Scattered Spider: What NZ Small Businesses Need to Know

Introduction

Scattered Spider is a cybercrime group that has made headlines for high-profile attacks on companies across the US, UK, and Australia. While they tend to go after big names, their methods mean that small and medium businesses (SMEs) in New Zealand should take them seriously. This article explains who they are, how they operate, and what Kiwi businesses can do to protect themselves from cyber threats.

Who Are Scattered Spider?

Scattered Spider is a relatively young hacking group that emerged around 2022. Most of its members are believed to be native English-speaking teenagers and young adults from the US and UK. Unlike many cybercriminal gangs aroudn the world, this group’s use of fluent English helps them blend in and sound credible when they impersonate company staff.

They are known by other names in the cybersecurity world, such as UNC3944 and Octo Tempest, and have links to ransomware groups like ALPHV/BlackCat. Their skill lies in social engineering, convincing employees to hand over login details or approve security requests. They often pose as IT support and contact staff by phone, email, or SMS.

How They Attack

Scattered Spider doesn’t rely solely on malware or software vulnerabilities. Instead, they exploit people. Their most common tactics include:

• Impersonating IT staff: They call help desks pretending to be employees needing a password reset

• MFA bombing: Sending repeated multi-factor authentication (MFA) requests until a user clicks approve out of frustration

• Bypassing cybersecurity tools: Once in, they often disable security monitoring and logs to cover their tracks

• Supply chain attacks: They hack small third-party providers to reach larger organisations

They also steal sensitive data and sometimes partner with ransomware gangs to encrypt systems and demand payment. This "double extortion" approach increases pressure on victims.

Who They Target

Scattered Spider has attacked more than 100 organisations, including:

• Caesars Entertainment and MGM Resorts in the US

• Marks & Spencer and Co-op in the UK

• Qantas, Hawaiian Airlines, and WestJet in the aviation sector

• Cloud platform Snowflake and its customers

Their focus is often on large firms, but they frequently use small vendors, IT contractors, or service providers as entry points. In one case, they impersonated a CFO on a call to a help desk to gain access to sensitive systems.

Smaller Businesses Also Affected

Although most headlines focus on large corporations, there is growing evidence that Scattered Spider has affected small to mid-sized businesses:

• Insurance service providers and grocery suppliers in the US and UK were disrupted during broader cyberattacks targeting enterprise firms. These smaller partners were used as access points into larger targets.

• In June 2025, the hacking group also hit Aflac, Erie, and Philadelphia Insurance. While these are major firms, reports note that stolen data included personal and policyholder information, and some attacks involved backend contractors and third-party platforms.

These examples highlight that organisations don’t need to be household names to be exploited. Even smaller companies with useful credentials or connections to enterprise clients can be targeted in cyber attacks.

Why NZ Businesses Should Care

There are no confirmed reports of Scattered Spider directly targeting a New Zealand business yet, but that doesn't mean the risk is low. Here’s why local SMEs should be proactive:

• Collateral damage: Your customer data could be caught in a cyber incident involving a vendor or business partner

• Weak links: You might be targeted as a way to reach larger organisations you work with

• Easier targets: Smaller businesses often have fewer resources for cybersecurity, making them more vulnerable to phishing, impersonation, and business email compromise (BEC)

In the Qantas breach, millions of customer records were exposed, including names, contact details, and travel history. It’s likely some of those affected were New Zealanders.

How to Protect Your Business from Cybercrime

The good news is that many of Scattered Spider's tactics can be countered with smart, affordable steps. These cybersecurity best practices can help defend your business:

1. Strong verification processes:

• Train staff to follow multi-step verification before resetting passwords or granting access

• Don’t act on urgent-sounding requests without independent confirmation

2. Smarter multi-factor authentication (MFA):

• Use number-matching MFA apps or physical security keys instead of push-only approvals

• Educate employees to never approve unexpected MFA requests

3. Vendor access control:

• Review and limit access for third-party vendors

• Ensure your suppliers follow security best practices, including MFA, patching, and secure login

4. Be incident-ready:

• Have a basic incident response plan in place

• Monitor for unusual account activity, especially admin logins and file access

• Run regular cybersecurity awareness training and simulation exercises

Final Thoughts

Scattered Spider represents a modern cyber threat that relies on deception, not just technical exploits. Their social engineering attacks can bypass even strong digital defences if your people aren’t trained to spot them. While large companies are often the main targets, small businesses can easily be affected, either directly or as part of a supply chain.

By following sound cybersecurity practices and fostering a security-aware culture, your business can reduce its risk. Cybersecurity is no longer optional for SMEs, it’s an essential part of protecting your operations, your customers, and your reputation.

If you're a New Zealand business looking to improve your cyber resilience, talk to your cyber security partner, or contact us to request a security assessment to identify your weak spots, Cybersecurity & Penetration Testing NZ | Cyberoptic Security