In April, two of Britain’s biggest retailers got hit by a massive cyberattack by the notorious Scattered Spider group, leading to substantial financial losses, operational disruptions and compromised customer data.

M&S suffered losses of £300 million due to the attack, with supply chains affected for weeks.

On top of the direct losses, over £1 billion was stripped from the organisation’s market value. Similarly, the Co-op experienced data breaches affecting customers’ personal information, while Harrods reported attempted cyberattacks, but managed to maintain online operations.

says Anna Collard, SVP of Content Strategy & Evangelist at KnowBe4 Africa.

A new kind of threat actor

Unlike traditional ransomware gangs, Scattered Spider is decentralised, native English-speaking, and highly adaptive. explains Collard.

With some members as young as 19, they coordinate their activities on platforms like Discord and Telegram. he says.

Added to this, they have great expertise in human psychology, as showcased during their attacks on Las Vegas casinos in 2023.

Their primary weapons, therefore, aren’t just digital – they’re human. says Collard.

MFA fatigue is one of the growing tactics they’re known for which involves triggering repeated multi-factor authentication (MFA) prompts, hoping the bombarded employees eventually click “approve” just to make the interruptions stop.

Another alleged tactic Scattered Spider used in its latest attacks involved calling IT helpdesks to reset credentials, gaining access to their target’s infrastructure and subsequently deploying a ransomware-as-a-service tool. The outcome? Encrypted systems, stalled operations, and a long road to recovery.

Why Africa should be paying close attention

Retailers across Africa – particularly in South Africa, Nigeria, and Kenya – are digitally transforming at a rapid pace. Cloud-based POS systems, centralised inventory platforms, and data-driven loyalty programmes are now standard. But these digital advancements also expand attack surfaces.

High employee turnover, remote workforces, and under-resourced helpdesks can compound exposure. And while business English is common in South Africa, this linguistic advantage also makes local teams more susceptible to social engineering by fluent English-speaking attackers.

Collard notes.

Pepkor IT’s CISO, Duncan Rae, delivered an insightful talk at the ITWeb Security Summit in May where he warned that cybersecurity teams are often overwhelmed – not just by threats, but by too many competing priorities.

Teams are bombarded with shiny, new tools and threat reports spreading fear, uncertainty, and doubt (FUD) which sometimes makes organisations lose sight of the basics, he warned.

according to Rae.

What needs to change?

Collard points to gaps in access controls, third-party risk management, and cloud security as common weaknesses – not just in the UK, but globally. “Legacy systems, shadow IT, and poorly enforced policies create entry points,” she warns. “Attackers don’t need to break in if they can just log in.”

For African retail leaders, this is a call to fortify the human layer.

“Train your frontline teams, especially in helpdesk and customer support. Teach them to detect manipulation. Make secure behaviour the norm – not the exception.”

Equally important, she says, is embedding cybersecurity into leadership conversations.

From awareness to action

Too often, security training is treated as a box-ticking exercise. Collard urges a more thoughtful approach:

She challenges business leaders with the following:

Collard says.

Join @techbuildafrica on Telegram