Cybercriminals Imitate IT Help Desks in Targeted Attacks on UK Retailers: Elvedon IT Advises Vigilance
The National Cyber Security Centre (NCSC) has issued an alert following a recent surge in cyber attacks targeting major UK retailers, where attackers are impersonating IT help desks to infiltrate corporate networks.
In recent weeks, high-profile organisations including Marks & Spencer, Co-op, and Harrods have been targeted. A group claiming responsibility told the BBC more attacks are imminent.
At Elvedon IT, we're seeing a rise in this type of threat—known as social engineering—where attackers manipulate human trust to bypass technical safeguards. The NCSC's latest guidance underscores the need for businesses to review their internal password reset protocols, particularly those managed by IT support teams.
"Adopting robust verification procedures is critical. No help desk should reset credentials without thoroughly confirming the identity of the requestor—especially when dealing with privileged accounts," said a spokesperson from Elvedon IT.
Social engineering tactics commonly involve attackers posing as employees locked out of their accounts—or, conversely, contacting staff members and pretending to be IT personnel. These deceptive strategies are remarkably effective and are believed to be behind the recent breaches.
Layered Defenses Are Essential
Experts now recommend that companies implement multi-layer authentication, including internal code words or phrases that help desk staff and employees can use to validate legitimate requests. Simple safeguards like this can add a significant layer of protection against impersonation.
"We've advised clients to implement passphrases, internal challenge-response systems, and behavioral monitoring to catch anomalies in login patterns," said Elvedon IT's Head of Cybersecurity.
Who's Behind the Attacks?
While the group behind these attacks has called themselves "DragonForce," their tactics bear a resemblance to those used by a loosely connected cybercrime network known as Scattered Spider—a collective of English-speaking attackers known for targeting large corporations using social engineering and data extortion tactics.
These groups often collaborate and plan via encrypted messaging platforms like Discord and Telegram. Law enforcement, including the FBI and UK cybercrime units, has made several arrests in connection with such operations, including individuals as young as 17.
Monitoring Risky Logins
In line with NCSC recommendations, Elvedon IT strongly encourages clients to monitor for risky logins—such as account access from unusual geographic locations or at odd hours. These digital breadcrumbs are often early signs of compromise.
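One way to flag the risky logins described above, shown as an added example rather than Elvedon IT's or the NCSC's own tooling. The event layout, the function names and the two-hour tolerance are assumptions, and the sign-in records are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample sign-in history: (user, ISO-8601 timestamp, country code).
HISTORY = [
    ("alice", "2025-04-28T08:12:00+00:00", "GB"),
    ("alice", "2025-04-29T09:40:00+00:00", "GB"),
    ("alice", "2025-04-30T17:05:00+00:00", "GB"),
    ("bob",   "2025-04-28T13:00:00+00:00", "GB"),
    ("bob",   "2025-04-29T22:30:00+00:00", "IE"),
]

def utc_hour(ts):
    """Normalise a timestamp to UTC so offsets do not skew the hour comparison."""
    return datetime.fromisoformat(ts).astimezone(timezone.utc).hour

def build_baseline(events):
    """Per user, record the countries and UTC hours seen in past sign-ins."""
    baseline = defaultdict(lambda: {"countries": set(), "hours": set()})
    for user, ts, country in events:
        baseline[user]["countries"].add(country)
        baseline[user]["hours"].add(utc_hour(ts))
    return baseline

def hour_distance(a, b):
    """Distance on a 24-hour clock, so 23:00 and 00:00 are one hour apart."""
    d = abs(a - b) % 24
    return min(d, 24 - d)

def risk_reasons(baseline, event, hour_slack=2):
    """Return the reasons a sign-in looks unusual; an empty list means none."""
    user, ts, country = event
    if user not in baseline:
        # A new or dormant account has nothing to compare against: review it.
        return ["no_baseline"]
    seen = baseline[user]
    reasons = []
    if country not in seen["countries"]:
        reasons.append("new_country")
    hour = utc_hour(ts)
    if min(hour_distance(hour, h) for h in seen["hours"]) > hour_slack:
        reasons.append("odd_hour")
    return reasons
```
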
Elvedon IT's Takeaway
The cyber threat landscape continues to evolve, and attackers are increasingly exploiting the human element. Training staff, enforcing strict verification protocols, and maintaining a layered defense strategy are no longer optional—they're essential.
If your organisation needs help auditing internal IT support procedures or strengthening its cyber resilience, Elvedon IT is here to assist.