Beware: Scattered Spider cybercrime ring sparks warnings
Cybercriminal group known for moving quickly to attack businesses
KEY POINTS
- Scattered Spider is a decentralized cybercrime group targeting 15+ industries with advanced social engineering and ransomware.
- The group mimics corporate structures, recruits skilled hackers and partners with other threat actors to scale attacks.
- Businesses can defend against threats with employee training, system updates and strong incident response plans.
It might sound like the basis for a cinematic thriller: a cybercriminal group known for moving quickly, dodging investigations by decentralizing their operations and pivoting across not only industries but also targeted regions. However, this organization, known as Scattered Spider, is a very real threat faced by businesses.
According to Paul Tucker, chief information security and privacy officer at BOK Financial®, the group isn’t like a typical cybercrime gang. “Scattered Spider operates more like a tech startup, recruiting young talent, partnering with other threat actors and constantly adapting their tools and strategies to be more effective,” he said.
Scattered Spider often focuses their efforts on high-value data and extortion opportunities, and their targets span 15 industries—including finance, healthcare, retail and airlines. “Some of their tactics include tricking employees, bypassing security systems and even impersonating IT staff to gain access to sensitive systems,” Tucker explained.
Some of the group’s targets have included big names, like MGM Resorts and Caesars Entertainment in 2023, where criminals impersonated IT staff and tricked help desk employees into resetting login credentials. The group then deployed BlackCat/ALPHV ransomware, which caused widespread outages and resulted in more than $100 million in losses.
Similarly, in 2024, the group was responsible for the Snowflake Cloud Data Breach, which compromised credentials for 165 Snowflake customers, including major companies like AT&T, Ticketmaster and LendingTree. This breach resulted in massive data theft and extortion attempts targeting cloud-stored customer data across multiple industries.
A new breed of cybercriminal organization
Scattered Spider is one of the most notorious and rapidly evolving cybercriminal groups active today. Emerging in 2022, this group has gained a reputation for its bold tactics, sophisticated social engineering and corporate-style operations. As of 2025, Scattered Spider continues to evolve, absorbing other cybercriminal groups and expanding its reach, making it a top-tier threat in the global cybersecurity landscape.
“What sets Scattered Spider apart is how they behave remarkably like a rogue corporate IT department—and that's part of what makes them so dangerously effective.”
– Paul Tucker, chief information security and privacy officer at BOK Financial
The group is known to recruit or absorb other threat actors, especially those with specialized skills such as ransomware deployment, phishing infrastructure or SIM swapping. “This strategy allows them to scale operations quickly and diversify their attack methods, making them a formidable force in the cybercrime world,” Tucker explained.
Their recruitment process mirrors that of legitimate companies, complete with specific job qualifications. They seek native speakers with neutral accents for their targeted regions, typically recruiting U.S. and UK English speakers since those are their primary target areas. The group also forms strategic alliances and collaborations with other major cybercrime organizations like BlackCat/ALPHV and Qilin.
“What makes them especially dangerous is that instead of operating as a single, tightly controlled group, Scattered Spider functions more like a network of affiliates—each with its own specialty but aligned under a shared brand or mission,” Tucker explained. “Think of it as a franchise model in the cybercriminal world, where the group doesn't originate from a single country but spans many nations.”
Their tactics explained
Scattered Spider uses sophisticated social engineering techniques, manipulating people into giving away secrets through various methods:
- Vishing (voice phishing). They call, pretending to be from IT support, banks or other trusted entities. There is emerging evidence that they now use AI voice cloning in some instances to strengthen these tactics, according to Tucker.
- Phishing campaigns. They send fake emails asking targets to “verify” accounts or click malicious links, routinely using domains that closely resemble legitimate websites.
- SIM swapping. They trick phone companies into giving them control of victims’ phone numbers, allowing them to intercept security codes and bypass multi-factor authentication (MFA).
- IT impersonation. They convince help desk employees to reset credentials by impersonating legitimate IT staff members.
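The phishing item above notes that the group routinely registers domains that closely resemble legitimate ones. The following is an added example, not code from the article or from BOK Financial, of the kind of check a mail gateway or SIEM can run to surface such senders: it normalizes common homoglyph swaps (such as `rn` for `m` or `1` for `l`), then flags any sender domain within a small edit distance of a trusted name. The allowlist, log lines and domain names are constructed for the example; the registrable-domain cut is deliberately naive and a real deployment would use a public-suffix list.

```python
import re

# Domains the organisation legitimately receives mail from (constructed allowlist;
# a real deployment would load this from the mail gateway's configuration).
TRUSTED_DOMAINS = ("example-bank.com", "example-idp.com")

# Single-character substitutions commonly seen in look-alike domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
# Multi-character pairs that render almost identically in many fonts.
MULTI_GLYPHS = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def normalize(domain: str) -> str:
    """Map common homoglyphs back to the letters they imitate."""
    d = domain.lower().translate(HOMOGLYPHS)
    for fake, real in MULTI_GLYPHS:
        d = d.replace(fake, real)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small distance to a trusted name is the typosquat signal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Naive registrable-domain cut (last two labels) so that sub-domains of a
    trusted name are not flagged. Real code should consult a public-suffix list."""
    return ".".join(domain.lower().split(".")[-2:])


def classify(sender_domain: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return ("trusted" | "lookalike" | "unknown", matched trusted domain or None)."""
    base = registrable(sender_domain)
    if base in trusted:
        return "trusted", base
    norm = normalize(base)
    for t in trusted:
        if levenshtein(norm, normalize(t)) <= max_distance:
            return "lookalike", t
    return "unknown", None


# Constructed mail-gateway log lines, not real traffic.
LOG_LINES = [
    '2025-06-01T09:14:02Z from=it-support@exarnple-bank.com to=jsmith subject="Verify your account"',
    '2025-06-01T09:20:45Z from=alerts@examp1e-bank.com to=jsmith subject="Password expiring"',
    '2025-06-01T09:31:10Z from=noreply@example-bank.com to=jsmith subject="Monthly statement"',
    '2025-06-01T09:40:33Z from=security@example-bank.co to=jsmith subject="Re-enroll MFA"',
    '2025-06-01T09:55:18Z from=newsletter@unrelated-vendor.net to=jsmith subject="Q2 update"',
]

SENDER_RE = re.compile(r"\bfrom=\S+@([\w.-]+)")


def scan(lines):
    """Return (sender_domain, imitated_trusted_domain) for every look-alike sender."""
    findings = []
    for line in lines:
        m = SENDER_RE.search(line)
        if not m:
            continue
        verdict, matched = classify(m.group(1))
        if verdict == "lookalike":
            findings.append((m.group(1), matched))
    return findings


if __name__ == "__main__":
    for domain, target in scan(LOG_LINES):
        print(f"LOOKALIKE {domain} imitates {target}")
```

Exact matches and sub-domains of trusted names pass as trusted, and only senders close to a trusted name are flagged; unrelated domains are reported as unknown rather than as look-alikes, which keeps the alert volume focused on brand impersonation.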
Once the bad actors gain initial access, they can steal login information, bypass security codes and access sensitive data including bank accounts and personal information.
Protection strategies: How to keep your business safe
“Cybersecurity today means protecting what we cannot see, in places we cannot reach,” Tucker said. “The best defense against attacks is preventing them.”
Organizations and individuals can take several steps to protect against Scattered Spider and similar threats.
For businesses:
- Implement non-SMS multi-factor authentication (MFA). Use app-based or hardware token multi-factor authentication when available, as SMS can be compromised through SIM swapping.
- Employee training. Regularly train employees, including help desk staff, to recognize social engineering tactics. “In today's rapidly changing landscape, businesses must ensure their employees are well trained and vigilant against cyberattacks, especially phishing attacks,” Tucker said.
- System updates. It’s critical to keep all infrastructure and computing systems up to date with security patches.
- Expanded verification methods. Always verify through separate communication channels when prompted to perform large financial transactions or sensitive operations. “It’s imperative that employees take a moment to verify emails before interacting with them and that they report suspicious activity. A single click can have far-reaching consequences,” Tucker said.
- Incident response planning. Ensure you have tested incident response and business continuity plans ready for ransomware attacks.
- Supply chain security. Evaluate and secure your supply chain, as threat actors often gain access through compromised third-party software.
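The MFA and verification items above, together with the help desk resets described in the MGM and Caesars incident, suggest a small policy that help desk tooling can enforce before any credential reset. The following is an added example, not code from the article or from BOK Financial: it refuses to complete a reset on an inbound call, requires a callback to the phone number already in the directory (never one the caller supplies), demands two accepted identity proofs, and refuses to enroll an SMS or voice factor during a reset. The directory entries, proof types and phone numbers are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed directory records. The phone on record is the ONLY number the help
# desk may call back; a number offered by the caller is never used for this.
@dataclass(frozen=True)
class Employee:
    username: str
    phone_on_record: str
    manager: str


@dataclass(frozen=True)
class ResetRequest:
    username: str
    channel: str                                # "inbound_call", "chat" or "callback"
    caller_supplied_phone: Optional[str] = None # whatever number the caller offered
    identity_proofs: frozenset = frozenset()    # e.g. {"video_id", "manager_approval"}
    requested_mfa_factor: Optional[str] = None  # factor the caller asks to enroll


DIRECTORY = {
    "jsmith": Employee("jsmith", "+1-555-0100", "mlee"),
}

# Proofs the help desk may count; "known_device_push" means an approval on an
# already-enrolled authenticator app, which an attacker without the device lacks.
ACCEPTED_PROOFS = {"video_id", "manager_approval", "known_device_push"}
REQUIRED_PROOFS = 2
# SIM-swappable factors: never enrolled as part of a reset.
PHISHABLE_FACTORS = {"sms", "voice"}


def evaluate(req: ResetRequest, directory=DIRECTORY):
    """Return (decision, reason); decision is "approve", "callback_required" or "deny"."""
    emp = directory.get(req.username)
    if emp is None:
        return "deny", "unknown account"
    if req.requested_mfa_factor in PHISHABLE_FACTORS:
        return "deny", f"refusing to enroll {req.requested_mfa_factor}; app or hardware factors only"
    if req.channel != "callback":
        # Out-of-band step: end the session and call the directory number.
        offered = req.caller_supplied_phone or "the inbound line"
        return "callback_required", f"call {emp.phone_on_record} from the directory, not {offered}"
    proofs = req.identity_proofs & ACCEPTED_PROOFS
    if len(proofs) < REQUIRED_PROOFS:
        return "deny", f"{len(proofs)} of {REQUIRED_PROOFS} identity proofs"
    return "approve", "verified over callback with " + ", ".join(sorted(proofs))


if __name__ == "__main__":
    first_contact = ResetRequest("jsmith", "inbound_call", caller_supplied_phone="+1-555-0199")
    print(evaluate(first_contact))
    after_callback = ResetRequest("jsmith", "callback",
                                  identity_proofs=frozenset({"video_id", "manager_approval"}))
    print(evaluate(after_callback))
```

The ordering matters: the factor check runs before the channel check, so a caller who opens by asking to "switch MFA to text messages" is refused outright rather than being called back, and proofs presented on the inbound call are not counted at all, because the caller's identity is only established once the desk has reached the number on record.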
For individuals:
- Never share credentials. Don't share passwords or verification codes, even if someone sounds official.
- Use strong, unique passwords. Implement different, complex passwords for critical accounts like banking and email.
- Enable MFA. Additionally, be cautious of fake prompts and use app-based authentication when possible.
- Verify independently. Call your bank or service provider directly using official numbers if something feels suspicious.
- Manage account settings. Set account lockout policies after a limited number of failed login attempts.
“The growth of this group–and others–serves as a stark reminder that today’s cybercrime has become a professional enterprise,” Tucker said. “Being prepared, having a cybersecurity playbook and robust programs, and investing in educating employees about the importance of cybersecurity safety will go far in protecting your business and clients.”