Meet Scattered Spider: The social engineers behind major cyberattacks
Scattered Spider isn't your typical hacker group. They're not writing complex malware or exploiting obscure software bugs. Instead, they've perfected something much simpler and far more effective: they lie to people. Really, really well.
This isn't some teenager in a basement. Scattered Spider is a sophisticated criminal organization that's been behind some of the biggest corporate data breaches in recent years. We're talking hundreds of millions of dollars in damages across major companies.
Their specialty? Social engineering on steroids. They research companies like private investigators, then call employees pretending to be coworkers, IT staff, vendors, or anyone else they need to be. They're so good at it that even security-aware people get fooled.
Think of them as the Ocean's Eleven of cybercrime—except instead of robbing casinos, they're after your company's data, and instead of elaborate heists, they just pick up the phone.
Why everyone should care (Yes, that means you)
Here's the thing: Scattered Spider doesn't just target IT departments. They cast a wide web, and anyone in your organization could be their next victim.
- If you work in HR, they might call pretending to be an employee who needs access restored or personal information "updated."
- If you're in finance, they could pose as a vendor requesting payment details or asking about invoice procedures.
- If you're management, they might impersonate a subordinate with an urgent request that bypasses normal procedures.
- If you're literally anyone with a work phone, they could call pretending to be IT, asking you to "verify" your credentials or install "security software."
The scariest part? They're not shooting blind. These criminals spend weeks researching your company. They know your org chart, recent projects, internal terminology, even who's on vacation. When they call, they sound like they belong.
How they spin their web: The setup
Scattered Spider's homework phase is terrifying in its thoroughness. They'll:
- Scrape your company website and LinkedIn for employee names and roles
- Monitor social media for internal information and relationships
- Call your main number to learn phone directories and internal processes
- Research recent company news, projects, and even office locations
- Study your industry's common tools and terminology
By the time they make that first malicious call, they know more about your workplace than some of your actual coworkers do.
The many faces of their attacks
The fake IT emergency
"Hi, this is tech support. We're seeing suspicious login attempts on your account. Can you confirm your password so we can secure it?"
The helpful colleague
"Hey, it's Sarah from accounting. I'm working from home and can't access the expense system. Can you help me submit this urgent report for the CEO?"
The vendor verification
"This is Mike from your software vendor. We need to update our payment information in your system. Can you connect me with someone in finance?"
The new employee assist
"Hi, I'm the new marketing coordinator starting Monday. HR said you could help me get set up with my accounts before my first day?"
The executive bypass
"This is [CEO's name]'s assistant. She needs the Q3 financial data immediately for an investor call. She said you'd have access to pull this."
Red flags that should make your spider senses tingle
Urgency that feels manufactured
Real emergencies are rare. Artificial time pressure is a classic manipulation tactic. "I need this right now or someone's getting fired" should make you pause, not rush.
Requests that skip normal procedures
If someone asks you to bypass standard processes "just this once," that's suspicious. Legitimate requests follow legitimate channels.
Too much personal information
Scammers often over-share to build trust. "I'm calling from the Starbucks near the office because my laptop died and I spilled coffee on my phone" is probably a lie.
Emotional manipulation
They might sound stressed, frustrated, or even angry to pressure you into helping. Real coworkers understand when you need to verify things.
Information fishing
Questions that seem designed to gather intelligence: "What system do you use for that?" or "Who usually handles these requests?" could be reconnaissance.
Your defense playbook: How to not get caught
Slow down when someone tries to speed you up
The more urgent someone claims their request is, the more carefully you should verify it. Real emergencies can wait two minutes for proper confirmation.
Verify through a different channel
If someone calls asking for something, hang up and call them back using a number from your company directory. If it's really them, they'll understand.
Follow official processes
Those security procedures exist for exactly this reason. Don't let anyone pressure you into skipping steps, no matter how legitimate they sound.
Ask questions only a real employee could answer
"What floor is your office on?" "Who's your direct manager?" "What project are you working on?" Insider knowledge goes deeper than names and titles. Keep in mind, though, that a caller who has done the research described above may already know the org chart and recent projects, so treat a correct answer as one data point, not as proof, and still confirm through a number from your company directory.
Trust your gut
If something feels off, it probably is. It's better to seem overly cautious than to hand over access to criminals.
When in doubt, escalate
Pass unusual requests to your manager or IT security team. It's literally their job to handle these situations.
What's really at stake
Scattered Spider isn't after small-time data. They're hunting for the keys to your digital kingdom—customer databases, financial records, intellectual property, anything they can sell or hold for ransom.
Once they're inside your systems, they move fast. They escalate privileges, access sensitive data, and sometimes lock everything down with ransomware. Companies hit by Scattered Spider have faced months of recovery, hundreds of millions in costs, and massive reputation damage.
The bottom line: You're the human firewall
Here's the reality: we have excellent technical security. Firewalls, encryption, monitoring systems—the works. But Scattered Spider doesn't attack technology. They attack people.
That makes you—yes, you—a critical part of your company's defense. Every time you pause to verify a suspicious request, you're potentially stopping a million-dollar breach.
The next time someone calls asking for information, credentials, or access, remember: real coworkers appreciate good security. Criminals hate it.
Stay skeptical, stay secure, and remember—when someone's trying to rush you past safety procedures, that's exactly when you should slow down.
Nationwide is providing this information as part of its Business Solutions Center website content and e-newsletter. The information included on this e-newsletter and the Business Solutions Center website is designed for informational purposes only. It is not legal, tax, financial, or any other sort of advice; nor is it a substitute for such advice. The information may not apply to your specific situation. We have tried to make sure the information is accurate, but it could be outdated or even inaccurate, in parts. It is the reader's responsibility to comply with any applicable local, state, or federal regulations, and to make their own decisions about how to operate their business. Nationwide Mutual Insurance Company, its affiliates, and their employees make no warranties about the information, no guarantee of results, and assume no liability in connection with the information provided.