M&S cyberattack used a lesser-known but dangerous technique, here's what your business needs to know
Marks & Spencer has been hit by a cyberattack exploiting a method known as SIM swap fraud. While the incident primarily affected the retailer’s customer feedback system, it serves as a stark reminder of how increasingly sophisticated and under-recognised cyber threats can bypass traditional defences — and why businesses of all sizes should take notice.
What is SIM swap fraud?
SIM swap fraud occurs when a cybercriminal convinces a mobile network provider to switch a victim’s phone number to a new SIM card, one they control. Once they have access to your number, they can intercept calls and texts, including two-factor authentication (2FA) codes, giving them potential access to email accounts, banking apps, and sensitive corporate data.
What makes this type of attack especially dangerous is how little a victim needs to do to be compromised. It typically relies on social engineering, tricking a phone company into making the switch, rather than on technical vulnerabilities in software or hardware.
Why businesses should care
Although this type of fraud often targets individuals, it can just as easily be used against business owners, directors, and staff with access to corporate systems. In many cases, email accounts linked to mobile numbers become a gateway to internal systems and critical company data. If a criminal gains access, the impact can include financial theft, reputational damage, and regulatory penalties.
This attack on a major UK retailer shows how even companies with advanced IT setups are not immune. It also highlights a gap in many organisations’ cybersecurity strategies: the assumption that two-factor authentication is infallible.
How to reduce your risk
To minimise the risk of SIM swap fraud and related attacks, businesses should consider:
- Using authentication apps instead of SMS-based 2FA
Apps like Microsoft Authenticator or Google Authenticator reduce reliance on mobile networks and offer a more secure way to confirm user identities.
- Implementing robust mobile device management policies
Enforcing controls through solutions like Microsoft Intune ensures that only approved, secure devices can access corporate data.
- Training staff on social engineering threats
Cyber awareness should go beyond phishing emails. Understanding how attackers manipulate service providers or employees is essential.
- Monitoring for signs of compromise
Unusual login attempts, unexpected phone number changes, or sudden loss of mobile service can be early warning signs.
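The monitoring point above can be turned into a simple correlation rule. The following is an added example, not ACUTEC's or M&S's code: it scans constructed, identity-provider-style audit log lines (the format, event names and accounts are assumptions) and flags any account whose recovery or 2FA phone number is changed and then, within a short window, used to pass an SMS code check or sign in from a new device. Sudden loss of mobile service is user-reported rather than logged, so it is not covered here.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log, one event per line: "timestamp user event detail".
# Deliberately not in chronological order, as exported logs often are not.
SAMPLE_LOG = """\
2025-04-20T09:01:10Z alice PHONE_CHANGED +44-7700-900001
2025-04-20T09:04:52Z alice SMS_CODE_VERIFIED password_reset
2025-04-20T09:06:03Z alice LOGIN new_device
2025-04-20T11:30:00Z bob PHONE_CHANGED +44-7700-900002
2025-04-21T15:00:00Z bob SMS_CODE_VERIFIED login
2025-04-20T12:00:00Z carol LOGIN known_device
"""

# Events that are suspicious when they closely follow a phone-number change
# (assumed event names; map these to your own provider's audit schema).
FOLLOW_ON_EVENTS = {"SMS_CODE_VERIFIED", "LOGIN"}


def parse_log(text):
    """Parse log lines into (timestamp, user, event, detail) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        ts, user, event, detail = line.split(maxsplit=3)
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, detail))
    return sorted(events)


def find_sim_swap_pattern(text, window=timedelta(hours=1)):
    """Return {user: [(event, detail, delay_after_change), ...]} for every user
    whose phone-number change is followed within `window` by a follow-on event."""
    last_change = {}            # user -> time of most recent PHONE_CHANGED
    alerts = defaultdict(list)
    for ts, user, event, detail in parse_log(text):
        if event == "PHONE_CHANGED":
            last_change[user] = ts
        elif event in FOLLOW_ON_EVENTS and user in last_change:
            delay = ts - last_change[user]
            if delay <= window:
                alerts[user].append((event, detail, delay))
    return dict(alerts)


if __name__ == "__main__":
    for user, hits in find_sim_swap_pattern(SAMPLE_LOG).items():
        for event, detail, delay in hits:
            print(f"ALERT {user}: {event} ({detail}) {delay} after phone number change")
```

With the default one-hour window only alice is flagged; widening the window to two days also catches bob's next-day SMS verification.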
Is your cybersecurity strategy fit for purpose?
At ACUTEC, we don’t believe in one-size-fits-all solutions. As a member of the Cyber Resilience Centre for the West Midlands Advisory Group, we understand the region’s most pressing cyber threats, including emerging tactics like SIM swap fraud.
We offer a clear, strategic roadmap for protecting your organisation’s data and ensuring that, if the worst should happen, you have effective policies and processes in place to respond.
Let’s talk about building your business’s cyber resilience.
Contact our team for a strategic approach to cybersecurity.