What to look out for today
Two themes to brief staff on today:
- Helpdesk / IT support impersonation leading to account takeover (a common pattern associated with groups like Scattered Spider). Expect realistic calls, texts and emails aimed at resetting passwords, adding MFA devices, or gaining access to Microsoft 365/Google accounts.
- Breach “ripple effect” scams following widely reported incidents (e.g., customer notifications after a Medtronic data exposure). Attackers often use these headlines to make phishing emails feel timely and believable.
Why this matters to smaller businesses
SMEs are often targeted because:
- Support processes are informal (quick password resets, shared inboxes, approval-by-chat), which makes social engineering easier.
- One compromised mailbox can quickly turn into invoice fraud (intercepting/altering payment details) or a wider compromise via password reuse.
- High-trust supplier relationships (IT providers, payroll, finance platforms, couriers, medical/insurance providers) can be abused for believable impersonation.
Warning signs
- “IT support” asks you to read out MFA codes, approve an unexpected sign-in prompt, or install a “remote support” tool urgently.
- Unexpected messages referencing a recently reported breach asking you to “confirm details”, “download a secure document”, or “verify your account”.
- Payment detail changes sent via email (even from a familiar contact) with pressure to pay today.
- Unusual password reset emails, new device/MFA enrolment prompts, or sign-in alerts outside normal hours.
- Staff (or your IT provider) downloading and running “quick fixes” or scripts from public repositories without validation.
How attackers may exploit the situation
- Impersonate your IT provider or internal IT to trick a colleague into granting access (password reset, MFA reset, new authenticator added).
- Use breach news as a pretext: “You were affected, open this file to see what data was exposed.”
- Compromise an email account then monitor conversations to time a believable invoice change or “urgent payment” request.
- Target technical staff with trojanised “proof-of-concept” or “tooling” downloads that steal cookies/passwords and open the door to business systems.
What to do today
- Brief reception/admin/finance: no password resets or payment changes based on an email or inbound call alone.
- Set a call-back rule: if someone claims to be IT support/supplier, hang up and call back using a known number from your own records (not a number in the email).
- Lock down MFA resets: require a second approver (ideally a manager) for MFA device changes and mailbox access requests.
- Reconfirm bank detail changes via an out-of-band method (phone call to a known contact; not replying to the email thread).
- Remind staff: never share MFA codes, never approve unexpected prompts.
Ask your IT provider
- What controls do we have to detect and stop suspicious logins (impossible travel, new device, risky sign-ins)?
- Do we have a formal process for MFA resets and admin access requests (including for your own engineers)?
- Can you confirm our email security settings to reduce impersonation and lookalike domains, and what you monitor for?
- If a mailbox is compromised, what is our 1-hour response plan (reset sessions, revoke tokens, check forwarding rules, review finance threads)?
Patch watch - only one short paragraph, and only if relevant
Today’s main risk is people and process (impersonation, account takeovers, breach-themed phishing) rather than a single must-patch item. If your organisation uses specialised IoT hubs or connected devices, ask your IT provider how you track supplier security advisories and whether any deployed devices require urgent review.
One action today
Send a same-day internal note to finance and admins: ‘No payment detail changes and no MFA/password resets from inbound calls/emails—always verify via call-back to a known number.’
Related Actions On Cyber resource
CTA: Use the Actions On Cyber “Invoice & bank detail change verification checklist” with your finance team today.
Sources
- 19-Year-Old Scattered Spider Suspect Extradited to Face U.S. Hacking Charges (The Hacker News)
- Alleged Scattered Spider hacker extradited to the United States (BleepingComputer)
- Medtronic notifies customers impacted by ShinyHunters data breach (BleepingComputer)
- New ChocoPoC malware targets researchers via trojanized PoC exploits (BleepingComputer)
- New ChocoPoC RAT Targets Vulnerability Researchers via Fake PoC Exploit Repos (The Hacker News)
This brief is for general awareness and does not replace advice from your IT provider, legal adviser, insurer or incident response specialist.