In April, two of Britain’s biggest retailers got hit by a massive cyberattack by the notorious Scattered Spider group, leading to substantial financial losses, operational disruptions and compromised customer data . M&S suffered losses of £300 million (roughly R7.3 billion) due to the attack, with supply chains affected for weeks. On top of the direct losses, over £1 billion was stripped from the organisation’s market value . Similarly, the Co-op experienced data breaches affecting customers’ personal information, while Harrods reported attempted cyberattacks, but managed to maintain online operations.

“These attacks aren’t just about stolen data,” says Anna Collard, SVP of Content Strategy & Evangelist at KnowBe4 Africa. “They took whole systems offline.

“In retail, downtime is a critical threat – it affects sales, customer trust, and brand loyalty, instantly.”

Unlike traditional ransomware gangs, Scattered Spider is decentralised, native English-speaking, and highly adaptive. “Scattered Spider aren’t mere opportunistic hackers,” explains Ms Collard. “They operate more like well-funded, well-organised crime syndicates.”

With some members as young as 19, they coordinate their activities on platforms like Discord and Telegram. “They’re agile, patient and disturbingly good at blending in,” she says. Added to this, they have great expertise in human psychology, as showcased during their attacks on Las Vegas casinos in 2023.

Their primary weapons, therefore, aren’t just digital – they’re human. “They’ve mastered social engineering,” says Ms Collard. “They specialise in exploiting human trust. From vishing (voice phishing) to impersonating internal staff and triggering what’s referred to as ‘MFA fatigue’, they’re skilled manipulators who understand both systems and people.”

MFA fatigue is one of the growing tactics they’re known for, which involves triggering repeated multi-factor authentication (MFA) prompts, hoping the bombarded employees eventually click “approve” just to make the interruptions stop.

“Legacy systems, shadow IT, and poorly enforced policies create entry points. Attackers don’t need to break in if they can just log in.”

Another alleged tactic Scattered Spider used in its latest attacks involved calling IT helpdesks to reset credentials, gaining access to their target’s infrastructure and subsequently deploying a ransomware-as-a-service tool. The outcome? Encrypted systems, stalled operations, and a long road to recovery.

Retailers across Africa – particularly in South Africa, Nigeria, and Kenya – are digitally transforming at a rapid pace. Cloud-based POS systems, centralised inventory platforms, and data-driven loyalty programmes are now standard. But these digital advancements also expand attack surfaces.

High employee turnover, remote workforces, and under-resourced helpdesks can compound exposure. And while business English is common in South Africa, this linguistic advantage also makes local teams more susceptible to social engineering by fluent English-speaking attackers.

“Our local executives aren’t naïve,” Ms Collard notes. “Many are acutely aware of the risks. What’s needed now is clarity on what really matters – and cutting through the noise.”

Pepkor IT’s CISO, Duncan Rae, delivered an insightful talk at the ITWeb Security Summit in May where he warned that cybersecurity teams are often overwhelmed – not just by threats, but by too many competing priorities. Teams are bombarded with shiny, new tools and threat reports spreading fear, uncertainty, and doubt (FUD) which sometimes makes organisations lose sight of the basics, he warned.

“These basics include managing human risk, addressing third-party exposure, and hardening vulnerabilities,” according to Mr Rae.

Ms Collard points to gaps in access controls, third-party risk management, and cloud security as common weaknesses, not just in the UK, but globally. “Legacy systems, shadow IT, and poorly enforced policies create entry points,” she warns. “Attackers don’t need to break in if they can just log in.”

For African retail leaders, this is a call to fortify the human layer.

“Train your frontline teams, especially in helpdesk and customer support. Teach them to detect manipulation. Make secure behaviour the norm – not the exception.”

Equally important, she says, is embedding cybersecurity into leadership conversations. “Cybersecurity is not just an IT function. It’s a board-level business risk.

“Executives must ask tough questions about readiness, incident response, and accountability.”

Too often, security training is treated as a box-ticking exercise. Collard urges a more thoughtful approach: “Training must resonate. It should be contextual, culturally relevant, and delivered in local languages where appropriate.”

She challenges business leaders with the following:

“If the answer is ‘no’ to any of these, your organisation is vulnerable,” Ms Collard says. “But the good news is that change is possible – and fast – when you start investing in the human element.”

“Cyber resilience is a collective responsibility,” she concludes. “And in an interconnected world, learning from each other’s crises is one of the smartest defences we have.”