
Scattered Spider: The Social Engineering Gang That Cost MGM $100M — and Why Your Help Desk Is Next

Phish Defense Team · 1 April 2026 · 7 min read
Tags: Social Engineering, Vishing, Help Desk Security, Ransomware, Threat Actors

In September 2023, one of the most audacious cyberattacks in history unfolded — and the weapon wasn't a zero-day exploit or sophisticated malware. It was a 10-minute phone call to an IT help desk.

The group behind it: Scattered Spider, a loosely organized collective of mostly English-speaking young adults who have become one of the most dangerous social engineering threat groups on the planet. Their victims include MGM Resorts International (estimated $100 million in losses), Caesars Entertainment (reportedly paid a $15 million ransom), and dozens of other Fortune 500 companies across telecom, finance, and hospitality.

If your organization has a help desk — and every organization does — you are a potential target.

Who Is Scattered Spider?

Scattered Spider (also tracked as UNC3944, Octo Tempest, and 0ktapus) is not your typical nation-state APT. Most members are believed to be teenagers and young adults based in the US and UK, operating in gaming and hacking forums. What they lack in technical sophistication, they more than compensate for with extraordinary social engineering skill.

Their methods include:

  • Vishing (voice phishing): Calling IT help desks and impersonating employees to get passwords reset or MFA removed
  • SIM swapping: Convincing mobile carriers to transfer a victim's phone number to an attacker-controlled SIM card
  • Phishing kits: Reverse-proxy phishing pages that steal both credentials and MFA tokens in real time (adversary-in-the-middle attacks)
  • Insider recruitment: In some cases, reportedly bribing or coercing current employees into providing access

Their fluency in English, familiarity with corporate culture, and patient research into targets make their impersonation attacks unnervingly convincing.

The MGM Breach: How a Single Phone Call Unlocked a $100M Disaster

Here's what allegedly happened at MGM Resorts, pieced together from public reporting and cybersecurity disclosures:

  1. Reconnaissance: Scattered Spider actors identified an MGM IT employee on LinkedIn — name, title, department.
  2. The call: They called MGM's IT help desk, impersonated that employee, and claimed they were locked out of their account.
  3. MFA reset: The help desk, following standard procedure, reset the account's multi-factor authentication.
  4. Lateral movement: With valid credentials and no MFA, attackers moved laterally through MGM's environment, eventually deploying ransomware via the BlackCat/ALPHV ransomware-as-a-service gang.
  5. The fallout: MGM's slot machines, hotel check-in systems, digital key cards, and reservation platforms went dark across dozens of properties. The disruption lasted over a week.

This wasn't a failure of technology. MGM had security tools. They had MFA. They had an IT team. What they didn't have was a help desk that was trained and empowered to resist social engineering pressure — and it cost them dearly.

Why Help Desks Are the Perfect Attack Surface

Think about what an IT help desk is trained to do: be helpful. They exist to solve problems fast, reduce friction for employees, and keep systems running. That culture of helpfulness, when untested against adversarial pressure, becomes a critical vulnerability.

Attackers exploit predictable help desk behaviors:

  • Urgency works: "I'm trying to get on a call with the CEO in 10 minutes and I'm locked out" is surprisingly effective
  • Authority works: Claiming to be a senior executive, legal team member, or external auditor puts agents on the back foot
  • Partial information passes verification: Attackers research targets on LinkedIn, company websites, and data breaches to pass basic identity verification questions
  • Agents fear the escalation: No one wants to be the IT person who blocked the CFO's login before a board call

The help desk is, functionally, a password reset-as-a-service vulnerability — unless you harden it deliberately.

How Scattered Spider Targets Your Specific Industry

While MGM and Caesars made the headlines, Scattered Spider's targeting list is broad. They have been linked to attacks on:

  • Telecommunications companies: To facilitate SIM swapping at scale
  • Financial services: Targeting brokerage accounts and wire transfer approvals
  • Healthcare: Targeting patient data and holding operational systems hostage
  • Technology firms: Stealing source code and customer data for extortion

No sector is immune. If your company has an IT help desk and employees who show up on LinkedIn, you are on someone's reconnaissance list.

The 5 Help Desk Security Controls That Could Have Stopped Scattered Spider

The good news: these attacks are highly preventable with the right combination of process controls and training. Here's what security-hardened organizations are doing:

1. Require In-Person or Video Identity Verification for Sensitive Requests

For any request involving password resets, MFA changes, or account unlocks, require the employee to either show up in person, verify via a pre-registered video call, or have their manager countersign the request digitally. A phone call alone should never be sufficient.

2. Use a Callback Procedure — But Not to the Number the Caller Provides

Callback verification sounds good until an attacker gives you their own number. Instead, call back using the number already on file in your HR or directory system. This simple step eliminates the most common bypass.

3. Implement a "No-Fly List" for High-Risk Request Combinations

C-suite executives, finance team members, and system administrators should be flagged for elevated verification requirements. Any MFA reset for these users should require manager approval and a secondary authentication factor — period.

4. Train Help Desk Staff to Recognize Social Engineering Tactics

This is where most organizations fail. Help desk agents receive technical training, but rarely receive dedicated social engineering resistance training. They need to practice saying no to a convincing, authoritative, or urgent caller — without flinching.

PhishDefense's vishing simulations let you test exactly this. We'll simulate a Scattered Spider-style call to your help desk and see how your team responds — before a real attacker does.

5. Log and Review All Help Desk Interactions

Record calls. Review them. Look for patterns. An attacker who calls twice with slightly different information should trigger an alert — but only if someone is watching the logs.
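One way to turn controls 2, 3 and 5 into an automated review of help desk tickets, as an added example that is not PhishDefense's own code: it runs over constructed ticket records and flags callbacks to a number not on file, MFA resets for no-fly-list accounts without manager approval, and repeat sensitive requests whose details changed. The ticket fields, the directory and the high-risk list are assumptions for illustration.

```python
"""Help desk ticket review for the patterns described above.
Added example, not PhishDefense code; all data below is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed directory: the number on file is the only one a callback may use.
DIRECTORY = {"jdoe": "+1-555-0100", "cfo.smith": "+1-555-0101", "sysadmin.lee": "+1-555-0102"}
# Constructed "no-fly list": accounts whose MFA reset needs manager approval.
HIGH_RISK = {"cfo.smith", "sysadmin.lee"}
SENSITIVE = {"mfa_reset", "password_reset", "account_unlock"}

# Constructed tickets: (timestamp, account, request, callback number,
#                       manager_approved, employee ID the caller gave)
TICKETS = [
    ("2026-04-01T09:02", "jdoe", "password_reset", "+1-555-0100", False, "E1001"),
    ("2026-04-01T09:40", "cfo.smith", "mfa_reset", "+1-555-0199", False, "E2002"),
    ("2026-04-01T10:05", "cfo.smith", "mfa_reset", "+1-555-0101", True, "E2002"),
    ("2026-04-01T13:15", "sysadmin.lee", "mfa_reset", "+1-555-0102", True, "E3003"),
    ("2026-04-01T13:50", "sysadmin.lee", "account_unlock", "+1-555-0102", True, "E3004"),
]


def review(tickets, window=timedelta(hours=24)):
    """Return (account, finding) pairs a human reviewer should look at."""
    findings = []
    history = defaultdict(list)  # account -> (time, employee ID, callback) seen so far
    for ts, account, request, callback, approved, emp_id in tickets:
        when = datetime.fromisoformat(ts)
        if request not in SENSITIVE:
            continue
        # Control 2: the callback must go to the directory number, not the caller's.
        if callback != DIRECTORY.get(account):
            findings.append((account, f"callback to {callback} not on file"))
        # Control 3: high-risk accounts need manager approval for an MFA reset.
        if request == "mfa_reset" and account in HIGH_RISK and not approved:
            findings.append((account, "mfa_reset without manager approval"))
        # Control 5: a repeat request inside the window with changed details.
        for prev_when, prev_emp, prev_callback in history[account]:
            if when - prev_when <= window and (prev_emp != emp_id or prev_callback != callback):
                findings.append((account, "repeat request with changed details"))
                break
        history[account].append((when, emp_id, callback))
    return findings


if __name__ == "__main__":
    for account, finding in review(TICKETS):
        print(f"{account}: {finding}")
```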

The Broader Lesson: Social Engineering Is Now the Primary Attack Vector

The cybersecurity industry has spent two decades building better firewalls, intrusion detection systems, and endpoint protection platforms. Scattered Spider's success is a reminder that attackers will always route around technical defenses by targeting the human layer.

In 2025, Verizon's Data Breach Investigations Report found that over 68% of breaches involved a human element — phishing, credential theft, or social engineering. The number has not gone down year-over-year. It has gone up.

No amount of investment in technology closes this gap if your people aren't trained, tested, and empowered to resist manipulation.

What to Do Right Now

If you walked away from the MGM story thinking "that couldn't happen to us," reconsider. Here's a short checklist to run this week:

  • Audit your help desk verification procedures — what can a caller get with just a name and employee ID?
  • Run a tabletop exercise simulating a Scattered Spider-style call to your help desk
  • Review who can approve MFA resets — the fewer people, the better, with proper oversight on each
  • Search LinkedIn for your own employees — see what an attacker can learn about your org in 15 minutes of free research
  • Check if your employees' credentials are on dark web breach lists — tools like HaveIBeenPwned can give a starting point

And critically: test your people before the attackers do.

Don't Let Your Help Desk Become the Open Door

Scattered Spider succeeded not because MGM was careless, but because MGM hadn't specifically anticipated and drilled for the exact attack vector that hit them. Social engineering attacks succeed because they exploit the gap between how people are trained to behave and how adversaries actually operate.

The gap is closable — with the right training, simulations, and procedures.

PhishDefense specializes in human-layer security: realistic phishing simulations, vishing attack drills, smishing tests, and security awareness training that prepares your employees for exactly these scenarios. We've helped hundreds of businesses build the muscle memory their people need to stop attackers in their tracks.

Ready to find out if your help desk would pass a Scattered Spider test?

Talk to our team today →
