The Gist
Social engineering hits hard again—and this time, a third-party breach is costing some of the UK’s most iconic retailers tens of millions. Cybercriminals have breached Marks & Spencer, Co-op, and Harrods in the past two weeks by posing as internal IT help desks to gain network access. The UK’s National Cyber Security Centre (NCSC) has issued a formal warning, and the culprits warned the BBC that more attacks are coming.
How They’re Doing It
This is a classic third-party breach in action. The attackers used textbook social engineering tactics across email, voice, and text to pose as IT support staff. Posing as a trusted third-party vendor, they tricked employees into handing over passwords and verification codes. In some cases, they flip the script: they call legitimate help desk employees and pose as locked-out staff. Once the attackers gain entry, they extract a significant amount of company data and vanish.
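The tactic above works because a help desk resets credentials on the strength of an inbound call alone. The control that breaks it is out-of-band verification: the agent calls back a number that was already on record, and high-value actions such as MFA resets need a second approver. The following is an added illustration of that gate, written for this page; it is not Trustmi's code and is not based on any M&S or contractor system. The employee records, phone numbers and requests are constructed samples, and the field names, cool-off window and rules are assumptions chosen for the example.

```python
"""Help-desk verification gate for credential-reset requests (added example).

Rule enforced: no password or MFA reset completes on the strength of the
inbound contact. The agent must call back the phone number that was on
record BEFORE the request, and risk signals require manager approval.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class Employee:
    user_id: str
    phone_on_record: str          # directory number used for every callback
    phone_last_changed: datetime  # when that number was last edited
    manager_id: str


@dataclass
class ResetRequest:
    user_id: str
    channel: str                   # "phone", "email", "sms" or "chat"
    claimed_callback_number: str   # number the caller asks to be reached on
    reset_type: str                # "password" or "mfa"
    claims_urgency: bool           # e.g. "I'm locked out during an outage"
    received_at: datetime


@dataclass
class Decision:
    allowed: bool
    require_callback_to: Optional[str]   # always the directory number
    require_manager_approval: bool
    reasons: List[str] = field(default_factory=list)


PHONE_CHANGE_COOLOFF = timedelta(days=14)  # assumed policy value


def evaluate_reset_request(req: ResetRequest, directory: Dict[str, Employee]) -> Decision:
    """Tell the agent whether to proceed, where the callback must go, and
    whether a manager must approve first. Never trusts caller-supplied data."""
    emp = directory.get(req.user_id)
    if emp is None:
        return Decision(False, None, False, ["unknown user_id; do not reset"])

    reasons: List[str] = []
    need_manager = False

    # A caller asking to be reached on a different number is a classic
    # impersonation signal; the callback still goes to the directory number.
    if req.claimed_callback_number != emp.phone_on_record:
        reasons.append("caller-supplied callback number differs from directory")
        need_manager = True

    # A number changed recently may have been changed by the attacker in an
    # earlier step, so it cannot anchor the callback on its own.
    if req.received_at - emp.phone_last_changed < PHONE_CHANGE_COOLOFF:
        reasons.append("phone on record changed within cool-off window")
        need_manager = True

    # An MFA reset removes the second factor entirely: always two people.
    if req.reset_type == "mfa":
        reasons.append("MFA reset always needs manager approval")
        need_manager = True

    # Urgency is a pressure lever, not a reason to skip steps; record it.
    if req.claims_urgency:
        reasons.append("urgency claimed; do not shorten verification")

    # Text channels carry no voice; they complete only via the callback.
    if req.channel in ("email", "sms", "chat"):
        reasons.append(f"{req.channel} request; verify by voice callback only")

    return Decision(True, emp.phone_on_record, need_manager, reasons)


# Constructed sample data (fictional people; UK drama-reserved number ranges).
NOW = datetime(2025, 5, 1, 9, 0)
SAMPLE_DIRECTORY = {
    "u1": Employee("u1", "+44 20 7946 0000", datetime(2025, 1, 1), "m1"),
    "u2": Employee("u2", "+44 20 7946 0001", NOW - timedelta(days=6), "m1"),
}
SAMPLE_REQUESTS = {
    "legit_password": ResetRequest("u1", "phone", "+44 20 7946 0000", "password", False, NOW),
    "impersonation": ResetRequest("u1", "phone", "+44 7700 900000", "mfa", True, NOW),
    "recent_phone_change": ResetRequest("u2", "email", "+44 20 7946 0001", "password", False, NOW),
    "unknown": ResetRequest("ghost", "phone", "+44 7700 900001", "password", True, NOW),
}


def run_samples() -> Dict[str, Decision]:
    """Evaluate every constructed request against the sample directory."""
    return {name: evaluate_reset_request(r, SAMPLE_DIRECTORY) for name, r in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, d in run_samples().items():
        print(f"{name}: allowed={d.allowed} callback={d.require_callback_to} "
              f"manager={d.require_manager_approval} reasons={d.reasons}")
```

The important design choice is that the callback target comes from the directory record, never from the caller, and that the cool-off check closes the two-step variant where an attacker first changes the number on record and then requests the reset.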
The Latest
Marks & Spencer is just the latest example of a trend accelerating across every industry: cybercriminals using sophisticated social engineering attacks and exploiting vulnerable third-party relationships.
And the cost is staggering. Deloitte’s Center for Financial Resources projected that socially engineered fraud could reach $40B in losses by 2027, a figure that feels increasingly realistic in light of this latest string of high-profile attacks on British retailers.
This attack didn’t just breach data—it crippled operations. With online services paused, systems disrupted, and recovery expected to stretch into July, M&S is facing tens of millions in lost revenue, not to mention reputational damage and shaken customer confidence.
These attacks are more disruptive, scalable, and accessible than ever. Powered by generative AI, they’re faster to launch, harder to spot, and built to exploit trust, urgency, and process gaps—especially in third-party relationships.
Trustmi’s Take
The M&S cyberattack is a stark reminder of what’s become the costliest threat in cybersecurity: social engineering. What makes these attacks so dangerous isn’t just how convincing they are. It’s how easily they bypass traditional defenses by targeting the people and processes companies rely on every day—like an IT help desk.
This incident also highlights a critical but often overlooked reality: third-party vendors can be high-risk entry points. In this case, attackers didn’t need to break into M&S directly. The result was a third-party breach, enabled by a trusted IT contractor with deep system access. That kind of indirect access is what makes these attacks so scalable, hard to detect, and financially devastating.
That’s why at Trustmi, our mission is simple: to end socially engineered fraud. To do that effectively, companies need to not only look at email as an entry point, but focus on the exploitation of siloed business systems and third-party relationships.
Want to learn more about third-party vendor risks? Check out our webinar, Trade Wars & Vendor Risks: 3 Actionable Insights to Avoid Fraud.
