Matt Cooper

Head of Global Marketing


M&S Retail SIM Swap Attack | The Deep Dive.

How M&S Became the Latest High-Profile SIM Swap Victim.


The recent Marks & Spencer cyberattack represents a watershed moment for cybersecurity in retail, marking the evolution of SIM swap fraud from an individual consumer threat to an enterprise-level weapon. With a staggering 1,055% surge in unauthorised SIM swaps reported in the UK in 2024, this attack methodology has rapidly become one of the most dangerous vectors for corporate breaches. This report examines how SIM swap attacks have transformed, how they affected M&S, and what organisations must do to protect themselves in this new threat landscape.

The Explosive Growth of SIM Swap Fraud

The statistics are nothing short of alarming. According to Cifas, the UK’s leading fraud prevention service, cases of SIM swap fraud have increased more than tenfold in a single year, with almost 3,000 cases filed to the National Fraud Database in 2024, up from just 289 in 2023[^1][^2][^16]. This exponential rise reflects a disturbing trend: criminals are increasingly weaponising phone number takeovers not just against individuals but as entry points into corporate networks.

The retail and telecommunications sectors have been particularly hard hit. Facility takeover fraud, where criminals seize control of individual accounts, soared by 76% in 2024, with nearly half (48%) of all account takeover cases involving mobile phone accounts[^16]. Identity fraud linked to mobile products increased by 87%, representing more than 16,000 additional cases[^16]. These aren’t isolated incidents but evidence of a coordinated shift in criminal strategy.

Simon Miller, Director of Policy, Strategy, and Communications at Cifas, described the situation as “particularly concerning,” noting that unlike many frauds that result in a single loss of money, SIM swap attacks can have “an enduring long-term impact” by compromising a victim’s entire digital identity[^13].

Why SIM Swap Attacks Are So Devastating

SIM swapping presents a unique danger because it subverts what many consider to be a security feature: two-factor authentication. When a phone number is compromised, fraudsters gain access to SMS verification codes, effectively bypassing this critical security layer[^2][^5][^7]. This explains why SIM swap fraud cost UK consumers more than £10 million in 2024 alone, with individual victims reporting losses as high as £40,000 in a single incident[^17].

Anatomy of a SIM Swap Attack

Understanding how these attacks work is crucial for appreciating their sophistication and danger to both individuals and organisations.

The Attack Methodology

A retail SIM swap typically begins with extensive information gathering. Attackers collect personal data through phishing campaigns, social media mining, or purchasing stolen information from the dark web[^2][^11][^17]. With this data in hand, they contact the victim’s mobile service provider, impersonating the legitimate account holder.

Using persuasive social engineering tactics, fraudsters convince operator representatives that they need to transfer a phone number to a new SIM card, often claiming the original was lost or damaged[^7][^17]. Once the provider completes the transfer, the victim’s phone loses service while the attacker gains control of all incoming calls and text messages.

This technique has evolved with technology. Today’s attackers increasingly target eSIMs (embedded SIMs), digital SIM cards stored within device chips that can be remotely provisioned[^4][^11]. Since fall 2023, cybersecurity firm F.A.C.C.T. has documented hundreds of attempts to access customers’ online accounts by exploiting eSIM replacement or restoration functions[^4].

The M&S Breach: SIM Swap Goes Corporate

The attack on Marks & Spencer represents a watershed moment in retail cybersecurity. What began as service disruptions, including outages in contactless payment systems and online ordering, was eventually confirmed as a sophisticated cyberattack linked to a group known variously as “Scattered Spider” or “Octo Tempest”[^14].

How Attackers Breached M&S

Sources familiar with the investigation told BleepingComputer that attackers first compromised M&S as early as February 2025, when they stole the company’s Windows domain NTDS.dit file – a database containing password hashes for Windows accounts[^14]. Using these credentials, the attackers were able to move laterally through M&S’s network.

The critical point of entry appears to have been sophisticated social engineering attacks targeting IT helpdesk staff. According to reports, attackers impersonated legitimate M&S employees and contacted the IT helpdesk, convincing staff to reset passwords[^9][^2]. SIM swapping played a key role in this deception, allowing attackers to receive authentication codes and verification calls that would normally protect against such impersonation[^9][^13].

The National Cyber Security Centre (NCSC), part of GCHQ, has since issued new guidance specifically addressing the tactics used in this attack, advising organisations to “review help desk password reset processes – how IT desk authenticates staff members’ credentials before resetting passwords, especially those with escalated privileges”[^9].

The DragonForce Connection

The attack has been linked to ransomware known as DragonForce, deployed on VMware ESXi hosts on April 24 to encrypt virtual machines[^3][^14]. “DragonForce” refers to both the malware and the group behind it, which cybersecurity experts believe consists primarily of English-speaking teenagers operating a cybercrime affiliate service that allows others to use their tools for attacks and extortion[^3][^10].

What makes this group particularly dangerous is their double-extortion tactics – not only did they encrypt M&S systems, but they also stole sensitive data and threatened to publish it unless ransom demands were met[^10].

The Co-op Parallel: Evidence of a Coordinated Campaign

Notably, M&S wasn’t the only major UK retailer targeted. The Co-op suffered a similar attack using identical techniques, with cybercriminals from the Scattered Spider network resetting employee passwords to breach the Co-op’s network[^9].

The DragonForce group claimed responsibility for both attacks, telling the BBC they had stolen data from both retailers and provided evidence to support their claims[^10]. For the Co-op, this allegedly included access to the company’s internal Microsoft Teams, leaked staff credentials, and approximately 10,000 customer records containing membership card numbers, names, addresses, emails, and phone numbers[^10].

Even more concerning, the group claimed to have obtained private information of 20 million people who signed up to Co-op’s membership scheme[^10], though this number hasn’t been independently verified. They also revealed attempts to breach Harrods, suggesting a coordinated campaign specifically targeting UK retailers[^10].

Why Retail Has Become a Prime Target

The substantial increase in attacks against retailers isn’t coincidental. Several factors make retail an attractive target for SIM swap-enabled attacks:

1. Valuable Customer Data

Retailers maintain extensive customer databases containing personal and financial information. This data is valuable both for direct financial fraud and as leverage in ransomware negotiations. M&S alone reportedly has data on millions of customers through its loyalty programs and online shopping platforms.

2. Complex Digital Infrastructure

Modern retailers operate complex digital ecosystems integrating point-of-sale systems, inventory management, e-commerce platforms, and customer relationship management tools. This complexity creates multiple potential entry points for attackers[^19]. Once inside, criminals can move laterally through these interconnected systems to access increasingly sensitive data and controls.

3. IT Support Vulnerabilities

Retail operations often maintain large IT support teams servicing thousands of employees across multiple locations. These support structures, while necessary, create opportunities for social engineering attacks, as demonstrated in both the M&S and Co-op breaches[^9][^19].

4. Reliance on Mobile Authentication

As retailers embrace omnichannel strategies and mobile-first approaches, they increasingly rely on phone numbers for customer authentication and account security. This dependency makes SIM swap vulnerabilities particularly damaging to their security posture[^16][^19].

From Personal to Enterprise Threat: The Evolution of SIM Swap

What makes the M&S case particularly noteworthy is how it demonstrates the evolution of SIM swap attacks from targeted individual fraud to enterprise-level threats. This evolution follows a concerning pattern:

Phase 1: Individual Financial Fraud (2018-2022)

Initially, SIM swap attacks primarily targeted high-value individuals like cryptocurrency holders and wealthy banking customers. Attacks were labour-intensive and highly targeted.

Phase 2: Automated Scaling (2022-2024)

As techniques matured, criminals developed more automated approaches, targeting larger numbers of individual consumers. The explosive 1,055% growth in cases between 2023 and 2024 reflects this scaling[^1][^2].

Phase 3: Enterprise Penetration (2024-Present)

Now, SIM swap techniques are being integrated into sophisticated corporate attack methodologies. Rather than directly monetising individual accounts, attackers use compromised phone numbers as entry points into corporate networks, enabling much larger-scale data theft and ransomware operations[^9][^14][^19].

The Speed Factor: Why Traditional Defenses Fail

What makes these attacks particularly dangerous is their speed. As noted in the user’s original post, these attacks “don’t take hours or days. They take minutes.”

In one documented case reported to the National Fraud Database, fraudsters contacted a customer under the guise of a service check. Within hours, the victim’s phone lost service, an eSIM was issued to the criminals, and high-value transactions were attempted using redirected authentication codes[^2][^17].

Traditional security measures that rely on after-the-fact detection or batch processing of security events are ineffective against this threat velocity. When such systems flag an issue, attackers have already gained access to the target systems and begun their lateral movement.

This is where real-time SIM Swap protection is crucial. If an organisation knows a SIM has been swapped, it can react BEFORE any fraud is committed. SIM Swap solutions that use scraped data, or days-old databases, are no defence if the SIM has just been swapped.

Risk Factors and Vulnerable Groups

While all organisations face risk from SIM swap attacks, certain factors increase vulnerability:

1. Older Demographics in Customer Base

Data shows older consumers are disproportionately targeted by account takeover fraud. Those aged 61 and over now constitute 29% of all account takeover cases, with incidents affecting this demographic rising by 90% year-on-year[^16][^17][^19]. Retailers with significant customer bases in this demographic face heightened risk.

2. SMS-Based Authentication Reliance

Organisations heavily reliant on SMS-based two-factor authentication are particularly vulnerable, as this is precisely what SIM swap attacks are designed to circumvent[^2][^5].

3. IoT Deployment Without Adequate Security

Retail IoT systems that rely on SIM cards for connectivity present another attack surface. Compromised SIM-based IoT devices can serve as entry points to broader networks, enabling attackers to intercept data or disrupt operations[^19].

Prevention Strategies for Retail Businesses

Protecting against SIM swap threats requires a multi-layered approach:

1. Strengthen Help Desk Authentication Procedures

The NCSC recommends explicitly reviewing and enhancing help desk password reset processes[^9]. This should include:

  • Multi-factor verification that doesn’t rely solely on SMS
  • Callback procedures to verified numbers
  • Knowledge-based authentication questions that aren’t easily discovered via social media

2. Implement Real-Time SIM Swap Detection

Real-time SIM swap detection services can identify when a phone number has recently been transferred to a new SIM card. Solutions like those offered by Sekura.id and XConnect integrate directly with mobile network operators to provide millisecond-level detection[^7][^8][^12].

3. Move Beyond SMS-Based Authentication

Where possible, organisations should transition to authentication methods that don’t rely on SMS delivery, such as:

  • Authenticator apps that generate time-based codes
  • Hardware security keys
  • Biometric verification systems

4. Employee Training on Social Engineering

Regular training sessions should educate staff, particularly those in customer service and IT support roles, about social engineering techniques and how to identify potential SIM swap-related scams[^9][^19].

5. Implement Network Segmentation and Least-Privilege Access

Limit the damage potential of compromised accounts by implementing strict network segmentation and enforcing least-privilege access controls. This ensures that even if attackers gain initial access through a SIM swap, their ability to move laterally is constrained.
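An added example (not Sekura.id's or any operator's code) of how strategies 1 and 2 combine at the help desk: a password-reset gate that blocks on a recent SIM change and treats a missing or stale SIM signal as a reason to demand a non-SMS factor rather than as a clean result. The `SimSignal` structure, the thresholds and the decision names are assumptions for illustration, and the sample requests are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed policy thresholds, chosen for illustration only.
SWAP_WINDOW = timedelta(hours=72)       # a SIM change this recent is high risk
MAX_SIGNAL_AGE = timedelta(minutes=5)   # older lookups are stale, not "clean"


@dataclass(frozen=True)
class SimSignal:
    """Hypothetical result of a SIM-change lookup against the mobile operator."""
    last_sim_change: Optional[datetime]  # None: operator has no change on record
    fetched_at: datetime                 # when the operator was actually queried


@dataclass(frozen=True)
class ResetRequest:
    employee_id: str
    privileged: bool                     # admin or other escalated-privilege account
    signal: Optional[SimSignal]          # None: lookup failed or number not covered


def decide_reset(req: ResetRequest, now: datetime) -> tuple[str, str]:
    """Return (decision, reason) for a help desk password reset request."""
    sig = req.signal
    if sig is None:
        # Fail closed: no signal is not evidence that the number is safe.
        return "REQUIRE_NON_SMS_FACTOR", "no_sim_signal"
    age = now - sig.fetched_at
    if age < timedelta(0) or age > MAX_SIGNAL_AGE:
        # A cached "clean" answer says nothing about a swap made minutes ago.
        return "REQUIRE_NON_SMS_FACTOR", "stale_sim_signal"
    if sig.last_sim_change is not None and now - sig.last_sim_change <= SWAP_WINDOW:
        # Codes and callbacks to this number may reach the attacker's SIM.
        return "BLOCK_AND_ESCALATE", "recent_sim_swap"
    if req.privileged:
        # Escalated privileges never reset on phone possession alone.
        return "REQUIRE_NON_SMS_FACTOR", "privileged_account"
    return "ALLOW_CALLBACK_TO_VERIFIED_NUMBER", "no_recent_sim_swap"


def triage(requests: list[ResetRequest], now: datetime) -> dict[str, tuple[str, str]]:
    """Evaluate a batch of requests, keyed by employee id."""
    return {r.employee_id: decide_reset(r, now) for r in requests}


# Constructed sample data: five reset requests arriving at the same moment.
NOW = datetime(2025, 5, 1, 12, 0, tzinfo=timezone.utc)
FRESH = NOW - timedelta(seconds=2)
SAMPLE = [
    ResetRequest("emp-001", False, SimSignal(NOW - timedelta(days=400), FRESH)),
    ResetRequest("emp-002", False, SimSignal(NOW - timedelta(minutes=20), FRESH)),
    ResetRequest("emp-003", False, SimSignal(None, NOW - timedelta(days=2))),
    ResetRequest("emp-004", True, SimSignal(NOW - timedelta(days=400), FRESH)),
    ResetRequest("emp-005", False, None),
]

if __name__ == "__main__":
    for emp, (decision, reason) in triage(SAMPLE, NOW).items():
        print(f"{emp}: {decision} ({reason})")
```

The `emp-003` case is the one the stale-database warning is about: the lookup reports no swap, but it is two days old, so the gate refuses to treat it as clearance.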

The Future of SIM Swap Threats and Defences

As we look ahead, several trends will shape the evolution of SIM swap threats and countermeasures:

Rising eSIM Vulnerabilities

The transition to eSIM technology potentially creates new vectors for SIM swap attacks, as these digital SIMs can be remotely provisioned without physical access[^4][^11]. As noted by cybersecurity experts, attackers have already begun exploiting eSIM replacement and restoration functions to hijack phone numbers[^4].

Regulatory Response

The dramatic rise in SIM swap fraud is likely to prompt regulatory action. The financial services industry has already seen increased scrutiny around authentication methods, with regulators like the EU’s PSD2 promoting multi-factor authentication beyond SMS[^5]. Similar regulations may soon extend to other sectors, including retail.

Integration of Behavioural Biometrics

Next-generation security systems are beginning to incorporate behavioural biometrics, analysing how users interact with devices and services, to detect anomalous behaviour that might indicate a compromised account, even when all authentication steps have been successfully completed.

Conclusion: The New Reality of Retail Cybersecurity

The M&S attack represents a sobering reality check for the retail industry. SIM swap attacks have evolved from a consumer-focused nuisance to a sophisticated enterprise threat capable of crippling major organisations and compromising millions of customer records.

The statistics are clear: with a 1,055% increase in SIM swap fraud in a single year[^1][^2][^16], this attack vector is rapidly becoming one of the most significant threats facing retailers today. Organisations must adapt quickly, implementing real-time detection capabilities and moving beyond traditional authentication methods that rely on vulnerable SMS delivery.

As yesterday’s Sekura ID post identified, “SIM Swap is no longer a personal problem - it’s an enterprise threat.” For retailers, the question is no longer if they will face such attacks, but when, and more importantly, whether their defences are prepared to respond at the speed these modern threats demand.

In this new landscape, reactive security measures are insufficient. Only proactive, real-time detection and prevention strategies can adequately protect against the sophisticated SIM swap techniques that compromised even a retail giant like Marks & Spencer.

The future of retail cybersecurity depends on recognising this shift and responding accordingly.


Sekura.id is a global leader in mobile identity and fraud prevention, trusted by banks, fintechs, and mobile network operators across six continents. Through its Uniti platform, Sekura.id delivers real-time SIM Swap detection that stops account takeovers before they happen—using direct network signals and zero-latency APIs. Designed for financial institutions and regulated sectors, Uniti enables fraud prevention at speed and scale, without compromising user experience. Learn more at: www.sekura.id/sim-swap


Sources used:

[^1]: https://www.cifas.org.uk/newsroom/huge-surge-see-sim-swaps-hit-telco-and-mobile

[^2]: https://www.itv.com/news/2025-05-12/sim-swap-fraud-rises-by-1000-as-criminals-exploit-two-factor-authentication

[^3]: https://www.itv.com/news/2025-05-01/dragonforce-the-software-cyber-security-experts-believe-was-used-to-hit-m-and-s

[^4]: https://www.bleepingcomputer.com/news/security/sim-swappers-hijacking-phone-numbers-in-esim-attacks/

[^5]: https://www.appdome.com/how-to/account-takeover-prevention/social-engineering-prevention/detect-sim-card-swapping-in-android-ios/

[^6]: https://www.xconnect.net/storage/uploads/fact-sheets/XConnect-Number-Information-Services-Description_roxmy.pdf

[^7]: https://sekura.id/sim-swap/

[^8]: https://developer.orange.com/apis/camara-sandbox-simswap-orange-lab

[^9]: https://www.lbc.co.uk/news/uk/co-op-marks-spencer-cyberattackers-tricked-it-workers/

[^10]: https://securityaffairs.com/177376/cyber-crime/dragonforce-group-claims-the-theft-of-data-after-co-op-cyberattack.html

[^11]: https://esimcard.com/blog/info/are-esims-subject-to-sim-swap-attacks/

[^12]: https://www.xconnect.net/solutions/fraud-protection

[^13]: https://www.independent.co.uk/news/uk/home-news/sim-swapping-fraud-marks-and-spencer-b2749238.html

[^14]: https://www.bleepingcomputer.com/news/security/marks-and-spencer-breach-linked-to-scattered-spider-ransomware-attack/

[^15]: https://www.telecompaper.com/news/number-of-uk-sim-swap-fraud-cases-up-over-1000-percent-in-2024-cifas--1535931

[^16]: https://totaltele.com/1055-surge-in-unauthorised-sim-swaps-as-mobile-and-telecoms-sector-hit-hard-by-rising-fraud/

[^17]: https://www.watchyourpocket.co.uk/news/sim-swap-scams-soar/

[^18]: https://www.prove.com/blog/2024-mobile-fraud-market-trends-in-uk-europe

[^19]: https://www.csl-group.com/blogs/rising-threat-sim-swapping-business-retail-iot/

[^20]: https://www.cifas.org.uk/newsroom/fraudscape-2025-record-fraud-levels

[^21]: https://www.ukfcf.org.uk/1055-surge-in-unauthorised-sim-swaps-as-mobile-and-telecoms-sector-hit-hard-by-rising-fraud-total-telecom/

[^22]: https://www.itv.com/news/2025-05-12/m-and-s-and-co-op-what-we-know-weeks-after-cyber-attacks

[^23]: https://www.bleepingcomputer.com/news/security/co-op-confirms-data-theft-after-dragonforce-ransomware-claims-attack/

[^24]: https://www.kaspersky.co.uk/blog/what-is-sim-swapping/27367/

[^25]: https://www.callsign.com/platform/intelligence-engine/telco-intelligence

[^26]: https://www.itpro.com/security/cyber-attacks/m-and-s-customer-personal-data-stolen

[^27]: https://www.picussecurity.com/resource/blog/dragonforce-ransomware-attacks-retail-giants

[^28]: https://www.csl-group.com/blogs/rising-threat-sim-swapping-business-retail-iot/

[^29]: https://connect.myriadgroup.com/en/technologie/secure-sim-swap-detection/

[^30]: https://industrialcyber.co/ransomware/mandiant-links-dragonforce-ransomware-attacks-on-uk-retailers-to-unc3944-tactics-highlighting-links-to-ransomhub/

[^31]: https://www.coalitioninc.com/en-gb/blog/sim-swapping-extortion

[^32]: https://developer.orange.com/apis/sim-swap

[^33]: https://www.reinsurancene.ws/dragonforce-ransomware-behind-ms-cyberattack-is-a-global-threat-killara-cyber-ceo/

[^34]: https://hackhunting.com/2024/12/31/esim-vulnerabilities-lead-to-sim-swapping-attacks/

[^35]: https://netnumber.com/sim-swap-detection/

[^36]: https://en.wikipedia.org/wiki/SIM_swap_scam

[^37]: https://securelist.com/large-scale-sim-swap-fraud/90353/

[^38]: https://www.which.co.uk/news/article/sim-swap-fraud-doubles-year-on-year-how-scammers-steal-your-phone-number-aB0TF1O6hUrv

[^39]: https://sekura.id/sim-swap/

[^40]: https://www.fbi.gov/contact-us/field-offices/phoenix/news/press-releases/fbi-tech-tuesday-sim-swapping

[^41]: https://www.bleepingcomputer.com/news/security/lapsus-hackers-took-sim-swapping-attacks-to-the-next-level/

[^42]: https://nordvpn.com/blog/is-esim-safe/

[^43]: https://www.keepersecurity.com/blog/2023/04/19/what-is-sim-swapping/

[^44]: https://info.international.jtglobal.com/all-you-need-to-know-about-sim-swap-fraud

[^45]: https://www.safaricom.co.ke/fraud-awareness/impersonation/sim-swap-fraud

[^46]: https://sinch.com/blog/monitoring-and-risk-assessment-preventing-sim-swap-fraud/

[^47]: https://sekura.id/gsma-sim-swap/

[^48]: https://developer.bt.com/products/sim-swap

[^49]: https://www.itv.com/news/2025-05-12/sim-swap-fraud-rises-by-1000-as-criminals-exploit-two-factor-authentication

[^50]: https://sekura.id/sekura-id-xconnect-acquisition/

[^51]: https://sekura.id/mpm/

[^52]: https://www.nfp.com/insights/case-study-sim-swapping/

[^53]: https://www.cifas.org.uk/newsroom/huge-surge-see-sim-swaps-hit-telco-and-mobile

[^54]: https://www.globenewswire.com/news-release/2024/10/24/2968959/0/en/Sekura-id-Certified-for-Success-GSMA-SIM-Swap-Certification-Achieved.html

[^55]: https://opengateway.telefonica.com/en/news/article/api-sim-swap

[^56]: https://www.independent.co.uk/news/uk/home-news/sim-swapping-fraud-marks-and-spencer-b2749238.html

[^57]: https://www.grantthornton.co.uk/insights/sim-swapping-the-rising-threat-from-employees-phones/

[^58]: https://sekura.id/banking/

[^59]: https://globalesim.app/sim-swap/

[^60]: https://voyeglobal.com/can-esims-be-hacked/

[^61]: https://www.secretservice.gov/newsroom/releases/2021/02/brits-arrested-sim-swapping-attacks-us-celebs

[^62]: https://sekura.id

[^63]: https://www.linkedin.com/posts/xconnectservices_in-a-challenging-telecoms-ecosystem-failed-activity-7279813558220013568-7KuQ

[^64]: https://www.malwarebytes.com/blog/news/2024/03/store-manager-admits-sim-swapping-his-customers
