The National Cyber Security Centre (NCSC) has warned criminals launching cyber attacks at British retailers are impersonating IT help desk calls to break into organisations.

Hackers have targeted Marks & Spencer, Co-op and Harrods in the last two weeks, and on Friday the anonymous group told the BBC there will be more attacks soon.

Now the NCSC, the government agency responsible for cyber security, has issued guidance to organisations urging them to review their IT help desk “password reset processes” to reduce their chances of getting hacked.

“We believe by following best practice, all companies and organisations can minimise the chances of falling victim to actors like this,” it said.

It said firms should reassess how their IT help desk “authenticates staff members” before resetting passwords, especially senior employees with access to high-level parts of an IT network.

It highlighted press speculation around “social engineering” as a way hackers may have gained access to accounts.

Criminals use social engineering techniques to get people to trust them when they email, text or call pretending to be from a company’s IT help desk – ultimately tricking employees into handing over their log in passwords and security codes.

This also works the other way – calling people who work on the help desk and pretending to be an employee locked out of their account.

Cyber security experts now recommend further layers of security to deal with these sorts of attacks.

“Having code words that get used when an employee phones up to change their credentials, such as “BluePenguin”, is one thing being discussed in the cyber community as a way to check that the member of staff is genuine,” said Lisa Forte from cyber security firm Red Goat.

“Ultimately it comes back to the same issue with login credentials as always – we need multiple ways to do it to ensure it isn’t easy to bypass.”

The NCSC advice is the strongest hint yet the hackers are using tactics most commonly associated with a collective of English-speaking cyber criminals nicknamed Scattered Spider.

The name derives from “spider” being the label given to financially motivated cyber criminals, while “scattered” is because they are not a cohesive, organised gang.

In the past two years these disparate hackers, in their teens or early twenties, have coordinated and planned attacks on Discord and Telegram to breach dozens of companies and steal or scramble data to extort their victims.

The NCSC does not specifically name the group as being responsible for the current wave of attacks, but acknowledges Scattered Spider are known for these types of hacks.

In other NCSC advice, cyber defenders are being urged to watch out for “Risky Logins”.

This means looking out for when and where employees have logged in from – for example late at night or from strange locations.

Although cyber criminals could be anywhere in the world, young English-speaking hackers in the UK and US have become adept at using social engineering in their attacks.

Scattered Spider hackers have been responsible for high profile attacks including the coordinated moves against casinos in Las Vegas in which MGM Grand Casinos and Caesar’s Palace were hit in quick succession.

There have been six arrests in the last year of hackers accused of being from Scattered Spider in the US and UK.

In July 2024 a 17-year-old from Walsall was arrested as part of an FBI investigation into the MGM hack – and months later a person of the same age and location was arrested in connection with another hack on Transport for London.

Police would not say if the alleged hacker was the same person.

On Friday, the hackers responsible for the current wave of attacks spoke to the BBC.

The criminals repeatedly denied they are Scattered Spider hackers and would only call themselves DragonForce – the name of a cyber crime service hackers can use for malicious software and extortion.

The hackers, who were fluent English speakers, revealed to the BBC they had compromised Co-op and stolen a large amount of customer and employee data.

They would not discuss the M&S hacks. But it is thought DragonForce ransomware was used to scrambled the firm’s IT servers.

While the NCSC said it “had insights”, it added it was “not yet in a position to say if these attacks are linked”.

“We are working with the victims and law enforcement colleagues to ascertain that,” it said.