Homegrown hackers

By Luke Fardell, Lead Cyber Analyst

Thursday, February 12, 2026

Last year, the National Crime Agency arrested four suspects in connection with cyber-attacks on Marks & Spencer, Co-op, and Harrods. What made these arrests noteworthy wasn’t just the high-profile nature of the victims, but the fact that the suspects are UK nationals. This highlighted a shift in the cyber risk landscape which organisations cannot afford to ignore.

For years, companies have grown used to spotting dodgy phishing emails. The language was broken, the regional nuance was missing, or there were obvious signs that an email purporting to come from a colleague in the same office had in fact been sent from overseas. Scams were relatively easy to spot, and defences rested on the assumption that serious cyber criminals operate from jurisdictions beyond the reach of UK law enforcement. But a new generation of hackers is changing the game.

Changing the game

Scattered Spider, the hacking group behind many of the attacks against UK retail in 2025, represents an evolution in how cyber criminals have typically operated. What makes them particularly dangerous isn't new technology or complex malware. It's their mastery of social engineering, conducted by native English speakers who understand how companies work, how job roles interact, and how to pressure employees into making mistakes.

Social engineering itself isn't new. It's been around for decades, tricking people into giving away passwords or transferring money. What's different now is the scale and sophistication of how it's being used to break into company networks.

These aren't criminals using basic language or making obvious mistakes that immediately raise suspicions. They're articulate, well-researched operators who sound indistinguishable from colleagues. They know that the CFO is important, that regional managers hold sway in retail organisations, and that new employees are particularly vulnerable to pressure from apparent authority figures because they don't yet understand company hierarchies.

The group has shown a clear pattern of moving through different industries systematically. After hitting retail hard, they shifted targets, learning the specific structures and jargon of each sector before launching their attacks. This industry-by-industry approach lets them refine their tactics and develop deep familiarity with how each type of organisation works.

One of the most significant evolutions in their approach is targeting Managed Service Providers (MSPs), the outside IT companies that handle help desk support for multiple businesses simultaneously. This is a force multiplier that traditional social engineering never achieved.

The weakness lies in how these providers manage access. An MSP might have just two accounts that can reset passwords for all their client companies. These accounts are shared among eight or ten technicians working in shifts. Because they're shared, they often don't have multi-factor authentication enabled, creating a perfect entry point.
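The shared, MFA-less reset account described above leaves a recognisable trace in audit logs: one identity performing password resets from several workstations in a short window, with no MFA claim on the events. The script below is an added example (not code from the article or from any MSP tooling) that scans a constructed set of reset events in a made-up JSON-lines format and reports accounts matching that pattern; the field names, the one-hour window and the sample data are all assumptions.

```python
"""Flag help-desk accounts that look shared and reset passwords without MFA.

Added example, not part of the original article. Input is a constructed
JSON-lines audit feed; the field names (ts, actor, action, target, src_ip,
mfa) are assumptions, not any real product's schema.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data). svc-helpdesk-1 resets client
# passwords from three different source IPs within half an hour and never
# presents MFA: the signature of a shared, unprotected reset account.
SAMPLE_EVENTS = """\
{"ts":"2026-02-10T08:02:11Z","actor":"svc-helpdesk-1","action":"password_reset","target":"cfo@clientA","src_ip":"10.1.1.21","mfa":false}
{"ts":"2026-02-10T08:15:40Z","actor":"svc-helpdesk-1","action":"password_reset","target":"ops@clientB","src_ip":"10.1.1.35","mfa":false}
{"ts":"2026-02-10T08:31:02Z","actor":"svc-helpdesk-1","action":"password_reset","target":"hr@clientC","src_ip":"10.1.1.42","mfa":false}
{"ts":"2026-02-10T09:10:55Z","actor":"j.smith","action":"password_reset","target":"sales@clientA","src_ip":"10.1.1.50","mfa":true}
{"ts":"2026-02-10T09:12:03Z","actor":"j.smith","action":"password_reset","target":"sales2@clientA","src_ip":"10.1.1.50","mfa":true}
{"ts":"2026-02-10T23:58:00Z","actor":"svc-helpdesk-2","action":"password_reset","target":"it@clientD","src_ip":"10.1.1.60","mfa":true}
{"ts":"2026-02-11T00:05:00Z","actor":"svc-helpdesk-2","action":"password_reset","target":"it2@clientD","src_ip":"10.1.1.61","mfa":true}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a timezone-aware datetime in 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    return events


def find_risky_accounts(events, window=timedelta(hours=1), min_sources=2):
    """Return {actor: finding} for actors that performed password resets.

    An actor is 'shared' if, inside any window of length `window`, its
    resets came from at least `min_sources` distinct source IPs. The
    finding also counts resets performed without MFA. Accounts that are
    neither shared nor MFA-less are omitted.
    """
    by_actor = defaultdict(list)
    for e in events:
        if e["action"] == "password_reset":
            by_actor[e["actor"]].append(e)

    findings = {}
    for actor, evs in by_actor.items():
        evs.sort(key=lambda e: e["ts"])
        shared = False
        for i, start in enumerate(evs):
            # Source IPs seen from this event until `window` has elapsed.
            ips = {x["src_ip"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            if len(ips) >= min_sources:
                shared = True
                break
        no_mfa = sum(1 for e in evs if not e["mfa"])
        if shared or no_mfa:
            findings[actor] = {
                "shared": shared,
                "resets_without_mfa": no_mfa,
                "total_resets": len(evs),
                # Both conditions together are the case the article describes.
                "severity": "high" if (shared and no_mfa) else "medium",
            }
    return findings


if __name__ == "__main__":
    for actor, f in find_risky_accounts(parse_events(SAMPLE_EVENTS)).items():
        print(actor, f)
```

Run against a real identity-provider export, the same logic needs only the field mapping changed; the useful output is the "high" findings, which are the reset-capable accounts to move to named, MFA-enforced identities first.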

The hackers understand this setup. They'll phone the MSP pretending to be a senior executive: "I'm the CFO, I'm about to go into a meeting, I'm locked out, you need to reset my password right now." Then comes the pressure: "I control your contract. If you don't sort this immediately, I'm terminating it."

When the caller sounds British at a British company (or American at an American one), knows the internal terminology, and can reference recent conversations with HR or other departments, the help desk person has little reason to doubt them. And once the hackers get in, they continue the same tactics internally, working their way up to more important accounts.

What makes this evolution so concerning is that it's changing the nature of the threat. We've moved from a world where cyber-attacks were distinguishable because the attackers sounded and acted differently from their targets, or did not know what an insider would know, to one where they're indistinguishable from legitimate internal communications.

The traditional markers that helped employees identify potential threats have disappeared. Poor grammar, unfamiliarity with company structure, incorrect terminology: all gone. When a hacker can reference recent HR conversations, knows the correct hierarchy, and speaks with a local accent, the human firewall that organisations rely on becomes significantly less effective.

Moreover, anyone can copy this operational model. As long as threat actors can pass the human check (sounding local, understanding the culture, knowing the right terms), we face a growing problem that transcends technological solutions. For risk managers in 2026, this represents perhaps the most significant shift in the threat landscape in recent years.

Improving defences

The defences against this threat aren't primarily technological. They're procedural. Organisations need clear processes for password resets and security checks, and crucially, those processes cannot be broken for anyone, regardless of who they claim to be or how much pressure they apply.

Identity verification must be based on information that's personal and not stored on company systems. Some organisations now use secret words or phrases that are written down and kept offline. If you can't provide it, you come into the office and present yourself physically at the IT desk. It doesn't matter how much pressure someone applies on the phone. The process doesn't change.
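The reset process described in the two paragraphs above can be made mechanical so that no operator has to decide under pressure. The code below is an added example, not the article's procedure or any vendor's product: it models a reset request and a decision function in which the caller's claimed role and stated urgency are carried in the request but deliberately never consulted. Verification is either the offline secret phrase (the help desk holds only a salted hash, so the phrase itself stays off company systems) or in-person confirmation at the IT desk; repeated wrong phrases lock the account to in-person only. Names, field layout and the attempt limit are assumptions.

```python
"""Password-reset decision that cannot be talked around.

Added example, not the article's own procedure. The data model, the
MAX_FAILED limit and the PBKDF2 parameters are assumptions.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

MAX_FAILED = 3  # after this many wrong phrases, in-person only


@dataclass
class VerificationRecord:
    salt: bytes
    phrase_hash: bytes
    failed_attempts: int = 0


@dataclass
class ResetRequest:
    account: str
    claimed_role: str               # e.g. "CFO": recorded, never used to decide
    urgency: str                    # e.g. "contract at risk": recorded, never used
    spoken_phrase: Optional[str]    # offline secret phrase offered on the call
    in_person_verified: bool = False  # operator confirmed ID at the IT desk


def hash_phrase(phrase: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the stored value cannot be read back as the phrase."""
    return hashlib.pbkdf2_hmac("sha256", phrase.encode("utf-8"), salt, 200_000)


def enrol(phrase: str, salt: Optional[bytes] = None) -> VerificationRecord:
    """Create the record kept by the help desk; the phrase itself is written
    down offline by the employee and not stored here."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    return VerificationRecord(salt=salt, phrase_hash=hash_phrase(phrase, salt))


def decide(req: ResetRequest, records: Dict[str, VerificationRecord]) -> str:
    """Return 'ALLOW: ...' or 'DENY: ...'. Claimed role and urgency are
    intentionally absent from every branch: the process does not change
    for anyone, however much pressure is applied."""
    rec = records.get(req.account)
    if rec is None:
        return "DENY: no verification record; in-person only"
    if req.in_person_verified:
        return "ALLOW: verified in person"
    if rec.failed_attempts >= MAX_FAILED:
        return "DENY: locked after repeated failures; in-person only"
    if req.spoken_phrase is None:
        return "DENY: no phrase provided; in-person only"
    candidate = hash_phrase(req.spoken_phrase, rec.salt)
    if hmac.compare_digest(candidate, rec.phrase_hash):  # constant-time compare
        rec.failed_attempts = 0
        return "ALLOW: phrase verified"
    rec.failed_attempts += 1
    return "DENY: phrase mismatch; in-person only"


if __name__ == "__main__":
    # Constructed demo data, not real credentials.
    records = {"a.jones": enrol("paper kettle sunrise")}
    pressure = ResetRequest("a.jones", "CFO", "I control your contract",
                            spoken_phrase="guess", in_person_verified=False)
    print(decide(pressure, records))
    genuine = ResetRequest("a.jones", "analyst", "none",
                           spoken_phrase="paper kettle sunrise")
    print(decide(genuine, records))
```

The point of the structure is that every DENY branch ends the same way, with the in-person route, so the operator's script never contains a step that an articulate caller can argue past.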

The emergence of homegrown hacking groups represents a defining theme for risk management in 2026. The question is no longer if organisations will be targeted, but when, and whether they'll have the processes and protections in place to withstand the pressure when that call comes in.