
Shoppers Could be Targeted by Scammers, M&S Warns

British retail giant Marks and Spencer has confirmed that customer information was compromised in the devastating cyber-attack that has paralysed its online operations for more than three weeks. The breach is a stark warning for corporations worldwide about an increasingly common threat: SIM-swap fraud.

The retailer stopped taking online orders on April 25, and its share price has fallen 15% since problems with orders first emerged over Easter weekend. While M&S's 1,000 physical stores remain open, the company has been effectively locked out of its digital business.


"Some customer details had been taken," M&S acknowledged in a statement, attributing the breach to the "sophisticated nature" of the attack. The company moved to reassure customers about the limited scope of the breach: "Importantly, the data does not include useable payment or card details, which we do not hold on our systems, and it does not include any account passwords. There is no evidence that this data has been shared."


The retailer advised customers they need not take action while work continues to restore normal operations. M&S stated it "had taken steps to protect its systems, while working with cybersecurity experts, law enforcement and government agencies."


The financial toll grows with each passing day as M&S misses critical sales opportunities for new season merchandise during unusually warm May temperatures across the UK. With approximately one-third of its clothing and home sales typically generated online, the timing couldn't be worse.

Analysts at Deutsche Bank previously estimated the profit hit at "at least 30 million pounds" with losses continuing at "about 15 million pounds a week." While cyber insurance will likely cover much of the impact, such policies typically provide coverage for only a limited timeframe. M&S has declined to provide specific figures on the financial damage.


The SIM-Swap Connection


The M&S attack appears to be part of a troubling trend. According to reporting by The Times, the attackers likely used SIM-swap fraud to get into M&S's internal systems, potentially by hijacking an employee's mobile number and then convincing IT staff to reset critical login credentials.


This attack method has exploded in popularity. CIFAS, the UK's national fraud prevention service, reports that SIM-swap incidents surged from fewer than 300 in 2022 to almost 3,000 in 2023. What once primarily targeted cryptocurrency investors and online influencers now threatens everyone from everyday consumers to major corporations.


SIM-swap fraud succeeds not through technical sophistication but by exploiting a fundamental weakness: our reliance on mobile phone numbers as identity verification tools.


Anatomy of a SIM-Swap Attack


The attack begins when fraudsters persuade a mobile operator to transfer a victim's phone number to a new SIM card under the criminal's control. This can happen via phone call, online chat, or sometimes with help from corrupt insiders at the operator.

Once successful, all calls and texts meant for the victim, including verification codes for email, banking, messaging platforms like WhatsApp, and government services such as HMRC, redirect to the attacker.


What makes these attacks particularly effective is that perpetrators often compile victim information beforehand. Bits of personal data gathered from data breaches, phishing attempts, questionable websites, and even social media create a convincing profile that can fool customer service representatives.


Many people underestimate how much they reveal online: birthdays on Instagram, phone numbers in job postings, or addresses used for contest entries. Criminals assemble these fragments into a profile comprehensive enough to impersonate the legitimate account holder.


Once attackers gain control of a number, they can:


  • Access sensitive personal information and documents

  • Request and receive password reset links for various accounts

  • Log into messaging platforms like WhatsApp or Telegram

  • Read private communications

  • Impersonate the victim

  • Contact friends and family to execute additional scams


Victims may discover fraudulent posts or transactions made in their name, resulting in financial losses, reputational damage, and significant emotional distress.

In M&S's case, attackers apparently leveraged this access to manipulate internal processes and breach sensitive systems. This highlights a critical vulnerability: many companies still treat possession of a phone number as proof of identity when staff ask for a credential reset, exposing their systems to the same attack that targets individuals.


Protecting Against SIM-Swap Attacks


While detecting mobile number hijacking in real time remains challenging (the first sign is often the victim's own handset suddenly losing network service), several measures can reduce your exposure:


  1. Limit sharing personal data across platforms, especially on unknown or untrusted websites

  2. Recognise that attackers build profiles incrementally, combining information from public profiles, marketing databases, and previous data breaches

  3. Be strategic about sharing phone numbers, birthdays, and other identifiers that could help someone impersonate you

  4. Learn to recognise phishing attempts to avoid submitting sensitive information to fraudulent sites

  5. When possible, avoid SMS-based authentication in favour of authenticator apps like Google Authenticator, Microsoft Authenticator, Duo, or Authy, which generate codes on the device from a shared secret and the clock rather than receiving them over the mobile network, and so don't depend on your phone number

  6. Set a unique PIN or password on your mobile account that the operator must require before authorising a SIM change or number transfer

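To make point 5 concrete, here is an added example (not code from the article or from M&S) of the one-time-code scheme those authenticator apps use: HOTP (RFC 4226) driven by the clock, i.e. TOTP (RFC 6238). The code is derived on the device from a shared secret and the current 30-second step; nothing crosses the mobile network, so moving the number to a new SIM yields nothing. The secret is RFC 6238's published test secret so the output can be checked against the RFC's Appendix B vectors; the issuer and account name in the enrolment URI are made-up placeholders. The verifier at the end shows the two server-side details that matter in practice: tolerating one step of clock drift, and refusing to accept the same step twice.

```python
"""Added example, not from the article: minimal HOTP/TOTP (RFC 4226 / RFC 6238),
the scheme behind Google Authenticator, Microsoft Authenticator, Duo and Authy.
The secret is RFC 6238's Appendix B test secret; issuer/account are hypothetical.
"""
import base64
import hashlib
import hmac
import struct
import urllib.parse

# RFC 6238 Appendix B test secret: the ASCII string "12345678901234567890".
RFC_TEST_SECRET = b"12345678901234567890"
STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically
    truncated to a 31-bit integer, then reduced to `digits` decimal digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, unix_time // step, digits)


def provisioning_uri(secret: bytes, issuer: str, account: str) -> str:
    """The otpauth:// URI an authenticator app enrols from (usually shown as a QR
    code). After enrolment the base32 secret lives on the device, not at the carrier."""
    label = urllib.parse.quote(f"{issuer}:{account}")
    params = urllib.parse.urlencode({
        "secret": base64.b32encode(secret).decode().rstrip("="),
        "issuer": issuer,
        "algorithm": "SHA1",
        "digits": 6,
        "period": STEP_SECONDS,
    })
    return f"otpauth://totp/{label}?{params}"


class TotpVerifier:
    """Server-side check with clock-drift tolerance and replay protection."""

    def __init__(self, secret: bytes, window: int = 1, digits: int = 6, step: int = STEP_SECONDS):
        self.secret = secret
        self.window = window        # accept +/- this many steps of clock drift
        self.digits = digits
        self.step = step
        self.last_counter = -1      # highest step already accepted for this user

    def verify(self, code: str, unix_time: int) -> bool:
        current = unix_time // self.step
        for delta in range(-self.window, self.window + 1):
            counter = current + delta
            if counter <= self.last_counter:
                continue            # already used, or older than the last accepted step
            if hmac.compare_digest(hotp(self.secret, counter, self.digits), code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # Hypothetical issuer and account for the enrolment URI.
    print(provisioning_uri(RFC_TEST_SECRET, "ExampleCorp", "alice@example.com"))
    for t in (59, 1111111109, 1111111111, 1234567890, 2000000000):
        print(f"t={t:>11}  6-digit={totp(RFC_TEST_SECRET, t)}  8-digit={totp(RFC_TEST_SECRET, t, 8)}")
```

The verifier rejects any step at or below the last one it accepted, so a code captured in transit (or read off a stolen screen) cannot be replayed even inside the drift window; the `hmac.compare_digest` call keeps the comparison constant-time.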

The responsibility extends beyond individual users. Mobile network operators must strengthen identity verification practices beyond basic questions about names and addresses. Financial institutions should reconsider SMS as the default authentication method. Companies handling sensitive data need to train IT and customer service teams to recognise identity-based attacks.


The M&S breach demonstrates that SIM-swap fraud succeeds not because of technical complexity, but because it exploits our trust in phone numbers as identity verification tools.


What security measures does your company have in place to prevent SIM-swap attacks? Do your employees understand how their personal device security directly impacts corporate vulnerabilities? These questions might determine whether your organisation becomes the next headline.
