The Attack Surface in Your Pocket—and How Scattered Spider Socially Engineers Their Way Inside
By Mike Rosen
Nov 18, 2025
A guide for financial institutions.
How many of your employees accessed corporate email, collaboration services, transaction platforms, or reset passwords from their personal phones this week?
What security controls do you actually have on those devices?
For most financial institutions, there's a gap between those two answers. Not because security teams don't see the risk, but because mobile security has been the organizational fight nobody wanted to pick, thanks to myriad privacy concerns, employee pushback, unclear legal boundaries, and competing priorities.
Meanwhile, Scattered Spider (aka Scattered LAPSUS$ Hunters) and similar groups built their entire playbook around this hesitation. They don't rely on zero-days or sophisticated malware. They use SMS, MFA requests, voice calls, and the fact that mobile devices typically fall outside traditional enterprise security controls.
This post is about closing that gap, not with theory, but with practical guidance financial institutions can actually implement.
TL;DR:
Mobile devices are now primary attack vectors, not side channels
Scattered Spider's 67% help desk success rate shows where controls are failing
SMS and SIM swaps remain critical vulnerabilities in authentication flows
OAuth integrations have become new lateral movement paths
Financial institutions need mobile security that works for both BYOD (Bring Your Own Device) and corporate owned devices
Your Employees Already Moved to Mobile; Attackers Followed
Most financial institutions have tightened email security, deployed EDR, and improved IAM over the past decade. Meanwhile, employees quietly moved more of their work onto their personal phones, especially email, finance, authenticators, CRM, incident alerts, and customer communications.
At the same time, BYOD has surged in the past year. Over 82% of organizations use BYOD today, and a large share involve unmanaged personal devices. One study found 78% of IT professionals say employees use personal devices for work even when it's not allowed.
If employees use a device for work, that device is part of the corporate perimeter.
Attackers agree. Phishing and social engineering have moved heavily into SMS, messaging apps, and voice calls. Not just email anymore.
A Criminal Federation That Changed the Game
One of the more disturbing changes in 2025 wasn't just what Scattered Spider does, but who they're working with.
Channels linked to Scattered Spider announced an alliance with LAPSUS$ and ShinyHunters. Three distinct brands combining their specialties:
Scattered Spider: social engineering, mobile-first access, vishing, help-desk impersonation, SIM swaps
ShinyHunters: large-scale data theft and leak-site operations
LAPSUS$: extortion, public pressure, "name and shame" tactics
This kind of open criminal federation is unusual. Historically, crews guarded access, tooling, and brand. Now we're seeing actual division of labor: one group gets in, another pulls data, another weaponizes it publicly.
For financial institutions, that means more polished, repeatable playbooks. Faster end-to-end campaigns. Less time to detect and disrupt.
SIM Swaps and SMS: Still the Front Door
SIM swaps and SMS-based MFA keep showing up in real incidents for a reason.
The FBI's Internet Crime Complaint Center tracked nearly $26 million in reported SIM-swap losses in the U.S. in 2024. In the UK, Cifas data showed a 1,055% increase in unauthorized SIM swaps, from 289 cases in 2023 to nearly 3,000 in 2024.
A SIM swap is straightforward: the attacker calls the carrier posing as the victim, uses stolen personal data to pass "verification," and the carrier moves the phone number to the attacker's SIM. All SMS codes and calls now go to the attacker.
If you still rely on SMS for critical authentication or recovery, you've effectively made telecom call centers part of your security perimeter.
To address this issue for sensitive flows (administrator access, payments, trading systems, high-value customer data), you should:
Disable SMS as an authentication factor, wherever possible, for high-risk users and systems. Where you can't remove it yet, monitor and alert on SIM-swap indicators like sudden loss of mobile service on a registered device, recent SIM changes followed by new device logins, or multiple failed MFA attempts followed by successful enrollment from a new device.
You don't need to remove SMS from everything overnight, but you cannot treat it as a strong, unmonitored factor for critical access.
As attackers increasingly target identity flows, stronger authentication becomes non-negotiable, especially for users with elevated access.
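As an added example that is not part of the original post, the SIM-swap indicators above expressed as correlation rules over a constructed timeline of identity and carrier events. The event schema, user names and device identifiers are invented for illustration; a real deployment would feed the same logic from IdP sign-in logs and carrier SIM-change notifications.

```go
package main

import "time"

// Event is one identity or telecom signal for a user (constructed schema, not a vendor format).
type Event struct {
	User, Kind, Device string // Kind: sim_change | mfa_fail | mfa_enroll | login
	At                 time.Time
}

// SimSwapAlerts correlates two indicators named in the post: a SIM change followed within window by a
// login from a never-seen device, and three or more MFA failures followed by MFA enrollment from a
// never-seen device. known holds "user/device" pairs that are already enrolled.
func SimSwapAlerts(events []Event, known map[string]bool, window time.Duration) []string {
	var alerts []string
	lastSim, fails := map[string]time.Time{}, map[string]int{}
	for _, e := range events {
		newDevice := e.Device != "" && !known[e.User+"/"+e.Device]
		switch e.Kind {
		case "sim_change":
			lastSim[e.User] = e.At
		case "mfa_fail":
			fails[e.User]++
		case "login":
			fails[e.User] = 0 // a completed login ends the failure streak
			if t, ok := lastSim[e.User]; ok && newDevice && e.At.Sub(t) <= window {
				alerts = append(alerts, e.User+": SIM change then login from new device "+e.Device)
			}
		case "mfa_enroll":
			if fails[e.User] >= 3 && newDevice {
				alerts = append(alerts, e.User+": repeated MFA failures then enrollment from new device "+e.Device)
			}
		}
	}
	return alerts
}

// SampleEvents is a constructed timeline: alice's number moves to a new SIM and an unknown phone logs
// in 20 minutes later; bob fails MFA three times, then enrolls an unknown device; carol's login from
// her already-enrolled iPad is benign and must not alert.
func SampleEvents() ([]Event, map[string]bool) {
	t := time.Date(2025, 11, 18, 9, 0, 0, 0, time.UTC)
	return []Event{
		{"alice", "sim_change", "", t},
		{"carol", "login", "carol-ipad", t.Add(5 * time.Minute)},
		{"alice", "login", "iphone-unknown", t.Add(20 * time.Minute)},
		{"bob", "mfa_fail", "", t.Add(30 * time.Minute)},
		{"bob", "mfa_fail", "", t.Add(31 * time.Minute)},
		{"bob", "mfa_fail", "", t.Add(32 * time.Minute)},
		{"bob", "mfa_enroll", "android-unknown", t.Add(40 * time.Minute)},
	}, map[string]bool{"carol/carol-ipad": true, "alice/alice-iphone": true}
}
```

The window only bounds the SIM-change rule; the failure-streak rule instead resets on any completed login, which is why carol's benign sign-in produces nothing.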
Stronger Authentication: FIDO2 and Passkeys
This isn't a theoretical discussion; it's based on real patterns we're seeing across multiple financial institutions this year.
FIDO2 security keys and modern passkeys use public-key cryptography instead of shared secrets. The private key stays on the device or hardware token; the service only holds the public key. That means phishing pages can't easily steal the credential. There's no password database to crack or reuse. The user experience can be simpler than SMS or OTP apps.
For high-risk users (admins, executives, staff with elevated access permissions), moving to FIDO2 or platform authenticators is one of the highest-impact changes you can make.
OAuth: The Quiet Back Door
Scattered Spider and similar actors don't stop at phones. Once they're in, they go after OAuth tokens and SaaS-to-SaaS connections, the glue between your platforms.
Your "Connect to X" and "Log in with Y" flows are quickly becoming some of the most abused paths into sensitive data.
To address this, you should inventory all OAuth apps and integrations tied to your IdP, CRM, productivity, and core banking SaaS. Clean up unused, legacy, or abandoned connections. Enforce least privilege by understanding what "read," "write," and "offline access" actually grant. Monitor for new OAuth grants with high-risk scopes, especially outside normal behavior windows and from unusual locations.
Identity and integrations are now the new lateral movement paths. Treat them as such.
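An added example, not from the original post, of the review step described above: scoring the scopes of a newly consented OAuth grant and checking the consent against a user's normal hours and locations. The Grant schema, the scope names, the app name and the sample event are constructed placeholders, not any particular identity provider's format.

```go
package main

import (
	"strings"
	"time"
)

// Grant is one OAuth consent event as an IdP audit log might record it (constructed schema).
type Grant struct {
	User, App, Location string
	Scopes              []string
	At                  time.Time
}
// ScopeRisk maps a scope to the privilege it actually confers, per the post's advice to understand
// what "read", "write" and "offline access" grant. Scope names are generic placeholders.
func ScopeRisk(scope string) string {
	s := strings.ToLower(scope)
	switch {
	case s == "offline_access": // refresh token: access outlives the user's session
		return "high"
	case strings.Contains(s, "write") || strings.Contains(s, "send") || strings.Contains(s, "admin"):
		return "high"
	case strings.Contains(s, "read"):
		return "medium"
	}
	return "low"
}

// ReviewGrant lists why a new grant deserves attention: high-risk scopes, consent outside the
// user's working hours (UTC), or from a location never seen for that user.
func ReviewGrant(g Grant, startHour, endHour int, usualLocations map[string]bool) []string {
	var reasons []string
	for _, s := range g.Scopes {
		if ScopeRisk(s) == "high" {
			reasons = append(reasons, "high-risk scope "+s)
		}
	}
	if h := g.At.UTC().Hour(); h < startHour || h >= endHour {
		reasons = append(reasons, "outside working hours")
	}
	if !usualLocations[g.Location] {
		reasons = append(reasons, "unusual location "+g.Location)
	}
	return reasons
}
// SampleGrant is a constructed event: a mailbox-sync app consented to at 02:15 UTC from a location
// (placeholder code "XX") the user never signs in from, asking for persistent mail read/write access.
func SampleGrant() Grant {
	return Grant{"alice", "mail-sync-helper", "XX", []string{"mail.read", "mail.readwrite", "offline_access"},
		time.Date(2025, 11, 18, 2, 15, 0, 0, time.UTC)}
}
```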
Cryptographic Device Binding
Many organizations still treat a device as "trusted" because it has the correct associated phone number, runs the right app, or has been seen before.
That's not enough against attackers who can spoof numbers, swap SIMs, or enroll new devices.
Binding devices cryptographically means when a device is enrolled for corporate access, it gets a unique cryptographic key pair. The private key stays on the device, protected by secure hardware. Your systems store only the public key. When the user authenticates, the device proves it's the same one by signing a challenge.
The impact: an attacker can't simply say "I'm a new iPhone, trust me" without that key. If a device is lost, stolen, or suspected compromised, you revoke that specific key. Device trust becomes based on cryptographic identity, not just metadata.
This same concept underpins FIDO2 and passkeys. Extending it to device enrollment is a natural next step.
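An added example, not part of the original post, of the enrollment, challenge, signature and revocation flow described above, using Ed25519 from Go's standard library. The Registry type and device IDs are invented; Enroll returns the private key only so the example runs in one process, where a real device would generate it inside its secure hardware and never export it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Registry is the server side (constructed, not a product API): it stores only public keys and a revocation set.
type Registry struct {
	keys    map[string]ed25519.PublicKey
	revoked map[string]bool
}

func NewRegistry() *Registry { return &Registry{keys: map[string]ed25519.PublicKey{}, revoked: map[string]bool{}} }

// Enroll generates the device key pair and records the public half. On a real device the private key
// is created inside secure hardware and never leaves it; it is returned here only so the example runs.
func (r *Registry) Enroll(deviceID string) (ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	r.keys[deviceID] = pub
	return priv, nil
}

// Challenge returns fresh random bytes; each authentication signs a new one, so a captured signature cannot be replayed.
func Challenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Verify accepts the device only if it is enrolled, not revoked, and the signature over the challenge
// checks against the stored public key. Phone number or "seen before" metadata plays no part.
func (r *Registry) Verify(deviceID string, challenge, sig []byte) error {
	pub, ok := r.keys[deviceID]
	switch {
	case !ok:
		return errors.New("unknown device")
	case r.revoked[deviceID]:
		return errors.New("device revoked")
	case !ed25519.Verify(pub, challenge, sig):
		return errors.New("bad signature")
	}
	return nil
}

// Revoke invalidates one specific device key, leaving the user's other devices untouched.
func (r *Registry) Revoke(deviceID string) { r.revoked[deviceID] = true }
```

The client side is just ed25519.Sign(priv, challenge); the server never holds anything that could be used to impersonate the device.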
It's Not Just Executives
Executives remain high-value targets. They move money, make strategic decisions, talk to regulators and boards. But groups like Scattered LAPSUS$ Hunters focus on who can change things, not just who has a big title.
Your high-risk population includes:
IdP, CRM, ERP, trading, payments, and cloud admins
Help-desk staff who can reset MFA or enroll devices
Engineers with production or CI/CD access
Back-office staff handling sensitive financial or customer data
Executives and board-facing roles
These users should get the strongest controls: FIDO2 or strong platform authenticators (no SMS as a primary factor), cryptographically bound device enrollment, extra monitoring and alerting on identity changes and logins, targeted awareness training and scenario-based exercises.
You can still layer dedicated Executive Protection on top, but don't forget the "quiet power users" who hold operational keys.
Defining high risk in practice is harder than it sounds. At one major financial institution, the security team ultimately made the decision to deploy mobile security to every employee. Not because they wanted universal coverage from the start, but because determining who counted as high risk proved impossible. Attackers could find privilege in unexpected places: a treasury analyst who could initiate wire transfers, a compliance officer with access to customer PII, a marketing coordinator who managed the corporate social media accounts could all potentially be weaponized for phishing.
In a mobile-first world where work happens across devices and attackers are skilled at identifying hidden privilege, the concept of "high-risk users" may need to expand significantly or apply to everyone with corporate access.
Move Security Awareness Beyond Email
Most security awareness programs are still centered on email phishing. That's necessary, but not sufficient.
You need to train people on SMS phishing (smishing), voice phishing (vishing), SIM-swap signals, and mobile app spoofing. And this training shouldn't just be "check the box" content for general employees. Your help-desk team and high-risk users need scenario-based training and simulations that mimic actual attacker behavior.
Why does this hit financial institutions especially hard?
The average cost of a data breach in financial services is around $6.08 million, higher than nearly every other industry. Global breach costs average about $4.88 million as of 2024. Scam and cybercrime losses reported to the FBI's IC3 hit $16.6 billion in a single year, with under-reporting acknowledged.
Combine that with exploding BYOD (a $132 billion market in 2025, projected to reach $276 billion by 2030) and mobile compromises climbing from under 30% of organizations to over 50% in a few years, and you get a simple picture: ignoring mobile and identity as first-class security domains is now a board-level risk.
The institutions getting ahead of mobile-first threats share a common approach. Here's what to prioritize:
Retire old perimeter thinking. Assume the perimeter is wherever work happens: phones, homes, the office, coffee shops, client sites, airports.
Lock down help-desk identity flows. Dual approval, callback verification, code words, rate limiting, and vishing-aware training.
Remove or closely monitor SMS for high-risk access. Move high-risk users to FIDO2/passkeys. Where SMS remains, monitor and alert for SIM-swap indicators.
Treat OAuth and SaaS integrations as top-tier risk. Inventory, clean up, enforce least privilege, and monitor for risky new grants.
Bind devices with cryptographic identity. Don't just trust phone numbers or "known devices." Enroll and trust devices based on cryptographic keys and revoke when risk changes.
Protect all users, not just executives. Include admins, help-desk, engineers, and sensitive-data handlers in your strongest control set.
Update security awareness for mobile-first threats. Add SMS, voice, SIM-swap, and mobile-app scenarios to your training and simulations.
Refresh incident response playbooks. Include SIM-swap entry points, malicious MFA resets, mobile-driven OAuth abuse, and SaaS-to-SaaS pivots.
Use industry collaboration as a force multiplier. Through FS-ISAC and other bodies, push for better telecom practices, BYOD baselines, and shared intel on these federated threat actors.
Need Help Implementing Mobile Security?
Most financial institutions we work with know they need better mobile security. What they need help with is implementing it in a way that works for their environment, respects privacy, and doesn't create massive organizational friction.
Whether you're securing corporate-owned devices, implementing BYOD controls, or running a hybrid model, the challenge is the same: detecting mobile threats without turning security into surveillance.
If that's where you are, let's talk. We specialize in on-device threat detection with deployments at institutions ranging from regional banks to global firms.