑compliance findings.
Who Is Affected — Retail (e.g., Marks & Spencer, Co‑op, Harrods), travel & hospitality (Carnival Corporation), and any organization that outsources or centralizes help‑desk functions.
Recommended Actions
- Map service‑desk password‑reset and remote‑access procedures to SOC 2 CC6.1/CC6.2 controls.
- Deploy multi‑factor authentication for all privileged reset actions and enforce a “dual‑approval” workflow.
- Conduct targeted security‑awareness training for help‑desk staff focused on impersonation detection and verification scripts.
- Enable continuous logging and automated alerting on anomalous reset activity for audit evidence.
Technical Notes
- Attack vector: social engineering (phone, chat, email) → credential reset or remote‑access session.
- No specific CVE; the weakness is procedural rather than software‑based.
- Data exposed: typically internal system credentials, potentially leading to downstream data exfiltration.
Source: BleepingComputer – Securing the service desk: Why social engineering attacks keep succeeding