Scattered Spider: What NZ Small Businesses Need to Know
- Joseph Rapley
- Jul 2, 2025
Updated: May 28
Scattered Spider is a cybercrime group that has made headlines for high-profile attacks on companies across the US, UK, and Australia. While they tend to go after big names, their methods mean that small and medium businesses (SMEs) in New Zealand should take them seriously. This article explains who they are, how they operate, and what Kiwi businesses can do to protect themselves from cyber threats.

Who Are Scattered Spider?
Scattered Spider is a relatively young hacking group that emerged around 2022. Most of its members are believed to be native English-speaking teenagers and young adults from the US and UK. Unlike many cybercriminal gangs around the world, this group’s use of fluent English helps them blend in and sound credible when they impersonate company staff.
They are known by other names in the cybersecurity world, such as UNC3944 and Octo Tempest, and have links to ransomware groups like ALPHV/BlackCat. Their skill lies in social engineering, convincing employees to hand over login details or approve security requests. They often pose as IT support and contact staff by phone, email, or SMS.
How They Attack
Scattered Spider doesn’t rely solely on malware or software vulnerabilities. Instead, they exploit people. Their most common tactics include:
- Impersonating IT staff: They call help desks pretending to be employees needing a password reset
- MFA bombing: Sending repeated multi-factor authentication (MFA) requests until a user clicks approve out of frustration
- Bypassing cybersecurity tools: Once in, they often disable security monitoring and logs to cover their tracks
- Supply chain attacks: They hack small third-party providers to reach larger organisations
They also steal sensitive data and sometimes partner with ransomware gangs to encrypt systems and demand payment. This "double extortion" approach increases pressure on victims.
Who They Target
Scattered Spider has attacked more than 100 organisations, including:
- Caesars Entertainment and MGM Resorts in the US
- Marks & Spencer and Co-op in the UK
- Qantas, Hawaiian Airlines, and WestJet in the aviation sector
- Cloud platform Snowflake and its customers
Their focus is often on large firms, but they frequently use small vendors, IT contractors, or service providers as entry points. In one case, they impersonated a CFO on a call to a help desk to gain access to sensitive systems.
Smaller Businesses Also Affected
Although most headlines focus on large corporations, there is growing evidence that Scattered Spider has affected small to mid-sized businesses:
- Insurance service providers and grocery suppliers in the US and UK were disrupted during broader cyberattacks targeting enterprise firms. These smaller partners were used as access points into larger targets.
- In June 2025, the hacking group also hit Aflac, Erie, and Philadelphia Insurance. While these are major firms, reports note that stolen data included personal and policyholder information, and some attacks involved backend contractors and third-party platforms.
These examples highlight that organisations don’t need to be household names to be exploited. Even smaller companies with useful credentials or connections to enterprise clients can be targeted in cyber attacks.
Why NZ Businesses Should Care
There are no confirmed reports of Scattered Spider directly targeting a New Zealand business yet, but that doesn't mean the risk is low. Here’s why local SMEs should be proactive:
- Collateral damage: Your customer data could be caught in a cyber incident involving a vendor or business partner
- Weak links: You might be targeted as a way to reach larger organisations you work with
- Easier targets: Smaller businesses often have fewer resources for cybersecurity, making them more vulnerable to phishing, impersonation, and business email compromise (BEC)
In the Qantas breach, millions of customer records were exposed, including names, contact details, and travel history. It’s likely some of those affected were New Zealanders.
How to Protect Your Business from Cybercrime
The good news is that many of Scattered Spider's tactics can be countered with smart, affordable steps. These cybersecurity best practices can help defend your business:
1. Strong verification processes:
   - Train staff to follow multi-step verification before resetting passwords or granting access
   - Don’t act on urgent-sounding requests without independent confirmation
2. Smarter multi-factor authentication (MFA):
   - Use number-matching MFA apps or physical security keys instead of push-only approvals
   - Educate employees to never approve unexpected MFA requests
3. Vendor access control:
   - Review and limit access for third-party vendors
   - Ensure your suppliers follow security best practices, including MFA, patching, and secure login
4. Be incident-ready:
   - Have a basic incident response plan in place
   - Monitor for unusual account activity, especially admin logins and file access
   - Run regular cybersecurity awareness training and simulation exercises
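One way to monitor for the MFA bombing pattern described earlier, as an added example that is not part of the original article: flag any user who receives a burst of unapproved push requests in a short window, and escalate if an approval follows the burst. The event fields, result names, window and threshold are assumptions rather than any identity provider's log format, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real logs): (time, user, push result).
SAMPLE_EVENTS = [
    ("2025-07-02T09:00:10", "alice", "denied"),
    ("2025-07-02T09:00:50", "alice", "timeout"),
    ("2025-07-02T09:01:30", "alice", "denied"),
    ("2025-07-02T09:02:15", "alice", "timeout"),
    ("2025-07-02T09:03:00", "alice", "denied"),
    ("2025-07-02T09:03:40", "alice", "denied"),
    ("2025-07-02T09:04:20", "alice", "approved"),   # gives in after the burst
    ("2025-07-02T10:00:00", "bob", "timeout"),      # one missed prompt: normal
    ("2025-07-02T10:00:30", "bob", "approved"),
    ("2025-07-02T11:00:00", "carol", "denied"),     # spread out: below threshold
    ("2025-07-02T11:30:00", "carol", "denied"),
    ("2025-07-02T12:00:00", "carol", "denied"),
]

WINDOW = timedelta(minutes=10)   # assumed tuning value
THRESHOLD = 5                    # assumed tuning value


def detect_mfa_bombing(events, window=WINDOW, threshold=THRESHOLD):
    """Return (user, alert, time) tuples for bursts of unapproved MFA pushes."""
    recent = defaultdict(deque)   # user -> times of unapproved pushes in window
    open_burst = set()            # users already alerted for the current burst
    alerts = []
    for ts_text, user, result in sorted(events):
        ts = datetime.fromisoformat(ts_text)
        pushes = recent[user]
        while pushes and ts - pushes[0] > window:   # drop pushes outside window
            pushes.popleft()
        if len(pushes) < threshold:
            open_burst.discard(user)
        if result in ("denied", "timeout"):
            pushes.append(ts)
            if len(pushes) >= threshold and user not in open_burst:
                open_burst.add(user)
                alerts.append((user, "push_burst", ts_text))
        elif result == "approved":
            if len(pushes) >= threshold:
                # Approval straight after a burst: treat as likely compromise.
                alerts.append((user, "approved_after_burst", ts_text))
            pushes.clear()
            open_burst.discard(user)
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_bombing(SAMPLE_EVENTS):
        print(alert)
```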
What to Actually Do
Scattered Spider's attacks rely on people making decisions under pressure: approving an unexpected MFA request, trusting a caller who sounds like IT support, not questioning an unusual password reset request. The technical entry point varies, but the human element is consistent across their documented attacks.
The controls that interrupt this pattern are the same ones that address most identity-based attacks: phishing-resistant MFA on critical accounts, clear procedures for verifying anyone requesting access or a password reset, and staff who know what a suspicious request looks like and what to do when they get one.
For NZ businesses that work with larger enterprises or government agencies as vendors or contractors, it is also worth being aware that you may be targeted not for your own data, but as a route into a client's environment. Reviewing what access your accounts have to client systems, and making sure those connections are properly secured, is a reasonable precaution.




